@opentdf/sdk 0.13.0-beta.122 → 0.13.0-beta.124

package/src/platform.ts

@@ -3,7 +3,8 @@ export * as platformConnectWeb from '@connectrpc/connect-web';
 export * as platformConnect from '@connectrpc/connect';
 
 import { createConnectTransport } from '@connectrpc/connect-web';
-import { AuthProvider } from '../tdf3/index.js';
+import type { AuthProvider } from '../tdf3/index.js';
+import { authProviderInterceptor } from './auth/interceptors.js';
 
 import { Client, createClient, Interceptor } from '@connectrpc/connect';
 import { WellKnownService } from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
@@ -44,9 +45,12 @@ export interface PlatformServicesV2 {
 }
 
 export interface PlatformClientOptions {
-  /** Optional authentication provider for generating auth interceptor. */
+  /**
+   * Authentication provider for generating auth interceptor.
+   * @deprecated since 0.14.0. Use `interceptors` with `authTokenInterceptor()` or `authTokenDPoPInterceptor()` instead.
+   */
   authProvider?: AuthProvider;
-  /** Array of custom interceptors to apply to rpc requests. */
+  /** Array of interceptors to apply to rpc requests. Preferred over authProvider. */
   interceptors?: Interceptor[];
   /** Base URL of the platform API. */
   platformUrl: string;
@@ -85,8 +89,7 @@ export class PlatformClient {
     const interceptors: Interceptor[] = [];
 
     if (options.authProvider) {
-      const authInterceptor = createAuthInterceptor(options.authProvider);
-      interceptors.push(authInterceptor);
+      interceptors.push(authProviderInterceptor(options.authProvider));
     }
 
     if (options.interceptors?.length) {
@@ -120,50 +123,3 @@ export class PlatformClient {
     };
   }
 }
-
-/**
- * Creates an interceptor that adds authentication headers to outgoing requests.
- *
- * This function uses the provided `AuthProvider` to generate authentication credentials
- * for each request. The `AuthProvider` is expected to implement a `withCreds` method
- * that returns an object containing authentication headers. These headers are then
- * added to the request before it is sent to the server.
- *
- */
-function createAuthInterceptor(authProvider: AuthProvider): Interceptor {
-  const authInterceptor: Interceptor = (next) => async (req) => {
-    const url = new URL(req.url);
-    const pathOnly = url.pathname;
-    // Signs only the path of the url in the request
-    let token;
-    try {
-      token = await authProvider.withCreds({
-        url: pathOnly,
-        method: 'POST',
-        // Start with any headers Connect already has
-        headers: {
-          ...Object.fromEntries(req.header.entries()),
-          'Content-Type': 'application/json',
-        },
-      });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      if (msg.includes('public key') || msg.includes('updateClientPublicKey')) {
-        throw new Error(
-          'PlatformClient: DPoP key binding is not complete. ' +
-            'If you are using OpenTDF with PlatformClient, create OpenTDF first and ' +
-            '`await client.ready` before constructing PlatformClient. ' +
-            `Original error: ${msg}`
-        );
-      }
-      throw err;
-    }
-
-    Object.entries(token.headers).forEach(([key, value]) => {
-      req.header.set(key, value);
-    });
-
-    return await next(req);
-  };
-  return authInterceptor;
-}

package/src/policy/api.ts

@@ -1,5 +1,5 @@
 import { NetworkError } from '../errors.js';
-import { AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, getPlatformUrlFromKasEndpoint } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import { Value } from './attributes.js';
@@ -12,11 +12,11 @@ import { ValueSchema } from '../platform/policy/objects_pb.js';
 // TODO KAS: go over web-sdk and remove policyEndpoint that is only defined to be used here
 export async function attributeFQNsAsValues(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   ...fqns: string[]
 ): Promise<Value[]> {
   platformUrl = getPlatformUrlFromKasEndpoint(platformUrl);
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
 
   let response: GetAttributeValuesByFqnsResponse;
   try {
@@ -52,7 +52,7 @@ export async function attributeFQNsAsValues(
 // Get root certificates from a namespace
 export async function getRootCertsFromNamespace(
   platformUrl: string,
-  authProvider?: AuthProvider,
+  auth?: AuthConfig,
   namespaceId?: string,
   fqn?: string
 ): Promise<Certificate[]> {
@@ -63,7 +63,10 @@ export async function getRootCertsFromNamespace(
     throw new Error('Either namespaceId or fqn must be provided');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({
+    ...(auth ? { interceptors: resolveInterceptors(auth) } : {}),
+    platformUrl,
+  });
 
   let response: GetNamespaceResponse;
   try {

package/src/policy/discovery.ts

@@ -1,6 +1,6 @@
 import { ConnectError, Code } from '@connectrpc/connect';
 import { AttributeNotFoundError, ConfigurationError, NetworkError } from '../errors.js';
-import { type AuthProvider } from '../auth/auth.js';
+import { type AuthConfig, resolveInterceptors } from '../auth/interceptors.js';
 import { extractRpcErrorMessage, validateSecureUrl } from '../utils.js';
 import { PlatformClient } from '../platform.js';
 import type { Attribute } from '../platform/policy/objects_pb.js';
@@ -49,13 +49,13 @@ const ATTRIBUTE_FQN_RE = /^https?:\/\/[a-zA-Z0-9._~%-]+\/attr\/[a-zA-Z0-9._~%-]+
  */
 export async function listAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   namespace?: string
 ): Promise<Attribute[]> {
   if (!validateSecureUrl(platformUrl)) {
     throw new ConfigurationError('platformUrl must use HTTPS protocol');
   }
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   const result: Attribute[] = [];
   let nextOffset = 0;
 
@@ -106,7 +106,7 @@ export async function listAttributes(
  */
 export async function validateAttributes(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   fqns: string[]
 ): Promise<void> {
   if (!fqns || fqns.length === 0) {
@@ -129,7 +129,7 @@ export async function validateAttributes(
     }
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns });
@@ -159,7 +159,7 @@ export async function validateAttributes(
  */
 export async function attributeExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   attributeFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -170,7 +170,7 @@ export async function attributeExists(
     throw new ConfigurationError('invalid attribute FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   try {
     await platform.v1.attributes.getAttribute({
       identifier: { case: 'fqn', value: attributeFqn },
@@ -199,7 +199,7 @@ export async function attributeExists(
  */
 export async function attributeValueExists(
   platformUrl: string,
-  authProvider: AuthProvider,
+  auth: AuthConfig,
   valueFqn: string
 ): Promise<boolean> {
   if (!validateSecureUrl(platformUrl)) {
@@ -210,7 +210,7 @@ export async function attributeValueExists(
     throw new ConfigurationError('invalid attribute value FQN format');
   }
 
-  const platform = new PlatformClient({ authProvider, platformUrl });
+  const platform = new PlatformClient({ interceptors: resolveInterceptors(auth), platformUrl });
   let resp;
   try {
     resp = await platform.v1.attributes.getAttributeValuesByFqns({ fqns: [valueFqn] });

package/tdf3/src/client/index.ts

@@ -19,6 +19,8 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
+import { type AuthConfig } from '../../../src/auth/interceptors.js';
+import { type Interceptor } from '@connectrpc/connect';
 import { getPlatformUrlFromKasEndpoint, rstrip, validateSecureUrl } from '../../../src/utils.js';
 
 import {
@@ -154,7 +156,10 @@ export interface ClientConfig {
   kasPublicKey?: string;
   oidcOrigin?: string;
   externalJwt?: string;
+  /** @deprecated since 0.14.0. Use `interceptors` instead. */
   authProvider?: AuthProvider;
+  /** Connect RPC interceptors for authentication. Preferred over authProvider. */
+  interceptors?: Interceptor[];
   readerUrl?: string;
   entityObjectEndpoint?: string;
   fileStreamServiceWorker?: string;
@@ -347,7 +352,11 @@ export class Client {
 
   readonly clientId?: string;
 
-  readonly authProvider?: AuthProvider;
+  /**
+   * Resolved auth configuration. Set once in the constructor from either
+   * authProvider or interceptors. Threaded through all internal layers.
+   */
+  readonly auth?: AuthConfig;
 
   readonly readerUrl?: string;
 
@@ -424,13 +433,16 @@ export class Client {
       this.easEndpoint = clientConfig.easEndpoint;
     }
 
-    this.authProvider = config.authProvider;
     this.clientConfig = clientConfig;
 
+    // Resolve auth once at the boundary. Internally, only `this.auth` is used.
+    let authProvider = config.authProvider;
     this.clientId = clientConfig.clientId;
-    if (!this.authProvider) {
+    if (!authProvider && !config.interceptors?.length) {
       if (!clientConfig.clientId) {
-        throw new ConfigurationError('Client ID or custom AuthProvider must be defined');
+        throw new ConfigurationError(
+          'Client ID, custom AuthProvider, or interceptors must be defined'
+        );
       }
 
       //Are we exchanging a refreshToken for a bearer token (normal AuthCode browser auth flow)?
@@ -438,7 +450,7 @@ export class Client {
       //browser-based OIDC login and authentication process against the OIDC endpoint using their chosen method,
       //and provide us with a valid refresh token/clientId obtained from that process.
       if (clientConfig.refreshToken) {
-        this.authProvider = new OIDCRefreshTokenProvider(
+        authProvider = new OIDCRefreshTokenProvider(
           {
             clientId: clientConfig.clientId,
             refreshToken: clientConfig.refreshToken,
@@ -448,7 +460,7 @@ export class Client {
         );
       } else if (clientConfig.externalJwt) {
         //Are we exchanging a JWT previously issued by a trusted external entity (e.g. Google) for a bearer token?
-        this.authProvider = new OIDCExternalJwtProvider(
+        authProvider = new OIDCExternalJwtProvider(
           {
             clientId: clientConfig.clientId,
             externalJwt: clientConfig.externalJwt,
@@ -458,11 +470,25 @@ export class Client {
         );
       }
     }
-    this.dpopKeys = createSessionKeys({
-      authProvider: this.authProvider,
-      cryptoService: this.cryptoService,
-      dpopKeys: clientConfig.dpopKeys,
-    });
+
+    // Resolve to AuthConfig: interceptors take precedence over authProvider.
+    if (config.interceptors?.length) {
+      this.auth = { interceptors: config.interceptors };
+    } else if (authProvider) {
+      this.auth = authProvider;
+    }
+
+    if (config.interceptors?.length && !authProvider) {
+      // Interceptor path: no updateClientPublicKey needed.
+      // Still need dpopKeys for request body signing (reqSignature).
+      this.dpopKeys = clientConfig.dpopKeys ?? this.cryptoService.generateSigningKeyPair();
+    } else {
+      this.dpopKeys = createSessionKeys({
+        authProvider,
+        cryptoService: this.cryptoService,
+        dpopKeys: clientConfig.dpopKeys,
+      });
+    }
   }
 
   /** Necessary only for testing. A dependency-injection approach should be preferred, but that is difficult currently */
@@ -566,9 +592,12 @@ export class Client {
         if (!this.platformUrl) {
           throw new ConfigurationError('platformUrl not set in TDF3 Client constructor');
         }
+        if (!this.auth) {
+          throw new ConfigurationError('AuthProvider or interceptors required for autoconfigure');
+        }
         const fetchedFQNValues = await attributeFQNsAsValues(
           this.platformUrl,
-          this.authProvider as AuthProvider,
+          this.auth,
           ...fqnsWithoutValues
         );
         fetchedFQNValues.forEach((fetchedValue) => {
@@ -739,7 +768,7 @@ export class Client {
       contentStream: opts.source,
       mimeType,
       policy: policyObject,
-      authProvider: this.authProvider,
+      auth: this.auth,
       progressHandler: this.clientConfig.progressHandler,
       keyForEncryption,
       keyForManifest,
@@ -775,14 +804,14 @@ export class Client {
     fulfillableObligationFQNs = [],
   }: DecryptParams): Promise<DecoratedReadableStream> {
     const dpopKeys = await this.dpopKeys;
-    if (!this.authProvider) {
-      throw new ConfigurationError('AuthProvider missing');
+    if (!this.auth) {
+      throw new ConfigurationError('AuthProvider or interceptors missing');
     }
     const chunker = await makeChunkable(source);
     if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
     } else if (this.platformUrl) {
-      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.auth);
     } else {
       throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
@@ -798,7 +827,7 @@ export class Client {
     return await (streamMiddleware as DecryptStreamMiddleware)(
       await readStream({
         allowList,
-        authProvider: this.authProvider,
+        auth: this.auth,
         chunker,
         concurrencyLimit,
         cryptoService: this.cryptoService,

package/tdf3/src/tdf.ts

@@ -15,6 +15,7 @@ import {
   UnsignedRewrapRequest_WithKeyAccessObjectSchema,
 } from '../../src/platform/kas/kas_pb.js';
 import { type AuthProvider, reqSignature } from '../../src/auth/auth.js';
+import { type AuthConfig } from '../../src/auth/interceptors.js';
 import { handleRpcRewrapErrorString } from '../../src/access/access-rpc.js';
 import { allPool, anyPool } from '../../src/concurrency.js';
 import { base64, hex } from '../../src/encodings/index.js';
@@ -152,7 +153,8 @@ export type EncryptConfiguration = {
   contentStream: ReadableStream<Uint8Array>;
   mimeType?: string;
   policy: Policy;
-  authProvider?: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   byteLimit: number;
   progressHandler?: (bytesProcessed: number) => void;
   keyForEncryption: KeyInfo;
@@ -166,7 +168,8 @@ export type DecryptConfiguration = {
   fulfillableObligations: string[];
   allowedKases?: string[];
   allowList?: OriginAllowList;
-  authProvider: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   cryptoService: CryptoService;
 
   dpopKeys: KeyPair;
@@ -371,7 +374,7 @@ function isTargetSpecLegacyTDF(targetSpecVersion?: string): boolean {
 }
 
 export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedReadableStream> {
-  if (!cfg.authProvider) {
+  if (!cfg.auth) {
     throw new ConfigurationError('No authorization middleware defined');
   }
   if (!cfg.contentStream) {
@@ -737,7 +740,7 @@ type RewrapResponseData = {
 async function unwrapKey({
   manifest,
   allowedKases,
-  authProvider,
+  auth,
   dpopKeys,
   concurrencyLimit,
   cryptoService,
@@ -746,18 +749,18 @@ async function unwrapKey({
 }: {
   manifest: Manifest;
   allowedKases: OriginAllowList;
-  authProvider: AuthProvider;
+  /** Auth configuration: AuthProvider or { interceptors }. */
+  auth?: AuthConfig;
   concurrencyLimit?: number;
   dpopKeys: KeyPair;
   cryptoService: CryptoService;
   wrappingKeyAlgorithm?: KasPublicKeyAlgorithm;
   fulfillableObligations: string[];
 }) {
-  if (authProvider === undefined) {
-    throw new ConfigurationError(
-      'rewrap requires auth provider; must be configured in client constructor'
-    );
+  if (!auth) {
+    throw new ConfigurationError('rewrap requires auth; must be configured in client constructor');
   }
+  const resolvedAuth: AuthConfig = auth;
   const { keyAccess } = manifest.encryptionInformation;
   const splitPotentials = splitLookupTableFactory(keyAccess, allowedKases);
 
@@ -829,7 +832,7 @@ async function unwrapKey({
     const rewrapResp = await fetchWrappedKey(
       url,
       signedRequestToken,
-      authProvider,
+      resolvedAuth,
       fulfillableObligations
     );
     // Upgrade V1 response to V2 format if needed
@@ -1143,7 +1146,7 @@ export async function decryptStreamFrom(
   const { metadata, reconstructedKey, requiredObligations } = await unwrapKey({
     fulfillableObligations: cfg.fulfillableObligations,
     manifest,
-    authProvider: cfg.authProvider,
+    auth: cfg.auth,
     allowedKases: allowList,
     dpopKeys: cfg.dpopKeys,
     cryptoService: cfg.cryptoService,