@keycardai/oauth 0.12.0 → 0.14.0
- package/dist/cjs/clientCredentials.d.ts +33 -0
- package/dist/cjs/clientCredentials.d.ts.map +1 -0
- package/dist/cjs/clientCredentials.js +127 -0
- package/dist/cjs/clientCredentials.js.map +1 -0
- package/dist/cjs/index.d.ts +2 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +3 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/pkce.d.ts +9 -7
- package/dist/cjs/pkce.d.ts.map +1 -1
- package/dist/cjs/pkce.js +27 -13
- package/dist/cjs/pkce.js.map +1 -1
- package/dist/cjs/tokenExchange.d.ts +1 -0
- package/dist/cjs/tokenExchange.d.ts.map +1 -1
- package/dist/cjs/tokenExchange.js +3 -2
- package/dist/cjs/tokenExchange.js.map +1 -1
- package/dist/esm/clientCredentials.d.ts +33 -0
- package/dist/esm/clientCredentials.d.ts.map +1 -0
- package/dist/esm/clientCredentials.js +123 -0
- package/dist/esm/clientCredentials.js.map +1 -0
- package/dist/esm/index.d.ts +2 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/pkce.d.ts +9 -7
- package/dist/esm/pkce.d.ts.map +1 -1
- package/dist/esm/pkce.js +27 -13
- package/dist/esm/pkce.js.map +1 -1
- package/dist/esm/tokenExchange.d.ts +1 -0
- package/dist/esm/tokenExchange.d.ts.map +1 -1
- package/dist/esm/tokenExchange.js +2 -2
- package/dist/esm/tokenExchange.js.map +1 -1
- package/package.json +1 -1
|
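--- a/package/dist/cjs/clientCredentials.d.ts
+++ b/package/dist/cjs/clientCredentials.d.ts
@@ -0,0 +1,33 @@
+import type { ApplicationCredential } from "./credentials.js";
+import { type TokenResponse } from "./tokenExchange.js";
+export interface ClientCredentialsRequest {
+resource?: string;
+scope?: string;
+clientAssertion?: string;
+clientAssertionType?: string;
+}
+export interface ClientCredentialsClientOptions {
+clientId?: string;
+clientSecret?: string;
+/**
+* Application credential provider. When set, takes precedence over
+* static `clientId`/`clientSecret` and resolves the per-request
+* Authorization header from the credential's `getAuth(zoneId)`.
+*/
+credential?: ApplicationCredential;
+}
+export interface RequestTokenOptions {
+zoneId?: string;
+}
+export declare class ClientCredentialsClient {
+#private;
+constructor(issuer: string, options?: ClientCredentialsClientOptions);
+requestToken(request?: ClientCredentialsRequest, options?: RequestTokenOptions): Promise<TokenResponse>;
+/**
+* Resolve the authorization server's token endpoint (discovered from metadata
+* and cached). Exposed so a caller can build a credential assertion whose
+* `aud` is the token endpoint before invoking {@link requestToken}.
+*/
+getTokenEndpoint(): Promise<string>;
+}
+//# sourceMappingURL=clientCredentials.d.ts.map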
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientCredentials.d.ts","sourceRoot":"","sources":["../../src/clientCredentials.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAA4B,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMlF,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAuBD,qBAAa,uBAAuB;;gBAQtB,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,8BAA8B;IAO9D,YAAY,CAChB,OAAO,CAAC,EAAE,wBAAwB,EAClC,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,aAAa,CAAC;IA0DzB;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB1C"}
|
|
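--- a/package/dist/cjs/clientCredentials.js
+++ b/package/dist/cjs/clientCredentials.js
@@ -0,0 +1,127 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+if (kind === "m") throw new TypeError("Private method is not writable");
+if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _ClientCredentialsClient_instances, _ClientCredentialsClient_issuer, _ClientCredentialsClient_clientId, _ClientCredentialsClient_clientSecret, _ClientCredentialsClient_credential, _ClientCredentialsClient_tokenEndpoint, _ClientCredentialsClient_discoveryPromise, _ClientCredentialsClient_resolveBasicAuth, _ClientCredentialsClient_getTokenEndpoint;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ClientCredentialsClient = void 0;
+const discovery_js_1 = require("./discovery.js");
+const errors_js_1 = require("./errors.js");
+const tokenExchange_js_1 = require("./tokenExchange.js");
+// =============================================================================
+// Wire format helpers (camelCase <-> snake_case at the boundary)
+// =============================================================================
+function serializeRequest(request) {
+const params = new URLSearchParams();
+params.set("grant_type", "client_credentials");
+if (request.resource)
+params.set("resource", request.resource);
+if (request.scope)
+params.set("scope", request.scope);
+if (request.clientAssertion)
+params.set("client_assertion", request.clientAssertion);
+if (request.clientAssertionType)
+params.set("client_assertion_type", request.clientAssertionType);
+return params;
+}
+// =============================================================================
+// Client Credentials Client
+// =============================================================================
+class ClientCredentialsClient {
+constructor(issuer, options) {
+_ClientCredentialsClient_instances.add(this);
+_ClientCredentialsClient_issuer.set(this, void 0);
+_ClientCredentialsClient_clientId.set(this, void 0);
+_ClientCredentialsClient_clientSecret.set(this, void 0);
+_ClientCredentialsClient_credential.set(this, void 0);
+_ClientCredentialsClient_tokenEndpoint.set(this, void 0);
+_ClientCredentialsClient_discoveryPromise.set(this, void 0);
+__classPrivateFieldSet(this, _ClientCredentialsClient_issuer, issuer, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_clientId, options?.clientId, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_clientSecret, options?.clientSecret, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_credential, options?.credential, "f");
+}
+async requestToken(request, options) {
+const tokenEndpoint = await __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_getTokenEndpoint).call(this);
+const body = serializeRequest(request ?? {});
+const headers = {
+"Content-Type": "application/x-www-form-urlencoded",
+};
+const basicAuth = __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_resolveBasicAuth).call(this, options?.zoneId);
+if (basicAuth) {
+const credentials = btoa(`${basicAuth.clientId}:${basicAuth.clientSecret}`);
+headers["Authorization"] = `Basic ${credentials}`;
+}
+const response = await fetch(tokenEndpoint, {
+method: "POST",
+headers,
+body: body.toString(),
+});
+if (!response.ok) {
+try {
+const errorBody = await response.json();
+if (typeof errorBody.error === "string") {
+const errorCode = errorBody.error;
+const description = typeof errorBody.error_description === "string"
+? errorBody.error_description
+: errorCode;
+const errorUri = typeof errorBody.error_uri === "string"
+? errorBody.error_uri
+: undefined;
+throw new errors_js_1.OAuthError(errorCode, description, errorUri);
+}
+}
+catch (e) {
+if (e instanceof errors_js_1.OAuthError)
+throw e;
+// non-JSON or no "error" key: fall through
+}
+throw new Error(`Client credentials request failed (HTTP ${response.status})`);
+}
+const json = await response.json();
+return (0, tokenExchange_js_1.deserializeTokenResponse)(json);
+}
+/**
+* Resolve the authorization server's token endpoint (discovered from metadata
+* and cached). Exposed so a caller can build a credential assertion whose
+* `aud` is the token endpoint before invoking {@link requestToken}.
+*/
+async getTokenEndpoint() {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_getTokenEndpoint).call(this);
+}
+}
+exports.ClientCredentialsClient = ClientCredentialsClient;
+_ClientCredentialsClient_issuer = new WeakMap(), _ClientCredentialsClient_clientId = new WeakMap(), _ClientCredentialsClient_clientSecret = new WeakMap(), _ClientCredentialsClient_credential = new WeakMap(), _ClientCredentialsClient_tokenEndpoint = new WeakMap(), _ClientCredentialsClient_discoveryPromise = new WeakMap(), _ClientCredentialsClient_instances = new WeakSet(), _ClientCredentialsClient_resolveBasicAuth = function _ClientCredentialsClient_resolveBasicAuth(zoneId) {
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_credential, "f")) {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_credential, "f").getAuth(zoneId);
+}
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_clientId, "f") && __classPrivateFieldGet(this, _ClientCredentialsClient_clientSecret, "f")) {
+return { clientId: __classPrivateFieldGet(this, _ClientCredentialsClient_clientId, "f"), clientSecret: __classPrivateFieldGet(this, _ClientCredentialsClient_clientSecret, "f") };
+}
+return null;
+}, _ClientCredentialsClient_getTokenEndpoint = async function _ClientCredentialsClient_getTokenEndpoint() {
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f")) {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f");
+}
+// Promise-based lock: only one concurrent discovery
+if (!__classPrivateFieldGet(this, _ClientCredentialsClient_discoveryPromise, "f")) {
+__classPrivateFieldSet(this, _ClientCredentialsClient_discoveryPromise, (async () => {
+const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(__classPrivateFieldGet(this, _ClientCredentialsClient_issuer, "f"));
+if (!metadata.token_endpoint) {
+throw new Error(`Authorization server "${__classPrivateFieldGet(this, _ClientCredentialsClient_issuer, "f")}" does not advertise a token_endpoint`);
+}
+__classPrivateFieldSet(this, _ClientCredentialsClient_tokenEndpoint, metadata.token_endpoint, "f");
+return __classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f");
+})(), "f");
+}
+return __classPrivateFieldGet(this, _ClientCredentialsClient_discoveryPromise, "f");
+};
+//# sourceMappingURL=clientCredentials.js.map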
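Review bot: `requestToken` sets the `Authorization: Basic` header whenever `_ClientCredentialsClient_resolveBasicAuth` returns a value, even when the request also carries `clientAssertion`, so a client configured with a secret and called with an assertion presents two client authentication methods in one request, which RFC 6749 §2.3 forbids; guarding the header with `if (basicAuth && !request?.clientAssertion) {` keeps it to one. The id and secret are also passed to `btoa` raw, whereas RFC 6749 §2.3.1 form-encodes both first, and `btoa` throws on characters outside Latin-1. In `_ClientCredentialsClient_getTokenEndpoint` the discovery promise is stored before it settles and never cleared, so one failed metadata fetch makes every later call on that instance reject; resetting the field in a `catch` inside the async IIFE before rethrowing would let the next call retry. Whether `fetchAuthorizationServerMetadata` checks that the advertised `token_endpoint` is HTTPS and belongs to the issuer is not visible here and is worth confirming, since the secret is sent to whatever URL it returns.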
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientCredentials.js","sourceRoot":"","sources":["../../src/clientCredentials.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,iDAAkE;AAClE,2CAAyC;AAEzC,yDAAkF;AA4BlF,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAAiC;IACzD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAE/C,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF,MAAa,uBAAuB;IAQlC,YAAY,MAAc,EAAE,OAAwC;;QAPpE,kDAAgB;QAChB,oDAAmB;QACnB,wDAAuB;QACvB,sDAAoC;QACpC,yDAAwB;QACxB,4DAAoC;QAGlC,uBAAA,IAAI,mCAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,yCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,uCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,OAAkC,EAClC,OAA6B;QAE7B,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QAE7C,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,C
AAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,2CAA2C;YAC7C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,2CAA2C,QAAQ,CAAC,MAAM,GAAG,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,IAAA,2CAAwB,EAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAcD;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,OAAO,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,CAAoB,CAAC;IAClC,CAAC;CAqBF;AAxGD,0DAwGC;sdAvCG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,2CAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,2CAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,yCAAU,IAAI,uBAAA,IAAI,6CAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,yCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,6CAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,8CAWD,KAAK;IACH,IAAI,uBAAA,IAAI,8CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,8CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,iDAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,6CAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,uCAAQ,CAAC,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,uCAAQ,uCAAuC,CAAC,CAAC;YAChG,CAAC;YACD,uBAAA,IAAI,0CAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,8CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,iDAAkB,CAAC;AAChC,CAAC"}
|
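--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -10,6 +10,8 @@ export { JWTVerifier } from "./jwt/verifier.js";
 export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
+export { ClientCredentialsClient } from "./clientCredentials.js";
+export type { ClientCredentialsRequest, ClientCredentialsClientOptions, RequestTokenOptions, } from "./clientCredentials.js";
 export type { ApplicationCredential } from "./credentials.js";
 export { registerClient } from "./registration.js";
 export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";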
|
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EACV,wBAAwB,EACxB,8BAA8B,EAC9B,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}
|
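--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.authenticate = exports.exchangeAuthorizationCode = exports.generatePkcePair = exports.generateCodeChallenge = exports.generateCodeVerifier = exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.registerClient = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.JWKSKeyNotFoundError = exports.JWKSFetchError = exports.JWKSUriValidationError = exports.JWKSDiscoveryError = exports.JWKSError = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
+exports.authenticate = exports.exchangeAuthorizationCode = exports.generatePkcePair = exports.generateCodeChallenge = exports.generateCodeVerifier = exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.registerClient = exports.ClientCredentialsClient = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.JWKSKeyNotFoundError = exports.JWKSFetchError = exports.JWKSUriValidationError = exports.JWKSDiscoveryError = exports.JWKSError = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
 var keyring_js_1 = require("./keyring.js");
 Object.defineProperty(exports, "JWKSOAuthKeyring", { enumerable: true, get: function () { return keyring_js_1.JWKSOAuthKeyring; } });
 var base64url_js_1 = require("./base64url.js");
@@ -33,6 +33,8 @@ Object.defineProperty(exports, "buildSubstituteUserToken", { enumerable: true, g
 var tokenExchange_js_1 = require("./tokenExchange.js");
 Object.defineProperty(exports, "TokenExchangeClient", { enumerable: true, get: function () { return tokenExchange_js_1.TokenExchangeClient; } });
 Object.defineProperty(exports, "TokenType", { enumerable: true, get: function () { return tokenExchange_js_1.TokenType; } });
+var clientCredentials_js_1 = require("./clientCredentials.js");
+Object.defineProperty(exports, "ClientCredentialsClient", { enumerable: true, get: function () { return clientCredentials_js_1.ClientCredentialsClient; } });
 var registration_js_1 = require("./registration.js");
 Object.defineProperty(exports, "registerClient", { enumerable: true, get: function () { return registration_js_1.registerClient; } });
 var index_js_1 = require("./server/index.js");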
|
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCAcqB;AAbnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAC9B,sGAAA,SAAS,OAAA;AACT,+GAAA,kBAAkB,OAAA;AAClB,mHAAA,sBAAsB,OAAA;AACtB,2GAAA,cAAc,OAAA;AACd,iHAAA,oBAAoB,OAAA;AAEtB,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCAcqB;AAbnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAC9B,sGAAA,SAAS,OAAA;AACT,+GAAA,kBAAkB,OAAA;AAClB,mHAAA,sBAAsB,OAAA;AACtB,2GAAA,cAAc,OAAA;AACd,iHAAA,oBAAoB,OAAA;AAEtB,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AAQvC,+DAAiE;AAAxD,+HAAA,uBAAuB,OAAA;AAOhC,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AAMvB,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA;AAQnD,qCAMmB;AALjB,+GAAA,oBAAoB,OAAA;AACpB,gHAAA,qBAAqB,OAAA;AACrB,2GAAA,gBAAgB,OAAA;AAChB,oHAAA,yBAAyB,OAAA;AACzB,uGAAA,YAAY,OAAA"}
|
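--- a/package/dist/cjs/pkce.d.ts
+++ b/package/dist/cjs/pkce.d.ts
@@ -7,11 +7,11 @@ export interface Pkce {
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export declare function generateCodeVerifier(): string;
+export declare function generateCodeVerifier(length?: number): string;
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
 *
@@ -23,7 +23,7 @@ export declare function generateCodeChallenge(verifier: string, method?: "S256"
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export declare function generatePkcePair(method?: "S256" | "plain"): Promise<Pkce>;
+export declare function generatePkcePair(method?: "S256" | "plain", verifierLength?: number): Promise<Pkce>;
 export interface ExchangeAuthorizationCodeOptions {
 codeVerifier: string;
 redirectUri: string;
@@ -44,14 +44,16 @@ export interface AuthenticateOptions {
 clientId: string;
 /** Default: "http://localhost:{port}/callback" */
 redirectUri?: string;
-/** Default:
+/** Default: 8765 */
 port?: number;
 scopes?: readonly string[];
 clientSecret?: string;
-/** Default:
+/** Default: 300_000 ms */
 timeoutMs?: number;
 /** RFC 8707 resource indicator. Scopes the issued token's audience to this resource URL, enabling token exchange against it. */
 resource?: string;
+/** Opens the authorization URL. Default: the platform browser launcher. */
+openBrowser?: (url: string) => void | Promise<void>;
 }
 /**
 * Full authorization-code-with-PKCE flow for local/CLI contexts.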
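Review bot: The new doc comment on `generateCodeVerifier(length?: number)` states the 43-128 range but not what happens outside it; the implementation shown in `pkce.js` throws `RangeError`, so the comment should carry `@throws {RangeError} if length is outside 43-128`, and `generatePkcePair`'s `verifierLength` should say it is passed to the same check. That check, `length < 43 || length > 128`, is false for `NaN`, in which case the byte array is sized 0 and the function would return an empty verifier; `if (!Number.isInteger(length) || length < 43 || length > 128) {` closes that gap. The `pkce.js` section continues past the end of this page, so how `waitForCode` compares `expectedState` could not be reviewed.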
|
package/dist/cjs/pkce.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAM,GAAG,MAAM,CASzD;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,GAAE,MAAM,GAAG,OAAgB,EACjC,cAAc,SAAM,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qGAAqG;IACrG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CA0ExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gIAAgI;IAChI,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA6CxB"}
|
package/dist/cjs/pkce.js
CHANGED
|
@@ -47,14 +47,19 @@ const errors_js_1 = require("./errors.js");
|
|
|
47
47
|
/**
|
|
48
48
|
* Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
|
|
49
49
|
*
|
|
50
|
-
* Returns a
|
|
51
|
-
* uses the global `crypto.getRandomValues`
|
|
52
|
-
* Cloudflare Workers, and browsers.
|
|
50
|
+
* Returns a base64url string of the requested length (43-128 characters,
|
|
51
|
+
* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
|
|
52
|
+
* which is available in Node 19+, Cloudflare Workers, and browsers.
|
|
53
53
|
*/
|
|
54
|
-
function generateCodeVerifier() {
|
|
55
|
-
|
|
54
|
+
function generateCodeVerifier(length = 128) {
|
|
55
|
+
if (length < 43 || length > 128) {
|
|
56
|
+
throw new RangeError("Code verifier length must be between 43 and 128 characters");
|
|
57
|
+
}
|
|
58
|
+
// base64url yields 4 characters per 3 bytes; generate enough bytes to
|
|
59
|
+
// cover the requested length, then trim.
|
|
60
|
+
const bytes = new Uint8Array(Math.ceil((length * 3) / 4));
|
|
56
61
|
crypto.getRandomValues(bytes);
|
|
57
|
-
return base64url_js_1.default.encode(bytes.buffer);
|
|
62
|
+
return base64url_js_1.default.encode(bytes.buffer).slice(0, length);
|
|
58
63
|
}
|
|
59
64
|
/**
|
|
60
65
|
* Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
|
|
@@ -73,8 +78,8 @@ async function generateCodeChallenge(verifier, method = "S256") {
|
|
|
73
78
|
/**
|
|
74
79
|
* Generate a PKCE pair (verifier + challenge) in one call.
|
|
75
80
|
*/
|
|
76
|
-
async function generatePkcePair(method = "S256") {
|
|
77
|
-
const codeVerifier = generateCodeVerifier();
|
|
81
|
+
async function generatePkcePair(method = "S256", verifierLength = 128) {
|
|
82
|
+
const codeVerifier = generateCodeVerifier(verifierLength);
|
|
78
83
|
const codeChallenge = await generateCodeChallenge(codeVerifier, method);
|
|
79
84
|
return { codeVerifier, codeChallenge, codeChallengeMethod: method };
|
|
80
85
|
}
|
|
@@ -167,10 +172,15 @@ async function exchangeAuthorizationCode(issuer, code, options) {
|
|
|
167
172
|
* *calling* `authenticate()` requires Node.js.
|
|
168
173
|
*/
|
|
169
174
|
async function authenticate(issuer, options) {
|
|
170
|
-
const port = options.port ??
|
|
175
|
+
const port = options.port ?? 8765;
|
|
171
176
|
const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
|
|
172
|
-
const timeoutMs = options.timeoutMs ??
|
|
177
|
+
const timeoutMs = options.timeoutMs ?? 300_000;
|
|
173
178
|
const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
|
|
179
|
+
// CSRF protection (RFC 6749 §10.12): bind the loopback callback to this
|
|
180
|
+
// authorization request.
|
|
181
|
+
const stateBytes = new Uint8Array(32);
|
|
182
|
+
crypto.getRandomValues(stateBytes);
|
|
183
|
+
const state = base64url_js_1.default.encode(stateBytes.buffer);
|
|
174
184
|
const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuer);
|
|
175
185
|
if (!metadata.authorization_endpoint) {
|
|
176
186
|
throw new Error(`Authorization server "${issuer}" does not advertise an authorization_endpoint`);
|
|
@@ -181,14 +191,15 @@ async function authenticate(issuer, options) {
|
|
|
181
191
|
authUrl.searchParams.set("redirect_uri", redirectUri);
|
|
182
192
|
authUrl.searchParams.set("code_challenge", codeChallenge);
|
|
183
193
|
authUrl.searchParams.set("code_challenge_method", "S256");
|
|
194
|
+
authUrl.searchParams.set("state", state);
|
|
184
195
|
if (options.scopes && options.scopes.length > 0) {
|
|
185
196
|
authUrl.searchParams.set("scope", options.scopes.join(" "));
|
|
186
197
|
}
|
|
187
198
|
if (options.resource) {
|
|
188
199
|
authUrl.searchParams.set("resource", options.resource);
|
|
189
200
|
}
|
|
190
|
-
await openBrowser(authUrl.toString());
|
|
191
|
-
const code = await waitForCode(port, redirectUri, timeoutMs);
|
|
201
|
+
await (options.openBrowser ?? openBrowser)(authUrl.toString());
|
|
202
|
+
const code = await waitForCode(port, redirectUri, timeoutMs, state);
|
|
192
203
|
return exchangeAuthorizationCode(issuer, code, {
|
|
193
204
|
codeVerifier,
|
|
194
205
|
redirectUri,
|
|
@@ -210,7 +221,7 @@ async function openBrowser(url) {
|
|
|
210
221
|
execFile("xdg-open", [url]);
|
|
211
222
|
}
|
|
212
223
|
}
|
|
213
|
-
async function waitForCode(port, redirectUri, timeoutMs) {
|
|
224
|
+
async function waitForCode(port, redirectUri, timeoutMs, expectedState) {
|
|
214
225
|
// Import before entering the Promise constructor to avoid the async-executor
|
|
215
226
|
// anti-pattern: if the dynamic import throws, the rejection propagates through
|
|
216
227
|
// this async function rather than escaping an async Promise constructor.
|
|
@@ -232,6 +243,9 @@ async function waitForCode(port, redirectUri, timeoutMs) {
|
|
|
232
243
|
if (error) {
|
|
233
244
|
reject(new errors_js_1.OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
|
|
234
245
|
}
|
|
246
|
+
else if (reqUrl.searchParams.get("state") !== expectedState) {
|
|
247
|
+
reject(new Error("State mismatch in redirect: possible CSRF attack"));
|
|
248
|
+
}
|
|
235
249
|
else if (code) {
|
|
236
250
|
resolve(code);
|
|
237
251
|
}
|
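Review bot: In the `waitForCode` hunk the new `state` comparison sits in an `else if` after `if (error)`, so a callback that carries an `error` parameter is acted on before its `state` is checked. A request that reaches the loopback listener with an `error` parameter therefore rejects the pending login and supplies its own `error_description` to the `OAuthError`, without having to present the expected state. RFC 6749 §4.1.2.1 returns `state` on error responses too, so the comparison can come first: `if (reqUrl.searchParams.get("state") !== expectedState) { reject(new Error("State mismatch in redirect: possible CSRF attack")); }` followed by `else if (error) { … }`. The rest of the request handler lies outside the hunk, so whether the request path is also verified before the flow is ended is not visible here.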
package/dist/cjs/pkce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,oDASC;AASD,sDAYC;AAKD,4CAOC;AAsBD,8DA8EC;AAiCD,oCAgDC;AArPD,kEAAuC;AACvC,iDAAkE;AAClE,2CAAyC;AAazC;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,MAAM,GAAG,GAAG;IAC/C,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,4DAA4D,CAAC,CAAC;IACrF,CAAC;IACD,sEAAsE;IACtE,yCAAyC;IACzC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,sBAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,sBAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB,CACpC,SAA2B,MAAM,EACjC,cAAc,GAAG,GAAG;IAEpB,MAAM,YAAY,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAgBD;;;;;GAKG;AACI,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,EAAE;QAC9D,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,uCAAuC,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;
KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,sBAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IA
CD,OAAO,aAAa,CAAC;AACvB,CAAC;AAsBD;;;;;;;;;;GAUG;AACI,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;IAE/C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,wEAAwE;IACxE,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,sBAAS,CAAC,MAAM,CAAC,UAAU,CAAC,MAAqB,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,gDAAgD,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,WAAW,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAEpE,OAAO,yBAAyB,CAAC,MAAM,EAAE,IAAI,EAAE;QAC7C,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,oBAAoB,GAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,C
AAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,WAAmB,EACnB,SAAiB,EACjB,aAAqB;IAErB,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,WAAW,GAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,sBAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,aAAa,EAAE,CAAC;oBAC9D,MAAM,CAAC,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC;gBACxE,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
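--- a/package/dist/cjs/tokenExchange.d.ts
+++ b/package/dist/cjs/tokenExchange.d.ts
@@ -48,6 +48,7 @@ export interface ImpersonateRequest {
 scope?: string;
 zoneId?: string;
 }
+export declare function deserializeTokenResponse(json: Record<string, unknown>): TokenResponse;
 export declare class TokenExchangeClient {
 #private;
 constructor(issuer: string, options?: TokenExchangeClientOptions);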
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAyBD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAmBrF;AAMD,qBAAa,mBAAmB;;gBAQlB,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAO1D,aAAa,CACjB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,aAAa,CAAC;IA8CnB,WAAW,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IA+BlE;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB1C"}
|
|
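--- a/package/dist/cjs/tokenExchange.js
+++ b/package/dist/cjs/tokenExchange.js
@@ -13,6 +13,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
 var _TokenExchangeClient_instances, _TokenExchangeClient_issuer, _TokenExchangeClient_clientId, _TokenExchangeClient_clientSecret, _TokenExchangeClient_credential, _TokenExchangeClient_tokenEndpoint, _TokenExchangeClient_discoveryPromise, _TokenExchangeClient_resolveBasicAuth, _TokenExchangeClient_getTokenEndpoint;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TokenExchangeClient = exports.TokenType = void 0;
+exports.deserializeTokenResponse = deserializeTokenResponse;
 const discovery_js_1 = require("./discovery.js");
 const errors_js_1 = require("./errors.js");
 const substituteUser_js_1 = require("./jwt/substituteUser.js");
@@ -53,7 +54,7 @@ function serializeRequest(request) {
 params.set("client_assertion_type", request.clientAssertionType);
 return params;
 }
-function
+function deserializeTokenResponse(json) {
 const accessToken = json.access_token;
 if (typeof accessToken !== "string" || !accessToken) {
 throw new Error("Token exchange response missing access_token");
@@ -128,7 +129,7 @@ class TokenExchangeClient {
 throw new Error(`Token exchange failed (HTTP ${response.status})`);
 }
 const json = await response.json();
-return
+return deserializeTokenResponse(json);
 }
 async impersonate(req) {
 if (!req.userIdentifier) {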
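Review bot: `deserializeTokenResponse` becomes a public export here, yet its first statement reads `json.access_token` without checking that `json` is an object, so a token endpoint that answers with the JSON literal `null` produces a bare `TypeError` rather than a controlled error. Both call sites shown on this page pass the result of `response.json()` straight in, which is untyped server output despite the declared `Record<string, unknown>` parameter. A guard as the first line would cover it: `if (json === null || typeof json !== "object" || Array.isArray(json)) throw new Error("Token response is not a JSON object");`. The message `"Token exchange response missing access_token"` is now also raised for client-credentials responses, so a grant-neutral wording would help triage, provided no caller matches on the current text. The function body continues past the end of the hunk.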
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAuFA,4DAmBC;AA1GD,iDAAkE;AAClE,2CAAyC;AAEzC,+DAAmE;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEnE,QAAA,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,wBAAwB,CAAC,IAA6B;IACpE,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC
;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAa,mBAAmB;IAQ9B,YAAY,MAAc,EAAE,OAAoC;;QAPhE,8CAAgB;QAChB,gDAAmB;QACnB,oDAAuB;QACvB,kDAAoC;QACpC,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,+BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,mCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAA6B,EAC7B,OAAyB;QAEzB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,sBAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,sBAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAuB;QACvC,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QAC
D,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,YAAY,GAAG,IAAA,4CAAwB,EAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,aAAa,CACvB;YACE,YAAY;YACZ,gBAAgB,EAAE,iBAAS,CAAC,eAAe;YAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CACvB,CAAC;IACJ,CAAC;IAcD;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,OAAO,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;IAClC,CAAC;CAqBF;AA3HD,kDA2HC;kbAvCG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,uCAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,uCAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,qCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,yCAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,0CAWD,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,uBAAA,IAAI,mCAAQ,CAAC,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,mCAAQ,uCAAuC,CAAC,CAAC;YAChG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
|
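--- a/package/dist/esm/clientCredentials.d.ts
+++ b/package/dist/esm/clientCredentials.d.ts
@@ -0,0 +1,33 @@
+import type { ApplicationCredential } from "./credentials.js";
+import { type TokenResponse } from "./tokenExchange.js";
+export interface ClientCredentialsRequest {
+resource?: string;
+scope?: string;
+clientAssertion?: string;
+clientAssertionType?: string;
+}
+export interface ClientCredentialsClientOptions {
+clientId?: string;
+clientSecret?: string;
+/**
+* Application credential provider. When set, takes precedence over
+* static `clientId`/`clientSecret` and resolves the per-request
+* Authorization header from the credential's `getAuth(zoneId)`.
+*/
+credential?: ApplicationCredential;
+}
+export interface RequestTokenOptions {
+zoneId?: string;
+}
+export declare class ClientCredentialsClient {
+#private;
+constructor(issuer: string, options?: ClientCredentialsClientOptions);
+requestToken(request?: ClientCredentialsRequest, options?: RequestTokenOptions): Promise<TokenResponse>;
+/**
+* Resolve the authorization server's token endpoint (discovered from metadata
+* and cached). Exposed so a caller can build a credential assertion whose
+* `aud` is the token endpoint before invoking {@link requestToken}.
+*/
+getTokenEndpoint(): Promise<string>;
+}
+//# sourceMappingURL=clientCredentials.d.ts.map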
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientCredentials.d.ts","sourceRoot":"","sources":["../../src/clientCredentials.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAA4B,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMlF,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,8BAA8B;IAC7C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAuBD,qBAAa,uBAAuB;;gBAQtB,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,8BAA8B;IAO9D,YAAY,CAChB,OAAO,CAAC,EAAE,wBAAwB,EAClC,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,aAAa,CAAC;IA0DzB;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB1C"}
|
|
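--- a/package/dist/esm/clientCredentials.js
+++ b/package/dist/esm/clientCredentials.js
@@ -0,0 +1,123 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+if (kind === "m") throw new TypeError("Private method is not writable");
+if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _ClientCredentialsClient_instances, _ClientCredentialsClient_issuer, _ClientCredentialsClient_clientId, _ClientCredentialsClient_clientSecret, _ClientCredentialsClient_credential, _ClientCredentialsClient_tokenEndpoint, _ClientCredentialsClient_discoveryPromise, _ClientCredentialsClient_resolveBasicAuth, _ClientCredentialsClient_getTokenEndpoint;
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+import { OAuthError } from "./errors.js";
+import { deserializeTokenResponse } from "./tokenExchange.js";
+// =============================================================================
+// Wire format helpers (camelCase <-> snake_case at the boundary)
+// =============================================================================
+function serializeRequest(request) {
+const params = new URLSearchParams();
+params.set("grant_type", "client_credentials");
+if (request.resource)
+params.set("resource", request.resource);
+if (request.scope)
+params.set("scope", request.scope);
+if (request.clientAssertion)
+params.set("client_assertion", request.clientAssertion);
+if (request.clientAssertionType)
+params.set("client_assertion_type", request.clientAssertionType);
+return params;
+}
+// =============================================================================
+// Client Credentials Client
+// =============================================================================
+export class ClientCredentialsClient {
+constructor(issuer, options) {
+_ClientCredentialsClient_instances.add(this);
+_ClientCredentialsClient_issuer.set(this, void 0);
+_ClientCredentialsClient_clientId.set(this, void 0);
+_ClientCredentialsClient_clientSecret.set(this, void 0);
+_ClientCredentialsClient_credential.set(this, void 0);
+_ClientCredentialsClient_tokenEndpoint.set(this, void 0);
+_ClientCredentialsClient_discoveryPromise.set(this, void 0);
+__classPrivateFieldSet(this, _ClientCredentialsClient_issuer, issuer, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_clientId, options?.clientId, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_clientSecret, options?.clientSecret, "f");
+__classPrivateFieldSet(this, _ClientCredentialsClient_credential, options?.credential, "f");
+}
+async requestToken(request, options) {
+const tokenEndpoint = await __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_getTokenEndpoint).call(this);
+const body = serializeRequest(request ?? {});
+const headers = {
+"Content-Type": "application/x-www-form-urlencoded",
+};
+const basicAuth = __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_resolveBasicAuth).call(this, options?.zoneId);
+if (basicAuth) {
+const credentials = btoa(`${basicAuth.clientId}:${basicAuth.clientSecret}`);
+headers["Authorization"] = `Basic ${credentials}`;
+}
+const response = await fetch(tokenEndpoint, {
+method: "POST",
+headers,
+body: body.toString(),
+});
+if (!response.ok) {
+try {
+const errorBody = await response.json();
+if (typeof errorBody.error === "string") {
+const errorCode = errorBody.error;
+const description = typeof errorBody.error_description === "string"
+? errorBody.error_description
+: errorCode;
+const errorUri = typeof errorBody.error_uri === "string"
+? errorBody.error_uri
+: undefined;
+throw new OAuthError(errorCode, description, errorUri);
+}
+}
+catch (e) {
+if (e instanceof OAuthError)
+throw e;
+// non-JSON or no "error" key: fall through
+}
+throw new Error(`Client credentials request failed (HTTP ${response.status})`);
+}
+const json = await response.json();
+return deserializeTokenResponse(json);
+}
+/**
+* Resolve the authorization server's token endpoint (discovered from metadata
+* and cached). Exposed so a caller can build a credential assertion whose
+* `aud` is the token endpoint before invoking {@link requestToken}.
+*/
+async getTokenEndpoint() {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_instances, "m", _ClientCredentialsClient_getTokenEndpoint).call(this);
+}
+}
+_ClientCredentialsClient_issuer = new WeakMap(), _ClientCredentialsClient_clientId = new WeakMap(), _ClientCredentialsClient_clientSecret = new WeakMap(), _ClientCredentialsClient_credential = new WeakMap(), _ClientCredentialsClient_tokenEndpoint = new WeakMap(), _ClientCredentialsClient_discoveryPromise = new WeakMap(), _ClientCredentialsClient_instances = new WeakSet(), _ClientCredentialsClient_resolveBasicAuth = function _ClientCredentialsClient_resolveBasicAuth(zoneId) {
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_credential, "f")) {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_credential, "f").getAuth(zoneId);
+}
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_clientId, "f") && __classPrivateFieldGet(this, _ClientCredentialsClient_clientSecret, "f")) {
+return { clientId: __classPrivateFieldGet(this, _ClientCredentialsClient_clientId, "f"), clientSecret: __classPrivateFieldGet(this, _ClientCredentialsClient_clientSecret, "f") };
+}
+return null;
+}, _ClientCredentialsClient_getTokenEndpoint = async function _ClientCredentialsClient_getTokenEndpoint() {
+if (__classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f")) {
+return __classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f");
+}
+// Promise-based lock: only one concurrent discovery
+if (!__classPrivateFieldGet(this, _ClientCredentialsClient_discoveryPromise, "f")) {
+__classPrivateFieldSet(this, _ClientCredentialsClient_discoveryPromise, (async () => {
+const metadata = await fetchAuthorizationServerMetadata(__classPrivateFieldGet(this, _ClientCredentialsClient_issuer, "f"));
+if (!metadata.token_endpoint) {
+throw new Error(`Authorization server "${__classPrivateFieldGet(this, _ClientCredentialsClient_issuer, "f")}" does not advertise a token_endpoint`);
+}
+__classPrivateFieldSet(this, _ClientCredentialsClient_tokenEndpoint, metadata.token_endpoint, "f");
+return __classPrivateFieldGet(this, _ClientCredentialsClient_tokenEndpoint, "f");
+})(), "f");
+}
+return __classPrivateFieldGet(this, _ClientCredentialsClient_discoveryPromise, "f");
+};
+//# sourceMappingURL=clientCredentials.js.map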
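Review bot: `requestToken` builds the Basic credential by calling `btoa` on the raw `clientId:clientSecret` string, whereas RFC 6749 §2.3.1 has each part form-urlencoded before the two are joined. With raw values, a client id that contains `:` is split at the wrong place by the server, and `btoa` throws on any character outside Latin-1 before the request is sent. Encoding each part first, for example `btoa(encodeURIComponent(basicAuth.clientId) + ":" + encodeURIComponent(basicAuth.clientSecret))`, covers both cases. Confirm that the authorization server decodes the credentials before adopting this, since a server that compares raw values would then reject secrets with reserved characters. Separately, `_ClientCredentialsClient_getTokenEndpoint` stores the discovery promise and never clears it on rejection, so one failed metadata fetch makes every later call on that instance fail; resetting the field in a `catch` would allow a retry.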
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"clientCredentials.js","sourceRoot":"","sources":["../../src/clientCredentials.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,wBAAwB,EAAsB,MAAM,oBAAoB,CAAC;AA4BlF,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAAiC;IACzD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAE/C,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAChF,4BAA4B;AAC5B,gFAAgF;AAEhF,MAAM,OAAO,uBAAuB;IAQlC,YAAY,MAAc,EAAE,OAAwC;;QAPpE,kDAAgB;QAChB,oDAAmB;QACnB,wDAAuB;QACvB,sDAAoC;QACpC,yDAAwB;QACxB,4DAAoC;QAGlC,uBAAA,IAAI,mCAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,qCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,yCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,uCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,OAAkC,EAClC,OAA6B;QAE7B,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QAE7C,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW
,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,2CAA2C;YAC7C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,2CAA2C,QAAQ,CAAC,MAAM,GAAG,CAC9D,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAcD;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,OAAO,uBAAA,IAAI,qFAAkB,MAAtB,IAAI,CAAoB,CAAC;IAClC,CAAC;CAqBF;sdAvCG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,2CAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,2CAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,yCAAU,IAAI,uBAAA,IAAI,6CAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,yCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,6CAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,8CAWD,KAAK;IACH,IAAI,uBAAA,IAAI,8CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,8CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,iDAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,6CAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,uCAAQ,CAAC,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,uCAAQ,uCAAuC,CAAC,CAAC;YAChG,CAAC;YACD,uBAAA,IAAI,0CAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,8CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,iDAAkB,CAAC;AAChC,CAAC"}
|
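--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -10,6 +10,8 @@ export { JWTVerifier } from "./jwt/verifier.js";
 export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
+export { ClientCredentialsClient } from "./clientCredentials.js";
+export type { ClientCredentialsRequest, ClientCredentialsClientOptions, RequestTokenOptions, } from "./clientCredentials.js";
 export type { ApplicationCredential } from "./credentials.js";
 export { registerClient } from "./registration.js";
 export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";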
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,YAAY,EACV,wBAAwB,EACxB,8BAA8B,EAC9B,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}
|
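--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -6,6 +6,7 @@ export { JWTSigner } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
 export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export { ClientCredentialsClient } from "./clientCredentials.js";
 export { registerClient } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export { generateCodeVerifier, generateCodeChallenge, generatePkcePair, exchangeAuthorizationCode, authenticate, } from "./pkce.js";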
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,EAC9B,SAAS,EACT,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,oBAAoB,GACrB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAQpE,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AAOjE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAMnD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAQ/E,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC"}
|
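--- a/package/dist/esm/pkce.d.ts
+++ b/package/dist/esm/pkce.d.ts
@@ -7,11 +7,11 @@ export interface Pkce {
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export declare function generateCodeVerifier(): string;
+export declare function generateCodeVerifier(length?: number): string;
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
 *
@@ -23,7 +23,7 @@ export declare function generateCodeChallenge(verifier: string, method?: "S256"
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export declare function generatePkcePair(method?: "S256" | "plain"): Promise<Pkce>;
+export declare function generatePkcePair(method?: "S256" | "plain", verifierLength?: number): Promise<Pkce>;
 export interface ExchangeAuthorizationCodeOptions {
 codeVerifier: string;
 redirectUri: string;
@@ -44,14 +44,16 @@ export interface AuthenticateOptions {
 clientId: string;
 /** Default: "http://localhost:{port}/callback" */
 redirectUri?: string;
-/** Default:
+/** Default: 8765 */
 port?: number;
 scopes?: readonly string[];
 clientSecret?: string;
-/** Default:
+/** Default: 300_000 ms */
 timeoutMs?: number;
 /** RFC 8707 resource indicator. Scopes the issued token's audience to this resource URL, enabling token exchange against it. */
 resource?: string;
+/** Opens the authorization URL. Default: the platform browser launcher. */
+openBrowser?: (url: string) => void | Promise<void>;
 }
 /**
 * Full authorization-code-with-PKCE flow for local/CLI contexts.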
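Review bot: The updated comment on `generateCodeVerifier` gives the 43-128 range but does not say what a caller gets outside it, and the new `verifierLength` parameter of `generatePkcePair` has no documentation at all. The implementation shipped in this release throws a `RangeError` for out-of-range lengths, so I would add `@throws RangeError when length is outside 43-128` to the first comment and `@param verifierLength length of the generated verifier, 43-128 (default 128)` to the second. Callers that pass a configured or user-supplied length then know to validate it or catch the error.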
package/dist/esm/pkce.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,
|
|
1
|
+
{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,SAAM,GAAG,MAAM,CASzD;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,GAAE,MAAM,GAAG,OAAgB,EACjC,cAAc,SAAM,GACnB,OAAO,CAAC,IAAI,CAAC,CAIf;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qGAAqG;IACrG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CA0ExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gIAAgI;IAChI,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrD;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CA6CxB"}
|
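--- a/package/dist/esm/pkce.js
+++ b/package/dist/esm/pkce.js
@@ -4,14 +4,19 @@ import { OAuthError } from "./errors.js";
 /**
 * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
 *
-* Returns a
-* uses the global `crypto.getRandomValues`
-* Cloudflare Workers, and browsers.
+* Returns a base64url string of the requested length (43-128 characters,
+* default 128). Runtime-agnostic: uses the global `crypto.getRandomValues`
+* which is available in Node 19+, Cloudflare Workers, and browsers.
 */
-export function generateCodeVerifier() {
-
+export function generateCodeVerifier(length = 128) {
+if (length < 43 || length > 128) {
+throw new RangeError("Code verifier length must be between 43 and 128 characters");
+}
+// base64url yields 4 characters per 3 bytes; generate enough bytes to
+// cover the requested length, then trim.
+const bytes = new Uint8Array(Math.ceil((length * 3) / 4));
 crypto.getRandomValues(bytes);
-return base64url.encode(bytes.buffer);
+return base64url.encode(bytes.buffer).slice(0, length);
 }
 /**
 * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
@@ -30,8 +35,8 @@ export async function generateCodeChallenge(verifier, method = "S256") {
 /**
 * Generate a PKCE pair (verifier + challenge) in one call.
 */
-export async function generatePkcePair(method = "S256") {
-const codeVerifier = generateCodeVerifier();
+export async function generatePkcePair(method = "S256", verifierLength = 128) {
+const codeVerifier = generateCodeVerifier(verifierLength);
 const codeChallenge = await generateCodeChallenge(codeVerifier, method);
 return { codeVerifier, codeChallenge, codeChallengeMethod: method };
 }
@@ -124,10 +129,15 @@ export async function exchangeAuthorizationCode(issuer, code, options) {
 * *calling* `authenticate()` requires Node.js.
 */
 export async function authenticate(issuer, options) {
-const port = options.port ??
+const port = options.port ?? 8765;
 const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
-const timeoutMs = options.timeoutMs ??
+const timeoutMs = options.timeoutMs ?? 300_000;
 const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
+// CSRF protection (RFC 6749 §10.12): bind the loopback callback to this
+// authorization request.
+const stateBytes = new Uint8Array(32);
+crypto.getRandomValues(stateBytes);
+const state = base64url.encode(stateBytes.buffer);
 const metadata = await fetchAuthorizationServerMetadata(issuer);
 if (!metadata.authorization_endpoint) {
 throw new Error(`Authorization server "${issuer}" does not advertise an authorization_endpoint`);
@@ -138,14 +148,15 @@ export async function authenticate(issuer, options) {
 authUrl.searchParams.set("redirect_uri", redirectUri);
 authUrl.searchParams.set("code_challenge", codeChallenge);
 authUrl.searchParams.set("code_challenge_method", "S256");
+authUrl.searchParams.set("state", state);
 if (options.scopes && options.scopes.length > 0) {
 authUrl.searchParams.set("scope", options.scopes.join(" "));
 }
 if (options.resource) {
 authUrl.searchParams.set("resource", options.resource);
 }
-await openBrowser(authUrl.toString());
-const code = await waitForCode(port, redirectUri, timeoutMs);
+await (options.openBrowser ?? openBrowser)(authUrl.toString());
+const code = await waitForCode(port, redirectUri, timeoutMs, state);
 return exchangeAuthorizationCode(issuer, code, {
 codeVerifier,
 redirectUri,
@@ -167,7 +178,7 @@ async function openBrowser(url) {
 execFile("xdg-open", [url]);
 }
 }
-async function waitForCode(port, redirectUri, timeoutMs) {
+async function waitForCode(port, redirectUri, timeoutMs, expectedState) {
 // Import before entering the Promise constructor to avoid the async-executor
 // anti-pattern: if the dynamic import throws, the rejection propagates through
 // this async function rather than escaping an async Promise constructor.
@@ -189,6 +200,9 @@ async function waitForCode(port, redirectUri, timeoutMs) {
 if (error) {
 reject(new OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
 }
+else if (reqUrl.searchParams.get("state") !== expectedState) {
+reject(new Error("State mismatch in redirect: possible CSRF attack"));
+}
 else if (code) {
 resolve(code);
 }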
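Review bot: The range guard in `generateCodeVerifier` does not reject `NaN`, because both `length < 43` and `length > 128` are false for it; `new Uint8Array(Math.ceil(NaN))` is then empty and `.slice(0, NaN)` returns an empty string, so the call returns an empty code verifier instead of throwing. `generatePkcePair` forwards `verifierLength` unchecked, so it is affected the same way. I would tighten the guard to `if (!Number.isInteger(length) || length < 43 || length > 128) {`, which also rejects fractional and non-numeric values before they reach the byte-count arithmetic.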
package/dist/esm/pkce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;
|
|
1
|
+
{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAM,GAAG,GAAG;IAC/C,IAAI,MAAM,GAAG,EAAE,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,UAAU,CAAC,4DAA4D,CAAC,CAAC;IACrF,CAAC;IACD,sEAAsE;IACtE,yCAAyC;IACzC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC1D,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,SAA2B,MAAM,EACjC,cAAc,GAAG,GAAG;IAEpB,MAAM,YAAY,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;IAC1D,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAgBD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,EAAE;QAC9D,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,uCAAuC,CACvE,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE
,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,
CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAsBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,EACd,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC;IAE/C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,wEAAwE;IACxE,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACtC,MAAM,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;IACnC,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,MAAqB,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,MAAM,gDAAgD,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACzC,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,WAAW,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAE/D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IAEpE,OAAO,yBAAyB,CAAC,MAAM,EAAE,IAAI,EAAE;QAC7C,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,Q
AAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,IAAY,EACZ,WAAmB,EACnB,SAAiB,EACjB,aAAqB;IAErB,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,aAAa,EAAE,CAAC;oBAC9D,MAAM,CAAC,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC,CAAC;gBACxE,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -48,6 +48,7 @@ export interface ImpersonateRequest {
|
|
|
48
48
|
scope?: string;
|
|
49
49
|
zoneId?: string;
|
|
50
50
|
}
|
|
51
|
+
export declare function deserializeTokenResponse(json: Record<string, unknown>): TokenResponse;
|
|
51
52
|
export declare class TokenExchangeClient {
|
|
52
53
|
#private;
|
|
53
54
|
constructor(issuer: string, options?: TokenExchangeClientOptions);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;
|
|
1
|
+
{"version":3,"file":"tokenExchange.d.ts","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAO9D,eAAO,MAAM,SAAS;;IAEpB;;;OAGG;;CAEK,CAAC;AACX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,OAAO,SAAS,CAAC,CAAC;AAEnE,MAAM,WAAW,oBAAoB;IACnC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,UAAU,CAAC,EAAE,qBAAqB,CAAC;CACpC;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAyBD,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,aAAa,CAmBrF;AAMD,qBAAa,mBAAmB;;gBAQlB,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,0BAA0B;IAO1D,aAAa,CACjB,OAAO,EAAE,oBAAoB,EAC7B,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,aAAa,CAAC;IA8CnB,WAAW,CAAC,GAAG,EAAE,kBAAkB,GAAG,OAAO,CAAC,aAAa,CAAC;IA+BlE;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;CAuB1C"}
|
|
@@ -50,7 +50,7 @@ function serializeRequest(request) {
|
|
|
50
50
|
params.set("client_assertion_type", request.clientAssertionType);
|
|
51
51
|
return params;
|
|
52
52
|
}
|
|
53
|
-
function
|
|
53
|
+
export function deserializeTokenResponse(json) {
|
|
54
54
|
const accessToken = json.access_token;
|
|
55
55
|
if (typeof accessToken !== "string" || !accessToken) {
|
|
56
56
|
throw new Error("Token exchange response missing access_token");
|
|
@@ -125,7 +125,7 @@ export class TokenExchangeClient {
|
|
|
125
125
|
throw new Error(`Token exchange failed (HTTP ${response.status})`);
|
|
126
126
|
}
|
|
127
127
|
const json = await response.json();
|
|
128
|
-
return
|
|
128
|
+
return deserializeTokenResponse(json);
|
|
129
129
|
}
|
|
130
130
|
async impersonate(req) {
|
|
131
131
|
if (!req.userIdentifier) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEhF,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,
|
|
1
|
+
{"version":3,"file":"tokenExchange.js","sourceRoot":"","sources":["../../src/tokenExchange.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AAEnE,gFAAgF;AAChF,kCAAkC;AAClC,gFAAgF;AAEhF,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,YAAY,EAAE,+CAA+C;IAC7D;;;OAGG;IACH,eAAe,EAAE,qDAAqD;CAC9D,CAAC;AAgDX,gFAAgF;AAChF,iEAAiE;AACjE,gFAAgF;AAEhF,SAAS,gBAAgB,CAAC,OAA6B;IACrD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IAErC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,IAAI,iDAAiD,CAAC,CAAC;IACjG,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,oBAAoB,EAAE,OAAO,CAAC,gBAAgB,IAAI,+CAA+C,CAAC,CAAC;IAE9G,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,KAAK;QAAE,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,OAAO,CAAC,kBAAkB;QAAE,MAAM,CAAC,GAAG,CAAC,sBAAsB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/F,IAAI,OAAO,CAAC,UAAU;QAAE,MAAM,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACtE,IAAI,OAAO,CAAC,cAAc;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACnF,IAAI,OAAO,CAAC,eAAe;QAAE,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,mBAAmB;QAAE,MAAM,CAAC,GAAG,CAAC,uBAAuB,EAAE,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAElG,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,IAA6B;IACpE,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IAEF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ;QAAE,QAA
Q,CAAC,eAAe,GAAG,IAAI,CAAC,iBAAiB,CAAC;IAClG,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,QAAQ,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF,MAAM,OAAO,mBAAmB;IAQ9B,YAAY,MAAc,EAAE,OAAoC;;QAPhE,8CAAgB;QAChB,gDAAmB;QACnB,oDAAuB;QACvB,kDAAoC;QACpC,qDAAwB;QACxB,wDAAoC;QAGlC,uBAAA,IAAI,+BAAW,MAAM,MAAA,CAAC;QACtB,uBAAA,IAAI,iCAAa,OAAO,EAAE,QAAQ,MAAA,CAAC;QACnC,uBAAA,IAAI,qCAAiB,OAAO,EAAE,YAAY,MAAA,CAAC;QAC3C,uBAAA,IAAI,mCAAe,OAAO,EAAE,UAAU,MAAA,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,OAA6B,EAC7B,OAAyB;QAEzB,MAAM,aAAa,GAAG,MAAM,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;QACrD,MAAM,IAAI,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,mCAAmC;SACpD,CAAC;QAEF,MAAM,SAAS,GAAG,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,EAAmB,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,IAAI,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC;YAC5E,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;gBACnE,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;oBACxC,MAAM,SAAS,GAAG,SAAS,CAAC,KAAK,CAAC;oBAClC,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;wBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;wBAC7B,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ;wBACtD,CAAC,CAAC,SAAS,CAAC,SAAS;wBACrB,CAAC,CAAC,SAAS,CAAC;oBACd,MAAM,IAAI,UAAU,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,UAAU;oBAAE,MAAM,CAAC,CAAC;gBACrC,4CAA4C;YAC9C,CAAC;YACD,MAAM,IAAI,KAAK,CACb,+BAA+B,QAAQ,CAAC,MAAM,GAAG,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA6B,CAAC;QAC9D,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAuB;QACvC,
IAAI,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,MAAM,YAAY,GAAG,wBAAwB,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,aAAa,CACvB;YACE,YAAY;YACZ,gBAAgB,EAAE,SAAS,CAAC,eAAe;YAC3C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,KAAK,EAAE,GAAG,CAAC,KAAK;SACjB,EACD,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CACvB,CAAC;IACJ,CAAC;IAcD;;;;OAIG;IACH,KAAK,CAAC,gBAAgB;QACpB,OAAO,uBAAA,IAAI,6EAAkB,MAAtB,IAAI,CAAoB,CAAC;IAClC,CAAC;CAqBF;kbAvCG,MAA0B;IAE1B,IAAI,uBAAA,IAAI,uCAAY,EAAE,CAAC;QACrB,OAAO,uBAAA,IAAI,uCAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,uBAAA,IAAI,qCAAU,IAAI,uBAAA,IAAI,yCAAc,EAAE,CAAC;QACzC,OAAO,EAAE,QAAQ,EAAE,uBAAA,IAAI,qCAAU,EAAE,YAAY,EAAE,uBAAA,IAAI,yCAAc,EAAE,CAAC;IACxE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC,0CAWD,KAAK;IACH,IAAI,uBAAA,IAAI,0CAAe,EAAE,CAAC;QACxB,OAAO,uBAAA,IAAI,0CAAe,CAAC;IAC7B,CAAC;IAED,oDAAoD;IACpD,IAAI,CAAC,uBAAA,IAAI,6CAAkB,EAAE,CAAC;QAC5B,uBAAA,IAAI,yCAAqB,CAAC,KAAK,IAAI,EAAE;YACnC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,uBAAA,IAAI,mCAAQ,CAAC,CAAC;YACtE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;gBAC7B,MAAM,IAAI,KAAK,CAAC,yBAAyB,uBAAA,IAAI,mCAAQ,uCAAuC,CAAC,CAAC;YAChG,CAAC;YACD,uBAAA,IAAI,sCAAkB,QAAQ,CAAC,cAAc,MAAA,CAAC;YAC9C,OAAO,uBAAA,IAAI,0CAAe,CAAC;QAC7B,CAAC,CAAC,EAAE,MAAA,CAAC;IACP,CAAC;IAED,OAAO,uBAAA,IAAI,6CAAkB,CAAC;AAChC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.14.0",
|
|
4
4
|
"description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|