@keycardai/oauth 0.1.0

package/dist/cjs/tokenExchange.js

@@ -0,0 +1,130 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _TokenExchangeClient_instances, _TokenExchangeClient_issuerUrl, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_getTokenEndpoint;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExchangeClient = void 0;
+const discovery_js_1 = require("./discovery.js");
+// =============================================================================
+// Wire format helpers (camelCase <-> snake_case at the boundary)
+// =============================================================================
+function serializeRequest(request) {
+    const params = new URLSearchParams();
+    params.set("grant_type", request.grantType ?? "urn:ietf:params:oauth:grant-type:token-exchange");
+    params.set("subject_token", request.subjectToken);
+    params.set("subject_token_type", request.subjectTokenType ?? "urn:ietf:params:oauth:token-type:access_token");
+    if (request.resource)
+        params.set("resource", request.resource);
+    if (request.audience)
+        params.set("audience", request.audience);
+    if (request.scope)
+        params.set("scope", request.scope);
+    if (request.requestedTokenType)
+        params.set("requested_token_type", request.requestedTokenType);
+    if (request.actorToken)
+        params.set("actor_token", request.actorToken);
+    if (request.actorTokenType)
+        params.set("actor_token_type", request.actorTokenType);
+    if (request.clientAssertion)
+        params.set("client_assertion", request.clientAssertion);
+    if (request.clientAssertionType)
+        params.set("client_assertion_type", request.clientAssertionType);
+    return params;
+}
+function deserializeResponse(json) {
+    const accessToken = json.access_token;
+    if (typeof accessToken !== "string" || !accessToken) {
+        throw new Error("Token exchange response missing access_token");
+    }
+    const response = {
+        accessToken,
+        tokenType: typeof json.token_type === "string" ? json.token_type : "bearer",
+    };
+    if (typeof json.expires_in === "number")
+        response.expiresIn = json.expires_in;
+    if (typeof json.refresh_token === "string")
+        response.refreshToken = json.refresh_token;
+    if (typeof json.issued_token_type === "string")
+        response.issuedTokenType = json.issued_token_type;
+    if (typeof json.scope === "string") {
+        response.scope = json.scope.split(" ").filter(Boolean);
+    }
+    return response;
+}
+// =============================================================================
+// Token Exchange Client
+// =============================================================================
+class TokenExchangeClient {
+    constructor(issuerUrl, options) {
+        _TokenExchangeClient_instances.add(this);
+        _TokenExchangeClient_issuerUrl.set(this, void 0);
+        _TokenExchangeClient_clientId.set(this, void 0);
+        _TokenExchangeClient_clientSecret.set(this, void 0);
+        _TokenExchangeClient_tokenEndpoint.set(this, void 0);
+        _TokenExchangeClient_discoveryPromise.set(this, void 0);
+        __classPrivateFieldSet(this, _TokenExchangeClient_issuerUrl, issuerUrl, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_clientId, options?.clientId, "f");
+        __classPrivateFieldSet(this, _TokenExchangeClient_clientSecret, options?.clientSecret, "f");
+    }
+    async exchangeToken(request) {
+        const tokenEndpoint = await __classPrivateFieldGet(this, _TokenExchangeClient_instances, "m", _TokenExchangeClient_getTokenEndpoint).call(this);
+        const body = serializeRequest(request);
+        const headers = {
+            "Content-Type": "application/x-www-form-urlencoded",
+        };
+        if (__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f") && __classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")) {
+            const credentials = btoa(`${__classPrivateFieldGet(this, _TokenExchangeClient_clientId, "f")}:${__classPrivateFieldGet(this, _TokenExchangeClient_clientSecret, "f")}`);
+            headers["Authorization"] = `Basic ${credentials}`;
+        }
+        const response = await fetch(tokenEndpoint, {
+            method: "POST",
+            headers,
+            body: body.toString(),
+        });
+        if (!response.ok) {
+            let errorDetail = "";
+            try {
+                const errorBody = await response.json();
+                errorDetail = typeof errorBody.error_description === "string"
+                    ? errorBody.error_description
+                    : typeof errorBody.error === "string"
+                        ? errorBody.error
+                        : "";
+            }
+            catch {
+                // ignore parse errors
+            }
+            throw new Error(`Token exchange failed (HTTP ${response.status})${errorDetail ? `: ${errorDetail}` : ""}`);
+        }
+        const json = await response.json();
+        return deserializeResponse(json);
+    }
+}
+exports.TokenExchangeClient = TokenExchangeClient;
+_TokenExchangeClient_issuerUrl = new WeakMap(), _TokenExchangeClient_clientId = new WeakMap(), _TokenExchangeClient_clientSecret = new WeakMap(), _TokenExchangeClient_tokenEndpoint = new WeakMap(), _TokenExchangeClient_discoveryPromise = new WeakMap(), _TokenExchangeClient_instances = new WeakSet(), _TokenExchangeClient_getTokenEndpoint = async function _TokenExchangeClient_getTokenEndpoint() {
+    if (__classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f")) {
+        return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
+    }
+    // Promise-based lock: only one concurrent discovery
+    if (!__classPrivateFieldGet(this, _TokenExchangeClient_discoveryPromise, "f")) {
+        __classPrivateFieldSet(this, _TokenExchangeClient_discoveryPromise, (async () => {
+            const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(__classPrivateFieldGet(this, _TokenExchangeClient_issuerUrl, "f"));
+            if (!metadata.token_endpoint) {
+                throw new Error(`Authorization server "${__classPrivateFieldGet(this, _TokenExchangeClient_issuerUrl, "f")}" does not advertise a token_endpoint`);
+            }
+            __classPrivateFieldSet(this, _TokenExchangeClient_tokenEndpoint, metadata.token_endpoint, "f");
+            return __classPrivateFieldGet(this, _TokenExchangeClient_tokenEndpoint, "f");
+        })(), "f");
+    }
+    return __classPrivateFieldGet(this, _TokenExchangeClient_discoveryPromise, "f");
+};
+//# sourceMappingURL=tokenExchange.js.map

package/dist/cjs/tokenExchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAkClE,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAO9B,YAAY,SAAiB,EAAE,OAAoC;;QANnE,iDAAmB;QACnB,gDAAmB;QACnB,oDAAuB;QACvB,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,kCAAc,SAAS,MAAA,CAAC;QAC5B,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAA6B;QAC/C,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,WAAW,GAAG,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;oBAC3D,CAAC,CAAC,SAAS,CAAC,iBAAiB;oBAC7B,CAAC,CAAC,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ;wBACnC,CAAC,CAAC,SAAS,CAAC,KAAK;wBACjB,CAAC,CAAC,EAAE,CAAC;YACX,CAAC;YAAC,MAAM,CAAC;gBACP,sBAAsB;YACxB,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAC1F,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACnC,CAAC;CAqBF;AAxED,kDAwEC;qVAnBC,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,sCAAW,CAAC,CAAC;YACzE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,sCAAW,uCAAuC,CAAC,CAAC;YACnG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}

package/dist/esm/base64url.d.ts

@@ -0,0 +1,6 @@
+declare const _default: {
+    encode: (data: ArrayBuffer) => string;
+    decode: (str: string) => ArrayBuffer;
+};
+export default _default;
+//# sourceMappingURL=base64url.d.ts.map

package/dist/esm/base64url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../../src/base64url.ts"],"names":[],"mappings":";mBAoB0B,WAAW,KAAG,MAAM;kBAsBrB,MAAM,KAAG,WAAW;;AAvB7C,wBAiDE"}

package/dist/esm/base64url.js

@@ -0,0 +1,48 @@
+/*
+ * Base64URL-ArrayBuffer
+ * https://github.com/yackermann/Base64URL-ArrayBuffer
+ *
+ * Copyright (c) 2017 Yuriy Ackermann <ackermann.yuriy@gmail.com>
+ * Copyright (c) 2012 Niklas von Hertzen
+ * Licensed under the MIT license.
+ *
+ */
+const CHARACTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+// Use a lookup table to find the index.
+var lookup = new Uint8Array(256);
+for (var i = 0; i < CHARACTERS.length; i++) {
+    lookup[CHARACTERS.charCodeAt(i)] = i;
+}
+export default {
+    encode: function (data) {
+        var bytes = new Uint8Array(data), i, len = bytes.length, str = "";
+        for (i = 0; i < len; i += 3) {
+            str += CHARACTERS[bytes[i] >> 2];
+            str += CHARACTERS[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+            str += CHARACTERS[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+            str += CHARACTERS[bytes[i + 2] & 63];
+        }
+        if (len % 3 === 2) {
+            str = str.substring(0, str.length - 1);
+        }
+        else if (len % 3 === 1) {
+            str = str.substring(0, str.length - 2);
+        }
+        return str;
+    },
+    decode: function (str) {
+        var bufferLength = str.length * 0.75, len = str.length, i, p = 0, encoded1, encoded2, encoded3, encoded4;
+        var data = new ArrayBuffer(bufferLength), bytes = new Uint8Array(data);
+        for (i = 0; i < len; i += 4) {
+            encoded1 = lookup[str.charCodeAt(i)];
+            encoded2 = lookup[str.charCodeAt(i + 1)];
+            encoded3 = lookup[str.charCodeAt(i + 2)];
+            encoded4 = lookup[str.charCodeAt(i + 3)];
+            bytes[p++] = (encoded1 << 2) | (encoded2 >> 4);
+            bytes[p++] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+            bytes[p++] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+        }
+        return data;
+    },
+};
+//# sourceMappingURL=base64url.js.map

package/dist/esm/base64url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.js","sourceRoot":"","sources":["../../src/base64url.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,UAAU,GACd,kEAAkE,CAAC;AAErE,wCAAwC;AACxC,IAAI,MAAM,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AACjC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;IAC3C,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;AACvC,CAAC;AAED,eAAe;IACb,MAAM,EAAE,UAAU,IAAiB;QACjC,IAAI,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,EAC9B,CAAC,EACD,GAAG,GAAG,KAAK,CAAC,MAAM,EAClB,GAAG,GAAG,EAAE,CAAC;QAEX,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YACjC,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC/D,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACpE,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QACvC,CAAC;QAED,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAClB,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACzC,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,EAAE,UAAU,GAAW;QAC3B,IAAI,YAAY,GAAG,GAAG,CAAC,MAAM,GAAG,IAAI,EAClC,GAAG,GAAG,GAAG,CAAC,MAAM,EAChB,CAAC,EACD,CAAC,GAAG,CAAC,EACL,QAAQ,EACR,QAAQ,EACR,QAAQ,EACR,QAAQ,CAAC;QAEX,IAAI,IAAI,GAAG,IAAI,WAAW,CAAC,YAAY,CAAC,EACtC,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;YACrC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACzC,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAEzC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;YAC/C,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC;YACtD,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,GAAG,EAAE,CAAC,CAAC;QACvD,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAC"}

package/dist/esm/discovery.d.ts

@@ -0,0 +1,27 @@
+import { z } from "zod";
+declare const OAuthAuthorizationServerMetadataSchema: z.ZodObject<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    issuer: z.ZodString;
+    authorization_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
+    jwks_uri: z.ZodOptional<z.ZodString>;
+    registration_endpoint: z.ZodOptional<z.ZodString>;
+    token_endpoint_auth_methods_supported: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">>;
+export type OAuthAuthorizationServerMetadata = z.infer<typeof OAuthAuthorizationServerMetadataSchema>;
+export declare function fetchAuthorizationServerMetadata(issuer: string): Promise<OAuthAuthorizationServerMetadata>;
+export {};
+//# sourceMappingURL=discovery.d.ts.map

package/dist/esm/discovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;gCAO5B,CAAC;AAEjB,MAAM,MAAM,gCAAgC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sCAAsC,CAAC,CAAC;AAEtG,wBAAsB,gCAAgC,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,gCAAgC,CAAC,CAsBhH"}

package/dist/esm/discovery.js

@@ -0,0 +1,28 @@
+import { z } from "zod";
+const OAuthAuthorizationServerMetadataSchema = z.object({
+    issuer: z.string(),
+    authorization_endpoint: z.string().optional(),
+    token_endpoint: z.string().optional(),
+    jwks_uri: z.string().optional(),
+    registration_endpoint: z.string().optional(),
+    token_endpoint_auth_methods_supported: z.array(z.string()).optional(),
+}).passthrough();
+export async function fetchAuthorizationServerMetadata(issuer) {
+    const issuerURL = new URL(issuer);
+    let path = issuerURL.pathname;
+    if (path.endsWith("/")) {
+        path = path.slice(0, -1);
+    }
+    const url = new URL(`/.well-known/oauth-authorization-server${path}`, issuer);
+    const response = await fetch(url);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
+    }
+    const json = await response.json();
+    const metadata = OAuthAuthorizationServerMetadataSchema.parse(json);
+    if (metadata.issuer !== issuer) {
+        throw new Error(`Issuer mismatch in OAuth authorization server metadata for "${issuer}"`);
+    }
+    return metadata;
+}
+//# sourceMappingURL=discovery.js.map

package/dist/esm/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../src/discovery.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,sCAAsC,GAAG,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;IAClB,sBAAsB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7C,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,qBAAqB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5C,qCAAqC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACtE,CAAC,CAAC,WAAW,EAAE,CAAC;AAIjB,MAAM,CAAC,KAAK,UAAU,gCAAgC,CAAC,MAAc;IACnE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAClC,IAAI,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC;IAC9B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,0CAA0C,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;IAC9E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,4DAA4D,MAAM,GAAG,CACtE,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAG,sCAAsC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,+DAA+D,MAAM,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/esm/errors.d.ts

@@ -0,0 +1,19 @@
+export declare class HTTPError extends Error {
+    constructor(message: string);
+}
+export declare class BadRequestError extends HTTPError {
+}
+export declare class UnauthorizedError extends HTTPError {
+}
+export declare class OAuthError extends Error {
+    readonly errorCode: string;
+    readonly errorUri?: string | undefined;
+    constructor(errorCode: string, message: string, errorUri?: string | undefined);
+}
+export declare class InvalidTokenError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+export declare class InsufficientScopeError extends OAuthError {
+    constructor(message: string, errorUri?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/esm/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,SAAU,SAAQ,KAAK;gBAEhC,OAAO,EAAE,MAAM;CAIlB;AAED,qBAAa,eAAgB,SAAQ,SAAS;CAC7C;AAED,qBAAa,iBAAkB,SAAQ,SAAS;CAC/C;AAED,qBAAa,UAAW,SAAQ,KAAK;aAEjB,SAAS,EAAE,MAAM;aAEjB,QAAQ,CAAC,EAAE,MAAM;gBAFjB,SAAS,EAAE,MAAM,EACjC,OAAO,EAAE,MAAM,EACC,QAAQ,CAAC,EAAE,MAAM,YAAA;CAIpC;AAED,qBAAa,iBAAkB,SAAQ,UAAU;gBACnC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C;AAED,qBAAa,sBAAuB,SAAQ,UAAU;gBACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM;CAG/C"}

package/dist/esm/errors.js

@@ -0,0 +1,27 @@
+export class HTTPError extends Error {
+    constructor(message) {
+        super(message);
+    }
+}
+export class BadRequestError extends HTTPError {
+}
+export class UnauthorizedError extends HTTPError {
+}
+export class OAuthError extends Error {
+    constructor(errorCode, message, errorUri) {
+        super(message);
+        this.errorCode = errorCode;
+        this.errorUri = errorUri;
+    }
+}
+export class InvalidTokenError extends OAuthError {
+    constructor(message, errorUri) {
+        super("invalid_token", message, errorUri);
+    }
+}
+export class InsufficientScopeError extends OAuthError {
+    constructor(message, errorUri) {
+        super("insufficient_scope", message, errorUri);
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/esm/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,SAAU,SAAQ,KAAK;IAClC,YACE,OAAe;QAEf,KAAK,CAAC,OAAO,CAAC,CAAC;IACjB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,SAAS;CAC7C;AAED,MAAM,OAAO,iBAAkB,SAAQ,SAAS;CAC/C;AAED,MAAM,OAAO,UAAW,SAAQ,KAAK;IACnC,YACkB,SAAiB,EACjC,OAAe,EACC,QAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,cAAS,GAAT,SAAS,CAAQ;QAEjB,aAAQ,GAAR,QAAQ,CAAS;IAGnC,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,UAAU;IAC/C,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,UAAU;IACpD,YAAY,OAAe,EAAE,QAAiB;QAC5C,KAAK,CAAC,oBAAoB,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACjD,CAAC;CACF"}

package/dist/esm/index.d.ts

@@ -0,0 +1,12 @@
+export type { OAuthKeyring, PrivateKeyring, IdentifiableKey } from "./keyring.js";
+export { JWKSOAuthKeyring } from "./keyring.js";
+export { default as base64url } from "./base64url.js";
+export { fetchAuthorizationServerMetadata } from "./discovery.js";
+export type { OAuthAuthorizationServerMetadata } from "./discovery.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { JWTSigner } from "./jwt/signer.js";
+export type { JWTClaims } from "./jwt/signer.js";
+export { JWTVerifier } from "./jwt/verifier.js";
+export { TokenExchangeClient } from "./tokenExchange.js";
+export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions } from "./tokenExchange.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,aAAa,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/esm/index.js

@@ -0,0 +1,8 @@
+export { JWKSOAuthKeyring } from "./keyring.js";
+export { default as base64url } from "./base64url.js";
+export { fetchAuthorizationServerMetadata } from "./discovery.js";
+export { HTTPError, BadRequestError, UnauthorizedError, OAuthError, InvalidTokenError, InsufficientScopeError } from "./errors.js";
+export { JWTSigner } from "./jwt/signer.js";
+export { JWTVerifier } from "./jwt/verifier.js";
+export { TokenExchangeClient } from "./tokenExchange.js";
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,iBAAiB,EAAE,UAAU,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AACnI,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/esm/jwt/signer.d.ts

@@ -0,0 +1,19 @@
+import { PrivateKeyring } from "../keyring.js";
+export interface JWTClaims {
+    iss?: string;
+    sub?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+    scope?: string;
+    client_id?: string;
+    [key: string]: unknown;
+}
+export declare class JWTSigner {
+    #private;
+    constructor(keyring: PrivateKeyring);
+    sign(claims: JWTClaims): Promise<string>;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/esm/jwt/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../../src/jwt/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAG/C,MAAM,WAAW,SAAS;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,SAAS;;gBAGR,OAAO,EAAE,cAAc;IAI7B,IAAI,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;CA2B/C"}

package/dist/esm/jwt/signer.js

@@ -0,0 +1,48 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _JWTSigner_privateKeyring;
+import base64url from "../base64url.js";
+export class JWTSigner {
+    constructor(keyring) {
+        _JWTSigner_privateKeyring.set(this, void 0);
+        __classPrivateFieldSet(this, _JWTSigner_privateKeyring, keyring, "f");
+    }
+    async sign(claims) {
+        const { key, kid, issuer } = await __classPrivateFieldGet(this, _JWTSigner_privateKeyring, "f").key('sign');
+        const jsonHeader = {
+            alg: 'RS256',
+            kid: kid
+        };
+        const resolvedClaims = { ...claims };
+        if (issuer && !resolvedClaims.iss) {
+            resolvedClaims.iss = issuer;
+        }
+        const header = btoau(JSON.stringify(jsonHeader));
+        const payload = btoau(JSON.stringify(resolvedClaims));
+        const input = `${header}.${payload}`;
+        let signature = await crypto.subtle.sign({
+            name: 'RSASSA-PKCS1-v1_5',
+        }, key, stringToUint8Array(input));
+        return `${input}.${base64url.encode(signature)}`;
+    }
+}
+_JWTSigner_privateKeyring = new WeakMap();
+function btoau(str) {
+    return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+// TextEncoder.encode() always returns a Uint8Array backed by ArrayBuffer,
+// but TS 5.7+ types .buffer as ArrayBufferLike (includes SharedArrayBuffer).
+// The cast is safe and necessary for crypto.subtle.sign's BufferSource parameter.
+function stringToUint8Array(str) {
+    return new TextEncoder().encode(str).buffer;
+}
+//# sourceMappingURL=signer.js.map

package/dist/esm/jwt/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../../src/jwt/signer.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,SAAS,MAAM,iBAAiB,CAAA;AAevC,MAAM,OAAO,SAAS;IAGpB,YAAY,OAAuB;QAFnC,4CAAgC;QAG9B,uBAAA,IAAI,6BAAmB,OAAO,MAAA,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAiB;QAC1B,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,GAAI,MAAM,uBAAA,IAAI,iCAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAErE,MAAM,UAAU,GAAG;YACjB,GAAG,EAAE,OAAO;YACZ,GAAG,EAAE,GAAG;SACT,CAAC;QAEF,MAAM,cAAc,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QACrC,IAAI,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,CAAC;YAClC,cAAc,CAAC,GAAG,GAAG,MAAM,CAAC;QAC9B,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC;QAEtD,MAAM,KAAK,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC;QACrC,IAAI,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACtC;YACE,IAAI,EAAE,mBAAmB;SAC1B,EACD,GAAG,EACH,kBAAkB,CAAC,KAAK,CAAC,CAC1B,CAAC;QAEF,OAAO,GAAG,KAAK,IAAI,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;IACnD,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,GAAW;IACxB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;AAC5E,CAAC;AAED,0EAA0E;AAC1E,6EAA6E;AAC7E,kFAAkF;AAClF,SAAS,kBAAkB,CAAC,GAAW;IACrC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAqB,CAAC;AAC7D,CAAC"}

package/dist/esm/jwt/verifier.d.ts

@@ -0,0 +1,8 @@
+import { OAuthKeyring } from "../keyring.js";
+import type { JWTClaims } from "./signer.js";
+export declare class JWTVerifier {
+    #private;
+    constructor(keyring: OAuthKeyring);
+    verify(token: string): Promise<JWTClaims>;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/esm/jwt/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,qBAAa,WAAW;;gBAGV,OAAO,EAAE,YAAY;IAI3B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA2BhD"}

package/dist/esm/jwt/verifier.js

@@ -0,0 +1,42 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _JWTVerifier_keyring;
+import { InvalidTokenError } from "../errors.js";
+import base64url from "../base64url.js";
+export class JWTVerifier {
+    constructor(keyring) {
+        _JWTVerifier_keyring.set(this, void 0);
+        __classPrivateFieldSet(this, _JWTVerifier_keyring, keyring, "f");
+    }
+    async verify(token) {
+        const [header, payload, signature, ...rest] = token.split('.');
+        const jsonHeader = JSON.parse(autob(header));
+        const jsonPayload = JSON.parse(autob(payload));
+        if (!jsonPayload.iss) {
+            throw new InvalidTokenError("JWT missing issuer (iss) claim");
+        }
+        const key = await __classPrivateFieldGet(this, _JWTVerifier_keyring, "f").key(jsonPayload.iss, jsonHeader.kid);
+        const verified = await crypto.subtle.verify({
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: { name: 'SHA-256' },
+        }, key, base64url.decode(signature), new TextEncoder().encode(`${header}.${payload}`));
+        if (!verified) {
+            throw new InvalidTokenError("Invalid signature");
+        }
+        return jsonPayload;
+    }
+}
+_JWTVerifier_keyring = new WeakMap();
+function autob(data) {
+    return atob(data.replace(/-/g, '+').replace(/_/g, '/'));
+}
+//# sourceMappingURL=verifier.js.map

package/dist/esm/jwt/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AAGxC,MAAM,OAAO,WAAW;IAGtB,YAAY,OAAqB;QAFjC,uCAAuB;QAGrB,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/D,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,MAAM,WAAW,GAAc,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAE1D,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/esm/keyring.d.ts

@@ -0,0 +1,15 @@
+export interface OAuthKeyring {
+    key(issuer: string, kid: string): Promise<CryptoKey>;
+}
+export type IdentifiableKey = {
+    key: CryptoKey;
+    issuer: string;
+    kid: string;
+};
+export interface PrivateKeyring {
+    key(usage: string): Promise<IdentifiableKey>;
+}
+export declare class JWKSOAuthKeyring implements OAuthKeyring {
+    key(issuer: string, kid: string): Promise<CryptoKey>;
+}
+//# sourceMappingURL=keyring.d.ts.map

package/dist/esm/keyring.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.d.ts","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;CACrD;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb,CAAC;AAEF,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAAA;CAC7C;AAyBD,qBAAa,gBAAiB,YAAW,YAAY;IAE7C,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CA8B3D"}

package/dist/esm/keyring.js

@@ -0,0 +1,45 @@
+import { z } from "zod";
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+const JWKSchema = z.object({
+    kty: z.string(),
+    alg: z.string().optional(),
+    use: z.string().optional(),
+    kid: z.string().optional(),
+});
+const RSAJWKSchema = JWKSchema.extend({
+    n: z.string(),
+    e: z.string(),
+});
+const ECJWKSchema = JWKSchema.extend({
+    crv: z.string(),
+    x: z.string(),
+    y: z.string(),
+});
+const JWKSetSchema = z.object({
+    keys: z.array(z.union([RSAJWKSchema, ECJWKSchema])),
+});
+export class JWKSOAuthKeyring {
+    async key(issuer, kid) {
+        const authorizationServer = await fetchAuthorizationServerMetadata(issuer);
+        if (!authorizationServer.jwks_uri) {
+            throw new Error(`No JSON Web Key Set available for "${issuer}"`);
+        }
+        const response = await fetch(authorizationServer.jwks_uri);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch OAuth authorization server metadata for "${issuer}"`);
+        }
+        const json = await response.json();
+        const jwkSet = JWKSetSchema.parse(json);
+        const jwk = jwkSet.keys.find((jwk) => jwk.kid === kid);
+        if (!jwk) {
+            throw new Error(`Failed to find key "${kid}" of "${issuer}"`);
+        }
+        // TODO: make this more robust to uses and algs
+        const key = await crypto.subtle.importKey('jwk', jwk, {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: { name: 'SHA-256' },
+        }, true, ['verify']);
+        return key;
+    }
+}
+//# sourceMappingURL=keyring.js.map

package/dist/esm/keyring.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"keyring.js","sourceRoot":"","sources":["../../src/keyring.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAiBlE,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,CAAC;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC3B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC;IACpC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,SAAS,CAAC,MAAM,CAAC;IACnC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;CACpD,CAAC,CAAC;AAEH,MAAM,OAAO,gBAAgB;IAE3B,KAAK,CAAC,GAAG,CAAC,MAAc,EAAE,GAAW;QACnC,MAAM,mBAAmB,GAAG,MAAM,gCAAgC,CAAC,MAAM,CAAC,CAAC;QAC3E,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,sCAAsC,MAAM,GAAG,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC3D,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,4DAA4D,MAAM,GAAG,CAAC,CAAC;QACzF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,SAAS,MAAM,GAAG,CAAC,CAAC;QAChE,CAAC;QAED,+CAA+C;QAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,IAAI,EACJ,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,GAAG,CAAC;IACb,CAAC;CACF"}

package/dist/esm/package.json

@@ -0,0 +1 @@
+{"type": "module"}

package/dist/esm/tokenExchange.d.ts

@@ -0,0 +1,31 @@
+export interface TokenExchangeRequest {
+    grantType?: string;
+    resource?: string;
+    audience?: string;
+    scope?: string;
+    requestedTokenType?: string;
+    subjectToken: string;
+    subjectTokenType?: string;
+    actorToken?: string;
+    actorTokenType?: string;
+    clientAssertion?: string;
+    clientAssertionType?: string;
+}
+export interface TokenResponse {
+    accessToken: string;
+    tokenType: string;
+    expiresIn?: number;
+    refreshToken?: string;
+    scope?: string[];
+    issuedTokenType?: string;
+}
+export interface TokenExchangeClientOptions {
+    clientId?: string;
+    clientSecret?: string;
+}
+export declare class TokenExchangeClient {
+    #private;
+    constructor(issuerUrl: string, options?: TokenExchangeClientOptions);
+    exchangeToken(request: TokenExchangeRequest): Promise<TokenResponse>;
+}
+//# sourceMappingURL=tokenExchange.d.ts.map

package/dist/esm/tokenExchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAkDD,qBAAa,mBAAmB;;gBAOlB,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAM7D,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;CA2D3E"}