@nocobase/plugin-idp-oauth 2.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (451) hide show
  1. package/LICENSE.txt +107 -0
  2. package/README.md +14 -0
  3. package/build.config.ts +46 -0
  4. package/client.d.ts +2 -0
  5. package/client.js +1 -0
  6. package/dist/client/ErrorPage.d.ts +11 -0
  7. package/dist/client/InteractionPage.d.ts +11 -0
  8. package/dist/client/index.d.ts +9 -0
  9. package/dist/client/index.js +10 -0
  10. package/dist/client/locale.d.ts +10 -0
  11. package/dist/client/models/index.d.ts +11 -0
  12. package/dist/client/plugin.d.ts +13 -0
  13. package/dist/externalVersion.js +18 -0
  14. package/dist/index.d.ts +10 -0
  15. package/dist/index.js +48 -0
  16. package/dist/locale/en-US.json +1 -0
  17. package/dist/locale/zh-CN.json +1 -0
  18. package/dist/node_modules/eta/LICENSE +7 -0
  19. package/dist/node_modules/eta/README.md +185 -0
  20. package/dist/node_modules/eta/dist/core.d.ts +179 -0
  21. package/dist/node_modules/eta/dist/core.d.ts.map +1 -0
  22. package/dist/node_modules/eta/dist/core.js +42 -0
  23. package/dist/node_modules/eta/dist/core.js.map +1 -0
  24. package/dist/node_modules/eta/dist/index.cjs +542 -0
  25. package/dist/node_modules/eta/dist/index.cjs.map +1 -0
  26. package/dist/node_modules/eta/dist/index.d.cts +187 -0
  27. package/dist/node_modules/eta/dist/index.d.cts.map +1 -0
  28. package/dist/node_modules/eta/dist/index.d.mts +187 -0
  29. package/dist/node_modules/eta/dist/index.d.mts.map +1 -0
  30. package/dist/node_modules/eta/dist/index.mjs +512 -0
  31. package/dist/node_modules/eta/dist/index.mjs.map +1 -0
  32. package/dist/node_modules/eta/package.json +75 -0
  33. package/dist/node_modules/jose/LICENSE.md +21 -0
  34. package/dist/node_modules/jose/README.md +153 -0
  35. package/dist/node_modules/jose/dist/types/index.d.ts +55 -0
  36. package/dist/node_modules/jose/dist/types/jwe/compact/decrypt.d.ts +31 -0
  37. package/dist/node_modules/jose/dist/types/jwe/compact/encrypt.d.ts +65 -0
  38. package/dist/node_modules/jose/dist/types/jwe/flattened/decrypt.d.ts +31 -0
  39. package/dist/node_modules/jose/dist/types/jwe/flattened/encrypt.d.ts +83 -0
  40. package/dist/node_modules/jose/dist/types/jwe/general/decrypt.d.ts +38 -0
  41. package/dist/node_modules/jose/dist/types/jwe/general/encrypt.d.ts +74 -0
  42. package/dist/node_modules/jose/dist/types/jwk/embedded.d.ts +17 -0
  43. package/dist/node_modules/jose/dist/types/jwk/thumbprint.d.ts +32 -0
  44. package/dist/node_modules/jose/dist/types/jwks/local.d.ts +29 -0
  45. package/dist/node_modules/jose/dist/types/jwks/remote.d.ts +237 -0
  46. package/dist/node_modules/jose/dist/types/jws/compact/sign.d.ts +36 -0
  47. package/dist/node_modules/jose/dist/types/jws/compact/verify.d.ts +33 -0
  48. package/dist/node_modules/jose/dist/types/jws/flattened/sign.d.ts +42 -0
  49. package/dist/node_modules/jose/dist/types/jws/flattened/verify.d.ts +33 -0
  50. package/dist/node_modules/jose/dist/types/jws/general/sign.d.ts +53 -0
  51. package/dist/node_modules/jose/dist/types/jws/general/verify.d.ts +41 -0
  52. package/dist/node_modules/jose/dist/types/jwt/decrypt.d.ts +35 -0
  53. package/dist/node_modules/jose/dist/types/jwt/encrypt.d.ts +91 -0
  54. package/dist/node_modules/jose/dist/types/jwt/sign.d.ts +43 -0
  55. package/dist/node_modules/jose/dist/types/jwt/unsecured.d.ts +43 -0
  56. package/dist/node_modules/jose/dist/types/jwt/verify.d.ts +37 -0
  57. package/dist/node_modules/jose/dist/types/key/export.d.ts +33 -0
  58. package/dist/node_modules/jose/dist/types/key/generate_key_pair.d.ts +47 -0
  59. package/dist/node_modules/jose/dist/types/key/generate_secret.d.ts +35 -0
  60. package/dist/node_modules/jose/dist/types/key/import.d.ts +83 -0
  61. package/dist/node_modules/jose/dist/types/types.d.ts +852 -0
  62. package/dist/node_modules/jose/dist/types/util/base64url.d.ts +9 -0
  63. package/dist/node_modules/jose/dist/types/util/decode_jwt.d.ts +18 -0
  64. package/dist/node_modules/jose/dist/types/util/decode_protected_header.d.ts +17 -0
  65. package/dist/node_modules/jose/dist/types/util/errors.d.ts +213 -0
  66. package/dist/node_modules/jose/dist/webapi/index.js +32 -0
  67. package/dist/node_modules/jose/dist/webapi/jwe/compact/decrypt.js +27 -0
  68. package/dist/node_modules/jose/dist/webapi/jwe/compact/encrypt.js +27 -0
  69. package/dist/node_modules/jose/dist/webapi/jwe/flattened/decrypt.js +155 -0
  70. package/dist/node_modules/jose/dist/webapi/jwe/flattened/encrypt.js +165 -0
  71. package/dist/node_modules/jose/dist/webapi/jwe/general/decrypt.js +31 -0
  72. package/dist/node_modules/jose/dist/webapi/jwe/general/encrypt.js +182 -0
  73. package/dist/node_modules/jose/dist/webapi/jwk/embedded.js +17 -0
  74. package/dist/node_modules/jose/dist/webapi/jwk/thumbprint.js +68 -0
  75. package/dist/node_modules/jose/dist/webapi/jwks/local.js +119 -0
  76. package/dist/node_modules/jose/dist/webapi/jwks/remote.js +179 -0
  77. package/dist/node_modules/jose/dist/webapi/jws/compact/sign.js +18 -0
  78. package/dist/node_modules/jose/dist/webapi/jws/compact/verify.js +21 -0
  79. package/dist/node_modules/jose/dist/webapi/jws/flattened/sign.js +89 -0
  80. package/dist/node_modules/jose/dist/webapi/jws/flattened/verify.js +110 -0
  81. package/dist/node_modules/jose/dist/webapi/jws/general/sign.js +70 -0
  82. package/dist/node_modules/jose/dist/webapi/jws/general/verify.js +24 -0
  83. package/dist/node_modules/jose/dist/webapi/jwt/decrypt.js +23 -0
  84. package/dist/node_modules/jose/dist/webapi/jwt/encrypt.js +101 -0
  85. package/dist/node_modules/jose/dist/webapi/jwt/sign.js +52 -0
  86. package/dist/node_modules/jose/dist/webapi/jwt/unsecured.js +63 -0
  87. package/dist/node_modules/jose/dist/webapi/jwt/verify.js +15 -0
  88. package/dist/node_modules/jose/dist/webapi/key/export.js +11 -0
  89. package/dist/node_modules/jose/dist/webapi/key/generate_key_pair.js +97 -0
  90. package/dist/node_modules/jose/dist/webapi/key/generate_secret.js +40 -0
  91. package/dist/node_modules/jose/dist/webapi/key/import.js +57 -0
  92. package/dist/node_modules/jose/dist/webapi/lib/aesgcmkw.js +15 -0
  93. package/dist/node_modules/jose/dist/webapi/lib/aeskw.js +25 -0
  94. package/dist/node_modules/jose/dist/webapi/lib/asn1.js +243 -0
  95. package/dist/node_modules/jose/dist/webapi/lib/base64.js +22 -0
  96. package/dist/node_modules/jose/dist/webapi/lib/buffer_utils.js +43 -0
  97. package/dist/node_modules/jose/dist/webapi/lib/check_key_type.js +122 -0
  98. package/dist/node_modules/jose/dist/webapi/lib/content_encryption.js +217 -0
  99. package/dist/node_modules/jose/dist/webapi/lib/crypto_key.js +136 -0
  100. package/dist/node_modules/jose/dist/webapi/lib/deflate.js +44 -0
  101. package/dist/node_modules/jose/dist/webapi/lib/ecdhes.js +52 -0
  102. package/dist/node_modules/jose/dist/webapi/lib/helpers.js +19 -0
  103. package/dist/node_modules/jose/dist/webapi/lib/invalid_key_input.js +27 -0
  104. package/dist/node_modules/jose/dist/webapi/lib/is_key_like.js +17 -0
  105. package/dist/node_modules/jose/dist/webapi/lib/jwk_to_key.js +107 -0
  106. package/dist/node_modules/jose/dist/webapi/lib/jwt_claims_set.js +238 -0
  107. package/dist/node_modules/jose/dist/webapi/lib/key_management.js +186 -0
  108. package/dist/node_modules/jose/dist/webapi/lib/key_to_jwk.js +31 -0
  109. package/dist/node_modules/jose/dist/webapi/lib/normalize_key.js +166 -0
  110. package/dist/node_modules/jose/dist/webapi/lib/pbes2kw.js +39 -0
  111. package/dist/node_modules/jose/dist/webapi/lib/rsaes.js +24 -0
  112. package/dist/node_modules/jose/dist/webapi/lib/signing.js +68 -0
  113. package/dist/node_modules/jose/dist/webapi/lib/type_checks.js +40 -0
  114. package/dist/node_modules/jose/dist/webapi/lib/validate_algorithms.js +10 -0
  115. package/dist/node_modules/jose/dist/webapi/lib/validate_crit.js +33 -0
  116. package/dist/node_modules/jose/dist/webapi/util/base64url.js +30 -0
  117. package/dist/node_modules/jose/dist/webapi/util/decode_jwt.js +32 -0
  118. package/dist/node_modules/jose/dist/webapi/util/decode_protected_header.js +34 -0
  119. package/dist/node_modules/jose/dist/webapi/util/errors.js +99 -0
  120. package/dist/node_modules/jose/package.json +200 -0
  121. package/dist/node_modules/light-my-request/.gitattributes +2 -0
  122. package/dist/node_modules/light-my-request/.github/dependabot.yml +13 -0
  123. package/dist/node_modules/light-my-request/.github/stale.yml +21 -0
  124. package/dist/node_modules/light-my-request/.github/workflows/benchmark.yml +30 -0
  125. package/dist/node_modules/light-my-request/.github/workflows/ci.yml +23 -0
  126. package/dist/node_modules/light-my-request/LICENSE +32 -0
  127. package/dist/node_modules/light-my-request/benchmark/benchmark.js +164 -0
  128. package/dist/node_modules/light-my-request/build/build-validation.js +100 -0
  129. package/dist/node_modules/light-my-request/eslint.config.js +9 -0
  130. package/dist/node_modules/light-my-request/index.js +2 -0
  131. package/dist/node_modules/light-my-request/lib/config-validator.js +919 -0
  132. package/dist/node_modules/light-my-request/lib/form-data.js +79 -0
  133. package/dist/node_modules/light-my-request/lib/parse-url.js +47 -0
  134. package/dist/node_modules/light-my-request/lib/request.js +290 -0
  135. package/dist/node_modules/light-my-request/lib/response.js +240 -0
  136. package/dist/node_modules/light-my-request/node_modules/process-warning/.gitattributes +2 -0
  137. package/dist/node_modules/light-my-request/node_modules/process-warning/.github/dependabot.yml +13 -0
  138. package/dist/node_modules/light-my-request/node_modules/process-warning/.github/workflows/ci.yml +24 -0
  139. package/dist/node_modules/light-my-request/node_modules/process-warning/.taprc +2 -0
  140. package/dist/node_modules/light-my-request/node_modules/process-warning/benchmarks/warn.js +25 -0
  141. package/dist/node_modules/light-my-request/node_modules/process-warning/eslint.config.js +6 -0
  142. package/dist/node_modules/light-my-request/node_modules/process-warning/examples/example.js +11 -0
  143. package/dist/node_modules/light-my-request/node_modules/process-warning/index.js +124 -0
  144. package/dist/node_modules/light-my-request/node_modules/process-warning/package.json +73 -0
  145. package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-interpolated-string.test.js +29 -0
  146. package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-once-only.test.js +28 -0
  147. package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-reset.test.js +36 -0
  148. package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-set.test.js +30 -0
  149. package/dist/node_modules/light-my-request/node_modules/process-warning/test/emit-unlimited.test.js +37 -0
  150. package/dist/node_modules/light-my-request/node_modules/process-warning/test/index.test.js +99 -0
  151. package/dist/node_modules/light-my-request/node_modules/process-warning/test/issue-88.test.js +33 -0
  152. package/dist/node_modules/light-my-request/node_modules/process-warning/test/jest.test.js +22 -0
  153. package/dist/node_modules/light-my-request/node_modules/process-warning/test/no-warnings.test.js +80 -0
  154. package/dist/node_modules/light-my-request/node_modules/process-warning/types/index.d.ts +37 -0
  155. package/dist/node_modules/light-my-request/node_modules/process-warning/types/index.test-d.ts +36 -0
  156. package/dist/node_modules/light-my-request/package.json +1 -0
  157. package/dist/node_modules/light-my-request/test/async-await.test.js +55 -0
  158. package/dist/node_modules/light-my-request/test/index.test.js +2316 -0
  159. package/dist/node_modules/light-my-request/test/request.test.js +16 -0
  160. package/dist/node_modules/light-my-request/test/response.test.js +19 -0
  161. package/dist/node_modules/light-my-request/test/stream.test.js +359 -0
  162. package/dist/node_modules/light-my-request/types/index.d.ts +128 -0
  163. package/dist/node_modules/light-my-request/types/index.test-d.ts +149 -0
  164. package/dist/node_modules/oidc-provider/LICENSE.md +21 -0
  165. package/dist/node_modules/oidc-provider/README.md +174 -0
  166. package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_claims.js +28 -0
  167. package/dist/node_modules/oidc-provider/lib/actions/authorization/assign_defaults.js +17 -0
  168. package/dist/node_modules/oidc-provider/lib/actions/authorization/authenticated_client_id.js +6 -0
  169. package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_remap_errors.js +17 -0
  170. package/dist/node_modules/oidc-provider/lib/actions/authorization/backchannel_request_response.js +41 -0
  171. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_ciba_context.js +12 -0
  172. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_claims.js +68 -0
  173. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client.js +21 -0
  174. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_client_grant_type.js +21 -0
  175. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_dpop_jkt.js +35 -0
  176. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_extra_params.js +18 -0
  177. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_id_token_hint.js +23 -0
  178. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_max_age.js +25 -0
  179. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_openid_scope.js +47 -0
  180. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_pkce.js +41 -0
  181. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_prompt.js +25 -0
  182. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_redirect_uri.js +41 -0
  183. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_requested_expiry.js +16 -0
  184. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_mode.js +54 -0
  185. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_response_type.js +26 -0
  186. package/dist/node_modules/oidc-provider/lib/actions/authorization/check_scope.js +53 -0
  187. package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_load_account.js +58 -0
  188. package/dist/node_modules/oidc-provider/lib/actions/authorization/ciba_required.js +13 -0
  189. package/dist/node_modules/oidc-provider/lib/actions/authorization/device_authorization_response.js +31 -0
  190. package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow.js +31 -0
  191. package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_errors.js +37 -0
  192. package/dist/node_modules/oidc-provider/lib/actions/authorization/device_user_flow_response.js +55 -0
  193. package/dist/node_modules/oidc-provider/lib/actions/authorization/index.js +200 -0
  194. package/dist/node_modules/oidc-provider/lib/actions/authorization/interaction_emit.js +9 -0
  195. package/dist/node_modules/oidc-provider/lib/actions/authorization/interactions.js +149 -0
  196. package/dist/node_modules/oidc-provider/lib/actions/authorization/load_account.js +15 -0
  197. package/dist/node_modules/oidc-provider/lib/actions/authorization/load_grant.js +29 -0
  198. package/dist/node_modules/oidc-provider/lib/actions/authorization/load_pushed_authorization_request.js +36 -0
  199. package/dist/node_modules/oidc-provider/lib/actions/authorization/oauth_required.js +11 -0
  200. package/dist/node_modules/oidc-provider/lib/actions/authorization/oidc_required.js +27 -0
  201. package/dist/node_modules/oidc-provider/lib/actions/authorization/one_redirect_uri_clients.js +20 -0
  202. package/dist/node_modules/oidc-provider/lib/actions/authorization/process_request_object.js +214 -0
  203. package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_remap_errors.js +17 -0
  204. package/dist/node_modules/oidc-provider/lib/actions/authorization/pushed_authorization_request_response.js +65 -0
  205. package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_registration.js +12 -0
  206. package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_request_and_uri.js +12 -0
  207. package/dist/node_modules/oidc-provider/lib/actions/authorization/reject_unsupported.js +33 -0
  208. package/dist/node_modules/oidc-provider/lib/actions/authorization/respond.js +46 -0
  209. package/dist/node_modules/oidc-provider/lib/actions/authorization/resume.js +111 -0
  210. package/dist/node_modules/oidc-provider/lib/actions/authorization/strip_outside_jar_params.js +19 -0
  211. package/dist/node_modules/oidc-provider/lib/actions/authorization/unsupported_rar.js +9 -0
  212. package/dist/node_modules/oidc-provider/lib/actions/challenge.js +22 -0
  213. package/dist/node_modules/oidc-provider/lib/actions/code_verification.js +122 -0
  214. package/dist/node_modules/oidc-provider/lib/actions/discovery.js +151 -0
  215. package/dist/node_modules/oidc-provider/lib/actions/end_session.js +222 -0
  216. package/dist/node_modules/oidc-provider/lib/actions/grants/authorization_code.js +144 -0
  217. package/dist/node_modules/oidc-provider/lib/actions/grants/ciba.js +127 -0
  218. package/dist/node_modules/oidc-provider/lib/actions/grants/client_credentials.js +79 -0
  219. package/dist/node_modules/oidc-provider/lib/actions/grants/device_code.js +125 -0
  220. package/dist/node_modules/oidc-provider/lib/actions/grants/index.js +7 -0
  221. package/dist/node_modules/oidc-provider/lib/actions/grants/refresh_token.js +229 -0
  222. package/dist/node_modules/oidc-provider/lib/actions/index.js +25 -0
  223. package/dist/node_modules/oidc-provider/lib/actions/interaction.js +150 -0
  224. package/dist/node_modules/oidc-provider/lib/actions/introspection.js +164 -0
  225. package/dist/node_modules/oidc-provider/lib/actions/jwks.js +7 -0
  226. package/dist/node_modules/oidc-provider/lib/actions/registration.js +274 -0
  227. package/dist/node_modules/oidc-provider/lib/actions/revocation.js +81 -0
  228. package/dist/node_modules/oidc-provider/lib/actions/token.js +74 -0
  229. package/dist/node_modules/oidc-provider/lib/actions/userinfo.js +183 -0
  230. package/dist/node_modules/oidc-provider/lib/adapters/memory_adapter.js +95 -0
  231. package/dist/node_modules/oidc-provider/lib/consts/client_attributes.js +211 -0
  232. package/dist/node_modules/oidc-provider/lib/consts/dev_keystore.js +18 -0
  233. package/dist/node_modules/oidc-provider/lib/consts/index.js +13 -0
  234. package/dist/node_modules/oidc-provider/lib/consts/jwa.js +47 -0
  235. package/dist/node_modules/oidc-provider/lib/consts/non_rejectable_claims.js +1 -0
  236. package/dist/node_modules/oidc-provider/lib/consts/param_list.js +23 -0
  237. package/dist/node_modules/oidc-provider/lib/helpers/_/camel_case.js +1 -0
  238. package/dist/node_modules/oidc-provider/lib/helpers/_/defaults.js +28 -0
  239. package/dist/node_modules/oidc-provider/lib/helpers/_/difference.js +1 -0
  240. package/dist/node_modules/oidc-provider/lib/helpers/_/is_plain_object.js +1 -0
  241. package/dist/node_modules/oidc-provider/lib/helpers/_/map_keys.js +9 -0
  242. package/dist/node_modules/oidc-provider/lib/helpers/_/merge.js +25 -0
  243. package/dist/node_modules/oidc-provider/lib/helpers/_/omit_by.js +11 -0
  244. package/dist/node_modules/oidc-provider/lib/helpers/_/pick.js +10 -0
  245. package/dist/node_modules/oidc-provider/lib/helpers/_/pick_by.js +10 -0
  246. package/dist/node_modules/oidc-provider/lib/helpers/_/remove.js +9 -0
  247. package/dist/node_modules/oidc-provider/lib/helpers/_/set.js +18 -0
  248. package/dist/node_modules/oidc-provider/lib/helpers/_/snake_case.js +1 -0
  249. package/dist/node_modules/oidc-provider/lib/helpers/_/upper_first.js +1 -0
  250. package/dist/node_modules/oidc-provider/lib/helpers/account_claims.js +6 -0
  251. package/dist/node_modules/oidc-provider/lib/helpers/add_client.js +14 -0
  252. package/dist/node_modules/oidc-provider/lib/helpers/als.js +3 -0
  253. package/dist/node_modules/oidc-provider/lib/helpers/append_www_authenticate.js +9 -0
  254. package/dist/node_modules/oidc-provider/lib/helpers/attention.js +23 -0
  255. package/dist/node_modules/oidc-provider/lib/helpers/base64url.js +11 -0
  256. package/dist/node_modules/oidc-provider/lib/helpers/certificate_thumbprint.js +15 -0
  257. package/dist/node_modules/oidc-provider/lib/helpers/challenge.js +111 -0
  258. package/dist/node_modules/oidc-provider/lib/helpers/check_attest_binding.js +10 -0
  259. package/dist/node_modules/oidc-provider/lib/helpers/claims.js +79 -0
  260. package/dist/node_modules/oidc-provider/lib/helpers/client_id_metadata_document.js +198 -0
  261. package/dist/node_modules/oidc-provider/lib/helpers/client_schema.js +700 -0
  262. package/dist/node_modules/oidc-provider/lib/helpers/combined_scope.js +17 -0
  263. package/dist/node_modules/oidc-provider/lib/helpers/configuration.js +544 -0
  264. package/dist/node_modules/oidc-provider/lib/helpers/constant_equals.js +20 -0
  265. package/dist/node_modules/oidc-provider/lib/helpers/defaults.js +3510 -0
  266. package/dist/node_modules/oidc-provider/lib/helpers/epoch_time.js +1 -0
  267. package/dist/node_modules/oidc-provider/lib/helpers/err_out.js +17 -0
  268. package/dist/node_modules/oidc-provider/lib/helpers/errors.js +161 -0
  269. package/dist/node_modules/oidc-provider/lib/helpers/features.js +51 -0
  270. package/dist/node_modules/oidc-provider/lib/helpers/fetch_body_check.js +25 -0
  271. package/dist/node_modules/oidc-provider/lib/helpers/fetch_request.js +221 -0
  272. package/dist/node_modules/oidc-provider/lib/helpers/filter_claims.js +16 -0
  273. package/dist/node_modules/oidc-provider/lib/helpers/formatters.js +24 -0
  274. package/dist/node_modules/oidc-provider/lib/helpers/grant_common.js +214 -0
  275. package/dist/node_modules/oidc-provider/lib/helpers/html_safe.js +19 -0
  276. package/dist/node_modules/oidc-provider/lib/helpers/initialize_adapter.js +24 -0
  277. package/dist/node_modules/oidc-provider/lib/helpers/initialize_app.js +243 -0
  278. package/dist/node_modules/oidc-provider/lib/helpers/initialize_clients.js +24 -0
  279. package/dist/node_modules/oidc-provider/lib/helpers/initialize_keystore.js +310 -0
  280. package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/check.js +21 -0
  281. package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/index.js +43 -0
  282. package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompt.js +95 -0
  283. package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/consent.js +105 -0
  284. package/dist/node_modules/oidc-provider/lib/helpers/interaction_policy/prompts/login.js +162 -0
  285. package/dist/node_modules/oidc-provider/lib/helpers/jwt.js +211 -0
  286. package/dist/node_modules/oidc-provider/lib/helpers/keystore.js +301 -0
  287. package/dist/node_modules/oidc-provider/lib/helpers/nanoid.js +5 -0
  288. package/dist/node_modules/oidc-provider/lib/helpers/oidc_context.js +284 -0
  289. package/dist/node_modules/oidc-provider/lib/helpers/params.js +27 -0
  290. package/dist/node_modules/oidc-provider/lib/helpers/pkce.js +30 -0
  291. package/dist/node_modules/oidc-provider/lib/helpers/pkce_format.js +17 -0
  292. package/dist/node_modules/oidc-provider/lib/helpers/process_response_types.js +202 -0
  293. package/dist/node_modules/oidc-provider/lib/helpers/re_render_errors.js +39 -0
  294. package/dist/node_modules/oidc-provider/lib/helpers/redirect_uri.js +16 -0
  295. package/dist/node_modules/oidc-provider/lib/helpers/resolve_resource.js +33 -0
  296. package/dist/node_modules/oidc-provider/lib/helpers/resolve_response_mode.js +7 -0
  297. package/dist/node_modules/oidc-provider/lib/helpers/resource_server.js +20 -0
  298. package/dist/node_modules/oidc-provider/lib/helpers/revoke.js +27 -0
  299. package/dist/node_modules/oidc-provider/lib/helpers/script_src_sha.js +21 -0
  300. package/dist/node_modules/oidc-provider/lib/helpers/sector_identifier.js +19 -0
  301. package/dist/node_modules/oidc-provider/lib/helpers/sector_validate.js +55 -0
  302. package/dist/node_modules/oidc-provider/lib/helpers/set_rt_bindings.js +21 -0
  303. package/dist/node_modules/oidc-provider/lib/helpers/token_find.js +51 -0
  304. package/dist/node_modules/oidc-provider/lib/helpers/type_validators.js +8 -0
  305. package/dist/node_modules/oidc-provider/lib/helpers/user_code_form.js +19 -0
  306. package/dist/node_modules/oidc-provider/lib/helpers/user_codes.js +38 -0
  307. package/dist/node_modules/oidc-provider/lib/helpers/valid_url.js +8 -0
  308. package/dist/node_modules/oidc-provider/lib/helpers/validate_dpop.js +129 -0
  309. package/dist/node_modules/oidc-provider/lib/helpers/validate_presence.js +17 -0
  310. package/dist/node_modules/oidc-provider/lib/helpers/weak_cache.js +11 -0
  311. package/dist/node_modules/oidc-provider/lib/index.js +21 -0
  312. package/dist/node_modules/oidc-provider/lib/models/access_token.js +31 -0
  313. package/dist/node_modules/oidc-provider/lib/models/authorization_code.js +27 -0
  314. package/dist/node_modules/oidc-provider/lib/models/backchannel_authentication_request.js +26 -0
  315. package/dist/node_modules/oidc-provider/lib/models/base_model.js +141 -0
  316. package/dist/node_modules/oidc-provider/lib/models/base_token.js +86 -0
  317. package/dist/node_modules/oidc-provider/lib/models/client.js +593 -0
  318. package/dist/node_modules/oidc-provider/lib/models/client_credentials.js +19 -0
  319. package/dist/node_modules/oidc-provider/lib/models/device_code.js +44 -0
  320. package/dist/node_modules/oidc-provider/lib/models/formats/dynamic.js +21 -0
  321. package/dist/node_modules/oidc-provider/lib/models/formats/index.js +14 -0
  322. package/dist/node_modules/oidc-provider/lib/models/formats/jwt.js +198 -0
  323. package/dist/node_modules/oidc-provider/lib/models/formats/opaque.js +58 -0
  324. package/dist/node_modules/oidc-provider/lib/models/grant.js +243 -0
  325. package/dist/node_modules/oidc-provider/lib/models/id_token.js +271 -0
  326. package/dist/node_modules/oidc-provider/lib/models/index.js +37 -0
  327. package/dist/node_modules/oidc-provider/lib/models/initial_access_token.js +12 -0
  328. package/dist/node_modules/oidc-provider/lib/models/interaction.js +73 -0
  329. package/dist/node_modules/oidc-provider/lib/models/mixins/apply.js +4 -0
  330. package/dist/node_modules/oidc-provider/lib/models/mixins/consumable.js +17 -0
  331. package/dist/node_modules/oidc-provider/lib/models/mixins/has_format.js +46 -0
  332. package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_id.js +12 -0
  333. package/dist/node_modules/oidc-provider/lib/models/mixins/has_grant_type.js +8 -0
  334. package/dist/node_modules/oidc-provider/lib/models/mixins/has_policies.js +38 -0
  335. package/dist/node_modules/oidc-provider/lib/models/mixins/is_attestation_constrained.js +15 -0
  336. package/dist/node_modules/oidc-provider/lib/models/mixins/is_sender_constrained.js +50 -0
  337. package/dist/node_modules/oidc-provider/lib/models/mixins/is_session_bound.js +38 -0
  338. package/dist/node_modules/oidc-provider/lib/models/mixins/set_audience.js +21 -0
  339. package/dist/node_modules/oidc-provider/lib/models/mixins/stores_auth.js +16 -0
  340. package/dist/node_modules/oidc-provider/lib/models/mixins/stores_pkce.js +9 -0
  341. package/dist/node_modules/oidc-provider/lib/models/pushed_authorization_request.js +21 -0
  342. package/dist/node_modules/oidc-provider/lib/models/refresh_token.js +47 -0
  343. package/dist/node_modules/oidc-provider/lib/models/registration_access_token.js +8 -0
  344. package/dist/node_modules/oidc-provider/lib/models/replay_detection.js +31 -0
  345. package/dist/node_modules/oidc-provider/lib/models/session.js +192 -0
  346. package/dist/node_modules/oidc-provider/lib/provider.js +453 -0
  347. package/dist/node_modules/oidc-provider/lib/response_modes/form_post.js +36 -0
  348. package/dist/node_modules/oidc-provider/lib/response_modes/fragment.js +7 -0
  349. package/dist/node_modules/oidc-provider/lib/response_modes/index.js +15 -0
  350. package/dist/node_modules/oidc-provider/lib/response_modes/jwt.js +43 -0
  351. package/dist/node_modules/oidc-provider/lib/response_modes/query.js +7 -0
  352. package/dist/node_modules/oidc-provider/lib/response_modes/web_message.js +55 -0
  353. package/dist/node_modules/oidc-provider/lib/shared/assemble_params.js +7 -0
  354. package/dist/node_modules/oidc-provider/lib/shared/attest_client_auth.js +111 -0
  355. package/dist/node_modules/oidc-provider/lib/shared/authorization_error_handler.js +104 -0
  356. package/dist/node_modules/oidc-provider/lib/shared/check_rar.js +75 -0
  357. package/dist/node_modules/oidc-provider/lib/shared/check_resource.js +77 -0
  358. package/dist/node_modules/oidc-provider/lib/shared/client_auth.js +263 -0
  359. package/dist/node_modules/oidc-provider/lib/shared/conditional_body.js +9 -0
  360. package/dist/node_modules/oidc-provider/lib/shared/cors.js +49 -0
  361. package/dist/node_modules/oidc-provider/lib/shared/error_handler.js +59 -0
  362. package/dist/node_modules/oidc-provider/lib/shared/jwt_client_auth.js +79 -0
  363. package/dist/node_modules/oidc-provider/lib/shared/no_cache.js +4 -0
  364. package/dist/node_modules/oidc-provider/lib/shared/reject_dupes.js +45 -0
  365. package/dist/node_modules/oidc-provider/lib/shared/reject_structured_tokens.js +18 -0
  366. package/dist/node_modules/oidc-provider/lib/shared/selective_body.js +60 -0
  367. package/dist/node_modules/oidc-provider/lib/shared/session.js +68 -0
  368. package/dist/node_modules/oidc-provider/lib/shared/set_www_authenticate_header.js +52 -0
  369. package/dist/node_modules/oidc-provider/lib/views/index.js +22 -0
  370. package/dist/node_modules/oidc-provider/lib/views/interaction.js +171 -0
  371. package/dist/node_modules/oidc-provider/lib/views/layout.js +237 -0
  372. package/dist/node_modules/oidc-provider/lib/views/login.js +43 -0
  373. package/dist/node_modules/oidc-provider/node_modules/@koa/router/LICENSE +21 -0
  374. package/dist/node_modules/oidc-provider/node_modules/@koa/router/README.md +1370 -0
  375. package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.d.mts +1003 -0
  376. package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.d.ts +1003 -0
  377. package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.js +1616 -0
  378. package/dist/node_modules/oidc-provider/node_modules/@koa/router/dist/index.mjs +1573 -0
  379. package/dist/node_modules/oidc-provider/node_modules/@koa/router/package.json +122 -0
  380. package/dist/node_modules/oidc-provider/node_modules/debug/LICENSE +20 -0
  381. package/dist/node_modules/oidc-provider/node_modules/debug/README.md +481 -0
  382. package/dist/node_modules/oidc-provider/node_modules/debug/package.json +64 -0
  383. package/dist/node_modules/oidc-provider/node_modules/debug/src/browser.js +272 -0
  384. package/dist/node_modules/oidc-provider/node_modules/debug/src/common.js +292 -0
  385. package/dist/node_modules/oidc-provider/node_modules/debug/src/index.js +10 -0
  386. package/dist/node_modules/oidc-provider/node_modules/debug/src/node.js +263 -0
  387. package/dist/node_modules/oidc-provider/node_modules/http-errors/HISTORY.md +186 -0
  388. package/dist/node_modules/oidc-provider/node_modules/http-errors/LICENSE +23 -0
  389. package/dist/node_modules/oidc-provider/node_modules/http-errors/README.md +169 -0
  390. package/dist/node_modules/oidc-provider/node_modules/http-errors/index.js +290 -0
  391. package/dist/node_modules/oidc-provider/node_modules/http-errors/package.json +54 -0
  392. package/dist/node_modules/oidc-provider/node_modules/jsesc/LICENSE-MIT.txt +20 -0
  393. package/dist/node_modules/oidc-provider/node_modules/jsesc/README.md +422 -0
  394. package/dist/node_modules/oidc-provider/node_modules/jsesc/bin/jsesc +148 -0
  395. package/dist/node_modules/oidc-provider/node_modules/jsesc/jsesc.js +337 -0
  396. package/dist/node_modules/oidc-provider/node_modules/jsesc/man/jsesc.1 +94 -0
  397. package/dist/node_modules/oidc-provider/node_modules/jsesc/package.json +56 -0
  398. package/dist/node_modules/oidc-provider/node_modules/nanoid/LICENSE +20 -0
  399. package/dist/node_modules/oidc-provider/node_modules/nanoid/README.md +38 -0
  400. package/dist/node_modules/oidc-provider/node_modules/nanoid/bin/nanoid.js +55 -0
  401. package/dist/node_modules/oidc-provider/node_modules/nanoid/index.browser.js +29 -0
  402. package/dist/node_modules/oidc-provider/node_modules/nanoid/index.d.ts +106 -0
  403. package/dist/node_modules/oidc-provider/node_modules/nanoid/index.js +47 -0
  404. package/dist/node_modules/oidc-provider/node_modules/nanoid/nanoid.js +1 -0
  405. package/dist/node_modules/oidc-provider/node_modules/nanoid/non-secure/index.d.ts +48 -0
  406. package/dist/node_modules/oidc-provider/node_modules/nanoid/non-secure/index.js +21 -0
  407. package/dist/node_modules/oidc-provider/node_modules/nanoid/package.json +46 -0
  408. package/dist/node_modules/oidc-provider/node_modules/nanoid/url-alphabet/index.js +2 -0
  409. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/LICENSE +21 -0
  410. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/Readme.md +224 -0
  411. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.d.ts +144 -0
  412. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.js +409 -0
  413. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/dist/index.js.map +1 -0
  414. package/dist/node_modules/oidc-provider/node_modules/path-to-regexp/package.json +64 -0
  415. package/dist/node_modules/oidc-provider/node_modules/statuses/HISTORY.md +87 -0
  416. package/dist/node_modules/oidc-provider/node_modules/statuses/LICENSE +23 -0
  417. package/dist/node_modules/oidc-provider/node_modules/statuses/README.md +139 -0
  418. package/dist/node_modules/oidc-provider/node_modules/statuses/codes.json +65 -0
  419. package/dist/node_modules/oidc-provider/node_modules/statuses/index.js +146 -0
  420. package/dist/node_modules/oidc-provider/node_modules/statuses/package.json +49 -0
  421. package/dist/node_modules/oidc-provider/package.json +95 -0
  422. package/dist/node_modules/quick-lru/index.d.ts +178 -0
  423. package/dist/node_modules/quick-lru/index.js +329 -0
  424. package/dist/node_modules/quick-lru/license +9 -0
  425. package/dist/node_modules/quick-lru/package.json +54 -0
  426. package/dist/node_modules/quick-lru/readme.md +236 -0
  427. package/dist/node_modules/statuses/HISTORY.md +65 -0
  428. package/dist/node_modules/statuses/LICENSE +23 -0
  429. package/dist/node_modules/statuses/README.md +127 -0
  430. package/dist/node_modules/statuses/codes.json +66 -0
  431. package/dist/node_modules/statuses/index.js +113 -0
  432. package/dist/node_modules/statuses/package.json +48 -0
  433. package/dist/server/cache-adapter.d.ts +33 -0
  434. package/dist/server/cache-adapter.js +159 -0
  435. package/dist/server/index.d.ts +10 -0
  436. package/dist/server/index.js +48 -0
  437. package/dist/server/interaction.d.ts +26 -0
  438. package/dist/server/interaction.js +172 -0
  439. package/dist/server/paths.d.ts +19 -0
  440. package/dist/server/paths.js +64 -0
  441. package/dist/server/plugin.d.ts +16 -0
  442. package/dist/server/plugin.js +108 -0
  443. package/dist/server/provider-dispatch.d.ts +32 -0
  444. package/dist/server/provider-dispatch.js +252 -0
  445. package/dist/server/service.d.ts +63 -0
  446. package/dist/server/service.js +540 -0
  447. package/dist/server/utils.d.ts +12 -0
  448. package/dist/server/utils.js +58 -0
  449. package/package.json +24 -0
  450. package/server.d.ts +2 -0
  451. package/server.js +1 -0
package/dist/node_modules/oidc-provider/lib/helpers/check_attest_binding.js ADDED
@@ -0,0 +1,10 @@
1
+ import * as jose from 'jose';
2
+
3
+ import { InvalidGrant } from './errors.js';
4
+
5
+ export async function checkAttestBinding(ctx, model) {
6
+ const { cnf: { jwk } } = jose.decodeJwt(ctx.get('oauth-client-attestation'));
7
+ if (model.attestationJkt !== await jose.calculateJwkThumbprint(jwk)) {
8
+ throw new InvalidGrant('oauth-client-attestation instance public key mismatch');
9
+ }
10
+ }
package/dist/node_modules/oidc-provider/lib/helpers/claims.js ADDED
@@ -0,0 +1,79 @@
1
+ import instance from './weak_cache.js';
2
+ import pick from './_/pick.js';
3
+ import merge from './_/merge.js';
4
+ import isPlainObject from './_/is_plain_object.js';
5
+
6
+ export default function getClaims(provider) {
7
+ const {
8
+ claims: claimConfig, claimsSupported, pairwiseIdentifier,
9
+ } = instance(provider).configuration;
10
+
11
+ return class Claims {
12
+ constructor(available, { ctx, client = ctx ? ctx.oidc.client : undefined }) {
13
+ if (!isPlainObject(available)) {
14
+ throw new TypeError('expected claims to be an object, are you sure claims() method resolves with or returns one?');
15
+ }
16
+ if (!(client instanceof provider.Client)) {
17
+ throw new TypeError('second argument must be a Client instance');
18
+ }
19
+ this.available = available;
20
+ this.client = client;
21
+ this.ctx = ctx;
22
+ this.filter = {};
23
+ }
24
+
25
+ scope(value = '') {
26
+ if (Object.keys(this.filter).length) {
27
+ throw new Error('scope cannot be assigned after mask has been set');
28
+ }
29
+ value.split(' ').forEach((scope) => {
30
+ this.mask(claimConfig[scope]);
31
+ });
32
+ return this;
33
+ }
34
+
35
+ mask(value) {
36
+ merge(this.filter, value);
37
+ }
38
+
39
+ rejected(value = []) {
40
+ value.forEach((claim) => {
41
+ delete this.filter[claim];
42
+ });
43
+ }
44
+
45
+ async result() {
46
+ const { available } = this;
47
+ const include = Object.entries(this.filter)
48
+ .map(([key, value]) => {
49
+ if (value === null || isPlainObject(value)) {
50
+ return key;
51
+ }
52
+
53
+ return undefined;
54
+ })
55
+ .filter((key) => key && claimsSupported.has(key));
56
+
57
+ const claims = pick(available, ...include);
58
+
59
+ if (available._claim_names && available._claim_sources) {
60
+ claims._claim_names = pick(available._claim_names, ...include);
61
+ claims._claim_sources = pick(
62
+ available._claim_sources,
63
+ ...Object.values(claims._claim_names),
64
+ );
65
+
66
+ if (!Object.keys(claims._claim_names).length) {
67
+ delete claims._claim_names;
68
+ delete claims._claim_sources;
69
+ }
70
+ }
71
+
72
+ if (this.client.subjectType === 'pairwise' && claims.sub) {
73
+ claims.sub = await pairwiseIdentifier(this.ctx, claims.sub, this.client);
74
+ }
75
+
76
+ return claims;
77
+ }
78
+ };
79
+ }
package/dist/node_modules/oidc-provider/lib/helpers/client_id_metadata_document.js ADDED
@@ -0,0 +1,198 @@
1
+ import { WEB_URI } from '../consts/client_attributes.js';
2
+
3
+ import instance from './weak_cache.js';
4
+ import addClient from './add_client.js';
5
+ import als from './als.js';
6
+ import { InvalidClient, InvalidClientMetadata } from './errors.js';
7
+ import fetchBodyCheck from './fetch_body_check.js';
8
+ import fetchRequest from './fetch_request.js';
9
+
10
+ const FORBIDDEN_AUTH_METHODS = new Set([
11
+ 'client_secret_basic',
12
+ 'client_secret_post',
13
+ 'client_secret_jwt',
14
+ ]);
15
+
16
+ const cache = new WeakMap();
17
+
18
+ function getCache(provider) {
19
+ let entries = cache.get(provider);
20
+ if (!entries) {
21
+ entries = new Map();
22
+ cache.set(provider, entries);
23
+ }
24
+ return entries;
25
+ }
26
+
27
+ export function isValidClientIdUrl(id) {
28
+ const url = URL.parse(id);
29
+
30
+ if (!url) {
31
+ return false;
32
+ }
33
+
34
+ // MUST have an "https" scheme
35
+ if (url.protocol !== 'https:') {
36
+ return false;
37
+ }
38
+
39
+ // MUST contain a path component (not just "/")
40
+ if (!url.pathname || url.pathname === '/') {
41
+ return false;
42
+ }
43
+
44
+ // MUST NOT contain single-dot or double-dot path segments
45
+ // URL.parse normalizes dot segments, so check the raw input
46
+ const rawPath = id.replace(/^https:\/\/[^/]*/i, '').split('?')[0].split('#')[0];
47
+ const rawSegments = rawPath.split('/');
48
+ if (rawSegments.some((seg) => seg === '.' || seg === '..')) {
49
+ return false;
50
+ }
51
+
52
+ // MUST NOT contain a fragment component
53
+ if (url.hash) {
54
+ return false;
55
+ }
56
+
57
+ // MUST NOT contain a username or password
58
+ if (url.username || url.password) {
59
+ return false;
60
+ }
61
+
62
+ return true;
63
+ }
64
+
65
+ function parseCacheDuration(response, { min, max }) {
66
+ let duration;
67
+
68
+ const cacheControl = response.headers.get('cache-control');
69
+ if (cacheControl) {
70
+ const maxAgeMatch = cacheControl.match(/(?:^|,)\s*max-age\s*=\s*(\d+)/i);
71
+ if (maxAgeMatch) {
72
+ duration = parseInt(maxAgeMatch[1], 10);
73
+ }
74
+ }
75
+
76
+ if (duration === undefined) {
77
+ const expires = response.headers.get('expires');
78
+ if (expires) {
79
+ const expiresDate = Date.parse(expires);
80
+ if (!Number.isNaN(expiresDate)) {
81
+ duration = Math.floor((expiresDate - Date.now()) / 1000);
82
+ }
83
+ }
84
+ }
85
+
86
+ if (duration === undefined) {
87
+ duration = min;
88
+ }
89
+
90
+ return Math.max(min, Math.min(max, duration));
91
+ }
92
+
93
+ export async function resolveClientByMetadataDocument(provider, id) {
94
+ const {
95
+ features: { clientIdMetadataDocument: feature },
96
+ } = instance(provider).configuration;
97
+
98
+ const ctx = als.getStore();
99
+
100
+ const entries = getCache(provider);
101
+
102
+ // Check cache
103
+ const cached = entries.get(id);
104
+ if (cached && cached.freshUntil > Date.now()) {
105
+ const client = await addClient(provider, cached.properties, { store: false });
106
+ Object.defineProperty(client, 'clientIdMetadataDocument', { value: true });
107
+
108
+ if (!(await feature.allowClient(ctx, client))) {
109
+ throw new InvalidClient('client is not allowed');
110
+ }
111
+
112
+ return client;
113
+ }
114
+
115
+ // Gate the fetch
116
+ if (!(await feature.allowFetch(ctx, id))) {
117
+ throw new InvalidClient('client_id metadata document fetch not allowed');
118
+ }
119
+
120
+ let response;
121
+ try {
122
+ response = await fetchRequest(provider, id, {
123
+ method: 'GET',
124
+ headers: {
125
+ accept: 'application/json',
126
+ },
127
+ redirect: 'manual',
128
+ });
129
+ } catch (err) {
130
+ throw new InvalidClient('client_id metadata document fetch failed', err.message);
131
+ }
132
+
133
+ if (response.status !== 200) {
134
+ throw new InvalidClient('client_id metadata document fetch failed', `unexpected response status ${response.status}`);
135
+ }
136
+
137
+ let bodyText;
138
+ try {
139
+ bodyText = (await fetchBodyCheck(provider, 'client_id metadata document', response)).toString();
140
+ } catch (err) {
141
+ throw new InvalidClient('client_id metadata document fetch failed', err.message);
142
+ }
143
+
144
+ let properties;
145
+ try {
146
+ properties = JSON.parse(bodyText);
147
+ } catch {
148
+ throw new InvalidClient('client_id metadata document fetch failed', 'invalid JSON');
149
+ }
150
+
151
+ if (typeof properties !== 'object' || properties === null || Array.isArray(properties)) {
152
+ throw new InvalidClientMetadata('client_id metadata document is not a JSON object');
153
+ }
154
+
155
+ // client_id property MUST match the URL via simple string comparison
156
+ if (properties.client_id !== id) {
157
+ throw new InvalidClientMetadata('client_id metadata document client_id does not match the expected value');
158
+ }
159
+
160
+ // token_endpoint_auth_method MUST NOT be a shared-secret method
161
+ if (FORBIDDEN_AUTH_METHODS.has(properties.token_endpoint_auth_method)) {
162
+ throw new InvalidClientMetadata('client_id metadata document must not use shared-secret token endpoint authentication methods');
163
+ }
164
+
165
+ // client_secret and client_secret_expires_at MUST NOT be present
166
+ if ('client_secret' in properties || 'client_secret_expires_at' in properties) {
167
+ throw new InvalidClientMetadata('client_id metadata document must not contain client_secret or client_secret_expires_at');
168
+ }
169
+
170
+ // URI properties MUST be absolute URIs using the https: scheme
171
+ for (const prop of WEB_URI) {
172
+ if (prop in properties) {
173
+ const uri = URL.parse(properties[prop]);
174
+ if (!uri || uri.protocol !== 'https:') {
175
+ throw new InvalidClientMetadata(`client_id metadata document ${prop} must be an https: URL`);
176
+ }
177
+ }
178
+ }
179
+
180
+ // Compute cache TTL
181
+ const ttl = parseCacheDuration(response, feature.cacheDuration);
182
+
183
+ const client = await addClient(provider, properties, { store: false });
184
+
185
+ Object.defineProperty(client, 'clientIdMetadataDocument', { value: true });
186
+
187
+ // Cache the valid properties
188
+ entries.set(id, {
189
+ properties,
190
+ freshUntil: Date.now() + (ttl * 1000),
191
+ });
192
+
193
+ if (!(await feature.allowClient(ctx, client))) {
194
+ throw new InvalidClient('client is not allowed');
195
+ }
196
+
197
+ return client;
198
+ }