npm - @keycardai/oauth - Versions diffs - 0.4.1 → 0.6.0 - Mend

@keycardai/oauth 0.4.1 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/README.md +67 -0
package/dist/cjs/index.d.ts +2 -0
package/dist/cjs/index.d.ts.map +1 -1
package/dist/cjs/index.js +3 -1
package/dist/cjs/index.js.map +1 -1
package/dist/cjs/pkce.d.ts +64 -0
package/dist/cjs/pkce.d.ts.map +1 -0
package/dist/cjs/pkce.js +249 -0
package/dist/cjs/pkce.js.map +1 -0
package/dist/cjs/registration.d.ts +75 -0
package/dist/cjs/registration.d.ts.map +1 -0
package/dist/cjs/registration.js +172 -0
package/dist/cjs/registration.js.map +1 -0
package/dist/esm/index.d.ts +2 -0
package/dist/esm/index.d.ts.map +1 -1
package/dist/esm/index.js +1 -0
package/dist/esm/index.js.map +1 -1
package/dist/esm/pkce.d.ts +64 -0
package/dist/esm/pkce.d.ts.map +1 -0
package/dist/esm/pkce.js +206 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/registration.d.ts +75 -0
package/dist/esm/registration.d.ts.map +1 -0
package/dist/esm/registration.js +169 -0
package/dist/esm/registration.js.map +1 -0
package/package.json +12 -1

package/dist/cjs/registration.js ADDED Viewed

@@ -0,0 +1,172 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerClient = registerClient;
+const discovery_js_1 = require("./discovery.js");
+const errors_js_1 = require("./errors.js");
+/**
+ * Register a new OAuth 2.0 client with an authorization server (RFC 7591).
+ *
+ * Discovers `registration_endpoint` from the AS's
+ * `.well-known/oauth-authorization-server` metadata, POSTs the registration
+ * request as JSON, and returns the issued client credentials.
+ *
+ * Throws:
+ * - `Error` when the AS does not advertise `registration_endpoint`.
+ * - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
+ * - `Error` on non-OAuth HTTP failures or malformed responses.
+ */
+async function registerClient(issuerUrl, request, options) {
+    const signal = options?.signal ??
+        (options?.timeoutMs != null ? AbortSignal.timeout(options.timeoutMs) : undefined);
+    const metadata = await (0, discovery_js_1.fetchAuthorizationServerMetadata)(issuerUrl, { signal });
+    if (!metadata.registration_endpoint) {
+        throw new Error(`Authorization server "${issuerUrl}" does not advertise a registration_endpoint`);
+    }
+    const response = await fetch(metadata.registration_endpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+        },
+        body: JSON.stringify(serializeRequest(request)),
+        signal,
+    });
+    if (!response.ok) {
+        let errorBody = null;
+        try {
+            const json = await response.json();
+            if (json && typeof json === "object" && !Array.isArray(json)) {
+                errorBody = json;
+            }
+        }
+        catch {
+            // non-JSON error body — fall through to generic error
+        }
+        if (errorBody && typeof errorBody.error === "string") {
+            const description = typeof errorBody.error_description === "string"
+                ? errorBody.error_description
+                : errorBody.error;
+            const errorUri = typeof errorBody.error_uri === "string" ? errorBody.error_uri : undefined;
+            throw new errors_js_1.OAuthError(errorBody.error, description, errorUri);
+        }
+        throw new Error(`Client registration failed (HTTP ${response.status})`);
+    }
+    let json;
+    try {
+        json = await response.json();
+    }
+    catch {
+        throw new Error("Client registration response is not valid JSON");
+    }
+    if (!json || typeof json !== "object" || Array.isArray(json)) {
+        throw new Error("Client registration response is not a valid JSON object");
+    }
+    const body = json;
+    if (typeof body.client_id !== "string") {
+        throw new Error("Client registration response missing client_id");
+    }
+    return deserializeResponse(body);
+}
+function serializeRequest(request) {
+    // additionalMetadata goes in first so named fields always take precedence
+    // over vendor extensions — callers cannot accidentally override client_name etc.
+    const body = {};
+    if (request.additionalMetadata) {
+        for (const [key, value] of Object.entries(request.additionalMetadata)) {
+            body[key] = value;
+        }
+    }
+    if (request.clientName !== undefined)
+        body.client_name = request.clientName;
+    if (request.clientUri !== undefined)
+        body.client_uri = request.clientUri;
+    if (request.logoUri !== undefined)
+        body.logo_uri = request.logoUri;
+    if (request.tosUri !== undefined)
+        body.tos_uri = request.tosUri;
+    if (request.policyUri !== undefined)
+        body.policy_uri = request.policyUri;
+    if (request.softwareId !== undefined)
+        body.software_id = request.softwareId;
+    if (request.softwareVersion !== undefined)
+        body.software_version = request.softwareVersion;
+    if (request.jwksUri !== undefined)
+        body.jwks_uri = request.jwksUri;
+    if (request.jwks !== undefined)
+        body.jwks = request.jwks;
+    if (request.tokenEndpointAuthMethod !== undefined) {
+        body.token_endpoint_auth_method = request.tokenEndpointAuthMethod;
+    }
+    if (request.redirectUris !== undefined)
+        body.redirect_uris = [...request.redirectUris];
+    if (request.grantTypes !== undefined)
+        body.grant_types = [...request.grantTypes];
+    if (request.responseTypes !== undefined)
+        body.response_types = [...request.responseTypes];
+    if (request.scope !== undefined)
+        body.scope = request.scope;
+    return body;
+}
+function deserializeResponse(body) {
+    const response = {
+        clientId: body.client_id,
+        raw: body,
+    };
+    if (typeof body.client_secret === "string")
+        response.clientSecret = body.client_secret;
+    if (typeof body.client_id_issued_at === "number")
+        response.clientIdIssuedAt = body.client_id_issued_at;
+    if (typeof body.client_secret_expires_at === "number") {
+        response.clientSecretExpiresAt = body.client_secret_expires_at;
+    }
+    if (typeof body.client_name === "string")
+        response.clientName = body.client_name;
+    if (typeof body.client_uri === "string")
+        response.clientUri = body.client_uri;
+    if (typeof body.logo_uri === "string")
+        response.logoUri = body.logo_uri;
+    if (typeof body.tos_uri === "string")
+        response.tosUri = body.tos_uri;
+    if (typeof body.policy_uri === "string")
+        response.policyUri = body.policy_uri;
+    if (typeof body.software_id === "string")
+        response.softwareId = body.software_id;
+    if (typeof body.software_version === "string")
+        response.softwareVersion = body.software_version;
+    if (typeof body.jwks_uri === "string")
+        response.jwksUri = body.jwks_uri;
+    if (body.jwks && typeof body.jwks === "object") {
+        response.jwks = body.jwks;
+    }
+    if (typeof body.token_endpoint_auth_method === "string") {
+        response.tokenEndpointAuthMethod = body.token_endpoint_auth_method;
+    }
+    response.redirectUris = normalizeStringArray(body.redirect_uris);
+    response.grantTypes = normalizeStringArray(body.grant_types);
+    response.responseTypes = normalizeStringArray(body.response_types);
+    response.scope = normalizeScope(body.scope);
+    if (typeof body.registration_access_token === "string") {
+        response.registrationAccessToken = body.registration_access_token;
+    }
+    if (typeof body.registration_client_uri === "string") {
+        response.registrationClientUri = body.registration_client_uri;
+    }
+    return response;
+}
+function normalizeStringArray(value) {
+    if (typeof value === "string")
+        return [value];
+    if (Array.isArray(value)) {
+        const out = value.filter((v) => typeof v === "string");
+        return out.length > 0 ? out : undefined;
+    }
+    return undefined;
+}
+function normalizeScope(value) {
+    if (typeof value === "string") {
+        const parts = value.split(" ").filter(Boolean);
+        return parts.length > 0 ? parts : undefined;
+    }
+    return normalizeStringArray(value);
+}
+//# sourceMappingURL=registration.js.map

package/dist/cjs/registration.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"registration.js","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":";;AA+EA,wCA6DC;AA5ID,iDAAkE;AAClE,2CAAyC;AAkEzC;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,OAAkC,EAClC,OAA+B;IAE/B,MAAM,MAAM,GAAG,OAAO,EAAE,MAAM;QAC5B,CAAC,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEpF,MAAM,QAAQ,GAAG,MAAM,IAAA,+CAAgC,EAAC,SAAS,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAC/E,IAAI,CAAC,QAAQ,CAAC,qBAAqB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,8CAA8C,CACjF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,qBAAqB,EAAE;QAC3D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;SAC3B;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM;KACP,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,sBAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAC1E,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,IAAI,OAAO,IAAI,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAkC;IAC1D,0EAA0E;IAC1E,iFAAiF;IACjF,MAAM,IAAI,GAA4B,EAAE,CAAC;IACzC,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtE,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;QAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC;IAChE,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;QAAE,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC;IACzE,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC;IAC5E,IAAI,OAAO,CAAC,eAAe,KAAK,SAAS;QAAE,IAAI,CAAC,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC;IAC3F,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IACnE,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IACzD,IAAI,OAAO,CAAC,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAClD,IAAI,CAAC,0BAA0B,GAAG,OAAO,CAAC,uBAAuB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,CAAC,YAAY,KAAK,SAAS;QAAE,IAAI,CAAC,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IACvF,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS;QAAE,IAAI,CAAC,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;IACjF,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS;QAAE,IAAI,CAAC,cAAc,GAAG,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAC1F,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;QAAE,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,mBAAmB,CAAC,IAA6B;IACxD,MAAM,QAAQ,GAA+B;QAC3C,QAAQ,EAAE,IAAI,CAAC,SAAmB;QAClC,GAAG,EAAE,IAAI;KACV,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,QAAQ,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IACvF,IAAI,OAAO,IAAI,CAAC,mBAAmB,KAAK,QAAQ;QAAE,QAAQ,CAAC,gBAAgB,GAAG,IAAI,CAAC,mBAAmB,CAAC;IACvG,IAAI,OAAO,IAAI,CAAC,wBAAwB,KAAK,QAAQ,EAAE,CAAC;QACtD,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,wBAAwB,CAAC;IACjE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC;IACrE,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IAC9E,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,QAAQ,CAAC,UAAU,GAAG,IAAI,CAAC,WAAW,CAAC;IACjF,IAAI,OAAO,IAAI,CAAC,gBAAgB,KAAK,QAAQ;QAAE,QAAQ,CAAC,eAAe,GAAG,IAAI,CAAC,gBAAgB,CAAC;IAChG,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ;QAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC;IACxE,IAAI,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC/C,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,IAA+B,CAAC;IACvD,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,0BAA0B,KAAK,QAAQ,EAAE,CAAC;QACxD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,0BAA0B,CAAC;IACrE,CAAC;IACD,QAAQ,CAAC,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IACjE,QAAQ,CAAC,UAAU,GAAG,oBAAoB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7D,QAAQ,CAAC,aAAa,GAAG,oBAAoB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACnE,QAAQ,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,OAAO,IAAI,CAAC,yBAAyB,KAAK,QAAQ,EAAE,CAAC;QACvD,QAAQ,CAAC,uBAAuB,GAAG,IAAI,CAAC,yBAAyB,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,uBAAuB,KAAK,QAAQ,EAAE,CAAC;QACrD,QAAQ,CAAC,qBAAqB,GAAG,IAAI,CAAC,uBAAuB,CAAC;IAChE,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;QACpE,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;IAC1C,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/C,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC9C,CAAC;IACD,OAAO,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC"}

package/dist/esm/index.d.ts CHANGED Viewed

@@ -11,6 +11,8 @@ export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export type { TokenExchangeRequest, TokenResponse, TokenExchangeClientOptions, ExchangeOptions, ImpersonateRequest, } from "./tokenExchange.js";
 export type { ApplicationCredential } from "./credentials.js";
+export { registerClient } from "./registration.js";
+export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}

package/dist/esm/index.js CHANGED Viewed

@@ -6,5 +6,6 @@ export { JWTSigner } from "./jwt/signer.js";
 export { JWTVerifier } from "./jwt/verifier.js";
 export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
+export { registerClient } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAMnD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/esm/pkce.d.ts ADDED Viewed

@@ -0,0 +1,64 @@
+import type { TokenResponse } from "./tokenExchange.js";
+export interface Pkce {
+    codeVerifier: string;
+    codeChallenge: string;
+    codeChallengeMethod: "S256" | "plain";
+}
+/**
+ * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
+ *
+ * Returns a 43-character base64url string (32 random bytes). Runtime-agnostic:
+ * uses the global `crypto.getRandomValues` which is available in Node 19+,
+ * Cloudflare Workers, and browsers.
+ */
+export declare function generateCodeVerifier(): string;
+/**
+ * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
+ *
+ * S256 (default): `BASE64URL(SHA-256(ASCII(code_verifier)))`
+ * plain: returns the verifier unchanged (not recommended; use only when
+ * the AS does not support S256).
+ */
+export declare function generateCodeChallenge(verifier: string, method?: "S256" | "plain"): Promise<string>;
+/**
+ * Generate a PKCE pair (verifier + challenge) in one call.
+ */
+export declare function generatePkcePair(method?: "S256" | "plain"): Promise<Pkce>;
+export interface ExchangeAuthorizationCodeOptions {
+    codeVerifier: string;
+    redirectUri: string;
+    clientId?: string;
+    clientSecret?: string;
+    signal?: AbortSignal;
+}
+/**
+ * Exchange an authorization code for tokens (RFC 6749 §4.1.3 + RFC 7636).
+ *
+ * Discovers `token_endpoint` from the AS metadata, then POSTs
+ * `grant_type=authorization_code` with the code verifier.
+ */
+export declare function exchangeAuthorizationCode(issuerUrl: string, code: string, options: ExchangeAuthorizationCodeOptions): Promise<TokenResponse>;
+export interface AuthenticateOptions {
+    clientId: string;
+    /** Default: "http://localhost:{port}/callback" */
+    redirectUri?: string;
+    /** Default: 8080 */
+    port?: number;
+    scopes?: readonly string[];
+    clientSecret?: string;
+    /** Default: 60_000 ms */
+    timeoutMs?: number;
+}
+/**
+ * Full authorization-code-with-PKCE flow for local/CLI contexts.
+ *
+ * Generates a PKCE pair, builds the authorization URL, opens the user's
+ * browser, starts a local loopback HTTP server to receive the redirect,
+ * and exchanges the authorization code for tokens.
+ *
+ * **Requires Node.js.** Uses `node:http` and `node:child_process` via
+ * dynamic import. Importing this module is safe in any runtime; only
+ * *calling* `authenticate()` requires Node.js.
+ */
+export declare function authenticate(issuerUrl: string, options: AuthenticateOptions): Promise<TokenResponse>;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/esm/pkce.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAI7C;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,MAAM,GAAG,OAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CAyExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yBAAyB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAkCxB"}

package/dist/esm/pkce.js ADDED Viewed

@@ -0,0 +1,206 @@
+import base64url from "./base64url.js";
+import { fetchAuthorizationServerMetadata } from "./discovery.js";
+import { OAuthError } from "./errors.js";
+/**
+ * Generate a cryptographically random PKCE code verifier (RFC 7636 §4.1).
+ *
+ * Returns a 43-character base64url string (32 random bytes). Runtime-agnostic:
+ * uses the global `crypto.getRandomValues` which is available in Node 19+,
+ * Cloudflare Workers, and browsers.
+ */
+export function generateCodeVerifier() {
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return base64url.encode(bytes.buffer);
+}
+/**
+ * Derive a PKCE code challenge from a code verifier (RFC 7636 §4.2).
+ *
+ * S256 (default): `BASE64URL(SHA-256(ASCII(code_verifier)))`
+ * plain: returns the verifier unchanged (not recommended; use only when
+ * the AS does not support S256).
+ */
+export async function generateCodeChallenge(verifier, method = "S256") {
+    if (method === "plain") {
+        return verifier;
+    }
+    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+    return base64url.encode(digest);
+}
+/**
+ * Generate a PKCE pair (verifier + challenge) in one call.
+ */
+export async function generatePkcePair(method = "S256") {
+    const codeVerifier = generateCodeVerifier();
+    const codeChallenge = await generateCodeChallenge(codeVerifier, method);
+    return { codeVerifier, codeChallenge, codeChallengeMethod: method };
+}
+/**
+ * Exchange an authorization code for tokens (RFC 6749 §4.1.3 + RFC 7636).
+ *
+ * Discovers `token_endpoint` from the AS metadata, then POSTs
+ * `grant_type=authorization_code` with the code verifier.
+ */
+export async function exchangeAuthorizationCode(issuerUrl, code, options) {
+    const metadata = await fetchAuthorizationServerMetadata(issuerUrl, {
+        signal: options.signal,
+    });
+    if (!metadata.token_endpoint) {
+        throw new Error(`Authorization server "${issuerUrl}" does not advertise a token_endpoint`);
+    }
+    const params = new URLSearchParams();
+    params.set("grant_type", "authorization_code");
+    params.set("code", code);
+    params.set("code_verifier", options.codeVerifier);
+    params.set("redirect_uri", options.redirectUri);
+    if (options.clientId)
+        params.set("client_id", options.clientId);
+    const headers = {
+        "Content-Type": "application/x-www-form-urlencoded",
+    };
+    if (options.clientId && options.clientSecret) {
+        headers["Authorization"] = `Basic ${btoa(`${options.clientId}:${options.clientSecret}`)}`;
+        params.delete("client_id");
+    }
+    const response = await fetch(metadata.token_endpoint, {
+        method: "POST",
+        headers,
+        body: params.toString(),
+        signal: options.signal,
+    });
+    if (!response.ok) {
+        let errorBody = null;
+        try {
+            const json = await response.json();
+            if (json && typeof json === "object" && !Array.isArray(json)) {
+                errorBody = json;
+            }
+        }
+        catch {
+            // non-JSON error body — fall through to generic error
+        }
+        if (errorBody && typeof errorBody.error === "string") {
+            const description = typeof errorBody.error_description === "string"
+                ? errorBody.error_description
+                : errorBody.error;
+            const errorUri = typeof errorBody.error_uri === "string" ? errorBody.error_uri : undefined;
+            throw new OAuthError(errorBody.error, description, errorUri);
+        }
+        throw new Error(`Authorization code exchange failed (HTTP ${response.status})`);
+    }
+    const json = await response.json();
+    if (!json || typeof json !== "object" || Array.isArray(json)) {
+        throw new Error("Token endpoint response is not a valid JSON object");
+    }
+    const body = json;
+    const accessToken = body.access_token;
+    if (typeof accessToken !== "string" || !accessToken) {
+        throw new Error("Token endpoint response missing access_token");
+    }
+    const tokenResponse = {
+        accessToken,
+        tokenType: typeof body.token_type === "string" ? body.token_type : "bearer",
+    };
+    if (typeof body.expires_in === "number")
+        tokenResponse.expiresIn = body.expires_in;
+    if (typeof body.refresh_token === "string")
+        tokenResponse.refreshToken = body.refresh_token;
+    if (typeof body.scope === "string") {
+        tokenResponse.scope = body.scope.split(" ").filter(Boolean);
+    }
+    return tokenResponse;
+}
+/**
+ * Full authorization-code-with-PKCE flow for local/CLI contexts.
+ *
+ * Generates a PKCE pair, builds the authorization URL, opens the user's
+ * browser, starts a local loopback HTTP server to receive the redirect,
+ * and exchanges the authorization code for tokens.
+ *
+ * **Requires Node.js.** Uses `node:http` and `node:child_process` via
+ * dynamic import. Importing this module is safe in any runtime; only
+ * *calling* `authenticate()` requires Node.js.
+ */
+export async function authenticate(issuerUrl, options) {
+    const port = options.port ?? 8080;
+    const redirectUri = options.redirectUri ?? `http://localhost:${port}/callback`;
+    const timeoutMs = options.timeoutMs ?? 60_000;
+    const { codeVerifier, codeChallenge } = await generatePkcePair("S256");
+    const metadata = await fetchAuthorizationServerMetadata(issuerUrl);
+    if (!metadata.authorization_endpoint) {
+        throw new Error(`Authorization server "${issuerUrl}" does not advertise an authorization_endpoint`);
+    }
+    const authUrl = new URL(metadata.authorization_endpoint);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", options.clientId);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    if (options.scopes && options.scopes.length > 0) {
+        authUrl.searchParams.set("scope", options.scopes.join(" "));
+    }
+    await openBrowser(authUrl.toString());
+    const code = await waitForCode(port, redirectUri, timeoutMs);
+    return exchangeAuthorizationCode(issuerUrl, code, {
+        codeVerifier,
+        redirectUri,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+    });
+}
+async function openBrowser(url) {
+    const { execFile } = await import("node:child_process");
+    if (process.platform === "darwin") {
+        execFile("open", [url]);
+    }
+    else if (process.platform === "win32") {
+        // `start` is a cmd.exe built-in, not a standalone executable.
+        execFile("cmd", ["/c", "start", "", url]);
+    }
+    else {
+        execFile("xdg-open", [url]);
+    }
+}
+async function waitForCode(port, redirectUri, timeoutMs) {
+    // Import before entering the Promise constructor to avoid the async-executor
+    // anti-pattern: if the dynamic import throws, the rejection propagates through
+    // this async function rather than escaping an async Promise constructor.
+    const { createServer } = await import("node:http");
+    return new Promise((resolve, reject) => {
+        const timer = setTimeout(() => {
+            server.close();
+            reject(new Error(`PKCE authentication timed out after ${timeoutMs}ms`));
+        }, timeoutMs);
+        const server = createServer((req, res) => {
+            try {
+                const reqUrl = new URL(req.url ?? "/", redirectUri);
+                const code = reqUrl.searchParams.get("code");
+                const error = reqUrl.searchParams.get("error");
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end("<html><body><p>Authentication complete. You can close this tab.</p></body></html>");
+                server.close();
+                clearTimeout(timer);
+                if (error) {
+                    reject(new OAuthError(error, reqUrl.searchParams.get("error_description") ?? error));
+                }
+                else if (code) {
+                    resolve(code);
+                }
+                else {
+                    reject(new Error("No authorization code in redirect"));
+                }
+            }
+            catch (e) {
+                server.close();
+                clearTimeout(timer);
+                reject(e);
+            }
+        });
+        server.listen(port, "localhost");
+        server.on("error", (err) => {
+            clearTimeout(timer);
+            reject(new Error(`Failed to start loopback server on port ${port}: ${err.message}`));
+        });
+    });
+}
+//# sourceMappingURL=pkce.js.map

package/dist/esm/pkce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAA2B,MAAM;IACtE,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,SAAiB,EACjB,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,EAAE;QACjE,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,uCAAuC,CAC1E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAE9C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,gDAAgD,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAE7D,OAAO,yBAAyB,CAAC,SAAS,EAAE,IAAI,EAAE;QAChD,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY,EAAE,WAAmB,EAAE,SAAiB;IAC7E,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/esm/registration.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * RFC 7591 Dynamic Client Registration request metadata.
+ * Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-2
+ */
+export interface ClientRegistrationRequest {
+    clientName?: string;
+    clientUri?: string;
+    logoUri?: string;
+    tosUri?: string;
+    policyUri?: string;
+    softwareId?: string;
+    softwareVersion?: string;
+    jwksUri?: string;
+    jwks?: Record<string, unknown>;
+    tokenEndpointAuthMethod?: string;
+    redirectUris?: readonly string[];
+    grantTypes?: readonly string[];
+    responseTypes?: readonly string[];
+    scope?: string;
+    /**
+     * Vendor-extension or AS-specific fields not covered by the typed shape.
+     * Merged into the request body verbatim (snake_case keys preserved).
+     */
+    additionalMetadata?: Record<string, unknown>;
+}
+/**
+ * RFC 7591 Dynamic Client Registration response.
+ * Reference: https://datatracker.ietf.org/doc/html/rfc7591#section-3.2.1
+ */
+export interface ClientRegistrationResponse {
+    clientId: string;
+    clientSecret?: string;
+    clientIdIssuedAt?: number;
+    clientSecretExpiresAt?: number;
+    clientName?: string;
+    clientUri?: string;
+    logoUri?: string;
+    tosUri?: string;
+    policyUri?: string;
+    softwareId?: string;
+    softwareVersion?: string;
+    jwksUri?: string;
+    jwks?: Record<string, unknown>;
+    tokenEndpointAuthMethod?: string;
+    redirectUris?: string[];
+    grantTypes?: string[];
+    responseTypes?: string[];
+    scope?: string[];
+    registrationAccessToken?: string;
+    registrationClientUri?: string;
+    /**
+     * The full unparsed response body. Useful for AS-specific extensions
+     * not captured by the typed fields above.
+     */
+    raw: Record<string, unknown>;
+}
+export interface RegisterClientOptions {
+    signal?: AbortSignal;
+    /** Request timeout in milliseconds. Ignored if `signal` is already provided. */
+    timeoutMs?: number;
+}
+/**
+ * Register a new OAuth 2.0 client with an authorization server (RFC 7591).
+ *
+ * Discovers `registration_endpoint` from the AS's
+ * `.well-known/oauth-authorization-server` metadata, POSTs the registration
+ * request as JSON, and returns the issued client credentials.
+ *
+ * Throws:
+ * - `Error` when the AS does not advertise `registration_endpoint`.
+ * - `OAuthError` when the AS returns an RFC 6749 §5.2 error response.
+ * - `Error` on non-OAuth HTTP failures or malformed responses.
+ */
+export declare function registerClient(issuerUrl: string, request: ClientRegistrationRequest, options?: RegisterClientOptions): Promise<ClientRegistrationResponse>;
+//# sourceMappingURL=registration.d.ts.map

package/dist/esm/registration.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"registration.d.ts","sourceRoot":"","sources":["../../src/registration.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,WAAW,yBAAyB;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC/B,aAAa,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9C;AAED;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,WAAW,CAAC;IACrB,gFAAgF;IAChF,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,yBAAyB,EAClC,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAAC,0BAA0B,CAAC,CAyDrC"}