@keycardai/oauth 0.6.0 → 0.7.0

package/LICENSE

@@ -1,21 +1,9 @@
-MIT License
+MIT LICENSE
 
-Copyright (c) 2024 Keycard
+Copyright © 2026 Keycard Labs, inc.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/dist/cjs/index.d.ts

@@ -15,4 +15,6 @@ export { registerClient } from "./registration.js";
 export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
+export { generateCodeVerifier, generateCodeChallenge, generatePkcePair, exchangeAuthorizationCode, authenticate, } from "./pkce.js";
+export type { Pkce, ExchangeAuthorizationCodeOptions, AuthenticateOptions, } from "./pkce.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}

package/dist/cjs/index.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.registerClient = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
+exports.authenticate = exports.exchangeAuthorizationCode = exports.generatePkcePair = exports.generateCodeChallenge = exports.generateCodeVerifier = exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = exports.registerClient = exports.TokenType = exports.TokenExchangeClient = exports.buildSubstituteUserToken = exports.JWTVerifier = exports.JWTSigner = exports.AuthProviderConfigurationError = exports.ResourceAccessError = exports.InsufficientScopeError = exports.InvalidTokenError = exports.OAuthError = exports.UnauthorizedError = exports.BadRequestError = exports.HTTPError = exports.fetchAuthorizationServerMetadata = exports.base64url = exports.JWKSOAuthKeyring = void 0;
 var keyring_js_1 = require("./keyring.js");
 Object.defineProperty(exports, "JWKSOAuthKeyring", { enumerable: true, get: function () { return keyring_js_1.JWKSOAuthKeyring; } });
 var base64url_js_1 = require("./base64url.js");
@@ -34,4 +34,10 @@ var index_js_1 = require("./server/index.js");
 Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return index_js_1.AccessContext; } });
 Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return index_js_1.TokenVerifier; } });
 Object.defineProperty(exports, "ClientSecret", { enumerable: true, get: function () { return index_js_1.ClientSecret; } });
+var pkce_js_1 = require("./pkce.js");
+Object.defineProperty(exports, "generateCodeVerifier", { enumerable: true, get: function () { return pkce_js_1.generateCodeVerifier; } });
+Object.defineProperty(exports, "generateCodeChallenge", { enumerable: true, get: function () { return pkce_js_1.generateCodeChallenge; } });
+Object.defineProperty(exports, "generatePkcePair", { enumerable: true, get: function () { return pkce_js_1.generatePkcePair; } });
+Object.defineProperty(exports, "exchangeAuthorizationCode", { enumerable: true, get: function () { return pkce_js_1.exchangeAuthorizationCode; } });
+Object.defineProperty(exports, "authenticate", { enumerable: true, get: function () { return pkce_js_1.authenticate; } });
 //# sourceMappingURL=index.js.map

package/dist/cjs/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCASqB;AARnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAEhC,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AASvC,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AAMvB,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;;;;AACA,2CAAgD;AAAvC,8GAAA,gBAAgB,OAAA;AACzB,+CAAsD;AAA7C,0HAAA,OAAO,OAAa;AAC7B,+CAAkE;AAAzD,gIAAA,gCAAgC,OAAA;AAEzC,yCASqB;AARnB,sGAAA,SAAS,OAAA;AACT,4GAAA,eAAe,OAAA;AACf,8GAAA,iBAAiB,OAAA;AACjB,uGAAA,UAAU,OAAA;AACV,8GAAA,iBAAiB,OAAA;AACjB,mHAAA,sBAAsB,OAAA;AACtB,gHAAA,mBAAmB,OAAA;AACnB,2HAAA,8BAA8B,OAAA;AAEhC,6CAA4C;AAAnC,sGAAA,SAAS,OAAA;AAElB,iDAAgD;AAAvC,0GAAA,WAAW,OAAA;AACpB,6DAAmE;AAA1D,6HAAA,wBAAwB,OAAA;AACjC,uDAAoE;AAA3D,uHAAA,mBAAmB,OAAA;AAAE,6GAAA,SAAS,OAAA;AASvC,qDAAmD;AAA1C,iHAAA,cAAc,OAAA;AAMvB,8CAA+E;AAAtE,yGAAA,aAAa,OAAA;AAAE,yGAAA,aAAa,OAAA;AAAE,wGAAA,YAAY,OAAA;AAQnD,qCAMmB;AALjB,+GAAA,oBAAoB,OAAA;AACpB,gHAAA,qBAAqB,OAAA;AACrB,2GAAA,gBAAgB,OAAA;AAChB,oHAAA,yBAAyB,OAAA;AACzB,uGAAA,YAAY,OAAA"}

package/dist/cjs/server/eksWorkloadIdentity.d.ts

@@ -0,0 +1,22 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+export interface EKSWorkloadIdentityOptions {
+    tokenFilePath?: string;
+    envVarName?: string;
+}
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+export declare class EKSWorkloadIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: EKSWorkloadIdentityOptions);
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=eksWorkloadIdentity.d.ts.map

package/dist/cjs/server/eksWorkloadIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAQhE,MAAM,WAAW,0BAA0B;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,YAAW,qBAAqB;;gBAGnD,OAAO,CAAC,EAAE,0BAA0B;IAmBhD,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CA+BjC"}

package/dist/cjs/server/eksWorkloadIdentity.js

@@ -0,0 +1,117 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EKSWorkloadIdentity_instances, _EKSWorkloadIdentity_tokenFilePath, _EKSWorkloadIdentity_validateTokenFile, _EKSWorkloadIdentity_readToken;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EKSWorkloadIdentity = void 0;
+const fs = __importStar(require("node:fs"));
+const DEFAULT_EKS_ENV_VARS = [
+    "KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE",
+    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
+    "AWS_WEB_IDENTITY_TOKEN_FILE",
+];
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+class EKSWorkloadIdentity {
+    constructor(options) {
+        _EKSWorkloadIdentity_instances.add(this);
+        _EKSWorkloadIdentity_tokenFilePath.set(this, void 0);
+        if (options?.tokenFilePath) {
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, options.tokenFilePath, "f");
+        }
+        else {
+            const envNames = options?.envVarName
+                ? [options.envVarName, ...DEFAULT_EKS_ENV_VARS]
+                : DEFAULT_EKS_ENV_VARS;
+            const found = envNames.find((name) => process.env[name]);
+            if (!found || !process.env[found]) {
+                throw new Error(`EKSWorkloadIdentity: could not find token file path in environment variables. ` +
+                    `Checked: ${envNames.join(", ")}`);
+            }
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, process.env[found], "f");
+        }
+        __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_validateTokenFile).call(this);
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource) {
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion: __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_readToken).call(this),
+        };
+    }
+}
+exports.EKSWorkloadIdentity = EKSWorkloadIdentity;
+_EKSWorkloadIdentity_tokenFilePath = new WeakMap(), _EKSWorkloadIdentity_instances = new WeakSet(), _EKSWorkloadIdentity_validateTokenFile = function _EKSWorkloadIdentity_validateTokenFile() {
+    try {
+        const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+        if (!token) {
+            throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.startsWith("EKSWorkloadIdentity:"))
+            throw error;
+        throw new Error(`EKSWorkloadIdentity: error reading token file "${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}": ${error}`);
+    }
+}, _EKSWorkloadIdentity_readToken = function _EKSWorkloadIdentity_readToken() {
+    const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+    if (!token) {
+        throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+    }
+    return token;
+};
+//# sourceMappingURL=eksWorkloadIdentity.js.map

package/dist/cjs/server/eksWorkloadIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.js","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,4CAA8B;AAI9B,MAAM,oBAAoB,GAAG;IAC3B,0CAA0C;IAC1C,wCAAwC;IACxC,6BAA6B;CAC9B,CAAC;AAOF;;;;;;;;GAQG;AACH,MAAa,mBAAmB;IAG9B,YAAY,OAAoC;;QAFhD,qDAAuB;QAGrB,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,uBAAA,IAAI,sCAAkB,OAAO,CAAC,aAAa,MAAA,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,OAAO,EAAE,UAAU;gBAClC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,oBAAoB,CAAC;gBAC/C,CAAC,CAAC,oBAAoB,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CACb,gFAAgF;oBAChF,YAAY,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClC,CAAC;YACJ,CAAC;YACD,uBAAA,IAAI,sCAAkB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAE,MAAA,CAAC;QAC5C,CAAC;QACD,uBAAA,IAAI,8EAAmB,MAAvB,IAAI,CAAqB,CAAC;IAC5B,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe,EAAE,uBAAA,IAAI,sEAAW,MAAf,IAAI,CAAa;SACnC,CAAC;IACJ,CAAC;CAuBF;AA5DD,kDA4DC;;IApBG,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACnE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,sBAAsB,CAAC;YAAE,MAAM,KAAK,CAAC;QAC5F,MAAM,IAAI,KAAK,CACb,kDAAkD,uBAAA,IAAI,0CAAe,MAAM,KAAK,EAAE,CACnF,CAAC;IACJ,CAAC;AACH,CAAC;IAGC,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/cjs/server/index.d.ts

@@ -5,4 +5,10 @@ export { TokenVerifier } from "./tokenVerifier.js";
 export type { TokenVerifierOptions } from "./tokenVerifier.js";
 export { ClientSecret } from "./clientSecret.js";
 export type { ClientSecretCredentials } from "./clientSecret.js";
+export { FilePrivateKeyStorage, PrivateKeyManager } from "./privateKey.js";
+export type { PrivateKeyStorage, JsonWebKey } from "./privateKey.js";
+export { WebIdentity } from "./webIdentity.js";
+export type { WebIdentityOptions } from "./webIdentity.js";
+export { EKSWorkloadIdentity } from "./eksWorkloadIdentity.js";
+export type { EKSWorkloadIdentityOptions } from "./eksWorkloadIdentity.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/cjs/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/cjs/server/index.js

@@ -1,10 +1,17 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = void 0;
+exports.EKSWorkloadIdentity = exports.WebIdentity = exports.PrivateKeyManager = exports.FilePrivateKeyStorage = exports.ClientSecret = exports.TokenVerifier = exports.AccessContext = void 0;
 var accessContext_js_1 = require("./accessContext.js");
 Object.defineProperty(exports, "AccessContext", { enumerable: true, get: function () { return accessContext_js_1.AccessContext; } });
 var tokenVerifier_js_1 = require("./tokenVerifier.js");
 Object.defineProperty(exports, "TokenVerifier", { enumerable: true, get: function () { return tokenVerifier_js_1.TokenVerifier; } });
 var clientSecret_js_1 = require("./clientSecret.js");
 Object.defineProperty(exports, "ClientSecret", { enumerable: true, get: function () { return clientSecret_js_1.ClientSecret; } });
+var privateKey_js_1 = require("./privateKey.js");
+Object.defineProperty(exports, "FilePrivateKeyStorage", { enumerable: true, get: function () { return privateKey_js_1.FilePrivateKeyStorage; } });
+Object.defineProperty(exports, "PrivateKeyManager", { enumerable: true, get: function () { return privateKey_js_1.PrivateKeyManager; } });
+var webIdentity_js_1 = require("./webIdentity.js");
+Object.defineProperty(exports, "WebIdentity", { enumerable: true, get: function () { return webIdentity_js_1.WebIdentity; } });
+var eksWorkloadIdentity_js_1 = require("./eksWorkloadIdentity.js");
+Object.defineProperty(exports, "EKSWorkloadIdentity", { enumerable: true, get: function () { return eksWorkloadIdentity_js_1.EKSWorkloadIdentity; } });
 //# sourceMappingURL=index.js.map

package/dist/cjs/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":";;;AAAA,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAGtB,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAEtB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":";;;AAAA,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAGtB,uDAAmD;AAA1C,iHAAA,aAAa,OAAA;AAEtB,qDAAiD;AAAxC,+GAAA,YAAY,OAAA;AAErB,iDAA2E;AAAlE,sHAAA,qBAAqB,OAAA;AAAE,kHAAA,iBAAiB,OAAA;AAEjD,mDAA+C;AAAtC,6GAAA,WAAW,OAAA;AAEpB,mEAA+D;AAAtD,6HAAA,mBAAmB,OAAA"}

package/dist/cjs/server/privateKey.d.ts

@@ -0,0 +1,47 @@
+export interface JsonWebKey {
+    kty: string;
+    alg?: string;
+    use?: string;
+    kid?: string;
+    n?: string;
+    e?: string;
+    [key: string]: unknown;
+}
+export interface PrivateKeyStorage {
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class FilePrivateKeyStorage implements PrivateKeyStorage {
+    #private;
+    constructor(storageDir: string);
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class PrivateKeyManager {
+    #private;
+    constructor(options: {
+        storage: PrivateKeyStorage;
+        keyId?: string;
+        audienceConfig?: string | Record<string, string>;
+    });
+    bootstrapIdentity(): Promise<void>;
+    createClientAssertion(issuer: string, audience: string, expirySeconds?: number): Promise<string>;
+    getPublicJwks(): {
+        keys: JsonWebKey[];
+    };
+    getClientId(): string;
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=privateKey.d.ts.map

package/dist/cjs/server/privateKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.d.ts","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACxC,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5F,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IACzF,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACjC;AAMD,qBAAa,qBAAsB,YAAW,iBAAiB;;gBAGjD,UAAU,EAAE,MAAM;IAIxB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUvC,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,IAAI,CAAC;IAeV,WAAW,CACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC;IASzD,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO9C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAqBtC;AAMD,qBAAa,iBAAiB;;gBAOhB,OAAO,EAAE;QACnB,OAAO,EAAE,iBAAiB,CAAC;QAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAClD;IAMK,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;IAUlC,qBAAqB,CACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,aAAa,SAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAiBlB,aAAa,IAAI;QAAE,IAAI,EAAE,UAAU,EAAE,CAAA;KAAE;IAOvC,WAAW,IAAI,MAAM;IAIrB,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CA0BpD"}

package/dist/cjs/server/privateKey.js

@@ -0,0 +1,233 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _FilePrivateKeyStorage_instances, _FilePrivateKeyStorage_storageDir, _FilePrivateKeyStorage_keyPath, _FilePrivateKeyStorage_metadataPath, _PrivateKeyManager_instances, _PrivateKeyManager_storage, _PrivateKeyManager_keyId, _PrivateKeyManager_audienceConfig, _PrivateKeyManager_privateKeyPem, _PrivateKeyManager_publicKeyJwk, _PrivateKeyManager_generateAndStoreKeyPair, _PemPrivateKeyring_pem, _PemPrivateKeyring_kid, _PemPrivateKeyring_issuer;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PrivateKeyManager = exports.FilePrivateKeyStorage = void 0;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs/promises"));
+const path = __importStar(require("node:path"));
+const signer_js_1 = require("../jwt/signer.js");
+// =============================================================================
+// File-Based Storage
+// =============================================================================
+class FilePrivateKeyStorage {
+    constructor(storageDir) {
+        _FilePrivateKeyStorage_instances.add(this);
+        _FilePrivateKeyStorage_storageDir.set(this, void 0);
+        __classPrivateFieldSet(this, _FilePrivateKeyStorage_storageDir, storageDir, "f");
+    }
+    async exists(keyId) {
+        try {
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async storeKeyPair(keyId, privateKeyPem, publicKeyJwk) {
+        await fs.mkdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), { recursive: true });
+        const metadata = {
+            key_id: keyId,
+            public_key_jwk: publicKeyJwk,
+            created_at: Date.now() / 1000,
+            algorithm: "RS256",
+        };
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), privateKeyPem, { encoding: "utf-8", mode: 0o600 });
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), JSON.stringify(metadata, null, 2), {
+            encoding: "utf-8",
+            mode: 0o644,
+        });
+    }
+    async loadKeyPair(keyId) {
+        const [privateKeyPem, metadataRaw] = await Promise.all([
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), "utf-8"),
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), "utf-8"),
+        ]);
+        const metadata = JSON.parse(metadataRaw);
+        return { privateKeyPem, publicKeyJwk: metadata.public_key_jwk };
+    }
+    async deleteKeyPair(keyId) {
+        let deleted = false;
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        return deleted;
+    }
+    async listKeyIds() {
+        try {
+            const files = await fs.readdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"));
+            const keyIds = [];
+            for (const file of files.filter((f) => f.endsWith(".json"))) {
+                const keyId = file.replace(/\.json$/, "");
+                if (await this.exists(keyId))
+                    keyIds.push(keyId);
+            }
+            return keyIds.sort();
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.FilePrivateKeyStorage = FilePrivateKeyStorage;
+_FilePrivateKeyStorage_storageDir = new WeakMap(), _FilePrivateKeyStorage_instances = new WeakSet(), _FilePrivateKeyStorage_keyPath = function _FilePrivateKeyStorage_keyPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.pem`);
+}, _FilePrivateKeyStorage_metadataPath = function _FilePrivateKeyStorage_metadataPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.json`);
+};
+// =============================================================================
+// Private Key Manager
+// =============================================================================
+class PrivateKeyManager {
+    constructor(options) {
+        _PrivateKeyManager_instances.add(this);
+        _PrivateKeyManager_storage.set(this, void 0);
+        _PrivateKeyManager_keyId.set(this, void 0);
+        _PrivateKeyManager_audienceConfig.set(this, void 0);
+        _PrivateKeyManager_privateKeyPem.set(this, void 0);
+        _PrivateKeyManager_publicKeyJwk.set(this, void 0);
+        __classPrivateFieldSet(this, _PrivateKeyManager_storage, options.storage, "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_keyId, options.keyId ?? crypto.randomUUID(), "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_audienceConfig, options.audienceConfig, "f");
+    }
+    async bootstrapIdentity() {
+        if (await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").exists(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"))) {
+            const { privateKeyPem, publicKeyJwk } = await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").loadKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"));
+            __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+            __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+        }
+        else {
+            await __classPrivateFieldGet(this, _PrivateKeyManager_instances, "m", _PrivateKeyManager_generateAndStoreKeyPair).call(this);
+        }
+    }
+    async createClientAssertion(issuer, audience, expirySeconds = 300) {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f") || !__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        const keyring = new PemPrivateKeyring(__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f"), __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), issuer);
+        const signer = new signer_js_1.JWTSigner(keyring);
+        const now = Math.floor(Date.now() / 1000);
+        return signer.sign({
+            iss: issuer,
+            sub: issuer,
+            aud: audience,
+            jti: crypto.randomUUID(),
+            iat: now,
+            exp: now + expirySeconds,
+        });
+    }
+    getPublicJwks() {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        return { keys: [__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")] };
+    }
+    getClientId() {
+        return __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f");
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        const url = new URL(resourceServerUrl);
+        return `${url.protocol}//${url.host}/.well-known/jwks.json`;
+    }
+}
+exports.PrivateKeyManager = PrivateKeyManager;
+_PrivateKeyManager_storage = new WeakMap(), _PrivateKeyManager_keyId = new WeakMap(), _PrivateKeyManager_audienceConfig = new WeakMap(), _PrivateKeyManager_privateKeyPem = new WeakMap(), _PrivateKeyManager_publicKeyJwk = new WeakMap(), _PrivateKeyManager_instances = new WeakSet(), _PrivateKeyManager_generateAndStoreKeyPair = async function _PrivateKeyManager_generateAndStoreKeyPair() {
+    const keyPair = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const privateKeyPem = String(keyPair.privateKey);
+    const publicKeyObj = crypto.createPublicKey(String(keyPair.publicKey));
+    const jwk = publicKeyObj.export({ format: "jwk" });
+    const publicKeyJwk = {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        kid: __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"),
+        alg: "RS256",
+        use: "sig",
+    };
+    await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").storeKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), privateKeyPem, publicKeyJwk);
+    __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+    __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+};
+// =============================================================================
+// PEM-based PrivateKeyring adapter (implements PrivateKeyring from @keycardai/oauth)
+// =============================================================================
+class PemPrivateKeyring {
+    constructor(pem, kid, issuer) {
+        _PemPrivateKeyring_pem.set(this, void 0);
+        _PemPrivateKeyring_kid.set(this, void 0);
+        _PemPrivateKeyring_issuer.set(this, void 0);
+        __classPrivateFieldSet(this, _PemPrivateKeyring_pem, pem, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_kid, kid, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_issuer, issuer, "f");
+    }
+    async key(_usage) {
+        const keyObj = crypto.createPrivateKey(__classPrivateFieldGet(this, _PemPrivateKeyring_pem, "f"));
+        const jwk = keyObj.export({ format: "jwk" });
+        const cryptoKey = await crypto.subtle.importKey("jwk", jwk, { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } }, false, ["sign"]);
+        return {
+            // node:crypto.webcrypto.CryptoKey and global CryptoKey are identical at
+            // runtime; the declaration split is a TypeScript-only artefact.
+            key: cryptoKey,
+            kid: __classPrivateFieldGet(this, _PemPrivateKeyring_kid, "f"),
+            issuer: __classPrivateFieldGet(this, _PemPrivateKeyring_issuer, "f"),
+        };
+    }
+}
+_PemPrivateKeyring_pem = new WeakMap(), _PemPrivateKeyring_kid = new WeakMap(), _PemPrivateKeyring_issuer = new WeakMap();
+//# sourceMappingURL=privateKey.js.map

package/dist/cjs/server/privateKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.js","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AACtC,qDAAuC;AACvC,gDAAkC;AAElC,gDAA6C;AAuB7C,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAa,qBAAqB;IAGhC,YAAY,UAAkB;;QAF9B,oDAAoB;QAGlB,uBAAA,IAAI,qCAAe,UAAU,MAAA,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,aAAqB,EACrB,YAAwB;QAExB,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAA,IAAI,yCAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG;YACf,MAAM,EAAE,KAAK;YACb,cAAc,EAAE,YAAY;YAC5B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAC7B,SAAS,EAAE,OAAO;SACnB,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,aAAa,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC/E,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAa;QAEb,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,OAAO,CAAC;YAC1C,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,OAAO,CAAC;SAChD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAmC,CAAC;QAC3E,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACrF,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC1F,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAA,IAAI,yCAAY,CAAC,CAAC;YACjD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC1C,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;oBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CASF;AA3ED,sDA2EC;8KAPU,KAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,MAAM,CAAC,CAAC;AACrD,CAAC,qFAEa,KAAa;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;AACtD,CAAC;AAGH,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAa,iBAAiB;IAO5B,YAAY,OAIX;;QAVD,6CAA4B;QAC5B,2CAAe;QACf,oDAAkD;QAClD,mDAAwB;QACxB,kDAA2B;QAOzB,uBAAA,IAAI,8BAAY,OAAO,CAAC,OAAO,MAAA,CAAC;QAChC,uBAAA,IAAI,4BAAU,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,MAAA,CAAC;QACnD,uBAAA,IAAI,qCAAmB,OAAO,CAAC,cAAc,MAAA,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,MAAM,uBAAA,IAAI,kCAAS,CAAC,MAAM,CAAC,uBAAA,IAAI,gCAAO,CAAC,EAAE,CAAC;YAC5C,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,MAAM,uBAAA,IAAI,kCAAS,CAAC,WAAW,CAAC,uBAAA,IAAI,gCAAO,CAAC,CAAC;YACrF,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;YACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,uBAAA,IAAI,gFAAyB,MAA7B,IAAI,CAA2B,CAAC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,MAAc,EACd,QAAgB,EAChB,aAAa,GAAG,GAAG;QAEnB,IAAI,CAAC,uBAAA,IAAI,wCAAe,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,iBAAiB,CAAC,uBAAA,IAAI,wCAAe,EAAE,uBAAA,IAAI,gCAAO,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,qBAAS,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;YACxB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,aAAa;QACX,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC,uBAAA,IAAI,uCAAc,CAAC,EAAE,CAAC;IACxC,CAAC;IAED,WAAW;QACT,OAAO,uBAAA,IAAI,gCAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACvC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,wBAAwB,CAAC;IAC9D,CAAC;CAuBF;AArFD,8CAqFC;uUArBC,KAAK;IACH,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE;QAChD,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,MAAM,YAAY,GAAe;QAC/B,GAAG,EAAE,GAAG,CAAC,GAAI;QACb,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,GAAG,EAAE,uBAAA,IAAI,gCAAO;QAChB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,MAAM,uBAAA,IAAI,kCAAS,CAAC,YAAY,CAAC,uBAAA,IAAI,gCAAO,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAC3E,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;IACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;AACpC,CAAC;AAGH,gFAAgF;AAChF,qFAAqF;AACrF,gFAAgF;AAEhF,MAAM,iBAAiB;IAKrB,YAAY,GAAW,EAAE,GAAW,EAAE,MAAc;QAJpD,yCAAa;QACb,yCAAa;QACb,4CAAgB;QAGd,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,uBAAA,IAAI,8BAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EACxD,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO;YACL,wEAAwE;YACxE,gEAAgE;YAChE,GAAG,EAAE,SAAsB;YAC3B,GAAG,EAAE,uBAAA,IAAI,8BAAK;YACd,MAAM,EAAE,uBAAA,IAAI,iCAAQ;SACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/cjs/server/webIdentity.d.ts

@@ -0,0 +1,37 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+import type { PrivateKeyStorage } from "./privateKey.js";
+export type { PrivateKeyStorage } from "./privateKey.js";
+export interface WebIdentityOptions {
+    serverName?: string;
+    storage?: PrivateKeyStorage;
+    storageDir?: string;
+    keyId?: string;
+    audienceConfig?: string | Record<string, string>;
+}
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export declare class WebIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: WebIdentityOptions);
+    bootstrap(): Promise<void>;
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+    getPublicJwks(): {
+        keys: Record<string, unknown>[];
+    };
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=webIdentity.d.ts.map

package/dist/cjs/server/webIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;GAUG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}