@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_redirect_uri.js

@@ -0,0 +1,41 @@
+import { InvalidRedirectUri, InvalidRequest } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+
+function allowUnregisteredUri(ctx) {
+  const { pushedAuthorizationRequests } = instance(ctx.oidc.provider).features;
+
+  return (ctx.oidc.route === 'pushed_authorization_request' || ('PushedAuthorizationRequest' in ctx.oidc.entities))
+    && pushedAuthorizationRequests.allowUnregisteredRedirectUris
+    && ctx.oidc.client.sectorIdentifierUri === undefined
+    && ctx.oidc.client.clientAuthMethod !== 'none';
+}
+
+function validateUnregisteredUri(ctx) {
+  const { redirectUris: validator } = ctx.oidc.provider.Client.Schema.prototype;
+
+  validator.call({
+    ...ctx.oidc.client.metadata(),
+    invalidate(detail) {
+      throw new InvalidRequest(detail.replace('redirect_uris', 'redirect_uri'));
+    },
+  }, [ctx.oidc.params.redirect_uri]);
+
+  return true;
+}
+
+/*
+ * Checks that provided redirect_uri is allowed
+ */
+export default function checkRedirectUri(ctx, next) {
+  if (!ctx.oidc.client.redirectUriAllowed(ctx.oidc.params.redirect_uri)) {
+    if (!allowUnregisteredUri(ctx)) {
+      throw new InvalidRedirectUri();
+    }
+
+    validateUnregisteredUri(ctx);
+  }
+
+  ctx.oidc.redirectUriCheckPerformed = true;
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_requested_expiry.js

@@ -0,0 +1,16 @@
+import { InvalidRequest } from '../../helpers/errors.js';
+
+/*
+ * Validates the requested_expiry parameter
+ */
+export default function checkRequestedExpiry(ctx, next) {
+  if (ctx.oidc.params.requested_expiry !== undefined) {
+    const requestedExpiry = +ctx.oidc.params.requested_expiry;
+
+    if (!Number.isSafeInteger(requestedExpiry) || Math.sign(requestedExpiry) !== 1) {
+      throw new InvalidRequest('invalid requested_expiry parameter value');
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_mode.js

@@ -0,0 +1,54 @@
+import { InvalidRequest, UnsupportedResponseMode } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+import { isFrontChannel } from '../../helpers/resolve_response_mode.js';
+
+/*
+ * Resolves and assigns params.response_mode if it was not explicitly requested. Validates id_token
+ * and token containing responses do not use response_mode query.
+ */
+export default function checkResponseMode(ctx, next) {
+  const { params, client } = ctx.oidc;
+
+  const frontChannel = isFrontChannel(params.response_type);
+
+  const mode = ctx.oidc.responseMode;
+
+  if (
+    mode !== undefined
+    && !instance(ctx.oidc.provider).responseModes.has(mode)
+  ) {
+    params.response_mode = undefined;
+    throw new UnsupportedResponseMode();
+  }
+
+  if (!ctx.oidc.client.responseModeAllowed(mode, params.response_type, ctx.oidc.fapiProfile)) {
+    throw new InvalidRequest('requested response_mode is not allowed for this client or request');
+  }
+
+  const JWT = /jwt/.test(mode);
+
+  if (
+    mode !== undefined && JWT
+    && (
+      /^HS/.test(client.authorizationSignedResponseAlg)
+      || /^(A|dir$)/.test(client.authorizationEncryptedResponseAlg)
+    )
+  ) {
+    try {
+      client.checkClientSecretExpiration('client secret is expired, cannot issue a JWT Authorization response');
+    } catch (err) {
+      const [explicit] = mode === 'jwt' ? [undefined] : mode.split('.');
+      params.response_mode = explicit || undefined;
+      throw err;
+    }
+  }
+
+  const msg = 'requested response_mode is not allowed for the requested response_type';
+  if (mode === 'query' && frontChannel) {
+    throw new InvalidRequest(msg);
+  } else if (mode === 'query.jwt' && frontChannel && !client.authorizationEncryptedResponseAlg) {
+    throw new InvalidRequest(`${msg} unless encrypted`);
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_type.js

@@ -0,0 +1,26 @@
+import instance from '../../helpers/weak_cache.js';
+import {
+  UnsupportedResponseType,
+  InvalidRequest,
+} from '../../helpers/errors.js';
+
+/*
+ * Validates requested response_type is supported by the provided and allowed in the client
+ * configuration
+ */
+export default function checkResponseType(ctx, next) {
+  const { params } = ctx.oidc;
+  const supported = instance(ctx.oidc.provider).configuration.responseTypes;
+
+  params.response_type = [...new Set(params.response_type.split(' '))].sort().join(' ');
+
+  if (!supported.includes(params.response_type)) {
+    throw new UnsupportedResponseType();
+  }
+
+  if (!ctx.oidc.client.responseTypeAllowed(params.response_type)) {
+    throw new InvalidRequest('requested response_type is not allowed for this client');
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/check_scope.js

@@ -0,0 +1,53 @@
+import { InvalidScope } from '../../helpers/errors.js';
+import instance from '../../helpers/weak_cache.js';
+
+/*
+ * Validates that all requested scopes are supported by the provider, and that offline_access prompt
+ * is requested together with consent prompt
+ */
+export default async function checkScope(PARAM_LIST, ctx, next) {
+  const { scopes: statics } = instance(ctx.oidc.provider).configuration;
+  const { prompts, client } = ctx.oidc;
+
+  const scopes = [...new Set(ctx.oidc.params.scope?.split(' '))];
+
+  const responseType = ctx.oidc.params.response_type;
+
+  /*
+   * Upon receipt of a scope parameter containing the offline_access value, the Authorization Server
+   *
+   * MUST ensure that the prompt parameter contains consent
+   * MUST ignore the offline_access request unless the Client is using a response_type value that
+   *  would result in an Authorization Code being returned,
+   *
+   * Furthermore no offline_access will be granted if the client doesn't have the grant allowed
+   */
+
+  if (scopes.includes('offline_access')) {
+    if (
+      (PARAM_LIST.has('response_type') && !responseType.includes('code'))
+      || (PARAM_LIST.has('prompt') && !prompts.has('consent'))
+      || !client.grantTypeAllowed('refresh_token')
+    ) {
+      scopes.splice(scopes.indexOf('offline_access'), 1);
+    }
+  }
+
+  if (scopes.length) {
+    ctx.oidc.params.scope = scopes.join(' ');
+  } else {
+    ctx.oidc.params.scope = undefined;
+  }
+
+  if (client.scope) {
+    const allowList = new Set(client.scope.split(' '));
+
+    for (const scope of scopes.filter(Set.prototype.has.bind(statics))) {
+      if (!allowList.has(scope)) {
+        throw new InvalidScope('requested scope is not allowed', scope);
+      }
+    }
+  }
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_load_account.js

@@ -0,0 +1,58 @@
+import { InvalidRequest, UnknownUserId } from '../../helpers/errors.js';
+import omitBy from '../../helpers/_/omit_by.js';
+import instance from '../../helpers/weak_cache.js';
+
+import checkIdTokenHint from './check_id_token_hint.js';
+
+export default async function cibaLoadAccount(ctx, next) {
+  const mechanisms = omitBy({
+    login_hint_token: ctx.oidc.params.login_hint_token,
+    id_token_hint: ctx.oidc.params.id_token_hint,
+    login_hint: ctx.oidc.params.login_hint,
+  }, (value) => typeof value !== 'string' || !value);
+
+  let mechanism;
+  let length;
+  let value;
+
+  try {
+    ({ 0: [mechanism, value], length } = Object.entries(mechanisms));
+  } catch (err) {}
+
+  if (!length) {
+    throw new InvalidRequest('missing one of required parameters login_hint_token, id_token_hint, or login_hint');
+  } else if (length !== 1) {
+    throw new InvalidRequest('only one of required parameters login_hint_token, id_token_hint, or login_hint must be provided');
+  }
+
+  const { findAccount, features } = instance(ctx.oidc.provider).configuration;
+  const { ciba } = features;
+
+  let accountId;
+  // eslint-disable-next-line default-case
+  switch (mechanism) {
+    case 'id_token_hint':
+      await checkIdTokenHint(ctx, () => {});
+      ({ payload: { sub: accountId } } = ctx.oidc.entities.IdTokenHint);
+      break;
+    case 'login_hint_token':
+      accountId = await ciba.processLoginHintToken(ctx, value);
+      break;
+    case 'login_hint':
+      accountId = await ciba.processLoginHint(ctx, value);
+      break;
+  }
+
+  if (!accountId) {
+    throw new UnknownUserId('could not identify end-user');
+  }
+  const account = await findAccount(ctx, accountId);
+  if (!account) {
+    throw new UnknownUserId('could not identify end-user');
+  }
+  ctx.oidc.entity('Account', account);
+
+  await ciba.verifyUserCode(ctx, account, value);
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_required.js

@@ -0,0 +1,13 @@
+import presence from '../../helpers/validate_presence.js';
+
+export default function oidcRequired(ctx, next) {
+  const required = new Set(['scope']);
+
+  if (ctx.oidc.client.backchannelTokenDeliveryMode !== 'poll') {
+    required.add('client_notification_token');
+  }
+
+  presence(ctx, ...required);
+
+  return next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/device_authorization_response.js

@@ -0,0 +1,31 @@
+import { generate, normalize } from '../../helpers/user_codes.js';
+import instance from '../../helpers/weak_cache.js';
+
+export default async function deviceAuthorizationResponse(ctx) {
+  const { charset, mask, deviceInfo } = instance(ctx.oidc.provider).features.deviceFlow;
+  const userCode = generate(charset, mask);
+
+  const dc = new ctx.oidc.provider.DeviceCode({
+    client: ctx.oidc.client,
+    deviceInfo: deviceInfo(ctx),
+    params: ctx.oidc.params.toPlainObject(),
+    userCode: normalize(userCode),
+  });
+
+  if (ctx.oidc.client.clientAuthMethod === 'attest_jwt_client_auth') {
+    await dc.setAttestBinding(ctx);
+  }
+
+  ctx.oidc.entity('DeviceCode', dc);
+  ctx.body = {
+    device_code: await dc.save(),
+    user_code: userCode,
+    verification_uri: ctx.oidc.urlFor('code_verification'),
+    verification_uri_complete: ctx.oidc.urlFor('code_verification', {
+      query: { user_code: userCode },
+    }),
+    expires_in: dc.expiration,
+  };
+
+  ctx.oidc.provider.emit('device_authorization.success', ctx, ctx.body);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow.js

@@ -0,0 +1,31 @@
+import Params from '../../helpers/params.js';
+import {
+  NotFoundError, ExpiredError, AlreadyUsedError,
+} from '../../helpers/re_render_errors.js';
+
+export default async function deviceUserFlow(allowList, ctx, next) {
+  if (ctx.oidc.route === 'device_resume') {
+    const code = await ctx.oidc.provider.DeviceCode.find(
+      ctx.oidc.entities.Interaction.deviceCode,
+      { ignoreExpiration: true, ignoreSessionBinding: true },
+    );
+
+    if (!code) {
+      throw new NotFoundError();
+    }
+
+    if (code.isExpired) {
+      throw new ExpiredError();
+    }
+
+    if (code.error || code.accountId) {
+      throw new AlreadyUsedError();
+    }
+
+    ctx.oidc.entity('DeviceCode', code);
+  } else {
+    ctx.oidc.params = new (Params(allowList))(ctx.oidc.deviceCode.params);
+  }
+
+  await next();
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_errors.js

@@ -0,0 +1,37 @@
+import { AccessDenied } from '../../helpers/errors.js';
+import errOut from '../../helpers/err_out.js';
+import {
+  ReRenderError, AbortedError,
+} from '../../helpers/re_render_errors.js';
+
+export default async function deviceUserFlowErrors(ctx, next) {
+  try {
+    await next();
+  } catch (err) {
+    if (!(err instanceof ReRenderError)) {
+      const out = errOut(err);
+
+      let code = ctx.oidc.deviceCode;
+
+      if (!code && ctx.oidc.entities.Interaction?.deviceCode) {
+        code = await ctx.oidc.provider.DeviceCode.find(
+          ctx.oidc.entities.Interaction.deviceCode,
+          { ignoreExpiration: true, ignoreSessionBinding: true },
+        );
+      }
+
+      if (code) {
+        Object.assign(code, {
+          error: out.error,
+          errorDescription: out.error_description,
+        });
+        await code.save();
+        if (err instanceof AccessDenied) {
+          throw new AbortedError();
+        }
+      }
+    }
+
+    throw err;
+  }
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_response.js

@@ -0,0 +1,55 @@
+import instance from '../../helpers/weak_cache.js';
+import combinedScope from '../../helpers/combined_scope.js';
+
+export default async function deviceVerificationResponse(ctx) {
+  const { configuration, features } = instance(ctx.oidc.provider);
+  const code = ctx.oidc.deviceCode;
+
+  const scopeSet = combinedScope(
+    ctx.oidc.grant,
+    ctx.oidc.requestParamScopes,
+    ctx.oidc.resourceServers,
+  );
+
+  Object.assign(code, {
+    accountId: ctx.oidc.session.accountId,
+    acr: ctx.oidc.acr,
+    amr: ctx.oidc.amr,
+    authTime: ctx.oidc.session.authTime(),
+    claims: ctx.oidc.claims,
+    grantId: ctx.oidc.session.grantIdFor(ctx.oidc.client.clientId),
+    scope: [...scopeSet].join(' '),
+    sessionUid: ctx.oidc.session.uid,
+    resource: Object.keys(ctx.oidc.resourceServers),
+  });
+
+  if (Object.keys(code.claims).length === 0) {
+    delete code.claims;
+  }
+
+  // eslint-disable-next-line default-case
+  switch (code.resource.length) {
+    case 0:
+      delete code.resource;
+      break;
+    case 1:
+      [code.resource] = code.resource;
+      break;
+  }
+
+  if (await configuration.expiresWithSession(ctx, code)) {
+    code.expiresWithSession = true;
+  } else {
+    ctx.oidc.session.authorizationFor(ctx.oidc.client.clientId).persistsLogout = true;
+  }
+
+  if (ctx.oidc.client.includeSid() || (ctx.oidc.claims.id_token && 'sid' in ctx.oidc.claims.id_token)) {
+    code.sid = ctx.oidc.session.sidFor(ctx.oidc.client.clientId);
+  }
+
+  await code.save();
+
+  await features.deviceFlow.successSource(ctx);
+
+  ctx.oidc.provider.emit('authorization.success', ctx);
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/index.js

@@ -0,0 +1,200 @@
+import noCache from '../../shared/no_cache.js';
+import bodyParser from '../../shared/conditional_body.js';
+import rejectDupes from '../../shared/reject_dupes.js';
+import paramsMiddleware from '../../shared/assemble_params.js';
+import sessionMiddleware from '../../shared/session.js';
+import instance from '../../helpers/weak_cache.js';
+import { PARAM_LIST } from '../../consts/index.js';
+import checkRar from '../../shared/check_rar.js';
+import checkResource from '../../shared/check_resource.js';
+import getClientAuth from '../../shared/client_auth.js';
+
+import checkClient from './check_client.js';
+import checkResponseMode from './check_response_mode.js';
+import rejectUnsupported from './reject_unsupported.js';
+import rejectRegistration from './reject_registration.js';
+import oauthRequired from './oauth_required.js';
+import oneRedirectUriClients from './one_redirect_uri_clients.js';
+import loadPushedAuthorizationRequest from './load_pushed_authorization_request.js';
+import processRequestObject from './process_request_object.js';
+import oidcRequired from './oidc_required.js';
+import cibaRequired from './ciba_required.js';
+import checkPrompt from './check_prompt.js';
+import checkMaxAge from './check_max_age.js';
+import checkIdTokenHint from './check_id_token_hint.js';
+import checkScope from './check_scope.js';
+import checkResponseType from './check_response_type.js';
+import checkRedirectUri from './check_redirect_uri.js';
+import assignDefaults from './assign_defaults.js';
+import checkClaims from './check_claims.js';
+import assignClaims from './assign_claims.js';
+import loadAccount from './load_account.js';
+import loadGrant from './load_grant.js';
+import interactions from './interactions.js';
+import respond from './respond.js';
+import checkPKCE from './check_pkce.js';
+import interactionEmit from './interaction_emit.js';
+import getResume from './resume.js';
+import checkClientGrantType from './check_client_grant_type.js';
+import checkOpenidScope from './check_openid_scope.js';
+import deviceAuthorizationResponse from './device_authorization_response.js';
+import authenticatedClientId from './authenticated_client_id.js';
+import deviceUserFlow from './device_user_flow.js';
+import deviceUserFlowErrors from './device_user_flow_errors.js';
+import deviceUserFlowResponse from './device_user_flow_response.js';
+import pushedAuthorizationRequestRemapErrors from './pushed_authorization_request_remap_errors.js';
+import backchannelRequestRemapErrors from './backchannel_request_remap_errors.js';
+import stripOutsideJarParams from './strip_outside_jar_params.js';
+import pushedAuthorizationRequestResponse from './pushed_authorization_request_response.js';
+import cibaLoadAccount from './ciba_load_account.js';
+import checkRequestedExpiry from './check_requested_expiry.js';
+import backchannelRequestResponse from './backchannel_request_response.js';
+import checkCibaContext from './check_ciba_context.js';
+import checkDpopJkt from './check_dpop_jkt.js';
+import checkExtraParams from './check_extra_params.js';
+import unsupportedRar from './unsupported_rar.js';
+
+const A = 'authorization';
+const R = 'resume';
+const DA = 'device_authorization';
+const CV = 'code_verification';
+const DR = 'device_resume';
+const PAR = 'pushed_authorization_request';
+const BA = 'backchannel_authentication';
+
+const authRequired = new Set([DA, PAR, BA]);
+
+const parseBody = bodyParser.bind(undefined, 'application/x-www-form-urlencoded');
+
+export default function authorizationAction(provider, endpoint) {
+  const {
+    features: {
+      claimsParameter,
+      dPoP,
+      resourceIndicators,
+      richAuthorizationRequests,
+      webMessageResponseMode,
+    },
+    extraParams,
+  } = instance(provider).configuration;
+
+  const allowList = new Set(PARAM_LIST);
+
+  if (webMessageResponseMode.enabled) {
+    allowList.add('web_message_uri'); // adding it just so that it can be rejected when detected
+  }
+
+  if (claimsParameter.enabled) {
+    allowList.add('claims');
+  }
+
+  let rejectDupesMiddleware = rejectDupes.bind(undefined, {});
+  if (resourceIndicators.enabled) {
+    allowList.add('resource');
+    rejectDupesMiddleware = rejectDupes.bind(undefined, { except: new Set(['resource']) });
+  }
+
+  if (richAuthorizationRequests.enabled) {
+    allowList.add('authorization_details');
+  }
+
+  extraParams.forEach(Set.prototype.add.bind(allowList));
+
+  if ([DA, CV, DR, BA].includes(endpoint)) {
+    allowList.delete('web_message_uri');
+    allowList.delete('response_type');
+    allowList.delete('response_mode');
+    allowList.delete('code_challenge_method');
+    allowList.delete('code_challenge');
+    allowList.delete('state');
+    allowList.delete('redirect_uri');
+    allowList.delete('prompt');
+  }
+
+  if (endpoint === BA) {
+    allowList.add('client_notification_token');
+    allowList.add('login_hint_token');
+    allowList.add('binding_message');
+    allowList.add('user_code');
+    allowList.add('request_context');
+    allowList.add('requested_expiry');
+  }
+
+  if (dPoP && [A, R, PAR].includes(endpoint)) {
+    allowList.add('dpop_jkt');
+  }
+
+  const stack = [];
+
+  const use = (middleware, ...only) => {
+    if (only.includes(endpoint)) {
+      stack.push(middleware());
+    }
+  };
+  const returnTo = /^(code|device)_/.test(endpoint) ? 'device_resume' : 'resume';
+
+  /* eslint-disable no-multi-spaces, space-in-parens, function-paren-newline */
+  use(() => noCache,                                        A, DA, R, CV, DR, PAR, BA);
+  use(() => sessionMiddleware,                              A,     R,     DR         );
+  use(() => deviceUserFlowErrors,                                     CV, DR         );
+  use(() => getResume.bind(undefined, allowList, returnTo),        R,     DR         );
+  use(() => deviceUserFlow.bind(undefined, allowList),                CV, DR         );
+  use(() => parseBody,                                      A, DA,            PAR, BA);
+  if (authRequired.has(endpoint)) {
+    const { params: authParams, middleware: clientAuth } = getClientAuth(provider);
+    use(() => paramsMiddleware.bind(undefined, authParams),    DA,            PAR, BA);
+    for (const clientAuthMiddlware of clientAuth) {
+      use(() => clientAuthMiddlware,                           DA,            PAR, BA);
+    }
+  }
+  use(() => authenticatedClientId,                             DA,                 BA);
+  use(() => paramsMiddleware.bind(undefined, allowList),    A, DA,            PAR, BA);
+  use(() => rejectDupesMiddleware,                          A, DA,            PAR, BA);
+  use(() => rejectUnsupported,                              A, DA,            PAR, BA);
+  use(() => stripOutsideJarParams,                                            PAR, BA);
+  use(() => checkClient,                                    A, DA, R, CV, DR         );
+  use(() => checkClientGrantType,                              DA,                 BA);
+  use(() => pushedAuthorizationRequestRemapErrors,                            PAR    );
+  use(() => backchannelRequestRemapErrors,                                         BA);
+  use(() => loadPushedAuthorizationRequest,                 A                        );
+  use(() => processRequestObject.bind(
+    undefined, allowList, rejectDupesMiddleware,
+  ),                                                        A, DA,            PAR, BA);
+  use(() => checkResponseMode,                              A,                PAR    );
+  use(() => oneRedirectUriClients,                          A,                PAR    );
+  use(() => oauthRequired,                                  A,                PAR    );
+  use(() => rejectRegistration,                             A, DA,            PAR, BA);
+  use(() => checkResponseType,                              A,                PAR    );
+  use(() => oidcRequired,                                   A,                PAR    );
+  use(() => cibaRequired,                                                          BA);
+  use(() => assignDefaults,                                 A, DA,                 BA);
+  use(() => checkPrompt,                                    A,                PAR    );
+  use(() => checkScope.bind(undefined, allowList),          A, DA,            PAR, BA);
+  use(() => checkOpenidScope.bind(undefined, allowList),    A, DA,            PAR, BA);
+  use(() => checkRedirectUri,                               A,                PAR    );
+  use(() => checkPKCE,                                      A,                PAR    );
+  use(() => checkClaims,                                    A, DA,            PAR, BA);
+  use(() => unsupportedRar,                                    DA                    );
+  use(() => checkRar,                                       A,                PAR, BA);
+  use(() => checkResource,                                  A, DA, R, CV, DR, PAR, BA);
+  use(() => checkMaxAge,                                    A, DA,            PAR, BA);
+  use(() => checkRequestedExpiry,                                                  BA);
+  use(() => checkCibaContext,                                                      BA);
+  use(() => checkIdTokenHint,                               A, DA,            PAR    );
+  use(() => checkDpopJkt,                                                     PAR    );
+  use(() => checkExtraParams,                               A, DA,            PAR, BA);
+  use(() => interactionEmit,                                     A,     R, CV, DR    );
+  use(() => assignClaims,                                   A,     R, CV, DR,      BA);
+  use(() => cibaLoadAccount,                                                       BA);
+  use(() => loadAccount,                                    A,     R, CV, DR         );
+  use(() => loadGrant,                                      A,     R, CV, DR         );
+  use(() => interactions.bind(undefined, returnTo),         A,     R, CV, DR         );
+  use(() => respond,                                        A,     R                 );
+  use(() => deviceAuthorizationResponse,                       DA                    );
+  use(() => deviceUserFlowResponse,                                   CV, DR         );
+  use(() => pushedAuthorizationRequestResponse,                               PAR    );
+  use(() => backchannelRequestResponse,                                            BA);
+  /* eslint-enable no-multi-spaces, space-in-parens, function-paren-newline */
+
+  return stack;
+}

package/dist/node_modules/oidc-provider/lib/actions/authorization/interaction_emit.js

@@ -0,0 +1,9 @@
+const resumeRoutes = new Set(['resume', 'device_resume']);
+
+export default function interactionEmit(ctx, next) {
+  if (resumeRoutes.has(ctx.oidc.route)) {
+    ctx.oidc.provider.emit('interaction.ended', ctx);
+  }
+
+  return next();
+}