@keycardai/oauth 0.4.0 → 0.5.0
- package/README.md +22 -0
- package/dist/cjs/index.d.ts +2 -0
- package/dist/cjs/index.d.ts.map +1 -1
- package/dist/cjs/index.js +3 -1
- package/dist/cjs/index.js.map +1 -1
- package/dist/cjs/registration.d.ts +75 -0
- package/dist/cjs/registration.d.ts.map +1 -0
- package/dist/cjs/registration.js +172 -0
- package/dist/cjs/registration.js.map +1 -0
- package/dist/esm/index.d.ts +2 -0
- package/dist/esm/index.d.ts.map +1 -1
- package/dist/esm/index.js +1 -0
- package/dist/esm/index.js.map +1 -1
- package/dist/esm/registration.d.ts +75 -0
- package/dist/esm/registration.d.ts.map +1 -0
- package/dist/esm/registration.js +169 -0
- package/dist/esm/registration.js.map +1 -0
- package/package.json +12 -1
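--- a/package/README.md
+++ b/package/README.md
@@ -136,6 +136,27 @@ expired token, missing scope, audience mismatch) return `null`; callers map that
 to an HTTP 401. `verifyTokenForZone(token, zoneId)` enables per-zone validation
 when the verifier is constructed with `enableMultiZone: true`.
 
+### Dynamic Client Registration (RFC 7591)
+
+```typescript
+import { registerClient } from "@keycardai/oauth/registration";
+
+const response = await registerClient("https://your-zone.keycard.cloud", {
+clientName: "My Service",
+redirectUris: ["https://app.example.com/callback"],
+grantTypes: ["client_credentials"],
+scope: "read write",
+});
+
+console.log(response.clientId, response.clientSecret);
+```
+
+`registerClient` discovers the AS's `registration_endpoint` from
+`.well-known/oauth-authorization-server`, posts the request as JSON, and
+returns the issued client credentials. Throws `OAuthError` on RFC 6749 §5.2
+error responses, a plain `Error` on missing `registration_endpoint` or
+non-OAuth HTTP failures.
+
 ## API Overview
 
 ### JWKS Key Management
@@ -162,6 +183,7 @@ when the verifier is constructed with `enableMultiZone: true`.
 | `TokenExchangeClient` | `@keycardai/oauth/tokenExchange` | RFC 8693 token exchange client with auto-discovery, plus `impersonate()` for substitute-user exchange |
 | `TokenType` | `@keycardai/oauth/tokenExchange` | URN constants: `ACCESS_TOKEN`, `SUBSTITUTE_USER` |
 | `buildSubstituteUserToken` | `@keycardai/oauth/jwt/substituteUser` | Builds the unsigned subject JWT for impersonation calls |
+| `registerClient` | `@keycardai/oauth/registration` | RFC 7591 dynamic client registration with auto-discovery |
 
 ### Server-tier Primitives
 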
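--- a/package/dist/cjs/index.d.ts
+++ b/package/dist/cjs/index.d.ts
@@ -11,6 +11,8 @@ export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
 export type { ApplicationCredential } from "./credentials.js";
+export { registerClient } from "./registration.js";
+export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
 //# sourceMappingURL=index.d.ts.map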
package/dist/cjs/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
|
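--- a/package/dist/cjs/index.js
+++ b/package/dist/cjs/index.js
@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
+exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.registerClient = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
 var keyring_js_1 = require("./keyring.js");
 Object.defineProperty(exports, "JWKSOAuthKeyring", { enumerable: true, get: function () { return keyring_js_1.JWKSOAuthKeyring; } });
 var base64url_js_1 = require("./base64url.js");
@@ -28,6 +28,8 @@ Object.defineProperty(exports, "buildSubstituteUserToken", { enumerable: true, g
 var tokenExchange_js_1 = require("./tokenExchange.js");
 Object.defineProperty(exports, "TokenExchangeClient", { enumerable: true, get: function () { return tokenExchange_js_1.TokenExchangeClient; } });
 Object.defineProperty(exports, "TokenType", { enumerable: true, get: function () { return tokenExchange_js_1.TokenType; } });
+var registration_js_1 = require("./registration.js");
+Object.defineProperty(exports, "registerClient", { enumerable: true, get: function () { return registration_js_1.registerClient; } });
 var index_js_1 = require("./server/index.js");
 Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return index_js_1.AccessContext; } });
 Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return index_js_1.TokenVerifier; } });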
package/dist/cjs/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCASqB;AARnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAEhC,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AASvC,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCASqB;AARnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAEhC,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AASvC,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AAMvB,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA"}
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* RFC 7591 Dynamic Client Registration request metadata.
|
|
3
|
+
* Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-2
|
|
4
|
+
*/
|
|
5
|
+
export interface ClientRegistrationRequest {
|
|
6
|
+
clientName?: string;
|
|
7
|
+
clientUri?: string;
|
|
8
|
+
logoUri?: string;
|
|
9
|
+
tosUri?: string;
|
|
10
|
+
policyUri?: string;
|
|
11
|
+
softwareId?: string;
|
|
12
|
+
softwareVersion?: string;
|
|
13
|
+
jwksUri?: string;
|
|
14
|
+
jwks?: Record<string, unknown>;
|
|
15
|
+
tokenEndpointAuthMethod?: string;
|
|
16
|
+
redirectUris?: readonly string[];
|
|
17
|
+
grantTypes?: readonly string[];
|
|
18
|
+
responseTypes?: readonly string[];
|
|
19
|
+
scope?: string;
|
|
20
|
+
/**
|
|
21
|
+
* Vendor-extension or AS-specific fields not covered by the typed shape.
|
|
22
|
+
* Merged into the request body verbatim (snake_case keys preserved).
|
|
23
|
+
*/
|
|
24
|
+
additionalMetadata?: Record<string, unknown>;
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* RFC 7591 Dynamic Client Registration response.
|
|
28
|
+
* Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
|
|
29
|
+
*/
|
|
30
|
+
export interface ClientRegistrationResponse {
|
|
31
|
+
clientId: string;
|
|
32
|
+
clientSecret?: string;
|
|
33
|
+
clientIdIssuedAt?: number;
|
|
34
|
+
clientSecretExpiresAt?: number;
|
|
35
|
+
clientName?: string;
|
|
36
|
+
clientUri?: string;
|
|
37
|
+
logoUri?: string;
|
|
38
|
+
tosUri?: string;
|
|
39
|
+
policyUri?: string;
|
|
40
|
+
softwareId?: string;
|
|
41
|
+
softwareVersion?: string;
|
|
42
|
+
jwksUri?: string;
|
|
43
|
+
jwks?: Record<string, unknown>;
|
|
44
|
+
tokenEndpointAuthMethod?: string;
|
|
45
|
+
redirectUris?: string[];
|
|
46
|
+
grantTypes?: string[];
|
|
47
|
+
responseTypes?: string[];
|
|
48
|
+
scope?: string[];
|
|
49
|
+
registrationAccessToken?: string;
|
|
50
|
+
registrationClientUri?: string;
|
|
51
|
+
/**
|
|
52
|
+
* The full unparsed response body. Useful for AS-specific extensions
|
|
53
|
+
* not captured by the typed fields above.
|
|
54
|
+
*/
|
|
55
|
+
raw: Record<string, unknown>;
|
|
56
|
+
}
|
|
57
|
+
export interface RegisterClientOptions {
|
|
58
|
+
signal?: AbortSignal;
|
|
59
|
+
/** Request timeout in milliseconds. Ignored if `signal` is already provided. */
|
|
60
|
+
timeoutMs?: number;
|
|
61
|
+
}
|
|
62
|
+
/**
|
|
63
|
+
* Register a new OAuth 2.0 client with an authorization server (RFC 7591).
|
|
64
|
+
*
|
|
65
|
+
* Discovers `registration_endpoint` from the AS's
|
|
66
|
+
* `.well-known/oauth-authorization-server` metadata, POSTs the registration
|
|
67
|
+
* request as JSON, and returns the issued client credentials.
|
|
68
|
+
*
|
|
69
|
+
* Throws:
|
|
70
|
+
* - `Error` when the AS does not advertise `registration_endpoint`.
|
|
71
|
+
* - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
|
|
72
|
+
* - `Error` on non-OAuth HTTP failures or malformed responses.
|
|
73
|
+
*/
|
|
74
|
+
export declare function registerClient(issuerUrl: string, request: ClientRegistrationRequest, options?: RegisterClientOptions): Promise<ClientRegistrationResponse>;
|
|
75
|
+
//# sourceMappingURL=registration.d.ts.map
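Review bot: The doc comment on `raw` in `ClientRegistrationResponse` does not say that the unparsed body carries the same secrets as the typed fields; `deserializeResponse` in registration.js stores the whole response object there, so `client_secret` and `registration_access_token` are present in `raw` whenever the server issues them. A caller who redacts `clientSecret` before logging or persisting the result can still leak it through `raw`. I would extend the comment with a line such as `* Includes client_secret and registration_access_token when issued; redact before logging or storing.` The asymmetry of `scope` (a space-delimited `string` in the request, a `string[]` in the response) also deserves a one-line comment on each field.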
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,yBAAyB,EAClC,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,0BAA0B,CAAC,CAyDrC"}
|
|
@@ -0,0 +1,172 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.registerClient = registerClient;
|
|
4
|
+
const discovery_js_1 = require("./discovery.js");
|
|
5
|
+
const errors_js_1 = require("./errors.js");
|
|
6
|
+
/**
|
|
7
|
+
* Register a new OAuth 2.0 client with an authorization server (RFC 7591).
|
|
8
|
+
*
|
|
9
|
+
* Discovers `registration_endpoint` from the AS's
|
|
10
|
+
* `.well-known/oauth-authorization-server` metadata, POSTs the registration
|
|
11
|
+
* request as JSON, and returns the issued client credentials.
|
|
12
|
+
*
|
|
13
|
+
* Throws:
|
|
14
|
+
* - `Error` when the AS does not advertise `registration_endpoint`.
|
|
15
|
+
* - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
|
|
16
|
+
* - `Error` on non-OAuth HTTP failures or malformed responses.
|
|
17
|
+
*/
|
|
18
|
+
async function registerClient(issuerUrl, request, options) {
|
|
19
|
+
const signal = options?.signal ??
|
|
20
|
+
(options?.timeoutMs != null ? AbortSignal.timeout(options.timeoutMs) : undefined);
|
|
21
|
+
const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuerUrl, { signal });
|
|
22
|
+
if (!metadata.registration_endpoint) {
|
|
23
|
+
throw new Error(`Authorization server "${issuerUrl}" does not advertise a registration_endpoint`);
|
|
24
|
+
}
|
|
25
|
+
const response = await fetch(metadata.registration_endpoint, {
|
|
26
|
+
method: "POST",
|
|
27
|
+
headers: {
|
|
28
|
+
"Content-Type": "application/json",
|
|
29
|
+
Accept: "application/json",
|
|
30
|
+
},
|
|
31
|
+
body: JSON.stringify(serializeRequest(request)),
|
|
32
|
+
signal,
|
|
33
|
+
});
|
|
34
|
+
if (!response.ok) {
|
|
35
|
+
let errorBody = null;
|
|
36
|
+
try {
|
|
37
|
+
const json = await response.json();
|
|
38
|
+
if (json && typeof json === "object" && !Array.isArray(json)) {
|
|
39
|
+
errorBody = json;
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
catch {
|
|
43
|
+
// non-JSON error body — fall through to generic error
|
|
44
|
+
}
|
|
45
|
+
if (errorBody && typeof errorBody.error === "string") {
|
|
46
|
+
const description = typeof errorBody.error_description === "string"
|
|
47
|
+
? errorBody.error_description
|
|
48
|
+
: errorBody.error;
|
|
49
|
+
const errorUri = typeof errorBody.error_uri === "string" ? errorBody.error_uri : undefined;
|
|
50
|
+
throw new errors_js_1.OAuthError(errorBody.error, description, errorUri);
|
|
51
|
+
}
|
|
52
|
+
throw new Error(`Client registration failed (HTTP ${response.status})`);
|
|
53
|
+
}
|
|
54
|
+
let json;
|
|
55
|
+
try {
|
|
56
|
+
json = await response.json();
|
|
57
|
+
}
|
|
58
|
+
catch {
|
|
59
|
+
throw new Error("Client registration response is not valid JSON");
|
|
60
|
+
}
|
|
61
|
+
if (!json || typeof json !== "object" || Array.isArray(json)) {
|
|
62
|
+
throw new Error("Client registration response is not a valid JSON object");
|
|
63
|
+
}
|
|
64
|
+
const body = json;
|
|
65
|
+
if (typeof body.client_id !== "string") {
|
|
66
|
+
throw new Error("Client registration response missing client_id");
|
|
67
|
+
}
|
|
68
|
+
return deserializeResponse(body);
|
|
69
|
+
}
|
|
70
|
+
function serializeRequest(request) {
|
|
71
|
+
// additionalMetadata goes in first so named fields always take precedence
|
|
72
|
+
// over vendor extensions — callers cannot accidentally override client_name etc.
|
|
73
|
+
const body = {};
|
|
74
|
+
if (request.additionalMetadata) {
|
|
75
|
+
for (const [key, value] of Object.entries(request.additionalMetadata)) {
|
|
76
|
+
body[key] = value;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
if (request.clientName !== undefined)
|
|
80
|
+
body.client_name = request.clientName;
|
|
81
|
+
if (request.clientUri !== undefined)
|
|
82
|
+
body.client_uri = request.clientUri;
|
|
83
|
+
if (request.logoUri !== undefined)
|
|
84
|
+
body.logo_uri = request.logoUri;
|
|
85
|
+
if (request.tosUri !== undefined)
|
|
86
|
+
body.tos_uri = request.tosUri;
|
|
87
|
+
if (request.policyUri !== undefined)
|
|
88
|
+
body.policy_uri = request.policyUri;
|
|
89
|
+
if (request.softwareId !== undefined)
|
|
90
|
+
body.software_id = request.softwareId;
|
|
91
|
+
if (request.softwareVersion !== undefined)
|
|
92
|
+
body.software_version = request.softwareVersion;
|
|
93
|
+
if (request.jwksUri !== undefined)
|
|
94
|
+
body.jwks_uri = request.jwksUri;
|
|
95
|
+
if (request.jwks !== undefined)
|
|
96
|
+
body.jwks = request.jwks;
|
|
97
|
+
if (request.tokenEndpointAuthMethod !== undefined) {
|
|
98
|
+
body.token_endpoint_auth_method = request.tokenEndpointAuthMethod;
|
|
99
|
+
}
|
|
100
|
+
if (request.redirectUris !== undefined)
|
|
101
|
+
body.redirect_uris = [...request.redirectUris];
|
|
102
|
+
if (request.grantTypes !== undefined)
|
|
103
|
+
body.grant_types = [...request.grantTypes];
|
|
104
|
+
if (request.responseTypes !== undefined)
|
|
105
|
+
body.response_types = [...request.responseTypes];
|
|
106
|
+
if (request.scope !== undefined)
|
|
107
|
+
body.scope = request.scope;
|
|
108
|
+
return body;
|
|
109
|
+
}
|
|
110
|
+
function deserializeResponse(body) {
|
|
111
|
+
const response = {
|
|
112
|
+
clientId: body.client_id,
|
|
113
|
+
raw: body,
|
|
114
|
+
};
|
|
115
|
+
if (typeof body.client_secret === "string")
|
|
116
|
+
response.clientSecret = body.client_secret;
|
|
117
|
+
if (typeof body.client_id_issued_at === "number")
|
|
118
|
+
response.clientIdIssuedAt = body.client_id_issued_at;
|
|
119
|
+
if (typeof body.client_secret_expires_at === "number") {
|
|
120
|
+
response.clientSecretExpiresAt = body.client_secret_expires_at;
|
|
121
|
+
}
|
|
122
|
+
if (typeof body.client_name === "string")
|
|
123
|
+
response.clientName = body.client_name;
|
|
124
|
+
if (typeof body.client_uri === "string")
|
|
125
|
+
response.clientUri = body.client_uri;
|
|
126
|
+
if (typeof body.logo_uri === "string")
|
|
127
|
+
response.logoUri = body.logo_uri;
|
|
128
|
+
if (typeof body.tos_uri === "string")
|
|
129
|
+
response.tosUri = body.tos_uri;
|
|
130
|
+
if (typeof body.policy_uri === "string")
|
|
131
|
+
response.policyUri = body.policy_uri;
|
|
132
|
+
if (typeof body.software_id === "string")
|
|
133
|
+
response.softwareId = body.software_id;
|
|
134
|
+
if (typeof body.software_version === "string")
|
|
135
|
+
response.softwareVersion = body.software_version;
|
|
136
|
+
if (typeof body.jwks_uri === "string")
|
|
137
|
+
response.jwksUri = body.jwks_uri;
|
|
138
|
+
if (body.jwks && typeof body.jwks === "object") {
|
|
139
|
+
response.jwks = body.jwks;
|
|
140
|
+
}
|
|
141
|
+
if (typeof body.token_endpoint_auth_method === "string") {
|
|
142
|
+
response.tokenEndpointAuthMethod = body.token_endpoint_auth_method;
|
|
143
|
+
}
|
|
144
|
+
response.redirectUris = normalizeStringArray(body.redirect_uris);
|
|
145
|
+
response.grantTypes = normalizeStringArray(body.grant_types);
|
|
146
|
+
response.responseTypes = normalizeStringArray(body.response_types);
|
|
147
|
+
response.scope = normalizeScope(body.scope);
|
|
148
|
+
if (typeof body.registration_access_token === "string") {
|
|
149
|
+
response.registrationAccessToken = body.registration_access_token;
|
|
150
|
+
}
|
|
151
|
+
if (typeof body.registration_client_uri === "string") {
|
|
152
|
+
response.registrationClientUri = body.registration_client_uri;
|
|
153
|
+
}
|
|
154
|
+
return response;
|
|
155
|
+
}
|
|
156
|
+
function normalizeStringArray(value) {
|
|
157
|
+
if (typeof value === "string")
|
|
158
|
+
return [value];
|
|
159
|
+
if (Array.isArray(value)) {
|
|
160
|
+
const out = value.filter((v) => typeof v === "string");
|
|
161
|
+
return out.length > 0 ? out : undefined;
|
|
162
|
+
}
|
|
163
|
+
return undefined;
|
|
164
|
+
}
|
|
165
|
+
function normalizeScope(value) {
|
|
166
|
+
if (typeof value === "string") {
|
|
167
|
+
const parts = value.split(" ").filter(Boolean);
|
|
168
|
+
return parts.length > 0 ? parts : undefined;
|
|
169
|
+
}
|
|
170
|
+
return normalizeStringArray(value);
|
|
171
|
+
}
|
|
172
|
+
//# sourceMappingURL=registration.js.map
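Review bot: `registerClient` POSTs to `metadata.registration_endpoint` exactly as the discovery document supplies it, with no check on its scheme or on its relation to `issuerUrl`, and the response to that POST carries the new `client_secret` and `registration_access_token`. Whether `fetchAuthorizationServerMetadata` validates the metadata is not visible here, so unless it does, a tampered or misconfigured document decides which host issues the credentials; a guard before the `fetch`, e.g. `if (new URL(metadata.registration_endpoint).protocol !== "https:") throw new Error("registration_endpoint must use https");` (with an explicit opt-out for local testing), plus `redirect: "error"` in the fetch options, would close that. When neither `signal` nor `timeoutMs` is passed, `signal` is `undefined` and both requests run without a timeout. The comment in `serializeRequest` overstates its guarantee: `additionalMetadata` can still set `client_name`, `redirect_uris` and similar keys whenever the corresponding typed field is left undefined. The ESM build (package/dist/esm/registration.js in the file list) is outside this view and presumably shares the same code.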
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":";;AA+EA,wCA6DC;AA5ID,iDAAkE;AAClE,2CAAyC;AAkEzC;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,OAAkC,EAClC,OAA+B;IAE/B,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM;QAC5B,CAAC,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEpF,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,8CAA8C,CACjF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,qBAAqB,EAAE;QAC3D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM;KACP,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,sBAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CA
AC;IACpE,CAAC;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAkC;IAC1D,0EAA0E;IAC1E,iFAAiF;IACjF,MAAM,IAAI,GAA4B,EAAE,CAAC;IACzC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAChE,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,eAAe,KAAK,SAAS;QAAE,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAC3F,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACzD,IAAI,OAAO,CAAC,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAClD,IAAI,CAAC,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACvF,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACjF,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1F,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;QAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,QAAQ,GAA+B;QAC3C,QAAQ,EAAE,IAAI,CAAC,SAAmB;QAClC,GAAG,EAAE,IAAI;KACV,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,mBAAmB,KAAK,QAAQ;QAAE,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC;IACvG,IAAI,OAAO,IAAI,CAAC,wBAAwB,KAAK,QAAQ,EAAE,CAAC;QACtD,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,wBAAwB,CAAC;IACjE,CAAC;IACD,IAAI,OA
AO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;IACrE,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,gBAAgB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAChG,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,IAA+B,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,0BAA0B,KAAK,QAAQ,EAAE,CAAC;QACxD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,0BAA0B,CAAC;IACrE,CAAC;IACD,QAAQ,CAAC,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7D,QAAQ,CAAC,aAAa,GAAG,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACnE,QAAQ,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,OAAO,IAAI,CAAC,yBAAyB,KAAK,QAAQ,EAAE,CAAC;QACvD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,yBAAyB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,uBAAuB,KAAK,QAAQ,EAAE,CAAC;QACrD,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,uBAAuB,CAAC;IAChE,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;QACpE,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,C
AAC,SAAS,CAAC;IAC9C,CAAC;IACD,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC"}
|
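--- a/package/dist/esm/index.d.ts
+++ b/package/dist/esm/index.d.ts
@@ -11,6 +11,8 @@ export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
 export type { ApplicationCredential } from "./credentials.js";
+export { registerClient } from "./registration.js";
+export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
 //# sourceMappingURL=index.d.ts.map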
package/dist/esm/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
|
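--- a/package/dist/esm/index.js
+++ b/package/dist/esm/index.js
@@ -6,5 +6,6 @@ export { JWTSigner } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
 export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export { registerClient } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 //# sourceMappingURL=index.js.map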
package/dist/esm/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAMnD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
|
|
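--- a/package/dist/esm/registration.d.ts
+++ b/package/dist/esm/registration.d.ts
@@ -0,0 +1,75 @@
+/**
+* RFC 7591 Dynamic Client Registration request metadata.
+* Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-2
+*/
+export interface ClientRegistrationRequest {
+clientName?: string;
+clientUri?: string;
+logoUri?: string;
+tosUri?: string;
+policyUri?: string;
+softwareId?: string;
+softwareVersion?: string;
+jwksUri?: string;
+jwks?: Record<string, unknown>;
+tokenEndpointAuthMethod?: string;
+redirectUris?: readonly string[];
+grantTypes?: readonly string[];
+responseTypes?: readonly string[];
+scope?: string;
+/**
+* Vendor-extension or AS-specific fields not covered by the typed shape.
+* Merged into the request body verbatim (snake_case keys preserved).
+*/
+additionalMetadata?: Record<string, unknown>;
+}
+/**
+* RFC 7591 Dynamic Client Registration response.
+* Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
+*/
+export interface ClientRegistrationResponse {
+clientId: string;
+clientSecret?: string;
+clientIdIssuedAt?: number;
+clientSecretExpiresAt?: number;
+clientName?: string;
+clientUri?: string;
+logoUri?: string;
+tosUri?: string;
+policyUri?: string;
+softwareId?: string;
+softwareVersion?: string;
+jwksUri?: string;
+jwks?: Record<string, unknown>;
+tokenEndpointAuthMethod?: string;
+redirectUris?: string[];
+grantTypes?: string[];
+responseTypes?: string[];
+scope?: string[];
+registrationAccessToken?: string;
+registrationClientUri?: string;
+/**
+* The full unparsed response body. Useful for AS-specific extensions
+* not captured by the typed fields above.
+*/
+raw: Record<string, unknown>;
+}
+export interface RegisterClientOptions {
+signal?: AbortSignal;
+/** Request timeout in milliseconds. Ignored if `signal` is already provided. */
+timeoutMs?: number;
+}
+/**
+* Register a new OAuth 2.0 client with an authorization server (RFC 7591).
+*
+* Discovers `registration_endpoint` from the AS's
+* `.well-known/oauth-authorization-server` metadata, POSTs the registration
+* request as JSON, and returns the issued client credentials.
+*
+* Throws:
+* - `Error` when the AS does not advertise `registration_endpoint`.
+* - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
+* - `Error` on non-OAuth HTTP failures or malformed responses.
+*/
+export declare function registerClient(issuerUrl: string, request: ClientRegistrationRequest, options?: RegisterClientOptions): Promise<ClientRegistrationResponse>;
+//# sourceMappingURL=registration.d.ts.map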
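Review bot: The doc comment on `raw` in `ClientRegistrationResponse` describes it only as the full unparsed response body, but that body is where `clientSecret` and `registrationAccessToken` come from, so `raw` holds the same credentials under their wire names. I would extend the comment with `Contains client_secret and registration_access_token when the AS issues them; redact before logging or persisting.` It is also worth a line on `scope`, which is a space-delimited `string` in `ClientRegistrationRequest` but a `string[]` in the response.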
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,yBAAyB,EAClC,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,0BAA0B,CAAC,CAyDrC"}
|
|
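--- a/package/dist/esm/registration.js
+++ b/package/dist/esm/registration.js
@@ -0,0 +1,169 @@
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+import { OAuthError } from "./errors.js";
+/**
+* Register a new OAuth 2.0 client with an authorization server (RFC 7591).
+*
+* Discovers `registration_endpoint` from the AS's
+* `.well-known/oauth-authorization-server` metadata, POSTs the registration
+* request as JSON, and returns the issued client credentials.
+*
+* Throws:
+* - `Error` when the AS does not advertise `registration_endpoint`.
+* - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
+* - `Error` on non-OAuth HTTP failures or malformed responses.
+*/
+export async function registerClient(issuerUrl, request, options) {
+const signal = options?.signal ??
+(options?.timeoutMs != null ? AbortSignal.timeout(options.timeoutMs) : undefined);
+const metadata = await fetchAuthorizationServerMetadata(issuerUrl, { signal });
+if (!metadata.registration_endpoint) {
+throw new Error(`Authorization server "${issuerUrl}" does not advertise a registration_endpoint`);
+}
+const response = await fetch(metadata.registration_endpoint, {
+method: "POST",
+headers: {
+"Content-Type": "application/json",
+Accept: "application/json",
+},
+body: JSON.stringify(serializeRequest(request)),
+signal,
+});
+if (!response.ok) {
+let errorBody = null;
+try {
+const json = await response.json();
+if (json && typeof json === "object" && !Array.isArray(json)) {
+errorBody = json;
+}
+}
+catch {
+// non-JSON error body — fall through to generic error
+}
+if (errorBody && typeof errorBody.error === "string") {
+const description = typeof errorBody.error_description === "string"
+? errorBody.error_description
+: errorBody.error;
+const errorUri = typeof errorBody.error_uri === "string" ? errorBody.error_uri : undefined;
+throw new OAuthError(errorBody.error, description, errorUri);
+}
+throw new Error(`Client registration failed (HTTP ${response.status})`);
+}
+let json;
+try {
+json = await response.json();
+}
+catch {
+throw new Error("Client registration response is not valid JSON");
+}
+if (!json || typeof json !== "object" || Array.isArray(json)) {
+throw new Error("Client registration response is not a valid JSON object");
+}
+const body = json;
+if (typeof body.client_id !== "string") {
+throw new Error("Client registration response missing client_id");
+}
+return deserializeResponse(body);
+}
+function serializeRequest(request) {
+// additionalMetadata goes in first so named fields always take precedence
+// over vendor extensions — callers cannot accidentally override client_name etc.
+const body = {};
+if (request.additionalMetadata) {
+for (const [key, value] of Object.entries(request.additionalMetadata)) {
+body[key] = value;
+}
+}
+if (request.clientName !== undefined)
+body.client_name = request.clientName;
+if (request.clientUri !== undefined)
+body.client_uri = request.clientUri;
+if (request.logoUri !== undefined)
+body.logo_uri = request.logoUri;
+if (request.tosUri !== undefined)
+body.tos_uri = request.tosUri;
+if (request.policyUri !== undefined)
+body.policy_uri = request.policyUri;
+if (request.softwareId !== undefined)
+body.software_id = request.softwareId;
+if (request.softwareVersion !== undefined)
+body.software_version = request.softwareVersion;
+if (request.jwksUri !== undefined)
+body.jwks_uri = request.jwksUri;
+if (request.jwks !== undefined)
+body.jwks = request.jwks;
+if (request.tokenEndpointAuthMethod !== undefined) {
+body.token_endpoint_auth_method = request.tokenEndpointAuthMethod;
+}
+if (request.redirectUris !== undefined)
+body.redirect_uris = [...request.redirectUris];
+if (request.grantTypes !== undefined)
+body.grant_types = [...request.grantTypes];
+if (request.responseTypes !== undefined)
+body.response_types = [...request.responseTypes];
+if (request.scope !== undefined)
+body.scope = request.scope;
+return body;
+}
+function deserializeResponse(body) {
+const response = {
+clientId: body.client_id,
+raw: body,
+};
+if (typeof body.client_secret === "string")
+response.clientSecret = body.client_secret;
+if (typeof body.client_id_issued_at === "number")
+response.clientIdIssuedAt = body.client_id_issued_at;
+if (typeof body.client_secret_expires_at === "number") {
+response.clientSecretExpiresAt = body.client_secret_expires_at;
+}
+if (typeof body.client_name === "string")
+response.clientName = body.client_name;
+if (typeof body.client_uri === "string")
+response.clientUri = body.client_uri;
+if (typeof body.logo_uri === "string")
+response.logoUri = body.logo_uri;
+if (typeof body.tos_uri === "string")
+response.tosUri = body.tos_uri;
+if (typeof body.policy_uri === "string")
+response.policyUri = body.policy_uri;
+if (typeof body.software_id === "string")
+response.softwareId = body.software_id;
+if (typeof body.software_version === "string")
+response.softwareVersion = body.software_version;
+if (typeof body.jwks_uri === "string")
+response.jwksUri = body.jwks_uri;
+if (body.jwks && typeof body.jwks === "object") {
+response.jwks = body.jwks;
+}
+if (typeof body.token_endpoint_auth_method === "string") {
+response.tokenEndpointAuthMethod = body.token_endpoint_auth_method;
+}
+response.redirectUris = normalizeStringArray(body.redirect_uris);
+response.grantTypes = normalizeStringArray(body.grant_types);
+response.responseTypes = normalizeStringArray(body.response_types);
+response.scope = normalizeScope(body.scope);
+if (typeof body.registration_access_token === "string") {
+response.registrationAccessToken = body.registration_access_token;
+}
+if (typeof body.registration_client_uri === "string") {
+response.registrationClientUri = body.registration_client_uri;
+}
+return response;
+}
+function normalizeStringArray(value) {
+if (typeof value === "string")
+return [value];
+if (Array.isArray(value)) {
+const out = value.filter((v) => typeof v === "string");
+return out.length > 0 ? out : undefined;
+}
+return undefined;
+}
+function normalizeScope(value) {
+if (typeof value === "string") {
+const parts = value.split(" ").filter(Boolean);
+return parts.length > 0 ? parts : undefined;
+}
+return normalizeStringArray(value);
+}
+//# sourceMappingURL=registration.js.map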
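Review bot: `registerClient` POSTs to `metadata.registration_endpoint` exactly as the discovery document supplies it, with no check on its scheme, yet the response parsed by `deserializeResponse` carries `client_secret` and `registration_access_token`. Whether `fetchAuthorizationServerMetadata` already validates the document is not visible in this file, so I would guard locally before the `fetch`: `const endpoint = new URL(metadata.registration_endpoint);` then `if (endpoint.protocol !== "https:") throw new Error("registration_endpoint must use https");`. Passing `redirect: "error"` in the `fetch` options would also keep the request and the issued credentials on the endpoint that was checked. Separately, when neither `signal` nor `timeoutMs` is given, `signal` is `undefined` and both network calls can wait indefinitely; a default timeout would bound that.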
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAkEzC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,OAAkC,EAClC,OAA+B;IAE/B,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM;QAC5B,CAAC,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEpF,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,8CAA8C,CACjF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,qBAAqB,EAAE;QAC3D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM;KACP,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EA
AE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAkC;IAC1D,0EAA0E;IAC1E,iFAAiF;IACjF,MAAM,IAAI,GAA4B,EAAE,CAAC;IACzC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAChE,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,eAAe,KAAK,SAAS;QAAE,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAC3F,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACzD,IAAI,OAAO,CAAC,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAClD,IAAI,CAAC,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACvF,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACjF,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1F,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;QAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,QAAQ,GAA+B;QAC3C,QAAQ,EAAE,IAAI,CAAC,SAAmB;QAClC,GAAG,EAAE,IAAI;KACV,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,mBAAmB,KAAK,QAAQ;QAAE,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC;IACvG,IAAI,OAAO,IAAI,CAAC,wBAAwB,KAAK,QAAQ,EAAE,CAAC;QACtD,QAAQ,CAAC,qBAAqB,GA
AG,IAAI,CAAC,wBAAwB,CAAC;IACjE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;IACrE,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,gBAAgB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAChG,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,IAA+B,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,0BAA0B,KAAK,QAAQ,EAAE,CAAC;QACxD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,0BAA0B,CAAC;IACrE,CAAC;IACD,QAAQ,CAAC,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7D,QAAQ,CAAC,aAAa,GAAG,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACnE,QAAQ,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,OAAO,IAAI,CAAC,yBAAyB,KAAK,QAAQ,EAAE,CAAC;QACvD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,yBAAyB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,uBAAuB,KAAK,QAAQ,EAAE,CAAC;QACrD,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,uBAAuB,CAAC;IAChE,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;QACpE,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,OAAO,KAAK,CAA
C,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9C,CAAC;IACD,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@keycardai/oauth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.5.0",
|
|
4
4
|
"description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -60,6 +60,11 @@
|
|
|
60
60
|
"require": "./dist/cjs/jwt/substituteUser.js",
|
|
61
61
|
"types": "./dist/esm/jwt/substituteUser.d.ts"
|
|
62
62
|
},
|
|
63
|
+
"./registration": {
|
|
64
|
+
"import": "./dist/esm/registration.js",
|
|
65
|
+
"require": "./dist/cjs/registration.js",
|
|
66
|
+
"types": "./dist/esm/registration.d.ts"
|
|
67
|
+
},
|
|
63
68
|
"./server": {
|
|
64
69
|
"import": "./dist/esm/server/index.js",
|
|
65
70
|
"require": "./dist/cjs/server/index.js",
|
|
@@ -91,6 +96,12 @@
|
|
|
91
96
|
],
|
|
92
97
|
"typesVersions": {
|
|
93
98
|
"*": {
|
|
99
|
+
"server": [
|
|
100
|
+
"./dist/esm/server/index.d.ts"
|
|
101
|
+
],
|
|
102
|
+
"server/*": [
|
|
103
|
+
"./dist/esm/server/*.d.ts"
|
|
104
|
+
],
|
|
94
105
|
"*": [
|
|
95
106
|
"./dist/esm/*"
|
|
96
107
|
]
|