@sentropic/auth-ui 0.2.0 → 0.3.0

package/README.md

@@ -45,12 +45,13 @@ npm install @sentropic/auth-ui
 
 | Export path | Contents |
 | --- | --- |
-| `@sentropic/auth-ui` | `AuthUiTransport`, `AuthUiSession`, `AuthUiError`, `AuthUiLabels`, `createDefaultAuthUiLabels`, `createFrenchAuthUiLabels`, `createDefaultAuthUiBranding`, `assertAuthUiTransport`, `normalizeAuthEmail`, `createAuthUiError`, `createDefaultFetchTransport`, WebAuthn helpers |
+| `@sentropic/auth-ui` | `AuthUiTransport`, `AuthUiSession`, `AuthUiError`, `AuthUiLabels`, `createDefaultAuthUiLabels`, `createFrenchAuthUiLabels`, `createDefaultAuthUiBranding`, `assertAuthUiTransport`, `normalizeAuthEmail`, `createAuthUiError`, `createDefaultFetchTransport`, WebAuthn helpers; **+ OAuth (0.3.0)**: `createOAuthClient`, `OAuthConsentTransport`, `OAuthConsentDetails`, `OAuthConsentDecision`, `OAuthConsentLabels`, `createDefaultOAuthConsentLabels`, `createFrenchOAuthConsentLabels` |
 | `@sentropic/auth-ui/components/AuthLogin.svelte` | Passkey login screen (discoverable credentials, lost-device path) |
 | `@sentropic/auth-ui/components/AuthRegister.svelte` | Email-code → passkey registration; optional `skipEmailVerification` for hosts that own pre-auth |
 | `@sentropic/auth-ui/components/AuthMagicLinkVerify.svelte` | Verifies a magic-link token from a host-supplied source |
 | `@sentropic/auth-ui/components/AuthDevices.svelte` | Lists / renames / revokes registered passkeys |
 | `@sentropic/auth-ui/components/AuthDevicePair.svelte` | Approves a device-code pairing (`approveDevicePairing` contract) |
+| `@sentropic/auth-ui/components/OAuthConsent.svelte` | OAuth2 consent screen (since 0.3.0) |
 
 All five components accept a `labels?: Partial<AuthUiLabels>` prop so hosts can override copy without forking. Each takes a `transport: AuthUiTransport` and one or more host callbacks (`onLoggedIn`, `onRegistered`, `onVerified`, `onPaired`, `onUnauthorized`, `onError`). Visual customisation flows through CSS custom properties (`--auth-primary`, `--auth-bg`, `--auth-text`, `--auth-radius`, `--auth-font-family`, …) and slots (`no-account`, `register-new-device`, `back-to-login`, `back-to-devices`, `pair-cta`, `add-device`, `login-link`, `cancel`).
 
@@ -142,9 +143,87 @@ See `tests/example-admin-fetch-transport.test.ts` for a full walkthrough.
 - **French labels**: `createFrenchAuthUiLabels(overrides?)` ships a complete FR baseline; partial overrides keep the unchanged keys.
 - **Post-login redirects**: never built into the components — call `goto(returnUrl)` / `location.assign(...)` from `onLoggedIn` / `onRegistered` / `onVerified` / `onRedirect`. `AuthMagicLinkVerify` exposes `redirectDelayMs` (defaults to 1000 ms) so the success screen has time to render before the host redirect fires.
 
-## Backend coupling (BR-39b)
+## OAuth Consent + RP Client Helper (since 0.3.0)
 
-`@sentropic/auth-hono` provides reusable Hono route factories that match this transport shape 1:1. It is **not required** to adopt this UI package — any backend that exposes the routes listed above will work. BR-39b removes the duplicated backend code from Sentropic, but the UI package was usable before that landed.
+### OAuthConsent component
+
+`<OAuthConsent />` renders the consent screen displayed to users when an external RP requests access.
+
+Props:
+
+| Prop | Type | Description |
+| --- | --- | --- |
+| `state` | `string` | Sealed OAuth state token from the authorize redirect query param |
+| `transport` | `OAuthConsentTransport` | Calls the IdP to fetch consent details and submit the decision |
+| `labels` | `Partial<OAuthConsentLabels>` | Override EN defaults (or use `createFrenchOAuthConsentLabels()`) |
+| `onRedirect` | `(url: string) => void` | Called with the RP redirect URL after approve or deny |
+| `onError` | `(error: unknown) => void` | Called on transport errors |
+
+Named slots: `branding` (client logo / name override), `scope-description` (per-scope explanations), `footer` (custom legal copy).
+
+```svelte
+<script lang="ts">
+  import { goto } from '$app/navigation';
+  import OAuthConsent from '@sentropic/auth-ui/components/OAuthConsent.svelte';
+  import { createSentropicOAuthConsentTransport } from '$lib/services/oauth-transport';
+  import { page } from '$app/stores';
+
+  const state = $page.url.searchParams.get('state') ?? '';
+  const transport = createSentropicOAuthConsentTransport();
+</script>
+
+<OAuthConsent {state} {transport} onRedirect={(url) => goto(url)} />
+```
+
+### createOAuthClient helper
+
+`createOAuthClient` handles discovery, PKCE generation, code exchange, token revocation, and optional DPoP proof generation for RP-side code in the browser.
+
+```ts
+import { createOAuthClient } from '@sentropic/auth-ui';
+
+const client = createOAuthClient({
+  issuer: 'https://api.example.com',
+  clientId: 'my-rp',
+  redirectUri: 'https://myapp.example.com/auth/callback',
+  scopes: ['openid', 'profile', 'email'],
+  // Optional: enable DPoP (RFC 9449)
+  // dpop: { generateKeyPair: ..., store: ... }
+});
+
+// Build the authorization URL (redirects user to IdP)
+const { url, codeVerifier, state, nonce } = await client.startAuthorization();
+location.assign(url);
+
+// On callback page: exchange code for tokens
+const tokens = await client.exchangeCode(code, codeVerifier);
+
+// Fetch user claims
+const userInfo = await client.userInfo(tokens.access_token);
+
+// Revoke access token when done
+await client.revoke(tokens.access_token);
+```
+
+The client caches the OIDC discovery document on first call. When `dpop` is enabled it generates an Ed25519 keypair via SubtleCrypto, stores it through the injected `store` adapter, and attaches a signed DPoP proof header to every token/userinfo/revoke request.
+
+### Downstream RP example (immo, diag, paas)
+
+```ts
+// In a downstream SvelteKit app that uses Sentropic as its IdP
+import { createOAuthClient } from '@sentropic/auth-ui';
+
+export const oauthClient = createOAuthClient({
+  issuer: import.meta.env.VITE_SENTROPIC_API_URL,   // e.g. https://api.sentropic.io
+  clientId: import.meta.env.VITE_OAUTH_CLIENT_ID,
+  redirectUri: `${location.origin}/auth/callback`,
+  scopes: ['openid', 'profile', 'email'],
+});
+```
+
+## Backend coupling (BR-39b / BR-39c)
+
+`@sentropic/auth-hono` provides reusable Hono route factories that match this transport shape 1:1. It is **not required** to adopt this UI package — any backend that exposes the routes listed above will work. BR-39b removes the duplicated backend code from Sentropic; BR-39c adds the OAuth2/OIDC IdP surface consumed by `<OAuthConsent />` and `createOAuthClient`.
 
 ## Versioning
 

package/dist/contracts.d.ts

@@ -1,5 +1,6 @@
 export * from './errors.js';
 export * from './labels.js';
+export * from './oauth-consent.js';
 export * from './transport.js';
 export * from './transport-fetch.js';
 export * from './transport-types.js';

package/dist/contracts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.d.ts","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"contracts.d.ts","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,oBAAoB,CAAC;AACnC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC"}

package/dist/contracts.js

@@ -1,5 +1,6 @@
 export * from './errors.js';
 export * from './labels.js';
+export * from './oauth-consent.js';
 export * from './transport.js';
 export * from './transport-fetch.js';
 export * from './transport-types.js';

package/dist/contracts.js.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC"}
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../src/contracts.ts"],"names":[],"mappings":"AAAA,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,oBAAoB,CAAC;AACnC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,YAAY,CAAC"}

package/dist/index.d.ts

@@ -1,3 +1,5 @@
 export * from './contracts.js';
+export * from './oauth-client.js';
+export * from './oauth-consent.js';
 export * from './webauthn.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,eAAe,CAAC"}

package/dist/index.js

@@ -1,3 +1,5 @@
 export * from './contracts.js';
+export * from './oauth-client.js';
+export * from './oauth-consent.js';
 export * from './webauthn.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,eAAe,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,gBAAgB,CAAC;AAC/B,cAAc,mBAAmB,CAAC;AAClC,cAAc,oBAAoB,CAAC;AACnC,cAAc,eAAe,CAAC"}

package/dist/labels.d.ts

@@ -1,5 +1,8 @@
+import type { OAuthConsentLabels } from './oauth-consent.js';
 import type { AuthUiBranding, AuthUiLabels } from './types.js';
 export declare const createDefaultAuthUiLabels: (overrides?: Partial<AuthUiLabels>) => AuthUiLabels;
 export declare const createFrenchAuthUiLabels: (overrides?: Partial<AuthUiLabels>) => AuthUiLabels;
 export declare const createDefaultAuthUiBranding: (overrides?: Partial<AuthUiBranding>) => AuthUiBranding;
+export declare const createDefaultOAuthConsentLabels: (overrides?: Partial<OAuthConsentLabels>) => OAuthConsentLabels;
+export declare const createFrenchOAuthConsentLabels: (overrides?: Partial<OAuthConsentLabels>) => OAuthConsentLabels;
 //# sourceMappingURL=labels.d.ts.map

package/dist/labels.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"labels.d.ts","sourceRoot":"","sources":["../src/labels.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/D,eAAO,MAAM,yBAAyB,eAAe,QAAQ,YAAY,CAAC,KAAQ,YAoFhF,CAAC;AAEH,eAAO,MAAM,wBAAwB,eAAe,QAAQ,YAAY,CAAC,KAAQ,YAmF7E,CAAC;AAEL,eAAO,MAAM,2BAA2B,eAAe,QAAQ,cAAc,CAAC,KAAQ,cAYrF,CAAC"}
+{"version":3,"file":"labels.d.ts","sourceRoot":"","sources":["../src/labels.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,KAAK,EAAE,cAAc,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/D,eAAO,MAAM,yBAAyB,eAAe,QAAQ,YAAY,CAAC,KAAQ,YAoFhF,CAAC;AAEH,eAAO,MAAM,wBAAwB,eAAe,QAAQ,YAAY,CAAC,KAAQ,YAmF7E,CAAC;AAEL,eAAO,MAAM,2BAA2B,eAAe,QAAQ,cAAc,CAAC,KAAQ,cAYrF,CAAC;AAEF,eAAO,MAAM,+BAA+B,eAC/B,QAAQ,kBAAkB,CAAC,KACrC,kBAiBD,CAAC;AAEH,eAAO,MAAM,8BAA8B,eAC9B,QAAQ,kBAAkB,CAAC,KACrC,kBAiBC,CAAC"}

package/dist/labels.js

@@ -177,4 +177,39 @@ export const createDefaultAuthUiBranding = (overrides = {}) => {
     }
     return branding;
 };
+export const createDefaultOAuthConsentLabels = (overrides = {}) => ({
+    approve: 'Approve',
+    approving: 'Approving...',
+    deny: 'Deny',
+    denying: 'Denying...',
+    errorGeneric: 'Unable to load the authorization request.',
+    loading: 'Loading authorization request...',
+    redirectUriLabel: 'Redirect destination',
+    scopeDescriptions: {
+        email: 'Access your email address and email verification status.',
+        openid: 'Confirm your identity with this account.',
+        profile: 'Access your profile name.',
+        ...(overrides.scopeDescriptions ?? {}),
+    },
+    scopesTitle: 'This application requests access to:',
+    title: 'Authorize application',
+    ...overrides,
+});
+export const createFrenchOAuthConsentLabels = (overrides = {}) => createDefaultOAuthConsentLabels({
+    approve: 'Autoriser',
+    approving: 'Autorisation...',
+    deny: 'Refuser',
+    denying: 'Refus...',
+    errorGeneric: "Impossible de charger la demande d'autorisation.",
+    loading: "Chargement de la demande d'autorisation...",
+    redirectUriLabel: 'Destination de redirection',
+    scopeDescriptions: {
+        email: "Accéder à votre adresse email et à son statut de vérification.",
+        openid: 'Confirmer votre identité avec ce compte.',
+        profile: 'Accéder au nom de votre profil.',
+    },
+    scopesTitle: 'Cette application demande accès à :',
+    title: "Autoriser l'application",
+    ...overrides,
+});
 //# sourceMappingURL=labels.js.map

package/dist/labels.js.map

@@ -1 +1 @@
-{"version":3,"file":"labels.js","sourceRoot":"","sources":["../src/labels.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,YAAmC,EAAE,EAAgB,EAAE,CAAC,CAAC;IACjG,OAAO,EAAE,YAAY;IACrB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,gBAAgB,EAAE,iBAAiB;IACnC,sBAAsB,EAAE,yFAAyF;IACjH,gBAAgB,EAAE,6BAA6B;IAC/C,oBAAoB,EAAE,kCAAkC;IACxD,iBAAiB,EAAE,6CAA6C;IAChE,UAAU,EAAE,SAAS;IACrB,kBAAkB,EAAE,4BAA4B;IAChD,gBAAgB,EAAE,6CAA6C;IAC/D,uBAAuB,EAAE,+FAA+F;IACxH,WAAW,EAAE,sBAAsB;IACnC,kBAAkB,EAAE,eAAe;IACnC,eAAe,EAAE,mBAAmB;IACpC,oBAAoB,EAAE,aAAa;IACnC,cAAc,EAAE,gCAAgC;IAChD,sBAAsB,EAAE,uBAAuB;IAC/C,gBAAgB,EAAE,iBAAiB;IACnC,aAAa,EAAE,mBAAmB;IAClC,gBAAgB,EAAE,sCAAsC;IACxD,+BAA+B,EAAE,uBAAuB;IACxD,0BAA0B,EAAE,+FAA+F;IAC3H,kBAAkB,EAAE,OAAO;IAC3B,eAAe,EAAE,uBAAuB;IACxC,mBAAmB,EAAE,iBAAiB;IACtC,0BAA0B,EAAE,kCAAkC;IAC9D,iBAAiB,EAAE,mBAAmB;IACtC,gBAAgB,EAAE,6CAA6C;IAC/D,kBAAkB,EAAE,aAAa;IACjC,qBAAqB,EAAE,cAAc;IACrC,mBAAmB,EAAE,cAAc;IACnC,yBAAyB,EAAE,eAAe;IAC1C,qBAAqB,EAAE,6BAA6B;IACpD,mBAAmB,EAAE,gBAAgB;IACrC,oBAAoB,EAAE,iBAAiB;IACvC,uBAAuB,EAAE,kCAAkC;IAC3D,0BAA0B,EAAE,iCAAiC;IAC7D,yBAAyB,EAAE,qCAAqC;IAChE,qBAAqB,EAAE,uCAAuC;IAC9D,cAAc,EAAE,sBAAsB;IACtC,kBAAkB,EAAE,wBAAwB;IAC5C,gBAAgB,EAAE,oBAAoB;IACtC,qBAAqB,EAAE,YAAY;IACnC,mBAAmB,EAAE,qBAAqB;IAC1C,oBAAoB,EAAE,iBAAiB;IACvC,0BAA0B,EAAE,6BAA6B;IACzD,0BAA0B,EAAE,kCAAkC;IAC9D,YAAY,EAAE,YAAY;IAC1B,eAAe,EAAE,sDAAsD;IACvE,YAAY,EAAE,4BAA4B;IAC1C,eAAe,EAAE,mBAAmB;IACpC,aAAa,EAAE,kBAAkB;IACjC,aAAa,EAAE,QAAQ;IACvB,aAAa,EAAE,QAAQ;IACvB,gBAAgB,EAAE,YAAY;IAC9B,cAAc,EAAE,iBAAiB;IACjC,eAAe,EAAE,mBAAmB;IACpC,oBAAoB,EAAE,2GAA2G;IACjI,gBAAgB,EAAE,yBAAyB;IAC3C,kBAAkB,EAAE,gBAAgB;IACpC,kBAAkB,EAAE,gBAAgB;IACpC,eAAe,EAAE,eAAe;IAChC,kBAAkB,EAAE,oEAAoE;IACxF,mBAAmB,EAAE,cAAc;IACnC,yBAAyB,EAAE,WAAW;IACtC,yBAAyB,EAAE,aAAa;IACxC,+BAA+B,EAAE,gBAAgB;IACjD,iBAAiB,EAAE,aAAa;IAChC,oBAAoB,EAAE,YAAY;IAClC,iBAAiB,EAAE,qDAAqD;IACxE,cAAc,EAAE,iBAAiB;IACjC,2BAA2B,EAAE,+BAA+B;IAC5D,uBAAuB,EAAE,0BAA0B;IACnD,sBAAsB,EAAE,4BAA4B;IACpD,mBAAmB,EAAE,2CAA2C;IAChE,gBAAgB,EAAE,qCAAqC;IACvD,wBAAwB,EAAE,0CAA0C;IACpE,8BAA8B,EAAE,iCAAiC;IACjE,gCAAgC,EAAE,qCAAqC;IACvE,4BAA4B,EAAE,iCAAiC;IAC/D,8BAA8B,EAAE,mCAAmC;IACnE,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,YAAmC,EAAE,EAAgB,EAAE,CAC9F,yBAAyB,CAAC;IACxB,OAAO,EAAE,aAAa;IACtB,IAAI,EAAE,aAAa;IACnB,MAAM,EAAE,SAAS;IACjB,gBAAgB,EAAE,kBAAkB;IACpC,sBAAsB,EAAE,mGAAmG;IAC3H,gBAAgB,EAAE,wBAAwB;IAC1C,oBAAoB,EAAE,sCAAsC;IAC5D,iBAAiB,EAAE,2DAA2D;IAC9E,UAAU,EAAE,WAAW;IACvB,kBAAkB,EAAE,qCAAqC;IACzD,gBAAgB,EAAE,2CAA2C;IAC7D,uBAAuB,EAAE,4GAA4G;IACrI,WAAW,EAAE,4BAA4B;IACzC,kBAAkB,EAAE,YAAY;IAChC,eAAe,EAAE,yBAAyB;IAC1C,oBAAoB,EAAE,kBAAkB;IACxC,cAAc,EAAE,mCAAmC;IACnD,sBAAsB,EAAE,mDAAmD;IAC3E,gBAAgB,EAAE,+BAA+B;IACjD,aAAa,EAAE,iBAAiB;IAChC,gBAAgB,EAAE,0CAA0C;IAC5D,+BAA+B,EAAE,2BAA2B;IAC5D,0BAA0B,EAAE,4GAA4G;IACxI,kBAAkB,EAAE,OAAO;IAC3B,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,QAAQ;IAC7B,0BAA0B,EAAE,+BAA+B;IAC3D,iBAAiB,EAAE,mBAAmB;IACtC,gBAAgB,EAAE,kCAAkC;IACpD,kBAAkB,EAAE,kBAAkB;IACtC,qBAAqB,EAAE,eAAe;IACtC,mBAAmB,EAAE,kBAAkB;IACvC,yBAAyB,EAAE,gBAAgB;IAC3C,qBAAqB,EAAE,mCAAmC;IAC1D,mBAAmB,EAAE,iBAAiB;IACtC,oBAAoB,EAAE,uBAAuB;IAC7C,uBAAuB,EAAE,uBAAuB;IAChD,0BAA0B,EAAE,oCAAoC;IAChE,yBAAyB,EAAE,0CAA0C;IACrE,qBAAqB,EAAE,gCAAgC;IACvD,cAAc,EAAE,8BAA8B;IAC9C,kBAAkB,EAAE,wBAAwB;IAC5C,gBAAgB,EAAE,qBAAqB;IACvC,qBAAqB,EAAE,qBAAqB;IAC5C,mBAAmB,EAAE,wBAAwB;IAC7C,oBAAoB,EAAE,uBAAuB;IAC7C,0BAA0B,EAAE,4BAA4B;IACxD,0BAA0B,EAAE,gDAAgD;IAC5E,YAAY,EAAE,eAAe;IAC7B,eAAe,EAAE,kEAAkE;IACnF,YAAY,EAAE,2BAA2B;IACzC,eAAe,EAAE,yBAAyB;IAC1C,aAAa,EAAE,4BAA4B;IAC3C,aAAa,EAAE,UAAU;IACzB,aAAa,EAAE,UAAU;IACzB,gBAAgB,EAAE,YAAY;IAC9B,cAAc,EAAE,kBAAkB;IAClC,eAAe,EAAE,+BAA+B;IAChD,oBAAoB,EAAE,uHAAuH;IAC7I,gBAAgB,EAAE,yCAAyC;IAC3D,kBAAkB,EAAE,+BAA+B;IACnD,kBAAkB,EAAE,8BAA8B;IAClD,eAAe,EAAE,sBAAsB;IACvC,kBAAkB,EAAE,mFAAmF;IACvG,mBAAmB,EAAE,kBAAkB;IACvC,yBAAyB,EAAE,WAAW;IACtC,yBAAyB,EAAE,mBAAmB;IAC9C,+BAA+B,EAAE,sBAAsB;IACvD,iBAAiB,EAAE,qBAAqB;IACxC,oBAAoB,EAAE,YAAY;IAClC,iBAAiB,EAAE,sFAAsF;IACzG,cAAc,EAAE,sBAAsB;IACtC,2BAA2B,EAAE,iCAAiC;IAC9D,uBAAuB,EAAE,0BAA0B;IACnD,sBAAsB,EAAE,qCAAqC;IAC7D,4BAA4B,EAAE,gCAAgC;IAC9D,8BAA8B,EAAE,qCAAqC;IACrE,wBAAwB,EAAE,kCAAkC;IAC5D,8BAA8B,EAAE,wBAAwB;IACxD,gCAAgC,EAAE,yCAAyC;IAC3E,GAAG,SAAS;CACb,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,YAAqC,EAAE,EAAkB,EAAE;IACrG,MAAM,QAAQ,GAAmB;QAC/B,YAAY,EAAE,SAAS;QACvB,WAAW,EAAE,SAAS;QACtB,GAAG,SAAS;KACb,CAAC;IAEF,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC9C,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC;IAC1C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC"}
+{"version":3,"file":"labels.js","sourceRoot":"","sources":["../src/labels.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,YAAmC,EAAE,EAAgB,EAAE,CAAC,CAAC;IACjG,OAAO,EAAE,YAAY;IACrB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,gBAAgB,EAAE,iBAAiB;IACnC,sBAAsB,EAAE,yFAAyF;IACjH,gBAAgB,EAAE,6BAA6B;IAC/C,oBAAoB,EAAE,kCAAkC;IACxD,iBAAiB,EAAE,6CAA6C;IAChE,UAAU,EAAE,SAAS;IACrB,kBAAkB,EAAE,4BAA4B;IAChD,gBAAgB,EAAE,6CAA6C;IAC/D,uBAAuB,EAAE,+FAA+F;IACxH,WAAW,EAAE,sBAAsB;IACnC,kBAAkB,EAAE,eAAe;IACnC,eAAe,EAAE,mBAAmB;IACpC,oBAAoB,EAAE,aAAa;IACnC,cAAc,EAAE,gCAAgC;IAChD,sBAAsB,EAAE,uBAAuB;IAC/C,gBAAgB,EAAE,iBAAiB;IACnC,aAAa,EAAE,mBAAmB;IAClC,gBAAgB,EAAE,sCAAsC;IACxD,+BAA+B,EAAE,uBAAuB;IACxD,0BAA0B,EAAE,+FAA+F;IAC3H,kBAAkB,EAAE,OAAO;IAC3B,eAAe,EAAE,uBAAuB;IACxC,mBAAmB,EAAE,iBAAiB;IACtC,0BAA0B,EAAE,kCAAkC;IAC9D,iBAAiB,EAAE,mBAAmB;IACtC,gBAAgB,EAAE,6CAA6C;IAC/D,kBAAkB,EAAE,aAAa;IACjC,qBAAqB,EAAE,cAAc;IACrC,mBAAmB,EAAE,cAAc;IACnC,yBAAyB,EAAE,eAAe;IAC1C,qBAAqB,EAAE,6BAA6B;IACpD,mBAAmB,EAAE,gBAAgB;IACrC,oBAAoB,EAAE,iBAAiB;IACvC,uBAAuB,EAAE,kCAAkC;IAC3D,0BAA0B,EAAE,iCAAiC;IAC7D,yBAAyB,EAAE,qCAAqC;IAChE,qBAAqB,EAAE,uCAAuC;IAC9D,cAAc,EAAE,sBAAsB;IACtC,kBAAkB,EAAE,wBAAwB;IAC5C,gBAAgB,EAAE,oBAAoB;IACtC,qBAAqB,EAAE,YAAY;IACnC,mBAAmB,EAAE,qBAAqB;IAC1C,oBAAoB,EAAE,iBAAiB;IACvC,0BAA0B,EAAE,6BAA6B;IACzD,0BAA0B,EAAE,kCAAkC;IAC9D,YAAY,EAAE,YAAY;IAC1B,eAAe,EAAE,sDAAsD;IACvE,YAAY,EAAE,4BAA4B;IAC1C,eAAe,EAAE,mBAAmB;IACpC,aAAa,EAAE,kBAAkB;IACjC,aAAa,EAAE,QAAQ;IACvB,aAAa,EAAE,QAAQ;IACvB,gBAAgB,EAAE,YAAY;IAC9B,cAAc,EAAE,iBAAiB;IACjC,eAAe,EAAE,mBAAmB;IACpC,oBAAoB,EAAE,2GAA2G;IACjI,gBAAgB,EAAE,yBAAyB;IAC3C,kBAAkB,EAAE,gBAAgB;IACpC,kBAAkB,EAAE,gBAAgB;IACpC,eAAe,EAAE,eAAe;IAChC,kBAAkB,EAAE,oEAAoE;IACxF,mBAAmB,EAAE,cAAc;IACnC,yBAAyB,EAAE,WAAW;IACtC,yBAAyB,EAAE,aAAa;IACxC,+BAA+B,EAAE,gBAAgB;IACjD,iBAAiB,EAAE,aAAa;IAChC,oBAAoB,EAAE,YAAY;IAClC,iBAAiB,EAAE,qDAAqD;IACxE,cAAc,EAAE,iBAAiB;IACjC,2BAA2B,EAAE,+BAA+B;IAC5D,uBAAuB,EAAE,0BAA0B;IACnD,sBAAsB,EAAE,4BAA4B;IACpD,mBAAmB,EAAE,2CAA2C;IAChE,gBAAgB,EAAE,qCAAqC;IACvD,wBAAwB,EAAE,0CAA0C;IACpE,8BAA8B,EAAE,iCAAiC;IACjE,gCAAgC,EAAE,qCAAqC;IACvE,4BAA4B,EAAE,iCAAiC;IAC/D,8BAA8B,EAAE,mCAAmC;IACnE,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,YAAmC,EAAE,EAAgB,EAAE,CAC9F,yBAAyB,CAAC;IACxB,OAAO,EAAE,aAAa;IACtB,IAAI,EAAE,aAAa;IACnB,MAAM,EAAE,SAAS;IACjB,gBAAgB,EAAE,kBAAkB;IACpC,sBAAsB,EAAE,mGAAmG;IAC3H,gBAAgB,EAAE,wBAAwB;IAC1C,oBAAoB,EAAE,sCAAsC;IAC5D,iBAAiB,EAAE,2DAA2D;IAC9E,UAAU,EAAE,WAAW;IACvB,kBAAkB,EAAE,qCAAqC;IACzD,gBAAgB,EAAE,2CAA2C;IAC7D,uBAAuB,EAAE,4GAA4G;IACrI,WAAW,EAAE,4BAA4B;IACzC,kBAAkB,EAAE,YAAY;IAChC,eAAe,EAAE,yBAAyB;IAC1C,oBAAoB,EAAE,kBAAkB;IACxC,cAAc,EAAE,mCAAmC;IACnD,sBAAsB,EAAE,mDAAmD;IAC3E,gBAAgB,EAAE,+BAA+B;IACjD,aAAa,EAAE,iBAAiB;IAChC,gBAAgB,EAAE,0CAA0C;IAC5D,+BAA+B,EAAE,2BAA2B;IAC5D,0BAA0B,EAAE,4GAA4G;IACxI,kBAAkB,EAAE,OAAO;IAC3B,eAAe,EAAE,iBAAiB;IAClC,mBAAmB,EAAE,QAAQ;IAC7B,0BAA0B,EAAE,+BAA+B;IAC3D,iBAAiB,EAAE,mBAAmB;IACtC,gBAAgB,EAAE,kCAAkC;IACpD,kBAAkB,EAAE,kBAAkB;IACtC,qBAAqB,EAAE,eAAe;IACtC,mBAAmB,EAAE,kBAAkB;IACvC,yBAAyB,EAAE,gBAAgB;IAC3C,qBAAqB,EAAE,mCAAmC;IAC1D,mBAAmB,EAAE,iBAAiB;IACtC,oBAAoB,EAAE,uBAAuB;IAC7C,uBAAuB,EAAE,uBAAuB;IAChD,0BAA0B,EAAE,oCAAoC;IAChE,yBAAyB,EAAE,0CAA0C;IACrE,qBAAqB,EAAE,gCAAgC;IACvD,cAAc,EAAE,8BAA8B;IAC9C,kBAAkB,EAAE,wBAAwB;IAC5C,gBAAgB,EAAE,qBAAqB;IACvC,qBAAqB,EAAE,qBAAqB;IAC5C,mBAAmB,EAAE,wBAAwB;IAC7C,oBAAoB,EAAE,uBAAuB;IAC7C,0BAA0B,EAAE,4BAA4B;IACxD,0BAA0B,EAAE,gDAAgD;IAC5E,YAAY,EAAE,eAAe;IAC7B,eAAe,EAAE,kEAAkE;IACnF,YAAY,EAAE,2BAA2B;IACzC,eAAe,EAAE,yBAAyB;IAC1C,aAAa,EAAE,4BAA4B;IAC3C,aAAa,EAAE,UAAU;IACzB,aAAa,EAAE,UAAU;IACzB,gBAAgB,EAAE,YAAY;IAC9B,cAAc,EAAE,kBAAkB;IAClC,eAAe,EAAE,+BAA+B;IAChD,oBAAoB,EAAE,uHAAuH;IAC7I,gBAAgB,EAAE,yCAAyC;IAC3D,kBAAkB,EAAE,+BAA+B;IACnD,kBAAkB,EAAE,8BAA8B;IAClD,eAAe,EAAE,sBAAsB;IACvC,kBAAkB,EAAE,mFAAmF;IACvG,mBAAmB,EAAE,kBAAkB;IACvC,yBAAyB,EAAE,WAAW;IACtC,yBAAyB,EAAE,mBAAmB;IAC9C,+BAA+B,EAAE,sBAAsB;IACvD,iBAAiB,EAAE,qBAAqB;IACxC,oBAAoB,EAAE,YAAY;IAClC,iBAAiB,EAAE,sFAAsF;IACzG,cAAc,EAAE,sBAAsB;IACtC,2BAA2B,EAAE,iCAAiC;IAC9D,uBAAuB,EAAE,0BAA0B;IACnD,sBAAsB,EAAE,qCAAqC;IAC7D,4BAA4B,EAAE,gCAAgC;IAC9D,8BAA8B,EAAE,qCAAqC;IACrE,wBAAwB,EAAE,kCAAkC;IAC5D,8BAA8B,EAAE,wBAAwB;IACxD,gCAAgC,EAAE,yCAAyC;IAC3E,GAAG,SAAS;CACb,CAAC,CAAC;AAEL,MAAM,CAAC,MAAM,2BAA2B,GAAG,CAAC,YAAqC,EAAE,EAAkB,EAAE;IACrG,MAAM,QAAQ,GAAmB;QAC/B,YAAY,EAAE,SAAS;QACvB,WAAW,EAAE,SAAS;QACtB,GAAG,SAAS;KACb,CAAC;IAEF,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC;QAC9C,QAAQ,CAAC,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC;IAC1C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,+BAA+B,GAAG,CAC7C,YAAyC,EAAE,EACvB,EAAE,CAAC,CAAC;IACxB,OAAO,EAAE,SAAS;IAClB,SAAS,EAAE,cAAc;IACzB,IAAI,EAAE,MAAM;IACZ,OAAO,EAAE,YAAY;IACrB,YAAY,EAAE,2CAA2C;IACzD,OAAO,EAAE,kCAAkC;IAC3C,gBAAgB,EAAE,sBAAsB;IACxC,iBAAiB,EAAE;QACjB,KAAK,EAAE,0DAA0D;QACjE,MAAM,EAAE,0CAA0C;QAClD,OAAO,EAAE,2BAA2B;QACpC,GAAG,CAAC,SAAS,CAAC,iBAAiB,IAAI,EAAE,CAAC;KACvC;IACD,WAAW,EAAE,sCAAsC;IACnD,KAAK,EAAE,uBAAuB;IAC9B,GAAG,SAAS;CACb,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,8BAA8B,GAAG,CAC5C,YAAyC,EAAE,EACvB,EAAE,CACtB,+BAA+B,CAAC;IAC9B,OAAO,EAAE,WAAW;IACpB,SAAS,EAAE,iBAAiB;IAC5B,IAAI,EAAE,SAAS;IACf,OAAO,EAAE,UAAU;IACnB,YAAY,EAAE,kDAAkD;IAChE,OAAO,EAAE,4CAA4C;IACrD,gBAAgB,EAAE,4BAA4B;IAC9C,iBAAiB,EAAE;QACjB,KAAK,EAAE,gEAAgE;QACvE,MAAM,EAAE,0CAA0C;QAClD,OAAO,EAAE,iCAAiC;KAC3C;IACD,WAAW,EAAE,qCAAqC;IAClD,KAAK,EAAE,yBAAyB;IAChC,GAAG,SAAS;CACb,CAAC,CAAC"}

package/dist/oauth-client.d.ts

@@ -0,0 +1,57 @@
+export type OAuthFetchLike = (input: string, init?: RequestInit) => Promise<Response>;
+export interface OAuthDiscoveryDocument {
+    authorization_endpoint: string;
+    revocation_endpoint?: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+}
+export interface OAuthTokenResponse {
+    access_token: string;
+    token_type: 'Bearer' | 'DPoP' | (string & {});
+    expires_in?: number;
+    id_token?: string;
+    scope?: string;
+}
+export interface OAuthAuthorizationRequest {
+    codeChallenge: string;
+    codeVerifier: string;
+    nonce?: string;
+    state?: string;
+    url: string;
+}
+export interface OAuthStartAuthorizationInput {
+    codeVerifier?: string;
+    nonce?: string;
+    state?: string;
+}
+export interface OAuthDpopKeyPair {
+    privateKey?: CryptoKey;
+    publicJwk: JsonWebKey;
+    sign?: (data: Uint8Array) => Promise<ArrayBuffer | Uint8Array>;
+}
+export interface OAuthDpopStore {
+    get(): Promise<OAuthDpopKeyPair | null> | OAuthDpopKeyPair | null;
+    set(keyPair: OAuthDpopKeyPair): Promise<void> | void;
+}
+export interface OAuthDpopOptions {
+    generateKeyPair?: () => Promise<OAuthDpopKeyPair>;
+    jti?: () => string;
+    now?: () => Date;
+    store: OAuthDpopStore;
+}
+export interface CreateOAuthClientOptions {
+    clientId: string;
+    dpop?: OAuthDpopOptions;
+    fetch?: OAuthFetchLike;
+    issuer: string;
+    redirectUri: string;
+    scopes: string[];
+}
+export interface OAuthClient {
+    exchangeCode(code: string, codeVerifier: string): Promise<OAuthTokenResponse>;
+    revoke(token: string): Promise<void>;
+    startAuthorization(input?: OAuthStartAuthorizationInput): Promise<OAuthAuthorizationRequest>;
+    userInfo<T = Record<string, unknown>>(token: string): Promise<T>;
+}
+export declare const createOAuthClient: (options: CreateOAuthClientOptions) => OAuthClient;
+//# sourceMappingURL=oauth-client.d.ts.map

package/dist/oauth-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.d.ts","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;AAEtF,MAAM,WAAW,sBAAsB;IACrC,sBAAsB,EAAE,MAAM,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,yBAAyB;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,4BAA4B;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,gBAAgB;IAC/B,UAAU,CAAC,EAAE,SAAS,CAAC;IACvB,SAAS,EAAE,UAAU,CAAC;IACtB,IAAI,CAAC,EAAE,CAAC,IAAI,EAAE,UAAU,KAAK,OAAO,CAAC,WAAW,GAAG,UAAU,CAAC,CAAC;CAChE;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,gBAAgB,GAAG,IAAI,CAAC;IAClE,GAAG,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;CACtD;AAED,MAAM,WAAW,gBAAgB;IAC/B,eAAe,CAAC,EAAE,MAAM,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAClD,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;IACjB,KAAK,EAAE,cAAc,CAAC;CACvB;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,KAAK,CAAC,EAAE,cAAc,CAAC;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC9E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACrC,kBAAkB,CAAC,KAAK,CAAC,EAAE,4BAA4B,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC7F,QAAQ,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;CAClE;AAED,eAAO,MAAM,iBAAiB,YAAa,wBAAwB,KAAG,WAiHrE,CAAC"}

package/dist/oauth-client.js

@@ -0,0 +1,218 @@
+import { createAuthUiError } from './errors.js';
+export const createOAuthClient = (options) => {
+    const issuer = options.issuer.replace(/\/+$/u, '');
+    const fetchImpl = options.fetch ?? (typeof fetch === 'function' ? fetch.bind(globalThis) : undefined);
+    if (!fetchImpl) {
+        throw createAuthUiError('invalid_input', 'No global fetch found; pass options.fetch when constructing the OAuth client.');
+    }
+    let discoveryPromise = null;
+    const getDiscovery = () => {
+        discoveryPromise ??= requestJson(fetchImpl, `${issuer}/.well-known/openid-configuration`, { headers: { Accept: 'application/json' }, method: 'GET' });
+        return discoveryPromise;
+    };
+    return {
+        async startAuthorization(input = {}) {
+            const [discovery, dpopJkt] = await Promise.all([
+                getDiscovery(),
+                options.dpop ? getDpopJkt(options.dpop) : Promise.resolve(null),
+            ]);
+            const codeVerifier = input.codeVerifier ?? generateCodeVerifier();
+            const codeChallenge = await sha256Base64url(codeVerifier);
+            const url = new URL(discovery.authorization_endpoint);
+            url.searchParams.set('response_type', 'code');
+            url.searchParams.set('client_id', options.clientId);
+            url.searchParams.set('redirect_uri', options.redirectUri);
+            url.searchParams.set('scope', options.scopes.join(' '));
+            url.searchParams.set('code_challenge', codeChallenge);
+            url.searchParams.set('code_challenge_method', 'S256');
+            if (input.state)
+                url.searchParams.set('state', input.state);
+            if (input.nonce)
+                url.searchParams.set('nonce', input.nonce);
+            if (dpopJkt)
+                url.searchParams.set('dpop_jkt', dpopJkt);
+            return {
+                codeChallenge,
+                codeVerifier,
+                nonce: input.nonce,
+                state: input.state,
+                url: url.toString(),
+            };
+        },
+        async exchangeCode(code, codeVerifier) {
+            const discovery = await getDiscovery();
+            const headers = {
+                Accept: 'application/json',
+                'Content-Type': 'application/x-www-form-urlencoded',
+            };
+            if (options.dpop) {
+                headers.DPoP = await createDpopProof(options.dpop, {
+                    htm: 'POST',
+                    htu: discovery.token_endpoint,
+                });
+            }
+            return requestJson(fetchImpl, discovery.token_endpoint, {
+                body: formBody({
+                    client_id: options.clientId,
+                    code,
+                    code_verifier: codeVerifier,
+                    grant_type: 'authorization_code',
+                    redirect_uri: options.redirectUri,
+                }),
+                headers,
+                method: 'POST',
+            });
+        },
+        async userInfo(token) {
+            const discovery = await getDiscovery();
+            if (!discovery.userinfo_endpoint) {
+                throw createAuthUiError('invalid_input', 'OAuth discovery document is missing userinfo_endpoint.');
+            }
+            const headers = {
+                Accept: 'application/json',
+                Authorization: `${options.dpop ? 'DPoP' : 'Bearer'} ${token}`,
+            };
+            if (options.dpop) {
+                headers.DPoP = await createDpopProof(options.dpop, {
+                    accessToken: token,
+                    htm: 'GET',
+                    htu: discovery.userinfo_endpoint,
+                });
+            }
+            return requestJson(fetchImpl, discovery.userinfo_endpoint, { headers, method: 'GET' });
+        },
+        async revoke(token) {
+            const discovery = await getDiscovery();
+            if (!discovery.revocation_endpoint) {
+                throw createAuthUiError('invalid_input', 'OAuth discovery document is missing revocation_endpoint.');
+            }
+            const headers = {
+                Accept: 'application/json',
+                'Content-Type': 'application/x-www-form-urlencoded',
+            };
+            if (options.dpop) {
+                headers.DPoP = await createDpopProof(options.dpop, {
+                    accessToken: token,
+                    htm: 'POST',
+                    htu: discovery.revocation_endpoint,
+                });
+            }
+            await requestJson(fetchImpl, discovery.revocation_endpoint, {
+                body: formBody({ token }),
+                headers,
+                method: 'POST',
+            });
+        },
+    };
+};
+const requestJson = async (fetchImpl, url, init) => {
+    let response;
+    try {
+        response = await fetchImpl(url, init);
+    }
+    catch (cause) {
+        throw createAuthUiError('transport_error', 'Network request failed', { retryable: true, cause });
+    }
+    const payload = await safeJson(response);
+    if (!response.ok) {
+        throw createAuthUiError('transport_error', extractErrorMessage(payload, `Request failed with status ${response.status}`), {
+            cause: payload,
+            retryable: response.status >= 500,
+        });
+    }
+    return payload;
+};
+const safeJson = async (response) => {
+    const text = await response.text();
+    if (!text)
+        return null;
+    try {
+        return JSON.parse(text);
+    }
+    catch {
+        return text;
+    }
+};
+const extractErrorMessage = (payload, fallback) => {
+    if (payload && typeof payload === 'object') {
+        const record = payload;
+        if (typeof record.error === 'string' && record.error)
+            return record.error;
+        if (typeof record.message === 'string' && record.message)
+            return record.message;
+    }
+    return fallback;
+};
+const createDpopProof = async (options, input) => {
+    const keyPair = await getDpopKeyPair(options);
+    const header = base64urlJson({
+        alg: 'EdDSA',
+        jwk: keyPair.publicJwk,
+        typ: 'dpop+jwt',
+    });
+    const payload = base64urlJson({
+        ...(input.accessToken ? { ath: await sha256Base64url(input.accessToken) } : {}),
+        htm: input.htm,
+        htu: input.htu,
+        iat: Math.floor((options.now?.() ?? new Date()).getTime() / 1000),
+        jti: options.jti?.() ?? randomToken(16),
+    });
+    const signingInput = `${header}.${payload}`;
+    const signature = keyPair.sign
+        ? await keyPair.sign(textEncoder.encode(signingInput))
+        : await crypto.subtle.sign('Ed25519', requirePrivateKey(keyPair), textEncoder.encode(signingInput));
+    return `${signingInput}.${base64urlEncode(new Uint8Array(signature))}`;
+};
+const getDpopKeyPair = async (options) => {
+    const existing = await options.store.get();
+    if (existing)
+        return existing;
+    const generated = options.generateKeyPair ? await options.generateKeyPair() : await generateDefaultDpopKeyPair();
+    await options.store.set(generated);
+    return generated;
+};
+const getDpopJkt = async (options) => sha256Base64url(canonicalizeJwk((await getDpopKeyPair(options)).publicJwk));
+const generateDefaultDpopKeyPair = async () => {
+    const keyPair = await crypto.subtle.generateKey('Ed25519', true, ['sign', 'verify']);
+    return {
+        privateKey: keyPair.privateKey,
+        publicJwk: await crypto.subtle.exportKey('jwk', keyPair.publicKey),
+    };
+};
+const requirePrivateKey = (keyPair) => {
+    if (!keyPair.privateKey) {
+        throw createAuthUiError('invalid_input', 'OAuth DPoP key pair is missing private key material.');
+    }
+    return keyPair.privateKey;
+};
+const canonicalizeJwk = (jwk) => {
+    const keys = ['crv', 'kty', 'x', 'e', 'n'].filter((key) => typeof jwk[key] === 'string');
+    return `{${keys.sort().map((key) => `"${key}":"${jwk[key]}"`).join(',')}}`;
+};
+const formBody = (input) => {
+    const form = new URLSearchParams();
+    for (const [key, value] of Object.entries(input)) {
+        form.set(key, value);
+    }
+    return form.toString();
+};
+const generateCodeVerifier = () => randomToken(32);
+const randomToken = (byteLength) => {
+    const bytes = new Uint8Array(byteLength);
+    crypto.getRandomValues(bytes);
+    return base64urlEncode(bytes);
+};
+const sha256Base64url = async (value) => {
+    const digest = await crypto.subtle.digest('SHA-256', textEncoder.encode(value));
+    return base64urlEncode(new Uint8Array(digest));
+};
+const base64urlJson = (value) => base64urlEncode(textEncoder.encode(JSON.stringify(value)));
+const base64urlEncode = (bytes) => {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};
+const textEncoder = new TextEncoder();
+//# sourceMappingURL=oauth-client.js.map

package/dist/oauth-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-client.js","sourceRoot":"","sources":["../src/oauth-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAmEhD,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,OAAiC,EAAe,EAAE;IAClF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IACnD,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,IAAI,CAAC,OAAO,KAAK,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IACtG,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,iBAAiB,CAAC,eAAe,EAAE,+EAA+E,CAAC,CAAC;IAC5H,CAAC;IAED,IAAI,gBAAgB,GAA2C,IAAI,CAAC;IACpE,MAAM,YAAY,GAAG,GAAoC,EAAE;QACzD,gBAAgB,KAAK,WAAW,CAC9B,SAAS,EACT,GAAG,MAAM,mCAAmC,EAC5C,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAC3D,CAAC;QACF,OAAO,gBAAgB,CAAC;IAC1B,CAAC,CAAC;IAEF,OAAO;QACL,KAAK,CAAC,kBAAkB,CAAC,KAAK,GAAG,EAAE;YACjC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBAC7C,YAAY,EAAE;gBACd,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAgB,IAAI,CAAC;aAC/E,CAAC,CAAC;YACH,MAAM,YAAY,GAAG,KAAK,CAAC,YAAY,IAAI,oBAAoB,EAAE,CAAC;YAClE,MAAM,aAAa,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,CAAC;YAC1D,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;YACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;YAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;YACpD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;YAC1D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YACxD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;YACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;YACtD,IAAI,KAAK,CAAC,KAAK;gBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC5D,IAAI,KAAK,CAAC,KAAK;gBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC5D,IAAI,OAAO;gBAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YAEvD,OAAO;gBACL,aAAa;gBACb,YAAY;gBACZ,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,GAAG,EAAE,GAAG,CAAC,QAAQ,EAAE;aACpB,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,YAAY;YACnC,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;YACvC,MAAM,OAAO,GAA2B;gBACtC,MAAM,EAAE,kBAAkB;gBAC1B,cAAc,EAAE,mCAAmC;aACpD,CAAC;YACF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE;oBACjD,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,SAAS,CAAC,cAAc;iBAC9B,CAAC,CAAC;YACL,CAAC;YAED,OAAO,WAAW,CAAqB,SAAS,EAAE,SAAS,CAAC,cAAc,EAAE;gBAC1E,IAAI,EAAE,QAAQ,CAAC;oBACb,SAAS,EAAE,OAAO,CAAC,QAAQ;oBAC3B,IAAI;oBACJ,aAAa,EAAE,YAAY;oBAC3B,UAAU,EAAE,oBAAoB;oBAChC,YAAY,EAAE,OAAO,CAAC,WAAW;iBAClC,CAAC;gBACF,OAAO;gBACP,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,KAAK;YAClB,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;YACvC,IAAI,CAAC,SAAS,CAAC,iBAAiB,EAAE,CAAC;gBACjC,MAAM,iBAAiB,CAAC,eAAe,EAAE,wDAAwD,CAAC,CAAC;YACrG,CAAC;YACD,MAAM,OAAO,GAA2B;gBACtC,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,IAAI,KAAK,EAAE;aAC9D,CAAC;YACF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE;oBACjD,WAAW,EAAE,KAAK;oBAClB,GAAG,EAAE,KAAK;oBACV,GAAG,EAAE,SAAS,CAAC,iBAAiB;iBACjC,CAAC,CAAC;YACL,CAAC;YACD,OAAO,WAAW,CAAC,SAAS,EAAE,SAAS,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACzF,CAAC;QAED,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,SAAS,GAAG,MAAM,YAAY,EAAE,CAAC;YACvC,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE,CAAC;gBACnC,MAAM,iBAAiB,CAAC,eAAe,EAAE,0DAA0D,CAAC,CAAC;YACvG,CAAC;YACD,MAAM,OAAO,GAA2B;gBACtC,MAAM,EAAE,kBAAkB;gBAC1B,cAAc,EAAE,mCAAmC;aACpD,CAAC;YACF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAI,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,IAAI,EAAE;oBACjD,WAAW,EAAE,KAAK;oBAClB,GAAG,EAAE,MAAM;oBACX,GAAG,EAAE,SAAS,CAAC,mBAAmB;iBACnC,CAAC,CAAC;YACL,CAAC;YACD,MAAM,WAAW,CAAC,SAAS,EAAE,SAAS,CAAC,mBAAmB,EAAE;gBAC1D,IAAI,EAAE,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC;gBACzB,OAAO;gBACP,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,KAAK,EACvB,SAAyB,EACzB,GAAW,EACX,IAAiB,EACL,EAAE;IACd,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,iBAAiB,CAAC,iBAAiB,EAAE,wBAAwB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnG,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,iBAAiB,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,OAAO,EAAE,8BAA8B,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE;YACxH,KAAK,EAAE,OAAO;YACd,SAAS,EAAE,QAAQ,CAAC,MAAM,IAAI,GAAG;SAClC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAY,CAAC;AACtB,CAAC,CAAC;AAEF,MAAM,QAAQ,GAAG,KAAK,EAAE,QAAkB,EAAoB,EAAE;IAC9D,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,OAAgB,EAAE,QAAgB,EAAU,EAAE;IACzE,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC3C,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,IAAI,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK;YAAE,OAAO,MAAM,CAAC,KAAK,CAAC;QAC1E,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,IAAI,MAAM,CAAC,OAAO;YAAE,OAAO,MAAM,CAAC,OAAO,CAAC;IAClF,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,KAAK,EAC3B,OAAyB,EACzB,KAAyD,EACxC,EAAE;IACnB,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAG,aAAa,CAAC;QAC3B,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,OAAO,CAAC,SAAS;QACtB,GAAG,EAAE,UAAU;KAChB,CAAC,CAAC;IACH,MAAM,OAAO,GAAG,aAAa,CAAC;QAC5B,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/E,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC;QACjE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,WAAW,CAAC,EAAE,CAAC;KACxC,CAAC,CAAC;IACH,MAAM,YAAY,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI;QAC5B,CAAC,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACtD,CAAC,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,OAAO,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IACtG,OAAO,GAAG,YAAY,IAAI,eAAe,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;AACzE,CAAC,CAAC;AAEF,MAAM,cAAc,GAAG,KAAK,EAAE,OAAyB,EAA6B,EAAE;IACpF,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IAC3C,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,MAAM,0BAA0B,EAAE,CAAC;IACjH,MAAM,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAEF,MAAM,UAAU,GAAG,KAAK,EAAE,OAAyB,EAAmB,EAAE,CACtE,eAAe,CAAC,eAAe,CAAC,CAAC,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC;AAE9E,MAAM,0BAA0B,GAAG,KAAK,IAA+B,EAAE;IACvE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACrF,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,SAAS,EAAE,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC;KACnE,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,OAAyB,EAAa,EAAE;IACjE,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QACxB,MAAM,iBAAiB,CAAC,eAAe,EAAE,sDAAsD,CAAC,CAAC;IACnG,CAAC;IACD,OAAO,OAAO,CAAC,UAAU,CAAC;AAC5B,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,GAAe,EAAU,EAAE;IAClD,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAQ,GAA+B,CAAC,GAAG,CAAC,KAAK,QAAQ,CAAC,CAAC;IACtH,OAAO,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,GAAG,MAAO,GAA8B,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AACzG,CAAC,CAAC;AAEF,MAAM,QAAQ,GAAG,CAAC,KAA6B,EAAU,EAAE;IACzD,MAAM,IAAI,GAAG,IAAI,eAAe,EAAE,CAAC;IACnC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,IAAI,CAAC,QAAQ,EAAE,CAAC;AACzB,CAAC,CAAC;AAEF,MAAM,oBAAoB,GAAG,GAAW,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;AAE3D,MAAM,WAAW,GAAG,CAAC,UAAkB,EAAU,EAAE;IACjD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,eAAe,CAAC,KAAK,CAAC,CAAC;AAChC,CAAC,CAAC;AAEF,MAAM,eAAe,GAAG,KAAK,EAAE,KAAa,EAAmB,EAAE;IAC/D,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAChF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AACjD,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,KAAc,EAAU,EAAE,CAC/C,eAAe,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAE7D,MAAM,eAAe,GAAG,CAAC,KAAiB,EAAU,EAAE;IACpD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACpF,CAAC,CAAC;AAEF,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/oauth-consent.d.ts

@@ -0,0 +1,30 @@
+export type OAuthConsentDecision = 'approve' | 'deny';
+export interface OAuthConsentDetails {
+    clientName: string;
+    redirectUri: string;
+    scopes: string[];
+}
+export interface OAuthConsentTransport {
+    getConsent(input: {
+        state: string;
+    }): Promise<OAuthConsentDetails>;
+    submitConsentDecision(input: {
+        decision: OAuthConsentDecision;
+        state: string;
+    }): Promise<{
+        redirectTo: string;
+    }>;
+}
+export interface OAuthConsentLabels {
+    approve: string;
+    approving: string;
+    deny: string;
+    denying: string;
+    errorGeneric: string;
+    loading: string;
+    redirectUriLabel: string;
+    scopeDescriptions: Record<string, string>;
+    scopesTitle: string;
+    title: string;
+}
+//# sourceMappingURL=oauth-consent.d.ts.map

package/dist/oauth-consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-consent.d.ts","sourceRoot":"","sources":["../src/oauth-consent.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,oBAAoB,GAAG,SAAS,GAAG,MAAM,CAAC;AAEtD,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACnE,qBAAqB,CAAC,KAAK,EAAE;QAC3B,QAAQ,EAAE,oBAAoB,CAAC;QAC/B,KAAK,EAAE,MAAM,CAAC;KACf,GAAG,OAAO,CAAC;QAAE,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;CACf"}

package/dist/oauth-consent.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=oauth-consent.js.map

package/dist/oauth-consent.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-consent.js","sourceRoot":"","sources":["../src/oauth-consent.ts"],"names":[],"mappings":""}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentropic/auth-ui",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Reusable Svelte authentication UI contracts and browser passkey helpers for Sentropic-compatible apps.",
   "type": "module",
   "license": "MIT",
@@ -32,6 +32,16 @@
       "svelte": "./src/transport-fetch.ts",
       "import": "./src/transport-fetch.ts"
     },
+    "./oauth-client": {
+      "types": "./src/oauth-client.ts",
+      "svelte": "./src/oauth-client.ts",
+      "import": "./src/oauth-client.ts"
+    },
+    "./oauth-consent": {
+      "types": "./src/oauth-consent.ts",
+      "svelte": "./src/oauth-consent.ts",
+      "import": "./src/oauth-consent.ts"
+    },
     "./components/AuthLogin.svelte": {
       "types": "./src/components/AuthLogin.svelte.d.ts",
       "svelte": "./src/components/AuthLogin.svelte",
@@ -56,6 +66,11 @@
       "types": "./src/components/AuthDevicePair.svelte.d.ts",
       "svelte": "./src/components/AuthDevicePair.svelte",
       "import": "./src/components/AuthDevicePair.svelte"
+    },
+    "./components/OAuthConsent.svelte": {
+      "types": "./src/components/OAuthConsent.svelte.d.ts",
+      "svelte": "./src/components/OAuthConsent.svelte",
+      "import": "./src/components/OAuthConsent.svelte"
     }
   },
   "files": [
@@ -76,6 +91,7 @@
     "test": "vitest run tests"
   },
   "peerDependencies": {
+    "@sentropic/auth-hono": "^0.3.0",
     "@simplewebauthn/browser": "^13.2.2",
     "svelte": "^5.0.0"
   },

package/src/components/OAuthConsent.svelte

@@ -0,0 +1,240 @@
+<script lang="ts">
+  import { onMount } from 'svelte';
+  import {
+    createDefaultOAuthConsentLabels,
+    type AuthUiError,
+    type OAuthConsentDetails,
+    type OAuthConsentLabels,
+    type OAuthConsentTransport,
+  } from '../contracts.js';
+  import { createAuthUiError } from '../errors.js';
+
+  interface Props {
+    labels?: Partial<OAuthConsentLabels>;
+    onError?: (error: AuthUiError) => void;
+    onRedirect?: (url: string) => void;
+    state: string;
+    transport: OAuthConsentTransport;
+  }
+
+  let { labels, onError, onRedirect, state: consentState, transport }: Props = $props();
+
+  const resolvedLabels = $derived(createDefaultOAuthConsentLabels(labels ?? {}));
+
+  let details = $state<OAuthConsentDetails | null>(null);
+  let error = $state('');
+  let loading = $state(true);
+  let submitting = $state<'approve' | 'deny' | null>(null);
+
+  onMount(loadConsent);
+
+  async function loadConsent(): Promise<void> {
+    loading = true;
+    error = '';
+    try {
+      details = await transport.getConsent({ state: consentState });
+    } catch (cause) {
+      handleError(createAuthUiError('transport_error', resolvedLabels.errorGeneric, { cause }));
+    } finally {
+      loading = false;
+    }
+  }
+
+  async function submit(decision: 'approve' | 'deny'): Promise<void> {
+    submitting = decision;
+    error = '';
+    try {
+      const result = await transport.submitConsentDecision({ decision, state: consentState });
+      onRedirect?.(result.redirectTo);
+    } catch (cause) {
+      handleError(createAuthUiError('transport_error', resolvedLabels.errorGeneric, { cause }));
+    } finally {
+      submitting = null;
+    }
+  }
+
+  function handleError(err: AuthUiError): void {
+    error = err.message;
+    onError?.(err);
+  }
+</script>
+
+<div class="auth-ui-oauth-consent">
+  <slot name="branding"></slot>
+
+  {#if loading}
+    <div class="auth-ui-loading" role="status">
+      <div class="auth-ui-spinner" aria-hidden="true"></div>
+      <p class="auth-ui-loading__label">{resolvedLabels.loading}</p>
+    </div>
+  {:else if error}
+    <div class="auth-ui-alert auth-ui-alert--error" role="alert">{error}</div>
+  {:else if details}
+    <header class="auth-ui-header">
+      <h2 class="auth-ui-title">{resolvedLabels.title}</h2>
+      <p class="auth-ui-subtitle">{details.clientName}</p>
+    </header>
+
+    <section class="auth-ui-section" aria-labelledby="oauth-consent-scopes">
+      <h3 id="oauth-consent-scopes" class="auth-ui-section__title">{resolvedLabels.scopesTitle}</h3>
+      <ul class="auth-ui-scope-list">
+        {#each details.scopes as scope (scope)}
+          <li class="auth-ui-scope-list__item">
+            <strong>{scope}</strong>
+            <slot name="scope-description" scope={scope}>
+              <span>{resolvedLabels.scopeDescriptions[scope] ?? scope}</span>
+            </slot>
+          </li>
+        {/each}
+      </ul>
+    </section>
+
+    <section class="auth-ui-section">
+      <h3 class="auth-ui-section__title">{resolvedLabels.redirectUriLabel}</h3>
+      <p class="auth-ui-redirect-uri">{details.redirectUri}</p>
+    </section>
+
+    <div class="auth-ui-actions">
+      <button
+        type="button"
+        class="auth-ui-button auth-ui-button--primary"
+        disabled={submitting !== null}
+        onclick={() => submit('approve')}
+      >
+        {submitting === 'approve' ? resolvedLabels.approving : resolvedLabels.approve}
+      </button>
+      <button
+        type="button"
+        class="auth-ui-button auth-ui-button--secondary"
+        disabled={submitting !== null}
+        onclick={() => submit('deny')}
+      >
+        {submitting === 'deny' ? resolvedLabels.denying : resolvedLabels.deny}
+      </button>
+    </div>
+
+    <slot name="footer"></slot>
+  {/if}
+</div>
+
+<style>
+  .auth-ui-oauth-consent {
+    display: flex;
+    flex-direction: column;
+    gap: 1.5rem;
+    max-width: 32rem;
+    margin: 0 auto;
+    padding: 2rem 1rem;
+    font-family: var(--auth-font-family, system-ui, -apple-system, sans-serif);
+    color: var(--auth-text, #111827);
+  }
+  .auth-ui-header {
+    display: flex;
+    flex-direction: column;
+    gap: 0.25rem;
+    text-align: center;
+  }
+  .auth-ui-title {
+    margin: 0;
+    font-size: 1.5rem;
+    font-weight: 700;
+  }
+  .auth-ui-subtitle {
+    margin: 0;
+    font-size: 0.95rem;
+    color: var(--auth-muted, #6b7280);
+  }
+  .auth-ui-section {
+    display: flex;
+    flex-direction: column;
+    gap: 0.75rem;
+  }
+  .auth-ui-section__title {
+    margin: 0;
+    font-size: 0.875rem;
+    font-weight: 600;
+  }
+  .auth-ui-scope-list {
+    display: flex;
+    flex-direction: column;
+    gap: 0.75rem;
+    margin: 0;
+    padding: 0;
+    list-style: none;
+  }
+  .auth-ui-scope-list__item {
+    display: flex;
+    flex-direction: column;
+    gap: 0.25rem;
+    padding: 0.75rem;
+    border: 1px solid var(--auth-border, #e5e7eb);
+    border-radius: var(--auth-radius, 0.375rem);
+    font-size: 0.875rem;
+  }
+  .auth-ui-scope-list__item span {
+    color: var(--auth-muted, #6b7280);
+  }
+  .auth-ui-redirect-uri {
+    margin: 0;
+    overflow-wrap: anywhere;
+    font-size: 0.875rem;
+    color: var(--auth-muted, #6b7280);
+  }
+  .auth-ui-actions {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 0.75rem;
+  }
+  .auth-ui-button {
+    padding: 0.625rem 1rem;
+    border: none;
+    border-radius: var(--auth-radius, 0.375rem);
+    font-size: 0.875rem;
+    font-weight: 500;
+    cursor: pointer;
+  }
+  .auth-ui-button:disabled {
+    opacity: 0.5;
+    cursor: not-allowed;
+  }
+  .auth-ui-button--primary {
+    background: var(--auth-primary, #4f46e5);
+    color: var(--auth-primary-text, #ffffff);
+  }
+  .auth-ui-button--secondary {
+    background: var(--auth-surface-muted, #f3f4f6);
+    color: var(--auth-text, #111827);
+  }
+  .auth-ui-alert {
+    padding: 0.75rem 1rem;
+    border-radius: var(--auth-radius, 0.375rem);
+    font-size: 0.875rem;
+  }
+  .auth-ui-alert--error {
+    background: var(--auth-error-bg, #fef2f2);
+    color: var(--auth-error-text, #991b1b);
+  }
+  .auth-ui-loading {
+    text-align: center;
+    padding: 3rem 0;
+  }
+  .auth-ui-spinner {
+    display: inline-block;
+    width: 3rem;
+    height: 3rem;
+    border: 2px solid transparent;
+    border-bottom-color: var(--auth-primary, #4f46e5);
+    border-radius: 50%;
+    animation: auth-ui-spin 0.75s linear infinite;
+  }
+  .auth-ui-loading__label {
+    margin-top: 1rem;
+    font-size: 0.875rem;
+    color: var(--auth-muted, #6b7280);
+  }
+  @keyframes auth-ui-spin {
+    to {
+      transform: rotate(360deg);
+    }
+  }
+</style>

package/src/components/OAuthConsent.svelte.d.ts

@@ -0,0 +1,17 @@
+import type { Component } from 'svelte';
+import type {
+  AuthUiError,
+  OAuthConsentLabels,
+  OAuthConsentTransport,
+} from '../contracts.js';
+
+export interface OAuthConsentProps {
+  labels?: Partial<OAuthConsentLabels>;
+  onError?: (error: AuthUiError) => void;
+  onRedirect?: (url: string) => void;
+  state: string;
+  transport: OAuthConsentTransport;
+}
+
+declare const OAuthConsent: Component<OAuthConsentProps>;
+export default OAuthConsent;

package/src/contracts.ts

@@ -1,5 +1,6 @@
 export * from './errors.js';
 export * from './labels.js';
+export * from './oauth-consent.js';
 export * from './transport.js';
 export * from './transport-fetch.js';
 export * from './transport-types.js';

package/src/index.ts

@@ -1,2 +1,4 @@
 export * from './contracts.js';
+export * from './oauth-client.js';
+export * from './oauth-consent.js';
 export * from './webauthn.js';

package/src/labels.ts

@@ -1,3 +1,4 @@
+import type { OAuthConsentLabels } from './oauth-consent.js';
 import type { AuthUiBranding, AuthUiLabels } from './types.js';
 
 export const createDefaultAuthUiLabels = (overrides: Partial<AuthUiLabels> = {}): AuthUiLabels => ({
@@ -184,3 +185,45 @@ export const createDefaultAuthUiBranding = (overrides: Partial<AuthUiBranding> =
 
   return branding;
 };
+
+export const createDefaultOAuthConsentLabels = (
+  overrides: Partial<OAuthConsentLabels> = {},
+): OAuthConsentLabels => ({
+  approve: 'Approve',
+  approving: 'Approving...',
+  deny: 'Deny',
+  denying: 'Denying...',
+  errorGeneric: 'Unable to load the authorization request.',
+  loading: 'Loading authorization request...',
+  redirectUriLabel: 'Redirect destination',
+  scopeDescriptions: {
+    email: 'Access your email address and email verification status.',
+    openid: 'Confirm your identity with this account.',
+    profile: 'Access your profile name.',
+    ...(overrides.scopeDescriptions ?? {}),
+  },
+  scopesTitle: 'This application requests access to:',
+  title: 'Authorize application',
+  ...overrides,
+});
+
+export const createFrenchOAuthConsentLabels = (
+  overrides: Partial<OAuthConsentLabels> = {},
+): OAuthConsentLabels =>
+  createDefaultOAuthConsentLabels({
+    approve: 'Autoriser',
+    approving: 'Autorisation...',
+    deny: 'Refuser',
+    denying: 'Refus...',
+    errorGeneric: "Impossible de charger la demande d'autorisation.",
+    loading: "Chargement de la demande d'autorisation...",
+    redirectUriLabel: 'Destination de redirection',
+    scopeDescriptions: {
+      email: "Accéder à votre adresse email et à son statut de vérification.",
+      openid: 'Confirmer votre identité avec ce compte.',
+      profile: 'Accéder au nom de votre profil.',
+    },
+    scopesTitle: 'Cette application demande accès à :',
+    title: "Autoriser l'application",
+    ...overrides,
+  });

package/src/oauth-client.ts

@@ -0,0 +1,312 @@
+import { createAuthUiError } from './errors.js';
+
+export type OAuthFetchLike = (input: string, init?: RequestInit) => Promise<Response>;
+
+export interface OAuthDiscoveryDocument {
+  authorization_endpoint: string;
+  revocation_endpoint?: string;
+  token_endpoint: string;
+  userinfo_endpoint?: string;
+}
+
+export interface OAuthTokenResponse {
+  access_token: string;
+  token_type: 'Bearer' | 'DPoP' | (string & {});
+  expires_in?: number;
+  id_token?: string;
+  scope?: string;
+}
+
+export interface OAuthAuthorizationRequest {
+  codeChallenge: string;
+  codeVerifier: string;
+  nonce?: string;
+  state?: string;
+  url: string;
+}
+
+export interface OAuthStartAuthorizationInput {
+  codeVerifier?: string;
+  nonce?: string;
+  state?: string;
+}
+
+export interface OAuthDpopKeyPair {
+  privateKey?: CryptoKey;
+  publicJwk: JsonWebKey;
+  sign?: (data: Uint8Array) => Promise<ArrayBuffer | Uint8Array>;
+}
+
+export interface OAuthDpopStore {
+  get(): Promise<OAuthDpopKeyPair | null> | OAuthDpopKeyPair | null;
+  set(keyPair: OAuthDpopKeyPair): Promise<void> | void;
+}
+
+export interface OAuthDpopOptions {
+  generateKeyPair?: () => Promise<OAuthDpopKeyPair>;
+  jti?: () => string;
+  now?: () => Date;
+  store: OAuthDpopStore;
+}
+
+export interface CreateOAuthClientOptions {
+  clientId: string;
+  dpop?: OAuthDpopOptions;
+  fetch?: OAuthFetchLike;
+  issuer: string;
+  redirectUri: string;
+  scopes: string[];
+}
+
+export interface OAuthClient {
+  exchangeCode(code: string, codeVerifier: string): Promise<OAuthTokenResponse>;
+  revoke(token: string): Promise<void>;
+  startAuthorization(input?: OAuthStartAuthorizationInput): Promise<OAuthAuthorizationRequest>;
+  userInfo<T = Record<string, unknown>>(token: string): Promise<T>;
+}
+
+export const createOAuthClient = (options: CreateOAuthClientOptions): OAuthClient => {
+  const issuer = options.issuer.replace(/\/+$/u, '');
+  const fetchImpl = options.fetch ?? (typeof fetch === 'function' ? fetch.bind(globalThis) : undefined);
+  if (!fetchImpl) {
+    throw createAuthUiError('invalid_input', 'No global fetch found; pass options.fetch when constructing the OAuth client.');
+  }
+
+  let discoveryPromise: Promise<OAuthDiscoveryDocument> | null = null;
+  const getDiscovery = (): Promise<OAuthDiscoveryDocument> => {
+    discoveryPromise ??= requestJson<OAuthDiscoveryDocument>(
+      fetchImpl,
+      `${issuer}/.well-known/openid-configuration`,
+      { headers: { Accept: 'application/json' }, method: 'GET' }
+    );
+    return discoveryPromise;
+  };
+
+  return {
+    async startAuthorization(input = {}) {
+      const [discovery, dpopJkt] = await Promise.all([
+        getDiscovery(),
+        options.dpop ? getDpopJkt(options.dpop) : Promise.resolve<string | null>(null),
+      ]);
+      const codeVerifier = input.codeVerifier ?? generateCodeVerifier();
+      const codeChallenge = await sha256Base64url(codeVerifier);
+      const url = new URL(discovery.authorization_endpoint);
+      url.searchParams.set('response_type', 'code');
+      url.searchParams.set('client_id', options.clientId);
+      url.searchParams.set('redirect_uri', options.redirectUri);
+      url.searchParams.set('scope', options.scopes.join(' '));
+      url.searchParams.set('code_challenge', codeChallenge);
+      url.searchParams.set('code_challenge_method', 'S256');
+      if (input.state) url.searchParams.set('state', input.state);
+      if (input.nonce) url.searchParams.set('nonce', input.nonce);
+      if (dpopJkt) url.searchParams.set('dpop_jkt', dpopJkt);
+
+      return {
+        codeChallenge,
+        codeVerifier,
+        nonce: input.nonce,
+        state: input.state,
+        url: url.toString(),
+      };
+    },
+
+    async exchangeCode(code, codeVerifier) {
+      const discovery = await getDiscovery();
+      const headers: Record<string, string> = {
+        Accept: 'application/json',
+        'Content-Type': 'application/x-www-form-urlencoded',
+      };
+      if (options.dpop) {
+        headers.DPoP = await createDpopProof(options.dpop, {
+          htm: 'POST',
+          htu: discovery.token_endpoint,
+        });
+      }
+
+      return requestJson<OAuthTokenResponse>(fetchImpl, discovery.token_endpoint, {
+        body: formBody({
+          client_id: options.clientId,
+          code,
+          code_verifier: codeVerifier,
+          grant_type: 'authorization_code',
+          redirect_uri: options.redirectUri,
+        }),
+        headers,
+        method: 'POST',
+      });
+    },
+
+    async userInfo(token) {
+      const discovery = await getDiscovery();
+      if (!discovery.userinfo_endpoint) {
+        throw createAuthUiError('invalid_input', 'OAuth discovery document is missing userinfo_endpoint.');
+      }
+      const headers: Record<string, string> = {
+        Accept: 'application/json',
+        Authorization: `${options.dpop ? 'DPoP' : 'Bearer'} ${token}`,
+      };
+      if (options.dpop) {
+        headers.DPoP = await createDpopProof(options.dpop, {
+          accessToken: token,
+          htm: 'GET',
+          htu: discovery.userinfo_endpoint,
+        });
+      }
+      return requestJson(fetchImpl, discovery.userinfo_endpoint, { headers, method: 'GET' });
+    },
+
+    async revoke(token) {
+      const discovery = await getDiscovery();
+      if (!discovery.revocation_endpoint) {
+        throw createAuthUiError('invalid_input', 'OAuth discovery document is missing revocation_endpoint.');
+      }
+      const headers: Record<string, string> = {
+        Accept: 'application/json',
+        'Content-Type': 'application/x-www-form-urlencoded',
+      };
+      if (options.dpop) {
+        headers.DPoP = await createDpopProof(options.dpop, {
+          accessToken: token,
+          htm: 'POST',
+          htu: discovery.revocation_endpoint,
+        });
+      }
+      await requestJson(fetchImpl, discovery.revocation_endpoint, {
+        body: formBody({ token }),
+        headers,
+        method: 'POST',
+      });
+    },
+  };
+};
+
+const requestJson = async <T>(
+  fetchImpl: OAuthFetchLike,
+  url: string,
+  init: RequestInit
+): Promise<T> => {
+  let response: Response;
+  try {
+    response = await fetchImpl(url, init);
+  } catch (cause) {
+    throw createAuthUiError('transport_error', 'Network request failed', { retryable: true, cause });
+  }
+
+  const payload = await safeJson(response);
+  if (!response.ok) {
+    throw createAuthUiError('transport_error', extractErrorMessage(payload, `Request failed with status ${response.status}`), {
+      cause: payload,
+      retryable: response.status >= 500,
+    });
+  }
+
+  return payload as T;
+};
+
+const safeJson = async (response: Response): Promise<unknown> => {
+  const text = await response.text();
+  if (!text) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return text;
+  }
+};
+
+const extractErrorMessage = (payload: unknown, fallback: string): string => {
+  if (payload && typeof payload === 'object') {
+    const record = payload as Record<string, unknown>;
+    if (typeof record.error === 'string' && record.error) return record.error;
+    if (typeof record.message === 'string' && record.message) return record.message;
+  }
+  return fallback;
+};
+
+const createDpopProof = async (
+  options: OAuthDpopOptions,
+  input: { accessToken?: string; htm: string; htu: string }
+): Promise<string> => {
+  const keyPair = await getDpopKeyPair(options);
+  const header = base64urlJson({
+    alg: 'EdDSA',
+    jwk: keyPair.publicJwk,
+    typ: 'dpop+jwt',
+  });
+  const payload = base64urlJson({
+    ...(input.accessToken ? { ath: await sha256Base64url(input.accessToken) } : {}),
+    htm: input.htm,
+    htu: input.htu,
+    iat: Math.floor((options.now?.() ?? new Date()).getTime() / 1000),
+    jti: options.jti?.() ?? randomToken(16),
+  });
+  const signingInput = `${header}.${payload}`;
+  const signature = keyPair.sign
+    ? await keyPair.sign(textEncoder.encode(signingInput))
+    : await crypto.subtle.sign('Ed25519', requirePrivateKey(keyPair), textEncoder.encode(signingInput));
+  return `${signingInput}.${base64urlEncode(new Uint8Array(signature))}`;
+};
+
+const getDpopKeyPair = async (options: OAuthDpopOptions): Promise<OAuthDpopKeyPair> => {
+  const existing = await options.store.get();
+  if (existing) return existing;
+  const generated = options.generateKeyPair ? await options.generateKeyPair() : await generateDefaultDpopKeyPair();
+  await options.store.set(generated);
+  return generated;
+};
+
+const getDpopJkt = async (options: OAuthDpopOptions): Promise<string> =>
+  sha256Base64url(canonicalizeJwk((await getDpopKeyPair(options)).publicJwk));
+
+const generateDefaultDpopKeyPair = async (): Promise<OAuthDpopKeyPair> => {
+  const keyPair = await crypto.subtle.generateKey('Ed25519', true, ['sign', 'verify']);
+  return {
+    privateKey: keyPair.privateKey,
+    publicJwk: await crypto.subtle.exportKey('jwk', keyPair.publicKey),
+  };
+};
+
+const requirePrivateKey = (keyPair: OAuthDpopKeyPair): CryptoKey => {
+  if (!keyPair.privateKey) {
+    throw createAuthUiError('invalid_input', 'OAuth DPoP key pair is missing private key material.');
+  }
+  return keyPair.privateKey;
+};
+
+const canonicalizeJwk = (jwk: JsonWebKey): string => {
+  const keys = ['crv', 'kty', 'x', 'e', 'n'].filter((key) => typeof (jwk as Record<string, unknown>)[key] === 'string');
+  return `{${keys.sort().map((key) => `"${key}":"${(jwk as Record<string, string>)[key]}"`).join(',')}}`;
+};
+
+const formBody = (input: Record<string, string>): string => {
+  const form = new URLSearchParams();
+  for (const [key, value] of Object.entries(input)) {
+    form.set(key, value);
+  }
+  return form.toString();
+};
+
+const generateCodeVerifier = (): string => randomToken(32);
+
+const randomToken = (byteLength: number): string => {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return base64urlEncode(bytes);
+};
+
+const sha256Base64url = async (value: string): Promise<string> => {
+  const digest = await crypto.subtle.digest('SHA-256', textEncoder.encode(value));
+  return base64urlEncode(new Uint8Array(digest));
+};
+
+const base64urlJson = (value: unknown): string =>
+  base64urlEncode(textEncoder.encode(JSON.stringify(value)));
+
+const base64urlEncode = (bytes: Uint8Array): string => {
+  let binary = '';
+  for (const byte of bytes) {
+    binary += String.fromCharCode(byte);
+  }
+  return btoa(binary).replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+};
+
+const textEncoder = new TextEncoder();

package/src/oauth-consent.ts

@@ -0,0 +1,28 @@
+export type OAuthConsentDecision = 'approve' | 'deny';
+
+export interface OAuthConsentDetails {
+  clientName: string;
+  redirectUri: string;
+  scopes: string[];
+}
+
+export interface OAuthConsentTransport {
+  getConsent(input: { state: string }): Promise<OAuthConsentDetails>;
+  submitConsentDecision(input: {
+    decision: OAuthConsentDecision;
+    state: string;
+  }): Promise<{ redirectTo: string }>;
+}
+
+export interface OAuthConsentLabels {
+  approve: string;
+  approving: string;
+  deny: string;
+  denying: string;
+  errorGeneric: string;
+  loading: string;
+  redirectUriLabel: string;
+  scopeDescriptions: Record<string, string>;
+  scopesTitle: string;
+  title: string;
+}