@opentdf/sdk 0.3.0 → 0.3.2-beta.1

package/src/access.ts

@@ -1,25 +1,22 @@
 import { type AuthProvider } from './auth/auth.js';
+import { ServiceError } from './errors.js';
+import { RewrapResponse } from './platform/kas/kas_pb.js';
+import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
+
 import {
-  ConfigurationError,
-  InvalidFileError,
-  NetworkError,
-  PermissionDeniedError,
-  ServiceError,
-  UnauthenticatedError,
-} from './errors.js';
-import { pemToCryptoPublicKey, validateSecureUrl } from './utils.js';
+  fetchKasBasePubKey,
+  fetchKeyAccessServers as fetchKeyAccessServersRpc,
+} from './access/access-rpc.js';
+import { fetchKeyAccessServers as fetchKeyAccessServersLegacy } from './access/access-fetch.js';
+import { fetchWrappedKey as fetchWrappedKeysRpc } from './access/access-rpc.js';
+import { fetchWrappedKey as fetchWrappedKeysLegacy } from './access/access-fetch.js';
+import { fetchKasPubKey as fetchKasPubKeyRpc } from './access/access-rpc.js';
+import { fetchKasPubKey as fetchKasPubKeyLegacy } from './access/access-fetch.js';
 
 export type RewrapRequest = {
   signedRequestToken: string;
 };
 
-export type RewrapResponse = {
-  metadata: Record<string, unknown>;
-  entityWrappedKey: string;
-  sessionPublicKey: string;
-  schemaVersion: string;
-};
-
 /**
  * Get a rewrapped access key to the document, if possible
  * @param url Key access server rewrap endpoint
@@ -29,85 +26,60 @@ export type RewrapResponse = {
  */
 export async function fetchWrappedKey(
   url: string,
-  requestBody: RewrapRequest,
-  authProvider: AuthProvider,
-  clientVersion: string
+  signedRequestToken: string,
+  authProvider: AuthProvider
 ): Promise<RewrapResponse> {
-  const req = await authProvider.withCreds({
-    url,
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify(requestBody),
-  });
-
-  let response: Response;
-
-  try {
-    response = await fetch(req.url, {
-      method: req.method,
-      mode: 'cors', // no-cors, *cors, same-origin
-      cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
-      credentials: 'same-origin', // include, *same-origin, omit
-      headers: req.headers,
-      redirect: 'follow', // manual, *follow, error
-      referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
-      body: req.body as BodyInit,
-    });
-  } catch (e) {
-    throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
-  }
-
-  if (!response.ok) {
-    switch (response.status) {
-      case 400:
-        throw new InvalidFileError(
-          `400 for [${req.url}]: rewrap bad request [${await response.text()}]`
-        );
-      case 401:
-        throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
-      default:
-        if (response.status >= 500) {
-          throw new ServiceError(
-            `${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
-          );
-        }
-        throw new NetworkError(
-          `${req.method} ${req.url} => ${response.status} ${response.statusText}`
-        );
-    }
-  }
-
-  return response.json();
+  const platformUrl = getPlatformUrlFromKasEndpoint(url);
+
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchWrappedKeysRpc(platformUrl, signedRequestToken, authProvider),
+    () =>
+      fetchWrappedKeysLegacy(
+        url,
+        { signedRequestToken },
+        authProvider
+      ) as unknown as Promise<RewrapResponse>
+  );
 }
 
-export type KasPublicKeyAlgorithm = 'ec:secp256r1' | 'rsa:2048';
+export type KasPublicKeyAlgorithm =
+  | 'ec:secp256r1'
+  | 'ec:secp384r1'
+  | 'ec:secp521r1'
+  | 'rsa:2048'
+  | 'rsa:4096';
 
 export const isPublicKeyAlgorithm = (a: string): a is KasPublicKeyAlgorithm => {
   return a === 'ec:secp256r1' || a === 'rsa:2048';
 };
 
-export const keyAlgorithmToPublicKeyAlgorithm = (a: KeyAlgorithm): KasPublicKeyAlgorithm => {
+export const keyAlgorithmToPublicKeyAlgorithm = (k: CryptoKey): KasPublicKeyAlgorithm => {
+  const a = k.algorithm;
   if (a.name === 'ECDSA' || a.name === 'ECDH') {
     const eca = a as EcKeyAlgorithm;
-    if (eca.namedCurve === 'P-256') {
-      return 'ec:secp256r1';
+    switch (eca.namedCurve) {
+      case 'P-256':
+        return 'ec:secp256r1';
+      case 'P-384':
+        return 'ec:secp384r1';
+      case 'P-521':
+        return 'ec:secp521r1';
+      default:
+        throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
     }
-    throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
   }
-  if (a.name === 'RSA-OAEP') {
+  if (a.name === 'RSA-OAEP' || a.name === 'RSASSA-PKCS1-v1_5') {
     const rsaa = a as RsaHashedKeyAlgorithm;
-    if (rsaa.modulusLength === 2048) {
-      // if (rsaa.hash.name !== 'RSASSA-PKCS1-v1_5') {
-      //   throw new Error(`unsupported RSA hash: ${rsaa.hash.name}`);
-      // }
-      if (rsaa.publicExponent.toString() !== '1,0,1') {
-        throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
-      }
-      return 'rsa:2048';
+    if (rsaa.publicExponent.toString() !== '1,0,1') {
+      throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
+    }
+    switch (rsaa.modulusLength) {
+      case 2048:
+        return 'rsa:2048';
+      case 4096:
+        return 'rsa:4096';
+      default:
+        throw new Error(`unsupported RSA modulus length: ${rsaa.modulusLength}`);
     }
   }
   throw new Error(`unsupported key algorithm: ${a.name}`);
@@ -119,6 +91,14 @@ export const publicKeyAlgorithmToJwa = (a: KasPublicKeyAlgorithm): string => {
       return 'ES256';
     case 'rsa:2048':
       return 'RS256';
+    case 'rsa:4096':
+      return 'RS512';
+    case 'ec:secp384r1':
+      return 'ES384';
+    case 'ec:secp521r1':
+      return 'ES512';
+    default:
+      throw new Error(`unsupported public key algorithm: ${a}`);
   }
 };
 
@@ -145,7 +125,7 @@ export type KasPublicKeyInfo = {
   key: Promise<CryptoKey>;
 };
 
-async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
+export async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
   try {
     return await r;
   } catch (e) {
@@ -156,76 +136,49 @@ async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<Cr
   }
 }
 
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKeyAccessServersRpc(platformUrl, authProvider),
+    () => fetchKeyAccessServersLegacy(platformUrl, authProvider)
+  );
+}
+
 /**
- * If we have KAS url but not public key we can fetch it from KAS, fetching
- * the value from `${kas}/kas_public_key`.
+ * Fetch the EC (secp256r1) public key for a KAS endpoint.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @returns The public key information for the KAS endpoint.
  */
 export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
   return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
 }
 
+/**
+ * Fetch the public key for a KAS endpoint.
+ * This function will first try to fetch the base public key,
+ * then it will try to fetch the public key using the RPC method,
+ * and finally it will try to fetch the public key using the legacy method.
+ * If all attempts fail, it will return the error from RPC Public Key fetch.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @param algorithm Optional algorithm to fetch the public key for.
+ * @returns The public key information.
+ */
 export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  if (!kasEndpoint) {
-    throw new ConfigurationError('KAS definition not found');
-  }
-  // Logs insecure KAS. Secure is enforced in constructor
-  validateSecureUrl(kasEndpoint);
-
-  // Parse kasEndpoint to URL, then append to its path and update its query parameters
-  let pkUrlV2: URL;
   try {
-    pkUrlV2 = new URL(kasEndpoint);
+    return await fetchKasBasePubKey(kasEndpoint);
   } catch (e) {
-    throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
-  }
-  if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
-    if (!pkUrlV2.pathname.endsWith('/')) {
-      pkUrlV2.pathname += '/';
-    }
-    pkUrlV2.pathname += 'v2/kas_public_key';
-  }
-  pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
-  if (!pkUrlV2.searchParams.get('v')) {
-    pkUrlV2.searchParams.set('v', '2');
+    console.log(e);
   }
 
-  let kasPubKeyResponseV2: Response;
-  try {
-    kasPubKeyResponseV2 = await fetch(pkUrlV2);
-  } catch (e) {
-    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
-  }
-  if (!kasPubKeyResponseV2.ok) {
-    switch (kasPubKeyResponseV2.status) {
-      case 404:
-        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
-      case 401:
-        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
-      default:
-        throw new NetworkError(
-          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
-        );
-    }
-  }
-  const jsonContent = await kasPubKeyResponseV2.json();
-  const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
-  if (!publicKey) {
-    throw new NetworkError(
-      `invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`
-    );
-  }
-  return {
-    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
-    publicKey,
-    url: kasEndpoint,
-    algorithm: algorithm || 'rsa:2048',
-    ...(kid && { kid }),
-  };
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKasPubKeyRpc(kasEndpoint, algorithm),
+    () => fetchKasPubKeyLegacy(kasEndpoint, algorithm)
+  );
 }
 
 const origin = (u: string): string => {
@@ -252,3 +205,25 @@ export class OriginAllowList {
     return this.origins.includes(origin(url));
   }
 }
+
+/**
+ * Tries two promise-returning functions in order and returns the first successful result.
+ * If both fail, throws the error from the second.
+ * @param first First function returning a promise to try.
+ * @param second Second function returning a promise to try if the first fails.
+ */
+async function tryPromisesUntilFirstSuccess<T>(
+  first: () => Promise<T>,
+  second: () => Promise<T>
+): Promise<T> {
+  try {
+    return await first();
+  } catch (e1) {
+    console.info('v2 request error', e1);
+    try {
+      return await second();
+    } catch (err) {
+      throw err;
+    }
+  }
+}

package/src/auth/oidc.ts

@@ -222,7 +222,7 @@ export class AccessToken {
         return this.data.access_token;
       } catch (e) {
         console.log('access_token fails on user_info endpoint; attempting to renew', e);
-        if (this.data.refresh_token) {
+        if (this.data?.refresh_token) {
           // Prefer the latest refresh_token if present over creds passed in
           // to constructor
           this.config = {

package/src/nanotdf/Client.ts

@@ -2,7 +2,12 @@ import * as base64 from '../encodings/base64.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
-import { fetchWrappedKey, KasPublicKeyInfo, OriginAllowList } from '../access.js';
+import {
+  fetchKeyAccessServers,
+  fetchWrappedKey,
+  KasPublicKeyInfo,
+  OriginAllowList,
+} from '../access.js';
 import { AuthProvider, isAuthProvider, reqSignature } from '../auth/providers.js';
 import { ConfigurationError, DecryptError, TdfError, UnsafeUrlError } from '../errors.js';
 import { cryptoPublicToPem, pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
@@ -15,6 +20,7 @@ export interface ClientConfig {
   dpopKeys?: Promise<CryptoKeyPair>;
   ephemeralKeyPair?: Promise<CryptoKeyPair>;
   kasEndpoint: string;
+  platformUrl: string;
 }
 
 function toJWSAlg(c: CryptoKey): string {
@@ -99,12 +105,13 @@ export default class Client {
   static readonly INITIAL_RELEASE_IV_SIZE = 3;
   static readonly IV_SIZE = 12;
 
-  allowedKases: OriginAllowList;
+  allowedKases?: OriginAllowList;
   /*
     These variables are expected to be either assigned during initialization or within the methods.
     This is needed as the flow is very specific. Errors should be thrown if the necessary step is not completed.
   */
   protected kasUrl: string;
+  readonly platformUrl: string;
   kasPubKey?: KasPublicKeyInfo;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -150,7 +157,6 @@ export default class Client {
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasUrl);
       this.kasUrl = kasUrl;
-      this.allowedKases = new OriginAllowList([kasUrl]);
       this.dpopEnabled = dpopEnabled;
 
       if (ephemeralKeyPair) {
@@ -168,12 +174,16 @@ export default class Client {
         dpopKeys,
         ephemeralKeyPair,
         kasEndpoint,
+        platformUrl,
       } = optsOrOldAuthProvider;
       this.authProvider = enwrapAuthProvider(authProvider);
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasEndpoint);
       this.kasUrl = kasEndpoint;
-      this.allowedKases = new OriginAllowList(allowedKases || [kasEndpoint], !!ignoreAllowList);
+      this.platformUrl = platformUrl;
+      if (allowedKases?.length || ignoreAllowList) {
+        this.allowedKases = new OriginAllowList(allowedKases || [], ignoreAllowList);
+      }
       this.dpopEnabled = !!dpopEnabled;
       if (dpopKeys) {
         this.requestSignerKeyPair = dpopKeys;
@@ -214,8 +224,14 @@ export default class Client {
     magicNumberVersion: ArrayBufferLike,
     clientVersion: string
   ): Promise<CryptoKey> {
-    if (!this.allowedKases.allows(kasRewrapUrl)) {
-      throw new UnsafeUrlError(`request URL ∉ ${this.allowedKases.origins};`, kasRewrapUrl);
+    let allowedKases = this.allowedKases;
+
+    if (!allowedKases) {
+      allowedKases = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    }
+
+    if (!allowedKases.allows(kasRewrapUrl)) {
+      throw new UnsafeUrlError(`request URL ∉ ${allowedKases.origins};`, kasRewrapUrl);
     }
 
     const ephemeralKeyPair = await this.ephemeralKeyPair;
@@ -243,22 +259,16 @@ export default class Client {
     });
 
     const jwtPayload = { requestBody: requestBodyStr };
-    const requestBody = {
-      signedRequestToken: await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
-        alg: toJWSAlg(requestSignerKeyPair.publicKey),
-      }),
-    };
+
+    const signedRequestToken = await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
+      alg: toJWSAlg(requestSignerKeyPair.publicKey),
+    });
 
     // Wrapped
-    const wrappedKey = await fetchWrappedKey(
-      kasRewrapUrl,
-      requestBody,
-      this.authProvider,
-      clientVersion
-    );
+    const wrappedKey = await fetchWrappedKey(kasRewrapUrl, signedRequestToken, this.authProvider);
 
     // Extract the iv and ciphertext
-    const entityWrappedKey = new Uint8Array(base64.decodeArrayBuffer(wrappedKey.entityWrappedKey));
+    const entityWrappedKey = wrappedKey.entityWrappedKey;
     const ivLength =
       clientVersion == Client.SDK_INITIAL_RELEASE ? Client.INITIAL_RELEASE_IV_SIZE : Client.IV_SIZE;
     const iv = entityWrappedKey.subarray(0, ivLength);

package/src/nanotdf/models/Header.ts

@@ -314,7 +314,7 @@ export default class Header {
    */
   getKasRewrapUrl(): string {
     try {
-      return `${rstrip(this.kas.url, '/')}/v2/rewrap`;
+      return `${rstrip(this.kas.url, '/')}`;
     } catch (e) {
       throw new ConfigurationError(`cannot construct KAS Rewrap URL: ${e.message}`);
     }

package/src/nanotdf-crypto/keyAgreement.ts

@@ -71,7 +71,7 @@ export async function keyAgreement(
   }
 ): Promise<CryptoKey> {
   for (const k of [privateKey, publicKey]) {
-    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+    const mechanism = keyAlgorithmToPublicKeyAlgorithm(k);
     if (mechanism !== 'ec:secp256r1') {
       throw new ConfigurationError(
         `${k.type} CryptoKey is expected to be of type ECDSA or ECDH, not [${k.algorithm?.name}]`

package/src/opentdf.ts

@@ -13,7 +13,12 @@ import {
   AssertionConfig,
   AssertionVerificationKeys,
 } from '../tdf3/src/assertions.js';
-import { type KasPublicKeyAlgorithm, OriginAllowList, isPublicKeyAlgorithm } from './access.js';
+import {
+  type KasPublicKeyAlgorithm,
+  OriginAllowList,
+  fetchKeyAccessServers,
+  isPublicKeyAlgorithm,
+} from './access.js';
 import { type Manifest } from '../tdf3/src/models/manifest.js';
 import { type Payload } from '../tdf3/src/models/payload.js';
 import {
@@ -87,6 +92,7 @@ export type CreateNanoTDFOptions = CreateOptions & {
 };
 
 export type CreateNanoTDFCollectionOptions = CreateNanoTDFOptions & {
+  platformUrl: string;
   // The maximum number of key iterations to use for a single DEK.
   maxKeyIterations?: number;
 };
@@ -136,6 +142,8 @@ export type CreateZTDFOptions = CreateOptions & {
 export type ReadOptions = {
   // ciphertext
   source: Source;
+  // Platform URL
+  platformUrl?: string;
   // list of KASes that may be contacted for a rewrap
   allowedKASEndpoints?: string[];
   // Optionally disable checking the allowlist
@@ -157,6 +165,9 @@ export type OpenTDFOptions = {
   // Policy service endpoint
   policyEndpoint?: string;
 
+  // Platform URL
+  platformUrl?: string;
+
   // Auth provider for connections to the policy service and KASes.
   authProvider: AuthProvider;
 
@@ -286,6 +297,7 @@ export type TDFReader = {
 // SDK for dealing with OpenTDF data and policy services.
 export class OpenTDF {
   // Configuration service and more is at this URL/connectRPC endpoint
+  readonly platformUrl: string;
   readonly policyEndpoint: string;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -305,17 +317,25 @@ export class OpenTDF {
     disableDPoP,
     policyEndpoint,
     rewrapCacheOptions,
+    platformUrl,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
     this.defaultCreateOptions = defaultCreateOptions || {};
     this.defaultReadOptions = defaultReadOptions || {};
     this.dpopEnabled = !!disableDPoP;
+    if (platformUrl) {
+      this.platformUrl = platformUrl;
+    } else {
+      console.warn(
+        "Warning: 'platformUrl' is required for security to ensure the SDK uses the platform-configured Key Access Server list"
+      );
+    }
     this.policyEndpoint = policyEndpoint || '';
     this.rewrapCache = new RewrapCache(rewrapCacheOptions);
     this.tdf3Client = new TDF3Client({
       authProvider,
       dpopKeys,
-      kasEndpoint: 'https://disallow.all.invalid',
+      kasEndpoint: this.platformUrl || 'https://disallow.all.invalid',
       policyEndpoint,
     });
     this.dpopKeys =
@@ -333,8 +353,14 @@ export class OpenTDF {
   }
 
   async createNanoTDF(opts: CreateNanoTDFOptions): Promise<DecoratedStream> {
-    opts = { ...this.defaultCreateOptions, ...opts };
-    const collection = await this.createNanoTDFCollection(opts);
+    opts = {
+      ...this.defaultCreateOptions,
+      ...opts,
+    };
+    const collection = await this.createNanoTDFCollection({
+      ...opts,
+      platformUrl: this.platformUrl,
+    });
     try {
       return await collection.encrypt(opts.source);
     } finally {
@@ -369,7 +395,7 @@ export class OpenTDF {
       splitPlan: opts.splitPlan,
       windowSize: opts.windowSize,
       wrappingKeyAlgorithm: opts.wrappingKeyAlgorithm,
-      tdfSpecVersion: opts.tdfSpecVersion ?? '4.3.0',
+      tdfSpecVersion: opts.tdfSpecVersion,
     });
     const stream: DecoratedStream = oldStream.stream;
     stream.manifest = Promise.resolve(oldStream.manifest);
@@ -415,6 +441,9 @@ class UnknownTypeReader {
     this.state = 'resolving';
     const chunker = await fromSource(this.opts.source);
     const prefix = await chunker(0, 3);
+    if (!this.opts.platformUrl && this.outer.platformUrl) {
+      this.opts.platformUrl = this.outer.platformUrl;
+    }
     if (prefix[0] === 0x50 && prefix[1] === 0x4b) {
       this.state = 'loaded';
       return new ZTDFReader(this.outer.tdf3Client, this.opts, chunker);
@@ -466,6 +495,13 @@ class NanoTDFReader {
     readonly chunker: Chunker,
     private readonly rewrapCache: RewrapCache
   ) {
+    if (
+      !this.opts.ignoreAllowlist &&
+      !this.opts.platformUrl &&
+      !this.opts.allowedKASEndpoints?.length
+    ) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
     // lazily load the container
     this.container = new Promise(async (resolve, reject) => {
       try {
@@ -486,13 +522,17 @@ class NanoTDFReader {
       r.header = nanotdf.header;
       return r;
     }
+    const platformUrl = this.opts.platformUrl || this.outer.platformUrl;
+    const kasEndpoint =
+      this.opts.allowedKASEndpoints?.[0] || platformUrl || 'https://disallow.all.invalid';
     const nc = new Client({
       allowedKases: this.opts.allowedKASEndpoints,
       authProvider: this.outer.authProvider,
       ignoreAllowList: this.opts.ignoreAllowlist,
       dpopEnabled: this.outer.dpopEnabled,
       dpopKeys: this.outer.dpopKeys,
-      kasEndpoint: this.opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
+      kasEndpoint,
+      platformUrl,
     });
     // TODO: The version number should be fetched from the API
     const version = '0.0.1';
@@ -550,10 +590,11 @@ class ZTDFReader {
       noVerify: noVerifyAssertions,
       wrappingKeyAlgorithm,
     } = this.opts;
-    const allowList = new OriginAllowList(
-      this.opts.allowedKASEndpoints ?? [],
-      this.opts.ignoreAllowlist
-    );
+
+    if (!this.opts.ignoreAllowlist && !this.opts.allowedKASEndpoints && !this.opts.platformUrl) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
+
     const dpopKeys = await this.client.dpopKeys;
 
     const { authProvider, cryptoService } = this.client;
@@ -561,6 +602,17 @@ class ZTDFReader {
       throw new ConfigurationError('authProvider is required');
     }
 
+    let allowList: OriginAllowList | undefined;
+
+    if (this.opts.allowedKASEndpoints?.length || this.opts.ignoreAllowlist) {
+      allowList = new OriginAllowList(
+        this.opts.allowedKASEndpoints || [],
+        this.opts.ignoreAllowlist
+      );
+    } else if (this.opts.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.opts.platformUrl, authProvider);
+    }
+
     const overview = await this.overview;
     const oldStream = await decryptStreamFrom(
       {
@@ -642,10 +694,14 @@ class Collection {
         break;
     }
 
+    const kasEndpoint =
+      opts.defaultKASEndpoint || opts.platformUrl || 'https://disallow.all.invalid';
+
     this.client = new NanoTDFDatasetClient({
       authProvider,
-      kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
+      kasEndpoint: kasEndpoint,
       maxKeyIterations: opts.maxKeyIterations,
+      platformUrl: opts.platformUrl,
     });
   }