@sentropic/auth-hono 0.4.0 → 0.7.0

package/src/oauth/authorize-handler.ts

@@ -4,9 +4,11 @@ import type { AuthHonoPorts } from '../ports.js';
 import type { OauthClientRecord } from './state-store-types.js';
 import type { OAuthContinuationCodec, OAuthContinuationState } from './state-codec.js';
 import { appendParams, oauthJsonError, redirectWithOAuthError } from './http-utils.js';
+import { issueAuthorizedCode } from './issue-authorized-code.js';
 import { resolveOAuthAcr, resolveOAuthSession } from './session-resolver.js';
 
 export interface OAuthAuthorizeHandlerOptions {
+  authorizationCodeTtlSeconds?: number;
   consentUrl: string;
   issuer: string;
   loginUrl: string;
@@ -21,6 +23,7 @@ interface ValidatedAuthorizeRequest {
   dpopJkt: string | null;
   nonce: string | null;
   redirectUri: string;
+  resource: string | null;
   scope: string;
   state: string | null;
 }
@@ -48,19 +51,56 @@ export const createOAuthAuthorizeHandler =
       return c.redirect(appendParams(options.loginUrl, { continue: continuation }, c.req.url), 302);
     }
 
-    if (prompt === 'none') {
-      return redirectWithOAuthError(validation.redirectUri, 'consent_required', validation.state, c.req.url);
-    }
-
-    const sealedState = await sealContinuation(c, options, validation, {
+    const consentState: Pick<OAuthContinuationState, 'acr' | 'authTime' | 'userId'> = {
       acr: resolveOAuthAcr(session.sessionRecord),
       authTime: session.sessionRecord.createdAt.toISOString(),
       userId: session.user.id,
-    });
+    };
+
+    // Consent persistence (optional): skip the consent screen and issue the code directly
+    // when a stored grant for the exact (user, client) covers every requested scope.
+    // `prompt=consent` ALWAYS forces the screen; coverage is a strict set-superset check,
+    // so any requested scope absent from the grant re-shows consent (scope-escalation guard).
+    const skipConsent =
+      prompt !== 'consent' &&
+      (await hasCoveringGrant(options.ports, session.user.id, validation.client.clientId, validation.scope));
 
-    return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+    if (prompt === 'none') {
+      if (!skipConsent) {
+        return redirectWithOAuthError(validation.redirectUri, 'consent_required', validation.state, c.req.url);
+      }
+    } else if (!skipConsent) {
+      const sealedState = await sealContinuation(c, options, validation, consentState);
+      return c.redirect(appendParams(options.consentUrl, { state: sealedState }, c.req.url), 302);
+    }
+
+    const sealedState = await sealContinuation(c, options, validation, consentState);
+    const payload = await options.stateCodec.unseal(sealedState);
+    if (!payload) {
+      return oauthJsonError(c, 400, 'invalid_request', 'OAuth continuation is invalid.');
+    }
+    return issueAuthorizedCode(c, options, payload);
   };
 
+/**
+ * True iff `consentStore` is wired AND a stored grant for `(userId, clientId)` covers every
+ * requested scope (stored ⊇ requested). No store ⇒ false (legacy always-consent). The
+ * superset check is the scope-escalation invariant: a single uncovered scope forces consent.
+ */
+const hasCoveringGrant = async (
+  ports: AuthHonoPorts,
+  userId: string,
+  clientId: string,
+  requestedScope: string
+): Promise<boolean> => {
+  if (!ports.consentStore) return false;
+  const grant = await ports.consentStore.getGrant(userId, clientId);
+  if (!grant) return false;
+  const granted = new Set(grant.scopes);
+  const requested = requestedScope.split(/\s+/).filter(Boolean);
+  return requested.every((scope) => granted.has(scope));
+};
+
 const resumeLoginContinuation = async (
   c: Context,
   options: OAuthAuthorizeHandlerOptions,
@@ -129,12 +169,16 @@ const validateAuthorizeRequest = async (
   const scopeResult = validateScope(c.req.query('scope') ?? '', client, redirectUri, state, c.req.url);
   if (scopeResult instanceof Response) return scopeResult;
 
+  const resourceResult = validateResource(c.req.queries('resource'), client, redirectUri, state, c.req.url);
+  if (resourceResult instanceof Response) return resourceResult;
+
   return {
     client,
     codeChallenge,
     dpopJkt: c.req.query('dpop_jkt') ?? null,
     nonce: c.req.query('nonce') ?? null,
     redirectUri,
+    resource: resourceResult,
     scope: scopeResult,
     state,
   };
@@ -174,6 +218,34 @@ const validateScope = (
   return requestedScopes.join(' ');
 };
 
+/**
+ * RFC 8707 resource indicator validation on the `authorization_code` flow (BR-39l Lot 2).
+ * - C1 single-aud: more than one `resource` value ⇒ `invalid_target` (no multi-audience tokens).
+ * - C2 default-deny allowlist: a requested `resource` must be in `client.resourceIndicators`,
+ *   else `invalid_target`. No `resource` ⇒ `null` (default-aud = userinfo, byte-identical to 0.5.0).
+ * The validated value is sealed into the continuation and becomes the access-token `aud`.
+ */
+const validateResource = (
+  resources: string[] | undefined,
+  client: OauthClientRecord,
+  redirectUri: string,
+  state: string | null,
+  baseUrl: string
+): string | null | Response => {
+  const requested = (resources ?? []).filter((value) => value.length > 0);
+  if (requested.length === 0) return null;
+  if (requested.length > 1) {
+    return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
+  }
+
+  const value = requested[0];
+  const allowlist = client.resourceIndicators ?? [];
+  if (!allowlist.includes(value)) {
+    return redirectWithOAuthError(redirectUri, 'invalid_target', state, baseUrl);
+  }
+  return value;
+};
+
 const sealContinuation = async (
   c: Context,
   options: OAuthAuthorizeHandlerOptions,
@@ -182,6 +254,26 @@ const sealContinuation = async (
 ): Promise<string> => {
   const now = options.ports.clock.now();
   const expiresAt = options.ports.clock.addSeconds(now, options.stateTtlSeconds ?? 10 * 60);
+
+  // BR-39e: derive the tenant bound to this auth code from the user's VALIDATED membership,
+  // never from the raw client/param. Legacy behavior (client tenant) when no tenancy spine is
+  // wired. An explicit `?tenant=` selection is honored ONLY if it is an approved membership.
+  let tenantId: string | null = request.client.tenantId;
+  if (options.ports.tenant) {
+    tenantId = null;
+    if (session?.userId) {
+      const approved = await options.ports.tenant.listApprovedTenantIds(session.userId);
+      const requested = c.req.query('tenant') ?? null;
+      if (requested) {
+        tenantId = approved.includes(requested) ? requested : null;
+      } else if (approved.length === 1) {
+        tenantId = approved[0];
+      }
+      // 0 or >1 approved tenants without a valid explicit selection → no tenant claim
+      // (a multi-tenant selection screen is deferred; the RP may re-request with ?tenant=).
+    }
+  }
+
   return options.stateCodec.seal({
     acr: session?.acr,
     authTime: session?.authTime,
@@ -193,9 +285,10 @@ const sealContinuation = async (
     expiresAt: expiresAt.toISOString(),
     nonce: request.nonce,
     redirectUri: request.redirectUri,
+    resource: request.resource,
     scope: request.scope,
     state: request.state,
-    tenantId: request.client.tenantId,
+    tenantId,
     userId: session?.userId,
   });
 };

package/src/oauth/consent-decision-handler.ts

@@ -2,6 +2,7 @@ import type { Context } from 'hono';
 
 import type { AuthHonoPorts } from '../ports.js';
 import { appendParams, oauthJsonError, redirectOrJson } from './http-utils.js';
+import { issueAuthorizedCode } from './issue-authorized-code.js';
 import type { OAuthContinuationCodec, OAuthContinuationState } from './state-codec.js';
 import { resolveOAuthSession } from './session-resolver.js';
 
@@ -46,32 +47,17 @@ export const createOAuthConsentDecisionHandler =
       );
     }
 
-    const code = options.ports.random.token(32);
-    const now = options.ports.clock.now();
-    await options.ports.oauthStateStore.saveAuthCode(
-      code,
-      {
-        acr: payload.acr ?? 'urn:sentropic:loa:bearer',
-        authTime: new Date(payload.authTime ?? now.toISOString()),
-        clientId: payload.clientId,
-        codeChallenge: payload.codeChallenge,
-        codeChallengeMethod: 'S256',
-        createdAt: now,
-        dpopJkt: payload.dpopJkt,
-        expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
-        nonce: payload.nonce,
-        redirectUri: payload.redirectUri,
-        scope: payload.scope,
-        tenantId: payload.tenantId,
-        userId: payload.userId ?? '',
-      },
-      options.authorizationCodeTtlSeconds ?? 60
-    );
+    // Persist the grant so subsequent authorize requests for a covered scope set skip consent.
+    // Approve-only: a deny never records a grant. Absent consentStore ⇒ legacy (no persistence).
+    if (options.ports.consentStore && payload.userId) {
+      await options.ports.consentStore.saveGrant(
+        payload.userId,
+        payload.clientId,
+        payload.scope.split(/\s+/).filter(Boolean)
+      );
+    }
 
-    return redirectOrJson(
-      c,
-      appendParams(payload.redirectUri, { code, state: payload.state }, c.req.url)
-    );
+    return issueAuthorizedCode(c, options, payload);
   };
 
 const validateConsentState = async (

package/src/oauth/dpop.ts

@@ -1,14 +1,10 @@
 import {
-  calculateJwkThumbprint,
-  decodeProtectedHeader,
-  importJWK,
-  jwtVerify,
-  type JWK,
-  type JWTPayload,
-} from 'jose';
+  DpopVerifyError,
+  verifyDpopProof,
+  type VerifiedDpop,
+} from '@sentropic/oauth-verify';
 
 import type { AuthHonoPorts } from '../ports.js';
-import { sha256Base64url } from './crypto-utils.js';
 
 export interface VerifyDpopProofOptions {
   accessToken?: string;
@@ -19,10 +15,7 @@ export interface VerifyDpopProofOptions {
   proof: string;
 }
 
-export interface VerifiedDpopProof {
-  jkt: string;
-  jti: string;
-}
+export type VerifiedDpopProof = VerifiedDpop;
 
 export class OAuthDpopProofError extends Error {
   constructor(message: string) {
@@ -31,63 +24,33 @@ export class OAuthDpopProofError extends Error {
   }
 }
 
+/**
+ * AS-side DPoP proof verification. Thin adapter over `@sentropic/oauth-verify`'s shared
+ * `verifyDpopProof`: it binds the IdP's clock + replay store and re-maps verification
+ * failures onto `OAuthDpopProofError` for the OAuth handlers (token/userinfo/revoke).
+ */
 export const verifyOAuthDpopProof = async (
   options: VerifyDpopProofOptions
 ): Promise<VerifiedDpopProof> => {
-  const header = decodeProtectedHeader(options.proof);
-  const publicJwk = header.jwk as JWK | undefined;
-  if (!publicJwk || !header.alg || header.typ !== 'dpop+jwt') {
-    throw new OAuthDpopProofError('DPoP proof header is invalid.');
-  }
-
-  const key = await importJWK(publicJwk, header.alg);
-  const { payload } = await jwtVerify(options.proof, key);
-  await validateDpopPayload(payload, options);
-
-  const expiresAt = options.ports.clock.addSeconds(
-    options.ports.clock.now(),
-    options.iatSkewSeconds ?? 60
-  );
-  const recorded = await options.ports.oauthStateStore.recordDpopJti(String(payload.jti), expiresAt);
-  if (!recorded) {
-    throw new OAuthDpopProofError('DPoP proof jti was already used.');
-  }
-
-  return {
-    jkt: await calculateJwkThumbprint(publicJwk),
-    jti: String(payload.jti),
-  };
-};
-
-const validateDpopPayload = async (
-  payload: JWTPayload,
-  options: VerifyDpopProofOptions
-): Promise<void> => {
-  if (payload.htm !== options.htm.toUpperCase()) {
-    throw new OAuthDpopProofError('DPoP htm claim does not match the request method.');
-  }
-  if (payload.htu !== options.htu) {
-    throw new OAuthDpopProofError('DPoP htu claim does not match the request URL.');
-  }
-  if (!payload.jti || typeof payload.jti !== 'string') {
-    throw new OAuthDpopProofError('DPoP jti claim is required.');
-  }
-  if (typeof payload.iat !== 'number') {
-    throw new OAuthDpopProofError('DPoP iat claim is required.');
-  }
-
-  const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
-  if (Math.abs(payload.iat - nowSeconds) > (options.iatSkewSeconds ?? 60)) {
-    throw new OAuthDpopProofError('DPoP iat claim is outside the allowed skew.');
-  }
-
-  if (options.accessToken) {
-    await validateAth(payload, options.accessToken);
-  }
-};
-
-const validateAth = async (payload: JWTPayload, accessToken: string): Promise<void> => {
-  if (payload.ath !== (await sha256Base64url(accessToken))) {
-    throw new OAuthDpopProofError('DPoP ath claim does not match the access token.');
+  const iatSkewSec = options.iatSkewSeconds ?? 60;
+  try {
+    return await verifyDpopProof({
+      accessToken: options.accessToken,
+      htm: options.htm,
+      htu: options.htu,
+      iatSkewSec,
+      now: options.ports.clock.now(),
+      proof: options.proof,
+      replay: (jti) =>
+        options.ports.oauthStateStore.recordDpopJti(
+          jti,
+          options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)
+        ),
+    });
+  } catch (error) {
+    if (error instanceof DpopVerifyError) {
+      throw new OAuthDpopProofError(error.message);
+    }
+    throw error;
   }
 };

package/src/oauth/issue-authorized-code.ts

@@ -0,0 +1,50 @@
+import type { Context } from 'hono';
+
+import type { AuthHonoPorts } from '../ports.js';
+import { appendParams, redirectOrJson } from './http-utils.js';
+import type { OAuthContinuationState } from './state-codec.js';
+
+export interface IssueAuthorizedCodeOptions {
+  authorizationCodeTtlSeconds?: number;
+  ports: AuthHonoPorts;
+}
+
+/**
+ * Single source of truth for issuing an authorization code: mint a single-use code,
+ * persist its sealed payload, and redirect (or JSON) back to the RP `redirect_uri` with
+ * `code` + `state`. Called by BOTH the consent-approve path and the authorize skip-path
+ * (FL-1: never duplicate the seal / single-use-code / redirect logic).
+ */
+export const issueAuthorizedCode = async (
+  c: Context,
+  options: IssueAuthorizedCodeOptions,
+  payload: OAuthContinuationState
+): Promise<Response> => {
+  const code = options.ports.random.token(32);
+  const now = options.ports.clock.now();
+  await options.ports.oauthStateStore.saveAuthCode(
+    code,
+    {
+      acr: payload.acr ?? 'urn:sentropic:loa:bearer',
+      authTime: new Date(payload.authTime ?? now.toISOString()),
+      clientId: payload.clientId,
+      codeChallenge: payload.codeChallenge,
+      codeChallengeMethod: 'S256',
+      createdAt: now,
+      dpopJkt: payload.dpopJkt,
+      expiresAt: options.ports.clock.addSeconds(now, options.authorizationCodeTtlSeconds ?? 60),
+      nonce: payload.nonce,
+      redirectUri: payload.redirectUri,
+      resource: payload.resource ?? null,
+      scope: payload.scope,
+      tenantId: payload.tenantId,
+      userId: payload.userId ?? '',
+    },
+    options.authorizationCodeTtlSeconds ?? 60
+  );
+
+  return redirectOrJson(
+    c,
+    appendParams(payload.redirectUri, { code, state: payload.state }, c.req.url)
+  );
+};

package/src/oauth/jwks-service.ts

@@ -1,6 +1,6 @@
+import { fromJwksPort } from '@sentropic/oauth-verify';
 import {
   decodeProtectedHeader,
-  importJWK,
   jwtVerify,
   SignJWT,
   type JWTVerifyOptions,
@@ -85,17 +85,13 @@ export const createJwksService = ({ clock, jwksPort }: CreateJwksServiceOptions)
 
   async verifyJwt(jwt, options = {}) {
     const protectedHeader = decodeProtectedHeader(jwt);
-    const kid = protectedHeader.kid;
-    if (!kid) {
+    if (!protectedHeader.kid) {
       throw new Error('JWT protected header is missing kid.');
     }
 
-    const key = await jwksPort.findKeyByKid(kid);
-    if (!key) {
-      throw new Error(`Unknown JWKS kid: ${kid}`);
-    }
-
-    const publicKey = await importJWK(key.publicJwk, key.alg);
+    // Key resolution is shared with @sentropic/oauth-verify (single verify core); the
+    // AS-side claim assertions (iss/aud/currentDate) stay here via jose JWTVerifyOptions.
+    const publicKey = await fromJwksPort(jwksPort).resolveKey(protectedHeader);
     return jwtVerify(jwt, publicKey, options);
   },
 });

package/src/oauth/service-auth-middleware.ts

@@ -1,15 +1,21 @@
+// COMPAT WRAPPER (architect verdict E2/F8). The CANONICAL home of this RS middleware is now
+// `@sentropic/mcp-auth/hono` (`createRequireServiceAuth`). auth-hono keeps this signature-stable
+// wrapper — same behavior, sharing the SAME verification core (`@sentropic/oauth-verify`), no
+// fourth copy of verify code — for ≥1 minor so pinned RPs are not forced to bump; it is dropped
+// at auth-hono 1.0. The wrapper builds on oauth-verify primitives directly (NOT on mcp-auth) to
+// respect the dependency DAG (auth-hono and mcp-auth never import each other).
 import {
-  calculateJwkThumbprint,
-  decodeProtectedHeader,
-  importJWK,
-  jwtVerify,
-  type JWK,
-  type JWTPayload,
-} from 'jose';
+  DpopVerifyError,
+  fromJwksPort,
+  parseScopes,
+  TokenVerifyError,
+  verifyAccessToken,
+  verifyDpopProof,
+  type AccessTokenClaims,
+} from '@sentropic/oauth-verify';
 import type { Context, MiddlewareHandler } from 'hono';
 
 import type { AuthHonoClockPort } from '../ports.js';
-import { sha256Base64url } from './crypto-utils.js';
 import type { JwksPort, OauthStateStorePort } from './state-store-types.js';
 
 /**
@@ -62,7 +68,7 @@ export const createRequireServiceAuth = (
   return async (c, next) => {
     try {
       const { scheme, token } = parseAuthorization(c.req.header('authorization'));
-      const payload = await verifyAccessToken(token, options.ports, issuer, options.resource);
+      const payload = await verifyServiceAccessToken(token, options.ports, issuer, options.resource);
       const scopes = parseScopes(payload.scope);
       assertScopes(scopes, requiredScopes);
 
@@ -98,44 +104,33 @@ const parseAuthorization = (header: string | undefined): { scheme: 'Bearer' | 'D
   throw new ServiceAuthError(401, 'invalid_token', 'Unsupported authorization scheme.');
 };
 
-const verifyAccessToken = async (
+/**
+ * RS-side access-token verification. Delegates to `@sentropic/oauth-verify`'s shared
+ * `verifyAccessToken` over an in-process JWKS key source, mapping any failure onto the
+ * RFC 6750 `invalid_token` 401 the middleware emits.
+ */
+const verifyServiceAccessToken = async (
   token: string,
   ports: ServiceAuthPorts,
   issuer: string,
   resource: string
-): Promise<JWTPayload & { scope?: unknown; client_id?: unknown; cnf?: { jkt?: string } }> => {
-  let kid: string | undefined;
+): Promise<AccessTokenClaims> => {
   try {
-    kid = decodeProtectedHeader(token).kid;
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token header is invalid.');
-  }
-  if (!kid) {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token is missing a key id.');
-  }
-
-  const key = await ports.jwks.findKeyByKid(kid);
-  if (!key) {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token signing key is unknown.');
-  }
-
-  const publicKey = await importJWK(key.publicJwk, key.alg);
-  const currentDate = ports.clock.now();
-  try {
-    const { payload } = await jwtVerify(token, publicKey, {
+    return await verifyAccessToken({
       audience: resource,
-      currentDate,
       issuer,
+      keySource: fromJwksPort(ports.jwks),
+      now: ports.clock.now(),
+      token,
     });
-    return payload;
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
+  } catch (error) {
+    if (error instanceof TokenVerifyError) {
+      throw new ServiceAuthError(401, 'invalid_token', 'Access token is invalid, expired, or has the wrong audience.');
+    }
+    throw error;
   }
 };
 
-const parseScopes = (scope: unknown): string[] =>
-  typeof scope === 'string' ? scope.split(/\s+/).filter(Boolean) : [];
-
 const assertScopes = (scopes: string[], requiredScopes: string[]): void => {
   const granted = new Set(scopes);
   const missing = requiredScopes.filter((scope) => !granted.has(scope));
@@ -146,7 +141,7 @@ const assertScopes = (scopes: string[], requiredScopes: string[]): void => {
 
 const enforceDpop = async (
   c: Context,
-  payload: { cnf?: { jkt?: string } },
+  payload: { cnf?: { jkt: string } },
   accessToken: string,
   scheme: 'Bearer' | 'DPoP',
   options: CreateRequireServiceAuthOptions
@@ -188,53 +183,37 @@ interface VerifyServiceDpopProofOptions {
   proof: string;
 }
 
+/**
+ * RS-side DPoP proof verification. Delegates to `@sentropic/oauth-verify`'s shared
+ * `verifyDpopProof`, wiring the optional RS replay port and remapping failures onto the
+ * RFC 9449 `invalid_dpop_proof` 401. The `jkt`↔`cnf.jkt` binding is enforced by the caller
+ * (`enforceDpop`) AFTER replay recording, preserving the original consume-then-compare order.
+ */
 const verifyServiceDpopProof = async (options: VerifyServiceDpopProofOptions): Promise<string> => {
-  const header = decodeProtectedHeader(options.proof);
-  const publicJwk = header.jwk as JWK | undefined;
-  if (!publicJwk || !header.alg || header.typ !== 'dpop+jwt') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof header is invalid.', 'DPoP');
-  }
-
-  const key = await importJWK(publicJwk, header.alg);
-  let payload: JWTPayload;
+  const iatSkewSec = options.iatSkewSeconds ?? 60;
   try {
-    ({ payload } = await jwtVerify(options.proof, key));
-  } catch {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof signature is invalid.', 'DPoP');
-  }
-
-  const skew = options.iatSkewSeconds ?? 60;
-  if (payload.htm !== options.htm.toUpperCase()) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htm claim does not match the request method.', 'DPoP');
-  }
-  if (payload.htu !== options.htu) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP htu claim does not match the request URL.', 'DPoP');
-  }
-  if (!payload.jti || typeof payload.jti !== 'string') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP jti claim is required.', 'DPoP');
-  }
-  if (typeof payload.iat !== 'number') {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is required.', 'DPoP');
-  }
-  const nowSeconds = Math.floor(options.ports.clock.now().getTime() / 1000);
-  if (Math.abs(payload.iat - nowSeconds) > skew) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP iat claim is outside the allowed skew.', 'DPoP');
-  }
-
-  // RFC 9449 §4.3: bind the proof to the access token (BR39d-D7).
-  if (payload.ath !== (await sha256Base64url(options.accessToken))) {
-    throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP ath claim does not match the access token.', 'DPoP');
-  }
-
-  if (options.ports.dpopReplay) {
-    const expiresAt = options.ports.clock.addSeconds(options.ports.clock.now(), skew);
-    const recorded = await options.ports.dpopReplay.recordDpopJti(payload.jti, expiresAt);
-    if (!recorded) {
-      throw new ServiceAuthError(401, 'invalid_dpop_proof', 'DPoP proof jti was already used.', 'DPoP');
+    const { jkt } = await verifyDpopProof({
+      accessToken: options.accessToken,
+      htm: options.htm,
+      htu: options.htu,
+      iatSkewSec,
+      now: options.ports.clock.now(),
+      proof: options.proof,
+      replay: options.ports.dpopReplay
+        ? (jti) =>
+            options.ports.dpopReplay!.recordDpopJti(
+              jti,
+              options.ports.clock.addSeconds(options.ports.clock.now(), iatSkewSec)
+            )
+        : undefined,
+    });
+    return jkt;
+  } catch (error) {
+    if (error instanceof DpopVerifyError) {
+      throw new ServiceAuthError(401, 'invalid_dpop_proof', error.message, 'DPoP');
     }
+    throw error;
   }
-
-  return calculateJwkThumbprint(publicJwk);
 };
 
 const serviceAuthErrorResponse = (c: Context, error: ServiceAuthError): Response => {

package/src/oauth/state-codec.ts

@@ -9,6 +9,8 @@ export interface OAuthContinuationState {
   expiresAt: string;
   nonce: string | null;
   redirectUri: string;
+  /** RFC 8707 resource sealed at authorize time (BR-39l Lot 2); carried authorize → consent → code. */
+  resource?: string | null;
   scope: string;
   state: string | null;
   tenantId: string | null;

package/src/oauth/state-store-types.ts

@@ -16,6 +16,12 @@ export interface OauthClientRecord {
   requirePkce: boolean;
   tenantId: string | null;
   ownerUserId: string | null;
+  /**
+   * RFC 8707 resource-indicator allowlist for the `authorization_code` flow (BR-39l Lot 2).
+   * Additive, default-deny: an empty/absent allowlist means the client may NOT request any
+   * `resource` (any value ⇒ `invalid_target`). Mirrors `ServiceClientRecord.resourceIndicators`.
+   */
+  resourceIndicators?: string[];
   createdAt: Date;
   updatedAt: Date;
 }
@@ -30,6 +36,12 @@ export interface AuthCodePayload {
   codeChallengeMethod: 'S256';
   dpopJkt: string | null;
   nonce: string | null;
+  /**
+   * RFC 8707 resource sealed at authorize time (BR-39l Lot 2). When present, it becomes the
+   * access-token `aud`; the token-leg `resource` (if sent) MUST equal it. Absent ⇒ default-aud
+   * (userinfo URL), byte-identical to auth-hono 0.5.0.
+   */
+  resource?: string | null;
   acr: string;
   authTime: Date;
   expiresAt: Date;