@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/README.md

@@ -0,0 +1,174 @@
+# oidc-provider
+
+This module provides an OAuth 2.0 ([RFC 6749][oauth2]) Authorization Server with support for OpenID Connect ([OIDC][openid-connect]) and many
+other additional features and standards.
+
+**Table of Contents**
+
+- [Implemented specs & features](#implemented-specs--features)
+- [Certification](#certification)
+- [Documentation & Configuration](#documentation--configuration)
+- [Community Guides](#community-guides)
+- [Events](#events)
+
+## Implemented specs & features
+
+The following specifications are implemented by oidc-provider (not exhaustive):
+
+_Note that not all features are enabled by default, check the configuration section on how to enable them._
+
+- [`RFC6749` - OAuth 2.0][oauth2] & [`OIDC` Core 1.0][core]
+- [OIDC `Discovery 1.0`][discovery] & [`RFC8414` Authorization Server Metadata][rfc8414]
+- Dynamic Client Registration
+  - [OIDC `Dynamic Client Registration 1.0`][registration]
+  - [`RFC7591` - OAuth 2.0 Dynamic Client Registration Protocol][oauth2-registration]
+  - [`RFC7592` - OAuth 2.0 Dynamic Client Registration Management Protocol][registration-management]
+- [OIDC `RP-Initiated Logout 1.0`][rpinitiated-logout]
+- [OIDC `Back-Channel Logout 1.0`][backchannel-logout]
+- [`RFC7009` - OAuth 2.0 Token Revocation][revocation]
+- [`RFC7636` - Proof Key for Code Exchange (`PKCE`)][pkce]
+- [`RFC7662` - OAuth 2.0 Token Introspection][introspection]
+- [`RFC8252` - OAuth 2.0 for Native Apps BCP (`AppAuth`)][oauth-native-apps]
+- [`RFC8628` - OAuth 2.0 Device Authorization Grant (`Device Flow`)][device-flow]
+- [`RFC8705` - OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (`MTLS`)][mtls]
+- [`RFC8707` - OAuth 2.0 Resource Indicators][resource-indicators]
+- [`RFC9101` - OAuth 2.0 JWT-Secured Authorization Request (`JAR`)][jar]
+- [`RFC9126` - OAuth 2.0 Pushed Authorization Requests (`PAR`)][par]
+- [`RFC9207` - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp]
+- [`RFC9449` - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)][dpop]
+- [`RFC9701` - JWT Response for OAuth Token Introspection][jwt-introspection]
+- [FAPI 1.0 Security Profile - Part 2: Advanced (`FAPI 1.0`)][fapi]
+- [FAPI 2.0 Security Profile (`FAPI 2.0`)][fapi2sp]
+- [FAPI 2.0 Message Signing (`FAPI 2.0`)][fapi2ms]
+- [JWT Secured Authorization Response Mode for OAuth 2.0 (`JARM`)][jarm]
+- [OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)][ciba]
+
+Supported Access Token formats:
+
+- Opaque
+- [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens][jwt-at]
+
+The following specifications and drafts are implemented as experimental features:
+
+- [Financial-grade API: Client Initiated Backchannel Authentication Profile (`FAPI-CIBA`) - Implementers Draft 01][fapi-ciba]
+- [OIDC Relying Party Metadata Choices 1.0 - Implementers Draft 01][rp-metadata-choices]
+- [OAuth 2.0 Attestation-Based Client Authentication - Draft 06][attestation-client-auth]
+- [OAuth Client ID Metadata Document (`CIMD`) - Draft 01][cimd]
+
+Updates to experimental feature specification versions are released as MINOR library versions,
+if you utilize these features consider using the tilde `~` operator in your
+package.json since breaking changes may be introduced as part of these version updates. Alternatively
+[acknowledge](/docs/README.md#features) the version and be notified of breaking changes as part of
+your CI.
+
+## Certification
+
+[<img width="184" height="96" align="right" src="https://cdn.jsdelivr.net/gh/panva/node-oidc-provider@acd3ebf2f5ebbb5605463cb681a1fb2ab9742ace/OpenID_Certified.png" alt="OpenID Certification">][openid-certified-link]  
+Filip Skokan has [certified][openid-certified-link] that [oidc-provider][npm-url]
+conforms to the following profiles of the OpenID Connect™ protocol.
+
+- Basic, Implicit, Hybrid, Config, Form Post, and 3rd Party-Init
+- Back-Channel Logout and RP-Initiated Logout
+- FAPI 1.0
+- FAPI CIBA
+- FAPI 2.0
+
+## Sponsor
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/panva/node-oidc-provider/HEAD/sponsor/Auth0byOkta_dark.png">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/panva/node-oidc-provider/HEAD/sponsor/Auth0byOkta_light.png">
+  <img height="65" align="left" alt="Auth0 by Okta" src="https://raw.githubusercontent.com/panva/node-oidc-provider/HEAD/sponsor/Auth0byOkta_light.png">
+</picture>
+
+If you want to quickly add OpenID Connect authentication to Node.js apps, feel free to check out Auth0's Node.js SDK and free plan. [Create an Auth0 account; it's free!][sponsor-auth0]<br><br>
+
+## Support
+
+If you or your company use this module, or you need help using/upgrading the module, please consider becoming a [sponsor][support-sponsor] so I can continue maintaining it and adding new features carefree. The only way to guarantee you get feedback from the author & sole maintainer of this module is to support the package through GitHub Sponsors.
+
+## [Documentation](/docs/README.md) & Configuration
+
+oidc-provider can be mounted to existing connect, express, fastify, hapi, or koa applications, see
+[how](/docs/README.md#mounting-oidc-provider). The authorization server allows to be extended and configured in
+various ways to fit a variety of uses. See the [documentation](/docs/README.md) and [example folder](/example).
+
+```js
+import * as oidc from "oidc-provider";
+
+const provider = new oidc.Provider("http://localhost:3000", {
+  // refer to the documentation for other available configuration
+  clients: [
+    {
+      client_id: "foo",
+      client_secret: "bar",
+      redirect_uris: ["http://localhost:8080/cb"],
+      // ... other client properties
+    },
+  ],
+});
+
+const server = provider.listen(3000, () => {
+  console.log(
+    "oidc-provider listening on port 3000, check http://localhost:3000/.well-known/openid-configuration",
+  );
+});
+```
+
+External type definitions are available via [DefinitelyTyped](https://npmjs.com/package/@types/oidc-provider).
+
+## Community Guides
+
+Collection of Community-maintained configuration use cases are in the [Community Guides Discussions section](https://github.com/panva/node-oidc-provider/discussions/categories/community-guides)
+
+## Events
+
+oidc-provider instances are event emitters, using event handlers you can hook into the various
+actions and i.e. emit metrics that react to specific triggers. See the list of available emitted [event names](/docs/events.md) and their description.
+
+## Supported Versions
+
+| Version                                                       | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ |
+| ------------------------------------------------------------- | ----------------- | ------------------ | --------------- |
+| [v9.x](https://github.com/panva/node-oidc-provider/tree/v9.x) | [Security Policy] | ✅                 | ✅              |
+| [v8.x](https://github.com/panva/node-oidc-provider/tree/v8.x) | [Security Policy] | ❌                 | ❌              |
+
+[npm-url]: https://www.npmjs.com/package/oidc-provider
+[openid-certified-link]: https://openid.net/certification/
+[openid-connect]: https://openid.net/connect/
+[core]: https://openid.net/specs/openid-connect-core-1_0-errata2.html
+[discovery]: https://openid.net/specs/openid-connect-discovery-1_0-errata2.html
+[oauth2-registration]: https://www.rfc-editor.org/rfc/rfc7591.html
+[registration]: https://openid.net/specs/openid-connect-registration-1_0-errata2.html
+[oauth2]: https://www.rfc-editor.org/rfc/rfc6749.html
+[oauth2-bearer]: https://www.rfc-editor.org/rfc/rfc6750.html
+[revocation]: https://www.rfc-editor.org/rfc/rfc7009.html
+[introspection]: https://www.rfc-editor.org/rfc/rfc7662.html
+[pkce]: https://www.rfc-editor.org/rfc/rfc7636.html
+[example-repo]: https://github.com/panva/node-oidc-provider-example
+[backchannel-logout]: https://openid.net/specs/openid-connect-backchannel-1_0-errata1.html
+[registration-management]: https://www.rfc-editor.org/rfc/rfc7592.html
+[oauth-native-apps]: https://www.rfc-editor.org/rfc/rfc8252.html
+[jar]: https://www.rfc-editor.org/rfc/rfc9101.html
+[device-flow]: https://www.rfc-editor.org/rfc/rfc8628.html
+[jwt-introspection]: https://www.rfc-editor.org/rfc/rfc9701.html
+[sponsor-auth0]: https://a0.to/signup/panva
+[mtls]: https://www.rfc-editor.org/rfc/rfc8705.html
+[dpop]: https://www.rfc-editor.org/rfc/rfc9449.html
+[resource-indicators]: https://www.rfc-editor.org/rfc/rfc8707.html
+[jarm]: https://openid.net/specs/oauth-v2-jarm-errata1.html
+[jwt-at]: https://www.rfc-editor.org/rfc/rfc9068.html
+[support-sponsor]: https://github.com/sponsors/panva
+[par]: https://www.rfc-editor.org/rfc/rfc9126.html
+[rpinitiated-logout]: https://openid.net/specs/openid-connect-rpinitiated-1_0-final.html
+[iss-auth-resp]: https://www.rfc-editor.org/rfc/rfc9207.html
+[fapi]: https://openid.net/specs/openid-financial-api-part-2-1_0-final.html
+[ciba]: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html
+[fapi-ciba]: https://openid.net/specs/openid-financial-api-ciba-ID1.html
+[fapi2sp]: https://openid.net/specs/fapi-security-profile-2_0-final.html
+[fapi2ms]: https://openid.net/specs/fapi-message-signing-2_0-final.html
+[Security Policy]: https://github.com/panva/node-oidc-provider/security/policy
+[rp-metadata-choices]: https://openid.net/specs/openid-connect-rp-metadata-choices-1_0-ID1.html
+[rfc8414]: https://www.rfc-editor.org/rfc/rfc8414.html
+[attestation-client-auth]: https://www.ietf.org/archive/id/draft-ietf-oauth-attestation-based-client-auth-06.html
+[cimd]: https://www.ietf.org/archive/id/draft-ietf-oauth-client-id-metadata-document-01.html

package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_claims.js

@@ -0,0 +1,28 @@
+import merge from '../../helpers/_/merge.js';
+import instance from '../../helpers/weak_cache.js';
+
+/*
+ * Merges requested claims with auth_time as requested if max_age is provided or require_auth_time
+ * is configured for the client.
+ *
+ * Merges requested claims with acr as requested if acr_values is provided
+ */
+export default function assignClaims(ctx, next) {
+  const { params } = ctx.oidc;
+
+  if (params.claims !== undefined && instance(ctx.oidc.provider).features.claimsParameter.enabled) {
+    ctx.oidc.claims = JSON.parse(params.claims);
+  }
+
+  if (params.max_age !== undefined || ctx.oidc.client.requireAuthTime || ctx.oidc.prompts.has('login')) {
+    merge(ctx.oidc.claims, { id_token: { auth_time: { essential: true } } });
+  }
+
+  const acrValues = params.acr_values;
+
+  if (acrValues) {
+    merge(ctx.oidc.claims, { id_token: { acr: { values: acrValues.split(' ') } } });
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_defaults.js

@@ -0,0 +1,17 @@
+/*
+ * assign max_age and acr_values if it is not provided explictly but is configured with default
+ * values on the client
+ */
+export default function assignDefaults(ctx, next) {
+  const { params, client } = ctx.oidc;
+
+  if (!params.acr_values && client.defaultAcrValues) {
+    params.acr_values = client.defaultAcrValues.join(' ');
+  }
+
+  if (params.max_age === undefined && client.defaultMaxAge !== undefined) {
+    params.max_age = client.defaultMaxAge.toString();
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/authenticated_client_id.js

@@ -0,0 +1,6 @@
+export default function deviceAuthorizationResponse(ctx, next) {
+  if (!ctx.oidc.body.client_id) {
+    ctx.oidc.body.client_id = ctx.oidc.client.clientId;
+  }
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_remap_errors.js

@@ -0,0 +1,17 @@
+import { InvalidRequestObject } from '../../helpers/errors.js';
+
+/*
+ * Remaps the Backchannel Authentication Endpoint errors thrown in downstream middlewares.
+ */
+export default async function requestObjectRemapErrors(ctx, next) {
+  return next().catch((err) => {
+    if (err instanceof InvalidRequestObject) {
+      Object.assign(err, {
+        message: 'invalid_request',
+        error: 'invalid_request',
+      });
+    }
+
+    throw err;
+  });
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_response.js

@@ -0,0 +1,41 @@
+import instance from '../../helpers/weak_cache.js';
+
+export default async function backchannelRequestResponse(ctx) {
+  const { BackchannelAuthenticationRequest } = ctx.oidc.provider;
+  const { ciba } = instance(ctx.oidc.provider).features;
+
+  const request = new BackchannelAuthenticationRequest({
+    accountId: ctx.oidc.account.accountId,
+    claims: ctx.oidc.claims,
+    client: ctx.oidc.client,
+    nonce: ctx.oidc.params.nonce,
+    params: ctx.oidc.params.toPlainObject(),
+    resource: Object.keys(ctx.oidc.resourceServers),
+    scope: [...ctx.oidc.requestParamScopes].join(' '),
+  });
+
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
+    await request.setAttestBinding(ctx);
+  }
+
+  // eslint-disable-next-line default-case
+  switch (request.resource.length) {
+    case 0:
+      delete request.resource;
+      break;
+    case 1:
+      [request.resource] = request.resource;
+      break;
+  }
+
+  ctx.oidc.entity('BackchannelAuthenticationRequest', request);
+
+  const id = await request.save();
+
+  ctx.body = {
+    expires_in: request.expiration,
+    auth_req_id: id,
+  };
+
+  await ciba.triggerAuthenticationDevice(ctx, request, ctx.oidc.account, ctx.oidc.client);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_ciba_context.js

@@ -0,0 +1,12 @@
+import instance from '../../helpers/weak_cache.js';
+
+export default async function checkCibaContext(ctx, next) {
+  const { ciba } = instance(ctx.oidc.provider).features;
+
+  await Promise.all([
+    ciba.validateRequestContext(ctx, ctx.oidc.params.request_context),
+    ciba.validateBindingMessage(ctx, ctx.oidc.params.binding_message),
+  ]);
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_claims.js

@@ -0,0 +1,68 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import isPlainObject from '../../helpers/_/is_plain_object.js';
+
+/*
+ * If claims parameter is provided and supported handles its validation
+ * - should not be combined with rt none
+ * - should be JSON serialized object with id_token or userinfo properties as objects
+ * - claims.userinfo should not be used if authorization result is not access_token
+ *
+ * Merges requested claims with auth_time as requested if max_age is provided or require_auth_time
+ * is configured for the client.
+ *
+ * Merges requested claims with acr as requested if acr_values is provided
+ */
+export default async function checkClaims(ctx, next) {
+  const { params } = ctx.oidc;
+
+  if (params.claims !== undefined) {
+    const { claimsParameter, userinfo } = instance(ctx.oidc.provider).features;
+
+    if (claimsParameter.enabled) {
+      if (params.response_type === 'none') {
+        throw new InvalidRequest('claims parameter should not be combined with response_type none');
+      }
+
+      let claims;
+
+      try {
+        claims = JSON.parse(params.claims);
+      } catch (err) {
+        throw new InvalidRequest('could not parse the claims parameter JSON');
+      }
+
+      if (!isPlainObject(claims)) {
+        throw new InvalidRequest('claims parameter should be a JSON object');
+      }
+
+      if (claims.userinfo === undefined && claims.id_token === undefined) {
+        throw new InvalidRequest('claims parameter should have userinfo or id_token properties');
+      }
+
+      if (claims.userinfo !== undefined && !isPlainObject(claims.userinfo)) {
+        throw new InvalidRequest('claims.userinfo should be an object');
+      }
+
+      if (claims.id_token !== undefined && !isPlainObject(claims.id_token)) {
+        throw new InvalidRequest('claims.id_token should be an object');
+      }
+
+      if (claims.userinfo && !userinfo.enabled) {
+        throw new InvalidRequest('claims.userinfo should not be used since userinfo endpoint is not supported');
+      }
+
+      if (params.response_type === 'id_token' && claims.userinfo) {
+        throw new InvalidRequest('claims.userinfo should not be used if access_token is not issued');
+      }
+
+      await claimsParameter.assertClaimsParameter?.(
+        ctx,
+        claims,
+        ctx.oidc.client,
+      );
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client.js

@@ -0,0 +1,21 @@
+import presence from '../../helpers/validate_presence.js';
+import { InvalidClient } from '../../helpers/errors.js';
+
+/*
+ * Checks client_id
+ */
+export default async function checkClient(ctx, next) {
+  presence(ctx, 'client_id');
+
+  const client = await ctx.oidc.provider.Client.find(ctx.oidc.params.client_id);
+
+  if (!client) {
+    // there's no point in checking again in authorization error handler
+    ctx.oidc.noclient = true;
+    throw new InvalidClient('client is invalid', 'client not found');
+  }
+
+  ctx.oidc.entity('Client', client);
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client_grant_type.js

@@ -0,0 +1,21 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+
+export default function checkClientGrantType({ oidc: { route, client } }, next) {
+  let grantType;
+  switch (route) {
+    case 'device_authorization':
+      grantType = 'urn:ietf:params:oauth:grant-type:device_code';
+      break;
+    case 'backchannel_authentication':
+      grantType = 'urn:openid:params:grant-type:ciba';
+      break;
+    default:
+      throw new Error('not implemented');
+  }
+
+  if (!client.grantTypeAllowed(grantType)) {
+    throw new InvalidRequest(`${grantType} is not allowed for this client`);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_dpop_jkt.js

@@ -0,0 +1,35 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+import dpopValidate, { CHALLENGE_OK_WINDOW } from '../../helpers/validate_dpop.js';
+import epochTime from '../../helpers/epoch_time.js';
+import instance from '../../helpers/weak_cache.js';
+
+/*
+ * Validates dpop_jkt equals the used DPoP proof thumbprint
+ * when provided, otherwise defaults dpop_jkt to it.
+ */
+export default async function checkDpopJkt(ctx, next) {
+  const { params } = ctx.oidc;
+
+  const dPoP = await dpopValidate(ctx);
+  if (dPoP) {
+    const { allowReplay } = instance(ctx.oidc.provider).features.dPoP;
+    if (!allowReplay) {
+      const { ReplayDetection } = ctx.oidc.provider;
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + CHALLENGE_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+    }
+
+    if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) {
+      throw new InvalidRequest('DPoP proof key thumbprint does not match dpop_jkt');
+    } else if (!params.dpop_jkt) {
+      params.dpop_jkt = dPoP.thumbprint;
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_extra_params.js

@@ -0,0 +1,18 @@
+import instance from '../../helpers/weak_cache.js';
+
+/*
+ * Executes registered extraParams validators.
+ */
+export default async function checkExtraParams(ctx, next) {
+  const { extraParamsValidations } = instance(ctx.oidc.provider).configuration;
+
+  if (!extraParamsValidations) {
+    return next();
+  }
+
+  for (const [param, validator] of extraParamsValidations) {
+    await validator(ctx, ctx.oidc.params[param], ctx.oidc.client);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_id_token_hint.js

@@ -0,0 +1,23 @@
+import { InvalidRequest, OIDCProviderError } from '../../helpers/errors.js';
+
+/*
+ * Validates the incoming id_token_hint
+ */
+export default async function checkIdTokenHint(ctx, next) {
+  const { oidc } = ctx;
+  if (oidc.params.id_token_hint !== undefined) {
+    let idTokenHint;
+    try {
+      idTokenHint = await oidc.provider.IdToken.validate(oidc.params.id_token_hint, oidc.client);
+    } catch (err) {
+      if (err instanceof OIDCProviderError) {
+        throw err;
+      }
+
+      throw new InvalidRequest('could not validate id_token_hint', undefined, err.message);
+    }
+    ctx.oidc.entity('IdTokenHint', idTokenHint);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_max_age.js

@@ -0,0 +1,25 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+
+/*
+ * Validates the max_age parameter and handles max_age=0 to prompt=login translation
+ */
+export default function checkMaxAge(ctx, next) {
+  if (ctx.oidc.params.max_age !== undefined) {
+    const maxAge = +ctx.oidc.params.max_age;
+
+    if (!Number.isSafeInteger(maxAge) || Math.sign(maxAge) === -1) {
+      throw new InvalidRequest('invalid max_age parameter value');
+    }
+
+    if (maxAge === 0) {
+      const { prompts } = ctx.oidc;
+      ctx.oidc.params.max_age = undefined;
+      if (!prompts.has('login')) {
+        prompts.add('login');
+        ctx.oidc.params.prompt = [...prompts].join(' ');
+      }
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_openid_scope.js

@@ -0,0 +1,47 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+
+const GATED_CLIENT = Object.entries({
+  defaultAcrValues: 'default_acr_values',
+  defaultMaxAge: 'default_max_age',
+  requireAuthTime: 'require_auth_time',
+});
+
+const GATED = [
+  'acr_values',
+  'claims',
+  'claims_locales',
+  'id_token_hint',
+  'max_age',
+  'nonce',
+];
+
+/*
+ * Validates that openid scope is requested when openid specific parameters are provided
+ */
+export default function checkOpenIdScope(PARAM_LIST, ctx, next) {
+  if (ctx.oidc.params.scope?.split(' ').includes('openid')) {
+    return next();
+  }
+
+  if (PARAM_LIST.has('response_type') && ctx.oidc.params.response_type.includes('id_token')) {
+    throw new InvalidRequest('openid scope must be requested for this response_type');
+  }
+
+  GATED_CLIENT.forEach(([prop, msg]) => {
+    if (ctx.oidc.client[prop]) {
+      throw new InvalidRequest(`openid scope must be requested for clients with ${msg}`);
+    }
+  });
+
+  GATED.forEach((param) => {
+    if (ctx.oidc.params[param] !== undefined) {
+      throw new InvalidRequest(`openid scope must be requested when using the ${param} parameter`);
+    }
+  });
+
+  if (ctx.oidc.route === 'backchannel_authentication') {
+    throw new InvalidRequest('openid scope must be requested for this request');
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_pkce.js

@@ -0,0 +1,41 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import checkFormat from '../../helpers/pkce_format.js';
+
+/*
+ * - assign default code_challenge_method if a code_challenge is provided
+ * - check presence of code code_challenge if code_challenge_method is provided
+ * - enforce PKCE use for native clients using hybrid or code flow
+ */
+export default function checkPKCE(ctx, next) {
+  const { params } = ctx.oidc;
+  const { pkce } = instance(ctx.oidc.provider).configuration;
+
+  if (!params.code_challenge_method && params.code_challenge) {
+    throw new InvalidRequest('code_challenge_method must be provided');
+  }
+
+  if (params.code_challenge_method) {
+    if (params.code_challenge_method !== 'S256') {
+      throw new InvalidRequest('not supported value of code_challenge_method');
+    }
+
+    if (!params.code_challenge) {
+      throw new InvalidRequest('code_challenge must be provided with code_challenge_method');
+    }
+  }
+
+  if (params.response_type.includes('code')) {
+    if (!params.code_challenge) {
+      if (pkce.required(ctx, ctx.oidc.client)) {
+        throw new InvalidRequest('Authorization Server policy requires PKCE to be used for this request');
+      }
+    }
+  }
+
+  if (params.code_challenge !== undefined) {
+    checkFormat(params.code_challenge, 'code_challenge');
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_prompt.js

@@ -0,0 +1,25 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+
+/*
+ * Checks that all requested prompts are supported and validates prompt none is not combined with
+ * other prompts
+ */
+export default function checkPrompt(ctx, next) {
+  if (ctx.oidc.params.prompt !== undefined) {
+    const { prompts } = ctx.oidc;
+    const supported = instance(ctx.oidc.provider).configuration.prompts;
+
+    for (const prompt of prompts) {
+      if (!supported.has(prompt)) {
+        throw new InvalidRequest('unsupported prompt value requested');
+      }
+    }
+
+    if (prompts.has('none') && prompts.size !== 1) {
+      throw new InvalidRequest('prompt none must only be used alone');
+    }
+  }
+
+  return next();
+}