@keycardai/oauth 0.6.0 → 0.8.0

package/dist/cjs/server/privateKey.js

@@ -0,0 +1,233 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _FilePrivateKeyStorage_instances, _FilePrivateKeyStorage_storageDir, _FilePrivateKeyStorage_keyPath, _FilePrivateKeyStorage_metadataPath, _PrivateKeyManager_instances, _PrivateKeyManager_storage, _PrivateKeyManager_keyId, _PrivateKeyManager_audienceConfig, _PrivateKeyManager_privateKeyPem, _PrivateKeyManager_publicKeyJwk, _PrivateKeyManager_generateAndStoreKeyPair, _PemPrivateKeyring_pem, _PemPrivateKeyring_kid, _PemPrivateKeyring_issuer;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PrivateKeyManager = exports.FilePrivateKeyStorage = void 0;
+const crypto = __importStar(require("node:crypto"));
+const fs = __importStar(require("node:fs/promises"));
+const path = __importStar(require("node:path"));
+const signer_js_1 = require("../jwt/signer.js");
+// =============================================================================
+// File-Based Storage
+// =============================================================================
+class FilePrivateKeyStorage {
+    constructor(storageDir) {
+        _FilePrivateKeyStorage_instances.add(this);
+        _FilePrivateKeyStorage_storageDir.set(this, void 0);
+        __classPrivateFieldSet(this, _FilePrivateKeyStorage_storageDir, storageDir, "f");
+    }
+    async exists(keyId) {
+        try {
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async storeKeyPair(keyId, privateKeyPem, publicKeyJwk) {
+        await fs.mkdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), { recursive: true });
+        const metadata = {
+            key_id: keyId,
+            public_key_jwk: publicKeyJwk,
+            created_at: Date.now() / 1000,
+            algorithm: "RS256",
+        };
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), privateKeyPem, { encoding: "utf-8", mode: 0o600 });
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), JSON.stringify(metadata, null, 2), {
+            encoding: "utf-8",
+            mode: 0o644,
+        });
+    }
+    async loadKeyPair(keyId) {
+        const [privateKeyPem, metadataRaw] = await Promise.all([
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), "utf-8"),
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), "utf-8"),
+        ]);
+        const metadata = JSON.parse(metadataRaw);
+        return { privateKeyPem, publicKeyJwk: metadata.public_key_jwk };
+    }
+    async deleteKeyPair(keyId) {
+        let deleted = false;
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        return deleted;
+    }
+    async listKeyIds() {
+        try {
+            const files = await fs.readdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"));
+            const keyIds = [];
+            for (const file of files.filter((f) => f.endsWith(".json"))) {
+                const keyId = file.replace(/\.json$/, "");
+                if (await this.exists(keyId))
+                    keyIds.push(keyId);
+            }
+            return keyIds.sort();
+        }
+        catch {
+            return [];
+        }
+    }
+}
+exports.FilePrivateKeyStorage = FilePrivateKeyStorage;
+_FilePrivateKeyStorage_storageDir = new WeakMap(), _FilePrivateKeyStorage_instances = new WeakSet(), _FilePrivateKeyStorage_keyPath = function _FilePrivateKeyStorage_keyPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.pem`);
+}, _FilePrivateKeyStorage_metadataPath = function _FilePrivateKeyStorage_metadataPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.json`);
+};
+// =============================================================================
+// Private Key Manager
+// =============================================================================
+class PrivateKeyManager {
+    constructor(options) {
+        _PrivateKeyManager_instances.add(this);
+        _PrivateKeyManager_storage.set(this, void 0);
+        _PrivateKeyManager_keyId.set(this, void 0);
+        _PrivateKeyManager_audienceConfig.set(this, void 0);
+        _PrivateKeyManager_privateKeyPem.set(this, void 0);
+        _PrivateKeyManager_publicKeyJwk.set(this, void 0);
+        __classPrivateFieldSet(this, _PrivateKeyManager_storage, options.storage, "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_keyId, options.keyId ?? crypto.randomUUID(), "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_audienceConfig, options.audienceConfig, "f");
+    }
+    async bootstrapIdentity() {
+        if (await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").exists(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"))) {
+            const { privateKeyPem, publicKeyJwk } = await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").loadKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"));
+            __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+            __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+        }
+        else {
+            await __classPrivateFieldGet(this, _PrivateKeyManager_instances, "m", _PrivateKeyManager_generateAndStoreKeyPair).call(this);
+        }
+    }
+    async createClientAssertion(issuer, audience, expirySeconds = 300) {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f") || !__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        const keyring = new PemPrivateKeyring(__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f"), __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), issuer);
+        const signer = new signer_js_1.JWTSigner(keyring);
+        const now = Math.floor(Date.now() / 1000);
+        return signer.sign({
+            iss: issuer,
+            sub: issuer,
+            aud: audience,
+            jti: crypto.randomUUID(),
+            iat: now,
+            exp: now + expirySeconds,
+        });
+    }
+    getPublicJwks() {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        return { keys: [__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")] };
+    }
+    getClientId() {
+        return __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f");
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        const url = new URL(resourceServerUrl);
+        return `${url.protocol}//${url.host}/.well-known/jwks.json`;
+    }
+}
+exports.PrivateKeyManager = PrivateKeyManager;
+_PrivateKeyManager_storage = new WeakMap(), _PrivateKeyManager_keyId = new WeakMap(), _PrivateKeyManager_audienceConfig = new WeakMap(), _PrivateKeyManager_privateKeyPem = new WeakMap(), _PrivateKeyManager_publicKeyJwk = new WeakMap(), _PrivateKeyManager_instances = new WeakSet(), _PrivateKeyManager_generateAndStoreKeyPair = async function _PrivateKeyManager_generateAndStoreKeyPair() {
+    const keyPair = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const privateKeyPem = String(keyPair.privateKey);
+    const publicKeyObj = crypto.createPublicKey(String(keyPair.publicKey));
+    const jwk = publicKeyObj.export({ format: "jwk" });
+    const publicKeyJwk = {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        kid: __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"),
+        alg: "RS256",
+        use: "sig",
+    };
+    await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").storeKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), privateKeyPem, publicKeyJwk);
+    __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+    __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+};
+// =============================================================================
+// PEM-based PrivateKeyring adapter (implements PrivateKeyring from @keycardai/oauth)
+// =============================================================================
+class PemPrivateKeyring {
+    constructor(pem, kid, issuer) {
+        _PemPrivateKeyring_pem.set(this, void 0);
+        _PemPrivateKeyring_kid.set(this, void 0);
+        _PemPrivateKeyring_issuer.set(this, void 0);
+        __classPrivateFieldSet(this, _PemPrivateKeyring_pem, pem, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_kid, kid, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_issuer, issuer, "f");
+    }
+    async key(_usage) {
+        const keyObj = crypto.createPrivateKey(__classPrivateFieldGet(this, _PemPrivateKeyring_pem, "f"));
+        const jwk = keyObj.export({ format: "jwk" });
+        const cryptoKey = await crypto.subtle.importKey("jwk", jwk, { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } }, false, ["sign"]);
+        return {
+            // node:crypto.webcrypto.CryptoKey and global CryptoKey are identical at
+            // runtime; the declaration split is a TypeScript-only artefact.
+            key: cryptoKey,
+            kid: __classPrivateFieldGet(this, _PemPrivateKeyring_kid, "f"),
+            issuer: __classPrivateFieldGet(this, _PemPrivateKeyring_issuer, "f"),
+        };
+    }
+}
+_PemPrivateKeyring_pem = new WeakMap(), _PemPrivateKeyring_kid = new WeakMap(), _PemPrivateKeyring_issuer = new WeakMap();
+//# sourceMappingURL=privateKey.js.map

package/dist/cjs/server/privateKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.js","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AACtC,qDAAuC;AACvC,gDAAkC;AAElC,gDAA6C;AAuB7C,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAa,qBAAqB;IAGhC,YAAY,UAAkB;;QAF9B,oDAAoB;QAGlB,uBAAA,IAAI,qCAAe,UAAU,MAAA,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,aAAqB,EACrB,YAAwB;QAExB,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAA,IAAI,yCAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG;YACf,MAAM,EAAE,KAAK;YACb,cAAc,EAAE,YAAY;YAC5B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAC7B,SAAS,EAAE,OAAO;SACnB,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,aAAa,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC/E,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAa;QAEb,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,OAAO,CAAC;YAC1C,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,OAAO,CAAC;SAChD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAmC,CAAC;QAC3E,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACrF,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC1F,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAA,IAAI,yCAAY,CAAC,CAAC;YACjD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC1C,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;oBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CASF;AA3ED,sDA2EC;8KAPU,KAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,MAAM,CAAC,CAAC;AACrD,CAAC,qFAEa,KAAa;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;AACtD,CAAC;AAGH,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAa,iBAAiB;IAO5B,YAAY,OAIX;;QAVD,6CAA4B;QAC5B,2CAAe;QACf,oDAAkD;QAClD,mDAAwB;QACxB,kDAA2B;QAOzB,uBAAA,IAAI,8BAAY,OAAO,CAAC,OAAO,MAAA,CAAC;QAChC,uBAAA,IAAI,4BAAU,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,MAAA,CAAC;QACnD,uBAAA,IAAI,qCAAmB,OAAO,CAAC,cAAc,MAAA,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,MAAM,uBAAA,IAAI,kCAAS,CAAC,MAAM,CAAC,uBAAA,IAAI,gCAAO,CAAC,EAAE,CAAC;YAC5C,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,MAAM,uBAAA,IAAI,kCAAS,CAAC,WAAW,CAAC,uBAAA,IAAI,gCAAO,CAAC,CAAC;YACrF,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;YACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,uBAAA,IAAI,gFAAyB,MAA7B,IAAI,CAA2B,CAAC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,MAAc,EACd,QAAgB,EAChB,aAAa,GAAG,GAAG;QAEnB,IAAI,CAAC,uBAAA,IAAI,wCAAe,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,iBAAiB,CAAC,uBAAA,IAAI,wCAAe,EAAE,uBAAA,IAAI,gCAAO,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,qBAAS,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;YACxB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,aAAa;QACX,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC,uBAAA,IAAI,uCAAc,CAAC,EAAE,CAAC;IACxC,CAAC;IAED,WAAW;QACT,OAAO,uBAAA,IAAI,gCAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACvC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,wBAAwB,CAAC;IAC9D,CAAC;CAuBF;AArFD,8CAqFC;uUArBC,KAAK;IACH,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE;QAChD,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,MAAM,YAAY,GAAe;QAC/B,GAAG,EAAE,GAAG,CAAC,GAAI;QACb,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,GAAG,EAAE,uBAAA,IAAI,gCAAO;QAChB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,MAAM,uBAAA,IAAI,kCAAS,CAAC,YAAY,CAAC,uBAAA,IAAI,gCAAO,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAC3E,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;IACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;AACpC,CAAC;AAGH,gFAAgF;AAChF,qFAAqF;AACrF,gFAAgF;AAEhF,MAAM,iBAAiB;IAKrB,YAAY,GAAW,EAAE,GAAW,EAAE,MAAc;QAJpD,yCAAa;QACb,yCAAa;QACb,4CAAgB;QAGd,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,uBAAA,IAAI,8BAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EACxD,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO;YACL,wEAAwE;YACxE,gEAAgE;YAChE,GAAG,EAAE,SAAsB;YAC3B,GAAG,EAAE,uBAAA,IAAI,8BAAK;YACd,MAAM,EAAE,uBAAA,IAAI,iCAAQ;SACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/cjs/server/webIdentity.d.ts

@@ -0,0 +1,37 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+import type { PrivateKeyStorage } from "./privateKey.js";
+export type { PrivateKeyStorage } from "./privateKey.js";
+export interface WebIdentityOptions {
+    serverName?: string;
+    storage?: PrivateKeyStorage;
+    storageDir?: string;
+    keyId?: string;
+    audienceConfig?: string | Record<string, string>;
+}
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export declare class WebIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: WebIdentityOptions);
+    bootstrap(): Promise<void>;
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+    getPublicJwks(): {
+        keys: Record<string, unknown>[];
+    };
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=webIdentity.d.ts.map

package/dist/cjs/server/webIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;GAUG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}

package/dist/cjs/server/webIdentity.js

@@ -0,0 +1,75 @@
+"use strict";
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _WebIdentity_keyManager, _WebIdentity_bootstrapPromise;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebIdentity = void 0;
+const privateKey_js_1 = require("./privateKey.js");
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+class WebIdentity {
+    constructor(options = {}) {
+        _WebIdentity_keyManager.set(this, void 0);
+        _WebIdentity_bootstrapPromise.set(this, void 0);
+        const storage = options.storage ??
+            new privateKey_js_1.FilePrivateKeyStorage(options.storageDir ?? "./mcp_keys");
+        let keyId = options.keyId;
+        if (!keyId && options.serverName) {
+            keyId = options.serverName.replace(/[^a-zA-Z0-9\-_]/g, "_");
+        }
+        __classPrivateFieldSet(this, _WebIdentity_keyManager, new privateKey_js_1.PrivateKeyManager({
+            storage,
+            keyId,
+            audienceConfig: options.audienceConfig,
+        }), "f");
+    }
+    async bootstrap() {
+        if (!__classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f")) {
+            __classPrivateFieldSet(this, _WebIdentity_bootstrapPromise, __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").bootstrapIdentity(), "f");
+        }
+        return __classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f");
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource, options) {
+        await this.bootstrap();
+        const issuer = options?.authInfo?.resource_client_id ?? __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientId();
+        const audience = options?.tokenEndpoint ?? issuer;
+        const clientAssertion = await __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").createClientAssertion(issuer, audience);
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion,
+        };
+    }
+    getPublicJwks() {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getPublicJwks();
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientJwksUrl(resourceServerUrl);
+    }
+}
+exports.WebIdentity = WebIdentity;
+_WebIdentity_keyManager = new WeakMap(), _WebIdentity_bootstrapPromise = new WeakMap();
+//# sourceMappingURL=webIdentity.js.map

package/dist/cjs/server/webIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAEA,mDAA2E;AAa3E;;;;;;;;;;GAUG;AACH,MAAa,WAAW;IAItB,YAAY,UAA8B,EAAE;QAH5C,0CAA+B;QAC/B,gDAAkC;QAGhC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;YACf,IAAI,qCAAqB,CAAC,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC;QAEhE,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACjC,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,uBAAA,IAAI,2BAAe,IAAI,iCAAiB,CAAC;YACvC,OAAO;YACP,KAAK;YACL,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,MAAA,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,uBAAA,IAAI,qCAAkB,EAAE,CAAC;YAC5B,uBAAA,IAAI,iCAAqB,uBAAA,IAAI,+BAAY,CAAC,iBAAiB,EAAE,MAAA,CAAC;QAChE,CAAC;QACD,OAAO,uBAAA,IAAI,qCAAkB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB,EAChB,OAAuE;QAEvE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,EAAE,QAAQ,EAAE,kBAAkB,IAAI,uBAAA,IAAI,+BAAY,CAAC,WAAW,EAAE,CAAC;QACvF,MAAM,QAAQ,GAAG,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,+BAAY,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvF,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe;SAChB,CAAC;IACJ,CAAC;IAED,aAAa;QACX,OAAO,uBAAA,IAAI,+BAAY,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,OAAO,uBAAA,IAAI,+BAAY,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC;CACF;AAzDD,kCAyDC"}

package/dist/esm/index.d.ts

@@ -15,4 +15,6 @@ export { registerClient } from "./registration.js";
 export type { ClientRegistrationRequest, ClientRegistrationResponse, RegisterClientOptions, } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
 export type { ErrorDetail, AccessContextStatus, AccessToken, TokenVerifierOptions, ClientSecretCredentials, } from "./server/index.js";
+export { generateCodeVerifier, generateCodeChallenge, generatePkcePair, exchangeAuthorizationCode, authenticate, } from "./pkce.js";
+export type { Pkce, ExchangeAuthorizationCodeOptions, AuthenticateOptions, } from "./pkce.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAC3G,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,YAAY,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,YAAY,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AACpE,YAAY,EACV,oBAAoB,EACpB,aAAa,EACb,0BAA0B,EAC1B,eAAe,EACf,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,qBAAqB,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACnD,YAAY,EACV,yBAAyB,EACzB,0BAA0B,EAC1B,qBAAqB,GACtB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAC/E,YAAY,EACV,WAAW,EACX,mBAAmB,EACnB,WAAW,EACX,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC;AACnB,YAAY,EACV,IAAI,EACJ,gCAAgC,EAChC,mBAAmB,GACpB,MAAM,WAAW,CAAC"}

package/dist/esm/index.js

@@ -8,4 +8,5 @@ export { buildSubstituteUserToken } from "./jwt/substituteUser.js";
 export { TokenExchangeClient, TokenType } from "./tokenExchange.js";
 export { registerClient } from "./registration.js";
 export { AccessContext, TokenVerifier, ClientSecret } from "./server/index.js";
+export { generateCodeVerifier, generateCodeChallenge, generatePkcePair, exchangeAuthorizationCode, authenticate, } from "./pkce.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAMnD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,SAAS,EACT,eAAe,EACf,iBAAiB,EACjB,UAAU,EACV,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,8BAA8B,GAC/B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,wBAAwB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AASpE,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAMnD,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAQ/E,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,gBAAgB,EAChB,yBAAyB,EACzB,YAAY,GACb,MAAM,WAAW,CAAC"}

package/dist/esm/pkce.d.ts

@@ -29,6 +29,8 @@ export interface ExchangeAuthorizationCodeOptions {
     redirectUri: string;
     clientId?: string;
     clientSecret?: string;
+    /** RFC 8707 resource indicator. When set, restricts the issued token's audience to this resource. */
+    resource?: string;
     signal?: AbortSignal;
 }
 /**
@@ -48,6 +50,8 @@ export interface AuthenticateOptions {
     clientSecret?: string;
     /** Default: 60_000 ms */
     timeoutMs?: number;
+    /** RFC 8707 resource indicator. Scopes the issued token's audience to this resource URL, enabling token exchange against it. */
+    resource?: string;
 }
 /**
  * Full authorization-code-with-PKCE flow for local/CLI contexts.

package/dist/esm/pkce.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAI7C;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,MAAM,GAAG,OAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CAyExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yBAAyB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAkCxB"}
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAMxD,MAAM,WAAW,IAAI;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC;CACvC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,IAAI,MAAM,CAI7C;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,MAAM,GAAG,OAAgB,GAChC,OAAO,CAAC,MAAM,CAAC,CASjB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,MAAM,GAAG,OAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAIvF;AAMD,MAAM,WAAW,gCAAgC;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,qGAAqG;IACrG,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC7C,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,gCAAgC,GACxC,OAAO,CAAC,aAAa,CAAC,CA0ExB;AAMD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oBAAoB;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,yBAAyB;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gIAAgI;IAChI,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,YAAY,CAChC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,aAAa,CAAC,CAsCxB"}

package/dist/esm/pkce.js

@@ -53,6 +53,8 @@ export async function exchangeAuthorizationCode(issuerUrl, code, options) {
     params.set("code", code);
     params.set("code_verifier", options.codeVerifier);
     params.set("redirect_uri", options.redirectUri);
+    if (options.resource)
+        params.set("resource", options.resource);
     if (options.clientId)
         params.set("client_id", options.clientId);
     const headers = {
@@ -139,6 +141,9 @@ export async function authenticate(issuerUrl, options) {
     if (options.scopes && options.scopes.length > 0) {
         authUrl.searchParams.set("scope", options.scopes.join(" "));
     }
+    if (options.resource) {
+        authUrl.searchParams.set("resource", options.resource);
+    }
     await openBrowser(authUrl.toString());
     const code = await waitForCode(port, redirectUri, timeoutMs);
     return exchangeAuthorizationCode(issuerUrl, code, {
@@ -146,6 +151,7 @@ export async function authenticate(issuerUrl, options) {
         redirectUri,
         clientId: options.clientId,
         clientSecret: options.clientSecret,
+        resource: options.resource,
     });
 }
 async function openBrowser(url) {

package/dist/esm/pkce.js.map

@@ -1 +1 @@
-{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAA2B,MAAM;IACtE,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAcD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,SAAiB,EACjB,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,EAAE;QACjE,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,uCAAuC,CAC1E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAkBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAE9C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,gDAAgD,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAE7D,OAAO,yBAAyB,CAAC,SAAS,EAAE,IAAI,EAAE;QAChD,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;KACnC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY,EAAE,WAAmB,EAAE,SAAiB;IAC7E,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../src/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,SAAS,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,gCAAgC,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAazC;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,MAAqB,CAAC,CAAC;AACvD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,QAAgB,EAChB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CACnC,CAAC;IACF,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,SAA2B,MAAM;IACtE,MAAM,YAAY,GAAG,oBAAoB,EAAE,CAAC;IAC5C,MAAM,aAAa,GAAG,MAAM,qBAAqB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACxE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;AACtE,CAAC;AAgBD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,SAAiB,EACjB,IAAY,EACZ,OAAyC;IAEzC,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,EAAE;QACjE,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,uCAAuC,CAC1E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;IACrC,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC;IAC/C,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,IAAI,OAAO,CAAC,QAAQ;QAAE,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEhE,MAAM,OAAO,GAA2B;QACtC,cAAc,EAAE,mCAAmC;KACpD,CAAC;IACF,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QAC7C,OAAO,CAAC,eAAe,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,cAAc,EAAE;QACpD,MAAM,EAAE,MAAM;QACd,OAAO;QACP,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,IAAI,SAAS,GAAmC,IAAI,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;YAC9C,IAAI,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7D,SAAS,GAAG,IAA+B,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;QACxD,CAAC;QACD,IAAI,SAAS,IAAI,OAAO,SAAS,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,WAAW,GAAG,OAAO,SAAS,CAAC,iBAAiB,KAAK,QAAQ;gBACjE,CAAC,CAAC,SAAS,CAAC,iBAAiB;gBAC7B,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC;YACpB,MAAM,QAAQ,GAAG,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;YAC3F,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAa,CAAC;IAC9C,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,IAAI,GAAG,IAA+B,CAAC;IAE7C,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC;IACtC,IAAI,OAAO,WAAW,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,aAAa,GAAkB;QACnC,WAAW;QACX,SAAS,EAAE,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;KAC5E,CAAC;IACF,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ;QAAE,aAAa,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,CAAC;IACnF,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,aAAa,CAAC,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5F,IAAI,OAAO,IAAI,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACnC,aAAa,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC9D,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAoBD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,SAAiB,EACjB,OAA4B;IAE5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC;IAClC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,oBAAoB,IAAI,WAAW,CAAC;IAC/E,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;IAE9C,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEvE,MAAM,QAAQ,GAAG,MAAM,gCAAgC,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,yBAAyB,SAAS,gDAAgD,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;IACzD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,CAAC;IACtD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;IAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAC1D,IAAI,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAEtC,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;IAE7D,OAAO,yBAAyB,CAAC,SAAS,EAAE,IAAI,EAAE;QAChD,YAAY;QACZ,WAAW;QACX,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,GAAW;IACpC,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACxC,8DAA8D;QAC9D,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAY,EAAE,WAAmB,EAAE,SAAiB;IAC7E,6EAA6E;IAC7E,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEnD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,MAAM,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,KAAK,CAAC,uCAAuC,SAAS,IAAI,CAAC,CAAC,CAAC;QAC1E,CAAC,EAAE,SAAS,CAAC,CAAC;QAEd,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACvC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,WAAW,CAAC,CAAC;gBACpD,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAE/C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;gBAE7F,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,CAAC,IAAI,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC;gBACvF,CAAC;qBAAM,IAAI,IAAI,EAAE,CAAC;oBAChB,OAAO,CAAC,IAAI,CAAC,CAAC;gBAChB,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC,CAAC;gBACzD,CAAC;YACH,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,EAAE,CAAC;gBACf,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,CAAC,CAAC,CAAC,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACjC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/esm/server/eksWorkloadIdentity.d.ts

@@ -0,0 +1,22 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+export interface EKSWorkloadIdentityOptions {
+    tokenFilePath?: string;
+    envVarName?: string;
+}
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+export declare class EKSWorkloadIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: EKSWorkloadIdentityOptions);
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string): Promise<TokenExchangeRequest>;
+}
+//# sourceMappingURL=eksWorkloadIdentity.d.ts.map

package/dist/esm/server/eksWorkloadIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAQhE,MAAM,WAAW,0BAA0B;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,qBAAa,mBAAoB,YAAW,qBAAqB;;gBAGnD,OAAO,CAAC,EAAE,0BAA0B;IAmBhD,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,oBAAoB,CAAC;CA+BjC"}

package/dist/esm/server/eksWorkloadIdentity.js

@@ -0,0 +1,80 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _EKSWorkloadIdentity_instances, _EKSWorkloadIdentity_tokenFilePath, _EKSWorkloadIdentity_validateTokenFile, _EKSWorkloadIdentity_readToken;
+import * as fs from "node:fs";
+const DEFAULT_EKS_ENV_VARS = [
+    "KEYCARD_EKS_WORKLOAD_IDENTITY_TOKEN_FILE",
+    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
+    "AWS_WEB_IDENTITY_TOKEN_FILE",
+];
+/**
+ * EKS pod identity credential provider. Reads the workload identity token
+ * from the mounted file path (resolved from the standard EKS environment
+ * variables or the explicit `tokenFilePath` option) and uses it as a
+ * client assertion in RFC 8693 token exchange requests.
+ *
+ * **Requires Node.js.** Reads the token file synchronously from the
+ * filesystem at construction and exchange time.
+ */
+export class EKSWorkloadIdentity {
+    constructor(options) {
+        _EKSWorkloadIdentity_instances.add(this);
+        _EKSWorkloadIdentity_tokenFilePath.set(this, void 0);
+        if (options?.tokenFilePath) {
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, options.tokenFilePath, "f");
+        }
+        else {
+            const envNames = options?.envVarName
+                ? [options.envVarName, ...DEFAULT_EKS_ENV_VARS]
+                : DEFAULT_EKS_ENV_VARS;
+            const found = envNames.find((name) => process.env[name]);
+            if (!found || !process.env[found]) {
+                throw new Error(`EKSWorkloadIdentity: could not find token file path in environment variables. ` +
+                    `Checked: ${envNames.join(", ")}`);
+            }
+            __classPrivateFieldSet(this, _EKSWorkloadIdentity_tokenFilePath, process.env[found], "f");
+        }
+        __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_validateTokenFile).call(this);
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource) {
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion: __classPrivateFieldGet(this, _EKSWorkloadIdentity_instances, "m", _EKSWorkloadIdentity_readToken).call(this),
+        };
+    }
+}
+_EKSWorkloadIdentity_tokenFilePath = new WeakMap(), _EKSWorkloadIdentity_instances = new WeakSet(), _EKSWorkloadIdentity_validateTokenFile = function _EKSWorkloadIdentity_validateTokenFile() {
+    try {
+        const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+        if (!token) {
+            throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.startsWith("EKSWorkloadIdentity:"))
+            throw error;
+        throw new Error(`EKSWorkloadIdentity: error reading token file "${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}": ${error}`);
+    }
+}, _EKSWorkloadIdentity_readToken = function _EKSWorkloadIdentity_readToken() {
+    const token = fs.readFileSync(__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f"), "utf-8").trim();
+    if (!token) {
+        throw new Error(`EKSWorkloadIdentity: token file is empty: ${__classPrivateFieldGet(this, _EKSWorkloadIdentity_tokenFilePath, "f")}`);
+    }
+    return token;
+};
+//# sourceMappingURL=eksWorkloadIdentity.js.map

package/dist/esm/server/eksWorkloadIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"eksWorkloadIdentity.js","sourceRoot":"","sources":["../../../src/server/eksWorkloadIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAI9B,MAAM,oBAAoB,GAAG;IAC3B,0CAA0C;IAC1C,wCAAwC;IACxC,6BAA6B;CAC9B,CAAC;AAOF;;;;;;;;GAQG;AACH,MAAM,OAAO,mBAAmB;IAG9B,YAAY,OAAoC;;QAFhD,qDAAuB;QAGrB,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,uBAAA,IAAI,sCAAkB,OAAO,CAAC,aAAa,MAAA,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,OAAO,EAAE,UAAU;gBAClC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,GAAG,oBAAoB,CAAC;gBAC/C,CAAC,CAAC,oBAAoB,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YACzD,IAAI,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBAClC,MAAM,IAAI,KAAK,CACb,gFAAgF;oBAChF,YAAY,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClC,CAAC;YACJ,CAAC;YACD,uBAAA,IAAI,sCAAkB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAE,MAAA,CAAC;QAC5C,CAAC;QACD,uBAAA,IAAI,8EAAmB,MAAvB,IAAI,CAAqB,CAAC;IAC5B,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB;QAEhB,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe,EAAE,uBAAA,IAAI,sEAAW,MAAf,IAAI,CAAa;SACnC,CAAC;IACJ,CAAC;CAuBF;;IApBG,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACnE,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,sBAAsB,CAAC;YAAE,MAAM,KAAK,CAAC;QAC5F,MAAM,IAAI,KAAK,CACb,kDAAkD,uBAAA,IAAI,0CAAe,MAAM,KAAK,EAAE,CACnF,CAAC;IACJ,CAAC;AACH,CAAC;IAGC,MAAM,KAAK,GAAG,EAAE,CAAC,YAAY,CAAC,uBAAA,IAAI,0CAAe,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,6CAA6C,uBAAA,IAAI,0CAAe,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/esm/server/index.d.ts

@@ -5,4 +5,10 @@ export { TokenVerifier } from "./tokenVerifier.js";
 export type { TokenVerifierOptions } from "./tokenVerifier.js";
 export { ClientSecret } from "./clientSecret.js";
 export type { ClientSecretCredentials } from "./clientSecret.js";
+export { FilePrivateKeyStorage, PrivateKeyManager } from "./privateKey.js";
+export type { PrivateKeyStorage, JsonWebKey } from "./privateKey.js";
+export { WebIdentity } from "./webIdentity.js";
+export type { WebIdentityOptions } from "./webIdentity.js";
+export { EKSWorkloadIdentity } from "./eksWorkloadIdentity.js";
+export type { EKSWorkloadIdentityOptions } from "./eksWorkloadIdentity.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/server/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,WAAW,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,YAAY,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,YAAY,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,YAAY,EAAE,uBAAuB,EAAE,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC3E,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,YAAY,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,YAAY,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC"}