npm - @keycardai/oauth - Versions diffs - 0.5.0 → 0.7.0 - Mend

@keycardai/oauth 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/LICENSE +5 -17
package/README.md +45 -0
package/dist/cjs/index.d.ts +2 -0
package/dist/cjs/index.d.ts.map +1 -1
package/dist/cjs/index.js +7 -1
package/dist/cjs/index.js.map +1 -1
package/dist/cjs/pkce.d.ts +64 -0
package/dist/cjs/pkce.d.ts.map +1 -0
package/dist/cjs/pkce.js +249 -0
package/dist/cjs/pkce.js.map +1 -0
package/dist/cjs/server/eksWorkloadIdentity.d.ts +22 -0
package/dist/cjs/server/eksWorkloadIdentity.d.ts.map +1 -0
package/dist/cjs/server/eksWorkloadIdentity.js +117 -0
package/dist/cjs/server/eksWorkloadIdentity.js.map +1 -0
package/dist/cjs/server/index.d.ts +6 -0
package/dist/cjs/server/index.d.ts.map +1 -1
package/dist/cjs/server/index.js +8 -1
package/dist/cjs/server/index.js.map +1 -1
package/dist/cjs/server/privateKey.d.ts +47 -0
package/dist/cjs/server/privateKey.d.ts.map +1 -0
package/dist/cjs/server/privateKey.js +233 -0
package/dist/cjs/server/privateKey.js.map +1 -0
package/dist/cjs/server/webIdentity.d.ts +37 -0
package/dist/cjs/server/webIdentity.d.ts.map +1 -0
package/dist/cjs/server/webIdentity.js +75 -0
package/dist/cjs/server/webIdentity.js.map +1 -0
package/dist/esm/index.d.ts +2 -0
package/dist/esm/index.d.ts.map +1 -1
package/dist/esm/index.js +1 -0
package/dist/esm/index.js.map +1 -1
package/dist/esm/pkce.d.ts +64 -0
package/dist/esm/pkce.d.ts.map +1 -0
package/dist/esm/pkce.js +206 -0
package/dist/esm/pkce.js.map +1 -0
package/dist/esm/server/eksWorkloadIdentity.d.ts +22 -0
package/dist/esm/server/eksWorkloadIdentity.d.ts.map +1 -0
package/dist/esm/server/eksWorkloadIdentity.js +80 -0
package/dist/esm/server/eksWorkloadIdentity.js.map +1 -0
package/dist/esm/server/index.d.ts +6 -0
package/dist/esm/server/index.d.ts.map +1 -1
package/dist/esm/server/index.js +3 -0
package/dist/esm/server/index.js.map +1 -1
package/dist/esm/server/privateKey.d.ts +47 -0
package/dist/esm/server/privateKey.d.ts.map +1 -0
package/dist/esm/server/privateKey.js +195 -0
package/dist/esm/server/privateKey.js.map +1 -0
package/dist/esm/server/webIdentity.d.ts +37 -0
package/dist/esm/server/webIdentity.d.ts.map +1 -0
package/dist/esm/server/webIdentity.js +71 -0
package/dist/esm/server/webIdentity.js.map +1 -0
package/package.json +7 -1

package/dist/esm/server/webIdentity.d.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+import type { PrivateKeyStorage } from "./privateKey.js";
+export type { PrivateKeyStorage } from "./privateKey.js";
+export interface WebIdentityOptions {
+    serverName?: string;
+    storage?: PrivateKeyStorage;
+    storageDir?: string;
+    keyId?: string;
+    audienceConfig?: string | Record<string, string>;
+}
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export declare class WebIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: WebIdentityOptions);
+    bootstrap(): Promise<void>;
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+    getPublicJwks(): {
+        keys: Record<string, unknown>[];
+    };
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=webIdentity.d.ts.map

package/dist/esm/server/webIdentity.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;GAUG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}

package/dist/esm/server/webIdentity.js ADDED Viewed

@@ -0,0 +1,71 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _WebIdentity_keyManager, _WebIdentity_bootstrapPromise;
+import { PrivateKeyManager, FilePrivateKeyStorage } from "./privateKey.js";
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export class WebIdentity {
+    constructor(options = {}) {
+        _WebIdentity_keyManager.set(this, void 0);
+        _WebIdentity_bootstrapPromise.set(this, void 0);
+        const storage = options.storage ??
+            new FilePrivateKeyStorage(options.storageDir ?? "./mcp_keys");
+        let keyId = options.keyId;
+        if (!keyId && options.serverName) {
+            keyId = options.serverName.replace(/[^a-zA-Z0-9\-_]/g, "_");
+        }
+        __classPrivateFieldSet(this, _WebIdentity_keyManager, new PrivateKeyManager({
+            storage,
+            keyId,
+            audienceConfig: options.audienceConfig,
+        }), "f");
+    }
+    async bootstrap() {
+        if (!__classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f")) {
+            __classPrivateFieldSet(this, _WebIdentity_bootstrapPromise, __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").bootstrapIdentity(), "f");
+        }
+        return __classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f");
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource, options) {
+        await this.bootstrap();
+        const issuer = options?.authInfo?.resource_client_id ?? __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientId();
+        const audience = options?.tokenEndpoint ?? issuer;
+        const clientAssertion = await __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").createClientAssertion(issuer, audience);
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion,
+        };
+    }
+    getPublicJwks() {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getPublicJwks();
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientJwksUrl(resourceServerUrl);
+    }
+}
+_WebIdentity_keyManager = new WeakMap(), _WebIdentity_bootstrapPromise = new WeakMap();
+//# sourceMappingURL=webIdentity.js.map

package/dist/esm/server/webIdentity.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAEA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAa3E;;;;;;;;;;GAUG;AACH,MAAM,OAAO,WAAW;IAItB,YAAY,UAA8B,EAAE;QAH5C,0CAA+B;QAC/B,gDAAkC;QAGhC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;YACf,IAAI,qBAAqB,CAAC,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC;QAEhE,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACjC,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,uBAAA,IAAI,2BAAe,IAAI,iBAAiB,CAAC;YACvC,OAAO;YACP,KAAK;YACL,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,MAAA,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,uBAAA,IAAI,qCAAkB,EAAE,CAAC;YAC5B,uBAAA,IAAI,iCAAqB,uBAAA,IAAI,+BAAY,CAAC,iBAAiB,EAAE,MAAA,CAAC;QAChE,CAAC;QACD,OAAO,uBAAA,IAAI,qCAAkB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB,EAChB,OAAuE;QAEvE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,EAAE,QAAQ,EAAE,kBAAkB,IAAI,uBAAA,IAAI,+BAAY,CAAC,WAAW,EAAE,CAAC;QACvF,MAAM,QAAQ,GAAG,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,+BAAY,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvF,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe;SAChB,CAAC;IACJ,CAAC;IAED,aAAa;QACX,OAAO,uBAAA,IAAI,+BAAY,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,OAAO,uBAAA,IAAI,+BAAY,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@keycardai/oauth",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
   "license": "MIT",
   "repository": {
@@ -89,6 +89,11 @@
       "import": "./dist/esm/server/clientSecret.js",
       "require": "./dist/cjs/server/clientSecret.js",
       "types": "./dist/esm/server/clientSecret.d.ts"
+    },
+    "./pkce": {
+      "import": "./dist/esm/pkce.js",
+      "require": "./dist/cjs/pkce.js",
+      "types": "./dist/esm/pkce.d.ts"
     }
   },
   "files": [
@@ -112,6 +117,7 @@
   },
   "devDependencies": {
     "@jest/globals": "^30.0.4",
+    "@types/node": "^25.6.0",
     "jest": "^30.0.4",
     "ts-jest": "^29.4.0",
     "typescript": "^5.8.3"