@keycardai/oauth 0.6.0 → 0.8.0

package/dist/esm/server/index.js

@@ -1,4 +1,7 @@
 export { AccessContext } from "./accessContext.js";
 export { TokenVerifier } from "./tokenVerifier.js";
 export { ClientSecret } from "./clientSecret.js";
+export { FilePrivateKeyStorage, PrivateKeyManager } from "./privateKey.js";
+export { WebIdentity } from "./webIdentity.js";
+export { EKSWorkloadIdentity } from "./eksWorkloadIdentity.js";
 //# sourceMappingURL=index.js.map

package/dist/esm/server/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnD,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAE3E,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/esm/server/privateKey.d.ts

@@ -0,0 +1,47 @@
+export interface JsonWebKey {
+    kty: string;
+    alg?: string;
+    use?: string;
+    kid?: string;
+    n?: string;
+    e?: string;
+    [key: string]: unknown;
+}
+export interface PrivateKeyStorage {
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class FilePrivateKeyStorage implements PrivateKeyStorage {
+    #private;
+    constructor(storageDir: string);
+    exists(keyId: string): Promise<boolean>;
+    storeKeyPair(keyId: string, privateKeyPem: string, publicKeyJwk: JsonWebKey): Promise<void>;
+    loadKeyPair(keyId: string): Promise<{
+        privateKeyPem: string;
+        publicKeyJwk: JsonWebKey;
+    }>;
+    deleteKeyPair(keyId: string): Promise<boolean>;
+    listKeyIds(): Promise<string[]>;
+}
+export declare class PrivateKeyManager {
+    #private;
+    constructor(options: {
+        storage: PrivateKeyStorage;
+        keyId?: string;
+        audienceConfig?: string | Record<string, string>;
+    });
+    bootstrapIdentity(): Promise<void>;
+    createClientAssertion(issuer: string, audience: string, expirySeconds?: number): Promise<string>;
+    getPublicJwks(): {
+        keys: JsonWebKey[];
+    };
+    getClientId(): string;
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=privateKey.d.ts.map

package/dist/esm/server/privateKey.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.d.ts","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IACxC,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,YAAY,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5F,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC,CAAC;IACzF,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC/C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;CACjC;AAMD,qBAAa,qBAAsB,YAAW,iBAAiB;;gBAGjD,UAAU,EAAE,MAAM;IAIxB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAUvC,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,UAAU,GACvB,OAAO,CAAC,IAAI,CAAC;IAeV,WAAW,CACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,UAAU,CAAA;KAAE,CAAC;IASzD,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAO9C,UAAU,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;CAqBtC;AAMD,qBAAa,iBAAiB;;gBAOhB,OAAO,EAAE;QACnB,OAAO,EAAE,iBAAiB,CAAC;QAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAClD;IAMK,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;IAUlC,qBAAqB,CACzB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,aAAa,SAAM,GAClB,OAAO,CAAC,MAAM,CAAC;IAiBlB,aAAa,IAAI;QAAE,IAAI,EAAE,UAAU,EAAE,CAAA;KAAE;IAOvC,WAAW,IAAI,MAAM;IAIrB,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CA0BpD"}

package/dist/esm/server/privateKey.js

@@ -0,0 +1,195 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _FilePrivateKeyStorage_instances, _FilePrivateKeyStorage_storageDir, _FilePrivateKeyStorage_keyPath, _FilePrivateKeyStorage_metadataPath, _PrivateKeyManager_instances, _PrivateKeyManager_storage, _PrivateKeyManager_keyId, _PrivateKeyManager_audienceConfig, _PrivateKeyManager_privateKeyPem, _PrivateKeyManager_publicKeyJwk, _PrivateKeyManager_generateAndStoreKeyPair, _PemPrivateKeyring_pem, _PemPrivateKeyring_kid, _PemPrivateKeyring_issuer;
+import * as crypto from "node:crypto";
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import { JWTSigner } from "../jwt/signer.js";
+// =============================================================================
+// File-Based Storage
+// =============================================================================
+export class FilePrivateKeyStorage {
+    constructor(storageDir) {
+        _FilePrivateKeyStorage_instances.add(this);
+        _FilePrivateKeyStorage_storageDir.set(this, void 0);
+        __classPrivateFieldSet(this, _FilePrivateKeyStorage_storageDir, storageDir, "f");
+    }
+    async exists(keyId) {
+        try {
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            await fs.access(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async storeKeyPair(keyId, privateKeyPem, publicKeyJwk) {
+        await fs.mkdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), { recursive: true });
+        const metadata = {
+            key_id: keyId,
+            public_key_jwk: publicKeyJwk,
+            created_at: Date.now() / 1000,
+            algorithm: "RS256",
+        };
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), privateKeyPem, { encoding: "utf-8", mode: 0o600 });
+        await fs.writeFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), JSON.stringify(metadata, null, 2), {
+            encoding: "utf-8",
+            mode: 0o644,
+        });
+    }
+    async loadKeyPair(keyId) {
+        const [privateKeyPem, metadataRaw] = await Promise.all([
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId), "utf-8"),
+            fs.readFile(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId), "utf-8"),
+        ]);
+        const metadata = JSON.parse(metadataRaw);
+        return { privateKeyPem, publicKeyJwk: metadata.public_key_jwk };
+    }
+    async deleteKeyPair(keyId) {
+        let deleted = false;
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_keyPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        try {
+            await fs.unlink(__classPrivateFieldGet(this, _FilePrivateKeyStorage_instances, "m", _FilePrivateKeyStorage_metadataPath).call(this, keyId));
+            deleted = true;
+        }
+        catch { /* ignore */ }
+        return deleted;
+    }
+    async listKeyIds() {
+        try {
+            const files = await fs.readdir(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"));
+            const keyIds = [];
+            for (const file of files.filter((f) => f.endsWith(".json"))) {
+                const keyId = file.replace(/\.json$/, "");
+                if (await this.exists(keyId))
+                    keyIds.push(keyId);
+            }
+            return keyIds.sort();
+        }
+        catch {
+            return [];
+        }
+    }
+}
+_FilePrivateKeyStorage_storageDir = new WeakMap(), _FilePrivateKeyStorage_instances = new WeakSet(), _FilePrivateKeyStorage_keyPath = function _FilePrivateKeyStorage_keyPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.pem`);
+}, _FilePrivateKeyStorage_metadataPath = function _FilePrivateKeyStorage_metadataPath(keyId) {
+    return path.join(__classPrivateFieldGet(this, _FilePrivateKeyStorage_storageDir, "f"), `${keyId}.json`);
+};
+// =============================================================================
+// Private Key Manager
+// =============================================================================
+export class PrivateKeyManager {
+    constructor(options) {
+        _PrivateKeyManager_instances.add(this);
+        _PrivateKeyManager_storage.set(this, void 0);
+        _PrivateKeyManager_keyId.set(this, void 0);
+        _PrivateKeyManager_audienceConfig.set(this, void 0);
+        _PrivateKeyManager_privateKeyPem.set(this, void 0);
+        _PrivateKeyManager_publicKeyJwk.set(this, void 0);
+        __classPrivateFieldSet(this, _PrivateKeyManager_storage, options.storage, "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_keyId, options.keyId ?? crypto.randomUUID(), "f");
+        __classPrivateFieldSet(this, _PrivateKeyManager_audienceConfig, options.audienceConfig, "f");
+    }
+    async bootstrapIdentity() {
+        if (await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").exists(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"))) {
+            const { privateKeyPem, publicKeyJwk } = await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").loadKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"));
+            __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+            __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+        }
+        else {
+            await __classPrivateFieldGet(this, _PrivateKeyManager_instances, "m", _PrivateKeyManager_generateAndStoreKeyPair).call(this);
+        }
+    }
+    async createClientAssertion(issuer, audience, expirySeconds = 300) {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f") || !__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        const keyring = new PemPrivateKeyring(__classPrivateFieldGet(this, _PrivateKeyManager_privateKeyPem, "f"), __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), issuer);
+        const signer = new JWTSigner(keyring);
+        const now = Math.floor(Date.now() / 1000);
+        return signer.sign({
+            iss: issuer,
+            sub: issuer,
+            aud: audience,
+            jti: crypto.randomUUID(),
+            iat: now,
+            exp: now + expirySeconds,
+        });
+    }
+    getPublicJwks() {
+        if (!__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")) {
+            throw new Error("Identity not bootstrapped. Call bootstrapIdentity() first.");
+        }
+        return { keys: [__classPrivateFieldGet(this, _PrivateKeyManager_publicKeyJwk, "f")] };
+    }
+    getClientId() {
+        return __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f");
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        const url = new URL(resourceServerUrl);
+        return `${url.protocol}//${url.host}/.well-known/jwks.json`;
+    }
+}
+_PrivateKeyManager_storage = new WeakMap(), _PrivateKeyManager_keyId = new WeakMap(), _PrivateKeyManager_audienceConfig = new WeakMap(), _PrivateKeyManager_privateKeyPem = new WeakMap(), _PrivateKeyManager_publicKeyJwk = new WeakMap(), _PrivateKeyManager_instances = new WeakSet(), _PrivateKeyManager_generateAndStoreKeyPair = async function _PrivateKeyManager_generateAndStoreKeyPair() {
+    const keyPair = crypto.generateKeyPairSync("rsa", {
+        modulusLength: 2048,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    const privateKeyPem = String(keyPair.privateKey);
+    const publicKeyObj = crypto.createPublicKey(String(keyPair.publicKey));
+    const jwk = publicKeyObj.export({ format: "jwk" });
+    const publicKeyJwk = {
+        kty: jwk.kty,
+        n: jwk.n,
+        e: jwk.e,
+        kid: __classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"),
+        alg: "RS256",
+        use: "sig",
+    };
+    await __classPrivateFieldGet(this, _PrivateKeyManager_storage, "f").storeKeyPair(__classPrivateFieldGet(this, _PrivateKeyManager_keyId, "f"), privateKeyPem, publicKeyJwk);
+    __classPrivateFieldSet(this, _PrivateKeyManager_privateKeyPem, privateKeyPem, "f");
+    __classPrivateFieldSet(this, _PrivateKeyManager_publicKeyJwk, publicKeyJwk, "f");
+};
+// =============================================================================
+// PEM-based PrivateKeyring adapter (implements PrivateKeyring from @keycardai/oauth)
+// =============================================================================
+class PemPrivateKeyring {
+    constructor(pem, kid, issuer) {
+        _PemPrivateKeyring_pem.set(this, void 0);
+        _PemPrivateKeyring_kid.set(this, void 0);
+        _PemPrivateKeyring_issuer.set(this, void 0);
+        __classPrivateFieldSet(this, _PemPrivateKeyring_pem, pem, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_kid, kid, "f");
+        __classPrivateFieldSet(this, _PemPrivateKeyring_issuer, issuer, "f");
+    }
+    async key(_usage) {
+        const keyObj = crypto.createPrivateKey(__classPrivateFieldGet(this, _PemPrivateKeyring_pem, "f"));
+        const jwk = keyObj.export({ format: "jwk" });
+        const cryptoKey = await crypto.subtle.importKey("jwk", jwk, { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } }, false, ["sign"]);
+        return {
+            // node:crypto.webcrypto.CryptoKey and global CryptoKey are identical at
+            // runtime; the declaration split is a TypeScript-only artefact.
+            key: cryptoKey,
+            kid: __classPrivateFieldGet(this, _PemPrivateKeyring_kid, "f"),
+            issuer: __classPrivateFieldGet(this, _PemPrivateKeyring_issuer, "f"),
+        };
+    }
+}
+_PemPrivateKeyring_pem = new WeakMap(), _PemPrivateKeyring_kid = new WeakMap(), _PemPrivateKeyring_issuer = new WeakMap();
+//# sourceMappingURL=privateKey.js.map

package/dist/esm/server/privateKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"privateKey.js","sourceRoot":"","sources":["../../../src/server/privateKey.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAuB7C,gFAAgF;AAChF,qBAAqB;AACrB,gFAAgF;AAEhF,MAAM,OAAO,qBAAqB;IAGhC,YAAY,UAAkB;;QAF9B,oDAAoB;QAGlB,uBAAA,IAAI,qCAAe,UAAU,MAAA,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YACtC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAC3C,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAChB,KAAa,EACb,aAAqB,EACrB,YAAwB;QAExB,MAAM,EAAE,CAAC,KAAK,CAAC,uBAAA,IAAI,yCAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG;YACf,MAAM,EAAE,KAAK;YACb,cAAc,EAAE,YAAY;YAC5B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAC7B,SAAS,EAAE,OAAO;SACnB,CAAC;QACF,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,aAAa,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAC5F,MAAM,EAAE,CAAC,SAAS,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE;YAC/E,QAAQ,EAAE,OAAO;YACjB,IAAI,EAAE,KAAK;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CACf,KAAa;QAEb,MAAM,CAAC,aAAa,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACrD,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,EAAE,OAAO,CAAC;YAC1C,EAAE,CAAC,QAAQ,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,EAAE,OAAO,CAAC;SAChD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAmC,CAAC;QAC3E,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAAa;QAC/B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,wEAAS,MAAb,IAAI,EAAU,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QACrF,IAAI,CAAC;YAAC,MAAM,EAAE,CAAC,MAAM,CAAC,uBAAA,IAAI,6EAAc,MAAlB,IAAI,EAAe,KAAK,CAAC,CAAC,CAAC;YAAC,OAAO,GAAG,IAAI,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAC1F,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,uBAAA,IAAI,yCAAY,CAAC,CAAC;YACjD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC1C,IAAI,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;oBAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;CASF;8KAPU,KAAa;IACpB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,MAAM,CAAC,CAAC;AACrD,CAAC,qFAEa,KAAa;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,uBAAA,IAAI,yCAAY,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;AACtD,CAAC;AAGH,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,OAAO,iBAAiB;IAO5B,YAAY,OAIX;;QAVD,6CAA4B;QAC5B,2CAAe;QACf,oDAAkD;QAClD,mDAAwB;QACxB,kDAA2B;QAOzB,uBAAA,IAAI,8BAAY,OAAO,CAAC,OAAO,MAAA,CAAC;QAChC,uBAAA,IAAI,4BAAU,OAAO,CAAC,KAAK,IAAI,MAAM,CAAC,UAAU,EAAE,MAAA,CAAC;QACnD,uBAAA,IAAI,qCAAmB,OAAO,CAAC,cAAc,MAAA,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,IAAI,MAAM,uBAAA,IAAI,kCAAS,CAAC,MAAM,CAAC,uBAAA,IAAI,gCAAO,CAAC,EAAE,CAAC;YAC5C,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,MAAM,uBAAA,IAAI,kCAAS,CAAC,WAAW,CAAC,uBAAA,IAAI,gCAAO,CAAC,CAAC;YACrF,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;YACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,MAAM,uBAAA,IAAI,gFAAyB,MAA7B,IAAI,CAA2B,CAAC;QACxC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CACzB,MAAc,EACd,QAAgB,EAChB,aAAa,GAAG,GAAG;QAEnB,IAAI,CAAC,uBAAA,IAAI,wCAAe,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,iBAAiB,CAAC,uBAAA,IAAI,wCAAe,EAAE,uBAAA,IAAI,gCAAO,EAAE,MAAM,CAAC,CAAC;QAChF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,MAAM;YACX,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,MAAM,CAAC,UAAU,EAAE;YACxB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,aAAa;SACzB,CAAC,CAAC;IACL,CAAC;IAED,aAAa;QACX,IAAI,CAAC,uBAAA,IAAI,uCAAc,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,CAAC,uBAAA,IAAI,uCAAc,CAAC,EAAE,CAAC;IACxC,CAAC;IAED,WAAW;QACT,OAAO,uBAAA,IAAI,gCAAO,CAAC;IACrB,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC;QACvC,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,wBAAwB,CAAC;IAC9D,CAAC;CAuBF;uUArBC,KAAK;IACH,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,KAAK,EAAE;QAChD,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;QAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACjD,MAAM,YAAY,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,YAAY,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,MAAM,YAAY,GAAe;QAC/B,GAAG,EAAE,GAAG,CAAC,GAAI;QACb,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,CAAC,EAAG,GAAsB,CAAC,CAAE;QAC7B,GAAG,EAAE,uBAAA,IAAI,gCAAO;QAChB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IACF,MAAM,uBAAA,IAAI,kCAAS,CAAC,YAAY,CAAC,uBAAA,IAAI,gCAAO,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;IAC3E,uBAAA,IAAI,oCAAkB,aAAa,MAAA,CAAC;IACpC,uBAAA,IAAI,mCAAiB,YAAY,MAAA,CAAC;AACpC,CAAC;AAGH,gFAAgF;AAChF,qFAAqF;AACrF,gFAAgF;AAEhF,MAAM,iBAAiB;IAKrB,YAAY,GAAW,EAAE,GAAW,EAAE,MAAc;QAJpD,yCAAa;QACb,yCAAa;QACb,4CAAgB;QAGd,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,0BAAQ,GAAG,MAAA,CAAC;QAChB,uBAAA,IAAI,6BAAW,MAAM,MAAA,CAAC;IACxB,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,MAAc;QACtB,MAAM,MAAM,GAAG,MAAM,CAAC,gBAAgB,CAAC,uBAAA,IAAI,8BAAK,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EACxD,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO;YACL,wEAAwE;YACxE,gEAAgE;YAChE,GAAG,EAAE,SAAsB;YAC3B,GAAG,EAAE,uBAAA,IAAI,8BAAK;YACd,MAAM,EAAE,uBAAA,IAAI,iCAAQ;SACrB,CAAC;IACJ,CAAC;CACF"}

package/dist/esm/server/webIdentity.d.ts

@@ -0,0 +1,37 @@
+import type { ApplicationCredential } from "../credentials.js";
+import type { TokenExchangeRequest } from "../tokenExchange.js";
+import type { PrivateKeyStorage } from "./privateKey.js";
+export type { PrivateKeyStorage } from "./privateKey.js";
+export interface WebIdentityOptions {
+    serverName?: string;
+    storage?: PrivateKeyStorage;
+    storageDir?: string;
+    keyId?: string;
+    audienceConfig?: string | Record<string, string>;
+}
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export declare class WebIdentity implements ApplicationCredential {
+    #private;
+    constructor(options?: WebIdentityOptions);
+    bootstrap(): Promise<void>;
+    getAuth(): null;
+    prepareTokenExchangeRequest(subjectToken: string, resource: string, options?: {
+        tokenEndpoint?: string;
+        authInfo?: Record<string, string>;
+    }): Promise<TokenExchangeRequest>;
+    getPublicJwks(): {
+        keys: Record<string, unknown>[];
+    };
+    getClientJwksUrl(resourceServerUrl: string): string;
+}
+//# sourceMappingURL=webIdentity.d.ts.map

package/dist/esm/server/webIdentity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webIdentity.d.ts","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,YAAY,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClD;AAED;;;;;;;;;;GAUG;AACH,qBAAa,WAAY,YAAW,qBAAqB;;gBAI3C,OAAO,GAAE,kBAAuB;IAiBtC,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAOhC,OAAO,IAAI,IAAI;IAIT,2BAA2B,CAC/B,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,GACtE,OAAO,CAAC,oBAAoB,CAAC;IAchC,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAA;KAAE;IAIpD,gBAAgB,CAAC,iBAAiB,EAAE,MAAM,GAAG,MAAM;CAGpD"}

package/dist/esm/server/webIdentity.js

@@ -0,0 +1,71 @@
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var _WebIdentity_keyManager, _WebIdentity_bootstrapPromise;
+import { PrivateKeyManager, FilePrivateKeyStorage } from "./privateKey.js";
+/**
+ * RFC 7523 private_key_jwt client assertion credential provider.
+ *
+ * Generates and persists an RSA key pair using the supplied storage
+ * implementation (default: `FilePrivateKeyStorage("./mcp_keys")`).
+ * On each token exchange the private key signs a client assertion JWT
+ * that the authorization server verifies instead of a shared secret.
+ *
+ * **Requires Node.js.** Key generation and storage use Node.js crypto
+ * and filesystem APIs.
+ */
+export class WebIdentity {
+    constructor(options = {}) {
+        _WebIdentity_keyManager.set(this, void 0);
+        _WebIdentity_bootstrapPromise.set(this, void 0);
+        const storage = options.storage ??
+            new FilePrivateKeyStorage(options.storageDir ?? "./mcp_keys");
+        let keyId = options.keyId;
+        if (!keyId && options.serverName) {
+            keyId = options.serverName.replace(/[^a-zA-Z0-9\-_]/g, "_");
+        }
+        __classPrivateFieldSet(this, _WebIdentity_keyManager, new PrivateKeyManager({
+            storage,
+            keyId,
+            audienceConfig: options.audienceConfig,
+        }), "f");
+    }
+    async bootstrap() {
+        if (!__classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f")) {
+            __classPrivateFieldSet(this, _WebIdentity_bootstrapPromise, __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").bootstrapIdentity(), "f");
+        }
+        return __classPrivateFieldGet(this, _WebIdentity_bootstrapPromise, "f");
+    }
+    getAuth() {
+        return null;
+    }
+    async prepareTokenExchangeRequest(subjectToken, resource, options) {
+        await this.bootstrap();
+        const issuer = options?.authInfo?.resource_client_id ?? __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientId();
+        const audience = options?.tokenEndpoint ?? issuer;
+        const clientAssertion = await __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").createClientAssertion(issuer, audience);
+        return {
+            subjectToken,
+            resource,
+            subjectTokenType: "urn:ietf:params:oauth:token-type:access_token",
+            clientAssertionType: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            clientAssertion,
+        };
+    }
+    getPublicJwks() {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getPublicJwks();
+    }
+    getClientJwksUrl(resourceServerUrl) {
+        return __classPrivateFieldGet(this, _WebIdentity_keyManager, "f").getClientJwksUrl(resourceServerUrl);
+    }
+}
+_WebIdentity_keyManager = new WeakMap(), _WebIdentity_bootstrapPromise = new WeakMap();
+//# sourceMappingURL=webIdentity.js.map

package/dist/esm/server/webIdentity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webIdentity.js","sourceRoot":"","sources":["../../../src/server/webIdentity.ts"],"names":[],"mappings":";;;;;;;;;;;;AAEA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAa3E;;;;;;;;;;GAUG;AACH,MAAM,OAAO,WAAW;IAItB,YAAY,UAA8B,EAAE;QAH5C,0CAA+B;QAC/B,gDAAkC;QAGhC,MAAM,OAAO,GACX,OAAO,CAAC,OAAO;YACf,IAAI,qBAAqB,CAAC,OAAO,CAAC,UAAU,IAAI,YAAY,CAAC,CAAC;QAEhE,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC1B,IAAI,CAAC,KAAK,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YACjC,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC;QAC9D,CAAC;QAED,uBAAA,IAAI,2BAAe,IAAI,iBAAiB,CAAC;YACvC,OAAO;YACP,KAAK;YACL,cAAc,EAAE,OAAO,CAAC,cAAc;SACvC,CAAC,MAAA,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS;QACb,IAAI,CAAC,uBAAA,IAAI,qCAAkB,EAAE,CAAC;YAC5B,uBAAA,IAAI,iCAAqB,uBAAA,IAAI,+BAAY,CAAC,iBAAiB,EAAE,MAAA,CAAC;QAChE,CAAC;QACD,OAAO,uBAAA,IAAI,qCAAkB,CAAC;IAChC,CAAC;IAED,OAAO;QACL,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,2BAA2B,CAC/B,YAAoB,EACpB,QAAgB,EAChB,OAAuE;QAEvE,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,OAAO,EAAE,QAAQ,EAAE,kBAAkB,IAAI,uBAAA,IAAI,+BAAY,CAAC,WAAW,EAAE,CAAC;QACvF,MAAM,QAAQ,GAAG,OAAO,EAAE,aAAa,IAAI,MAAM,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,uBAAA,IAAI,+BAAY,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvF,OAAO;YACL,YAAY;YACZ,QAAQ;YACR,gBAAgB,EAAE,+CAA+C;YACjE,mBAAmB,EAAE,wDAAwD;YAC7E,eAAe;SAChB,CAAC;IACJ,CAAC;IAED,aAAa;QACX,OAAO,uBAAA,IAAI,+BAAY,CAAC,aAAa,EAAE,CAAC;IAC1C,CAAC;IAED,gBAAgB,CAAC,iBAAyB;QACxC,OAAO,uBAAA,IAAI,+BAAY,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keycardai/oauth",
-  "version": "0.6.0",
+  "version": "0.8.0",
   "description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
   "license": "MIT",
   "repository": {