n8n 2.0.2 → 2.1.0

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-introspection-identifier.js

@@ -0,0 +1,223 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2TokenIntrospectionIdentifier = exports.TokenIntrospectionResponseSchema = exports.OAuth2IntrospectionOptionsSchema = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const constants_1 = require("@n8n/constants");
+const di_1 = require("@n8n/di");
+const axios_1 = __importDefault(require("axios"));
+const zod_1 = require("zod");
+const cache_service_1 = require("../../../../services/cache/cache.service");
+const identifier_interface_1 = require("./identifier-interface");
+const oauth2_utils_1 = require("./oauth2-utils");
+const MIN_TOKEN_CACHE_TIMEOUT = 30 * constants_1.Time.seconds.toMilliseconds;
+const MAX_TOKEN_CACHE_TIMEOUT = 5 * constants_1.Time.minutes.toMilliseconds;
+const DEFAULT_CACHE_TIMEOUT = 60 * constants_1.Time.seconds.toMilliseconds;
+const METADATA_CACHE_TIMEOUT = 1 * constants_1.Time.hours.toMilliseconds;
+exports.OAuth2IntrospectionOptionsSchema = zod_1.z.object({
+    ...oauth2_utils_1.OAuth2OptionsSchema.shape,
+    validation: zod_1.z.literal('oauth2-introspection'),
+    clientId: zod_1.z.string(),
+    clientSecret: zod_1.z.string(),
+});
+const OAuth2MetadataSchema = zod_1.z.object({
+    issuer: zod_1.z.string().url(),
+    introspection_endpoint: zod_1.z.string().url(),
+    introspection_endpoint_auth_methods_supported: zod_1.z.array(zod_1.z.string()).optional(),
+});
+exports.TokenIntrospectionResponseSchema = zod_1.z
+    .object({
+    active: zod_1.z.boolean(),
+    scope: zod_1.z.string().optional(),
+    client_id: zod_1.z.string().optional(),
+    username: zod_1.z.string().optional(),
+    token_type: zod_1.z.string().optional(),
+    exp: zod_1.z.number().int().optional(),
+    iat: zod_1.z.number().int().optional(),
+    nbf: zod_1.z.number().int().optional(),
+    sub: zod_1.z.string().optional(),
+    aud: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string())]).optional(),
+    iss: zod_1.z.string().optional(),
+    jti: zod_1.z.string().optional(),
+})
+    .passthrough();
+const CACHE_PREFIX = 'oauth2-introspection-identifier';
+let OAuth2TokenIntrospectionIdentifier = class OAuth2TokenIntrospectionIdentifier {
+    constructor(logger, cache) {
+        this.logger = logger;
+        this.cache = cache;
+    }
+    async validateOptions(identifierOptions) {
+        const options = this.parseOptions(identifierOptions);
+        const metadata = await this.fetchMetadata(options, true);
+        if (!metadata.introspection_endpoint) {
+            this.logger.error('Metadata does not contain an introspection endpoint');
+            throw new identifier_interface_1.IdentifierValidationError('Metadata does not contain an introspection endpoint');
+        }
+        if (metadata.introspection_endpoint_auth_methods_supported) {
+            const supportedMethods = metadata.introspection_endpoint_auth_methods_supported;
+            if (!supportedMethods.includes('client_secret_basic') &&
+                !supportedMethods.includes('client_secret_post')) {
+                this.logger.error('No supported client authentication method for introspection endpoint, supported options are client_secret_basic and client_secret_post');
+                throw new identifier_interface_1.IdentifierValidationError('No supported client authentication method for introspection endpoint, supported options are client_secret_basic and client_secret_post');
+            }
+        }
+    }
+    async resolve(context, identifierOptions) {
+        const options = this.parseOptions(identifierOptions);
+        const metadata = await this.fetchMetadata(options);
+        const hashedToken = (0, oauth2_utils_1.sha256)(context.identity);
+        const identifierCacheKey = `${CACHE_PREFIX}:subject:${metadata.issuer}:${hashedToken}`;
+        const cached = await this.cache.get(identifierCacheKey);
+        if (cached) {
+            return cached;
+        }
+        let ttl = DEFAULT_CACHE_TIMEOUT;
+        const { subject, ttl: ttlOverwrite } = await this.resolveBasedOnTokenIntrospection(metadata, options, context);
+        if (ttlOverwrite) {
+            ttl = ttlOverwrite;
+        }
+        await this.cache.set(identifierCacheKey, subject, ttl);
+        return subject;
+    }
+    parseOptions(options) {
+        try {
+            return exports.OAuth2IntrospectionOptionsSchema.parse(options);
+        }
+        catch (error) {
+            this.logger.error('Invalid OAuth2 identifier options', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid OAuth2 identifier options', {
+                cause: error,
+            });
+        }
+    }
+    async fetchMetadata(options, skipCache = false) {
+        const cacheKey = `${CACHE_PREFIX}:metadata:${options.metadataUri}`;
+        if (!skipCache) {
+            const cached = await this.cache.get(cacheKey);
+            if (cached) {
+                return cached;
+            }
+        }
+        const response = await axios_1.default.get(options.metadataUri, {
+            validateStatus: () => true,
+            timeout: 10 * constants_1.Time.seconds.toMilliseconds,
+        });
+        if (response.status !== 200) {
+            this.logger.error(`Failed to fetch OAuth2 metadata from ${options.metadataUri}, status code: ${response.status}`);
+            throw new identifier_interface_1.IdentifierValidationError(`Failed to fetch OAuth2 metadata, status code: ${response.status}`);
+        }
+        try {
+            const metadata = OAuth2MetadataSchema.parse(response.data);
+            if (!skipCache) {
+                await this.cache.set(cacheKey, metadata, METADATA_CACHE_TIMEOUT);
+            }
+            return metadata;
+        }
+        catch (error) {
+            this.logger.error('Invalid OAuth2 metadata format', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid OAuth2 metadata format', { cause: error });
+        }
+    }
+    buildClientBasicRequest(options) {
+        const authHeaders = {};
+        const authParams = {};
+        const credentials = Buffer.from(`${encodeURIComponent(options.clientId)}:${encodeURIComponent(options.clientSecret)}`).toString('base64');
+        authHeaders['Authorization'] = `Basic ${credentials}`;
+        return { headers: authHeaders, params: authParams };
+    }
+    buildClientPostRequest(options) {
+        const authHeaders = {};
+        const authParams = {};
+        authParams['client_id'] = options.clientId;
+        authParams['client_secret'] = options.clientSecret;
+        return { headers: authHeaders, params: authParams };
+    }
+    parseIntrospectionResponse(data) {
+        try {
+            return exports.TokenIntrospectionResponseSchema.parse(data);
+        }
+        catch (error) {
+            this.logger.error('Invalid token introspection response format', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid token introspection response format');
+        }
+    }
+    async resolveBasedOnTokenIntrospection(metadata, options, context) {
+        const supportedMethods = metadata.introspection_endpoint_auth_methods_supported;
+        const useBasic = !supportedMethods || supportedMethods.includes('client_secret_basic');
+        const usePost = !useBasic && supportedMethods?.includes('client_secret_post');
+        let authHeaders = {};
+        let authParams = {};
+        if (useBasic) {
+            const result = this.buildClientBasicRequest(options);
+            authHeaders = result.headers;
+            authParams = result.params;
+        }
+        else if (usePost) {
+            const result = this.buildClientPostRequest(options);
+            authHeaders = result.headers;
+            authParams = result.params;
+        }
+        else {
+            this.logger.error('No supported client authentication method for introspection endpoint');
+            throw new identifier_interface_1.IdentifierValidationError('No supported client authentication method for introspection endpoint');
+        }
+        const params = new URLSearchParams({
+            token: context.identity,
+            ...authParams,
+        });
+        const response = await axios_1.default.post(metadata.introspection_endpoint, params, {
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded', ...authHeaders },
+            validateStatus: () => true,
+            timeout: 10 * constants_1.Time.seconds.toMilliseconds,
+        });
+        if (response.status !== 200) {
+            this.logger.error('Token introspection failed', {
+                status: response.status,
+                data: response.data,
+            });
+            throw new identifier_interface_1.IdentifierValidationError('Token introspection failed');
+        }
+        const introspectionData = this.parseIntrospectionResponse(response.data);
+        if (!introspectionData.active) {
+            this.logger.error('Token is not active according to introspection response');
+            throw new identifier_interface_1.IdentifierValidationError('Token is not active');
+        }
+        const subject = introspectionData[options.subjectClaim];
+        if (!subject) {
+            this.logger.error(`Token introspection response missing subject claim (${options.subjectClaim})`);
+            throw new identifier_interface_1.IdentifierValidationError(`Token introspection response missing subject claim (${options.subjectClaim})`);
+        }
+        const subjectStr = String(subject);
+        this.logger.debug('Token introspected successfully', { subject: subjectStr });
+        let ttl = undefined;
+        if (introspectionData.exp) {
+            const expiresIn = introspectionData.exp * 1000 - Date.now();
+            if (expiresIn > 0) {
+                ttl = Math.max(MIN_TOKEN_CACHE_TIMEOUT, Math.min(expiresIn, MAX_TOKEN_CACHE_TIMEOUT));
+            }
+            else {
+                ttl = MIN_TOKEN_CACHE_TIMEOUT;
+            }
+        }
+        return { subject: subjectStr, ttl };
+    }
+};
+exports.OAuth2TokenIntrospectionIdentifier = OAuth2TokenIntrospectionIdentifier;
+exports.OAuth2TokenIntrospectionIdentifier = OAuth2TokenIntrospectionIdentifier = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger,
+        cache_service_1.CacheService])
+], OAuth2TokenIntrospectionIdentifier);
+//# sourceMappingURL=oauth2-introspection-identifier.js.map

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-introspection-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-introspection-identifier.js","sourceRoot":"","sources":["../../../../../src/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-introspection-identifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAC7C,8CAAsC;AACtC,gCAAkC;AAClC,kDAA0B;AAE1B,6BAAwB;AAExB,kEAA8D;AAE9D,iEAAqF;AACrF,iDAA6D;AAI7D,MAAM,uBAAuB,GAAG,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AAChE,MAAM,qBAAqB,GAAG,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AAC/D,MAAM,sBAAsB,GAAG,CAAC,GAAG,gBAAI,CAAC,KAAK,CAAC,cAAc,CAAC;AAEhD,QAAA,gCAAgC,GAAG,OAAC,CAAC,MAAM,CAAC;IACxD,GAAG,kCAAmB,CAAC,KAAK;IAC5B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;IAC7C,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE;IACpB,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE;CACxB,CAAC,CAAC;AAIH,MAAM,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACxB,sBAAsB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAGxC,6CAA6C,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CAC7E,CAAC,CAAC;AAIU,QAAA,gCAAgC,GAAG,OAAC;KAC/C,MAAM,CAAC;IAEP,MAAM,EAAE,OAAC,CAAC,OAAO,EAAE;IAGnB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAChC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IAC1D,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC1B,CAAC;KACD,WAAW,EAAE,CAAC;AAIhB,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAGhD,IAAM,kCAAkC,GAAxC,MAAM,kCAAkC;IAC9C,YACkB,MAAc,EACd,KAAmB;QADnB,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAc;IAClC,CAAC;IAEJ,KAAK,CAAC,eAAe,CAAC,iBAA0C;QAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;YACzE,MAAM,IAAI,gDAAyB,CAAC,qDAAqD,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,QAAQ,CAAC,6CAA6C,EAAE,CAAC;YAC5D,MAAM,gBAAgB,GAAG,QAAQ,CAAC,6CAA6C,CAAC;YAChF,IACC,CAAC,gBAAgB,CAAC,QAAQ,CAAC,qBAAqB,CAAC;gBACjD,CAAC,gBAAgB,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAC/C,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,wIAAwI,CACxI,CAAC;gBACF,MAAM,IAAI,gDAAyB,CAClC,wIAAwI,CACxI,CAAC;YACH,CAAC;QACF,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CACZ,OAA2B,EAC3B,iBAA0C;QAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAEnD,MAAM,WAAW,GAAG,IAAA,qBAAM,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAE7C,MAAM,kBAAkB,GAAG,GAAG,YAAY,YAAY,QAAQ,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAS,kBAAkB,CAAC,CAAC;QAChE,IAAI,MAAM,EAAE,CAAC;YACZ,OAAO,MAAM,CAAC;QACf,CAAC;QAED,IAAI,GAAG,GAAG,qBAAqB,CAAC;QAChC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,gCAAgC,CACjF,QAAQ,EACR,OAAO,EACP,OAAO,CACP,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YAClB,GAAG,GAAG,YAAY,CAAC;QACpB,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QACvD,OAAO,OAAO,CAAC;IAChB,CAAC;IAIO,YAAY,CAAC,OAAgC;QACpD,IAAI,CAAC;YACJ,OAAO,wCAAgC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACxD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,gDAAyB,CAAC,mCAAmC,EAAE;gBACxE,KAAK,EAAE,KAAK;aACZ,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,aAAa,CAC1B,OAAmC,EACnC,YAAqB,KAAK;QAE1B,MAAM,QAAQ,GAAG,GAAG,YAAY,aAAa,OAAO,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,QAAQ,CAAC,CAAC;YAC9D,IAAI,MAAM,EAAE,CAAC;gBACZ,OAAO,MAAM,CAAC;YACf,CAAC;QACF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,eAAK,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE;YACrD,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;YAC1B,OAAO,EAAE,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc;SACzC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,wCAAwC,OAAO,CAAC,WAAW,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAC9F,CAAC;YACF,MAAM,IAAI,gDAAyB,CAClC,iDAAiD,QAAQ,CAAC,MAAM,EAAE,CAClE,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;YAClE,CAAC;YACD,OAAO,QAAQ,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/D,MAAM,IAAI,gDAAyB,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACzF,CAAC;IACF,CAAC;IAEO,uBAAuB,CAAC,OAAmC;QAIlE,MAAM,WAAW,GAA2B,EAAE,CAAC;QAC/C,MAAM,UAAU,GAA2B,EAAE,CAAC;QAE9C,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC9B,GAAG,kBAAkB,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,kBAAkB,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CACrF,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrB,WAAW,CAAC,eAAe,CAAC,GAAG,SAAS,WAAW,EAAE,CAAC;QAEtD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAEO,sBAAsB,CAAC,OAAmC;QAIjE,MAAM,WAAW,GAA2B,EAAE,CAAC;QAC/C,MAAM,UAAU,GAA2B,EAAE,CAAC;QAE9C,UAAU,CAAC,WAAW,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC;QAC3C,UAAU,CAAC,eAAe,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC;QAEnD,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;IACrD,CAAC;IAEO,0BAA0B,CAAC,IAAa;QAC/C,IAAI,CAAC;YACJ,OAAO,wCAAgC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5E,MAAM,IAAI,gDAAyB,CAAC,6CAA6C,CAAC,CAAC;QACpF,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,gCAAgC,CAC7C,QAAwB,EACxB,OAAmC,EACnC,OAA2B;QAG3B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,6CAA6C,CAAC;QAChF,MAAM,QAAQ,GAAG,CAAC,gBAAgB,IAAI,gBAAgB,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,CAAC,QAAQ,IAAI,gBAAgB,EAAE,QAAQ,CAAC,oBAAoB,CAAC,CAAC;QAE9E,IAAI,WAAW,GAA2B,EAAE,CAAC;QAC7C,IAAI,UAAU,GAA2B,EAAE,CAAC;QAE5C,IAAI,QAAQ,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,IAAI,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;YACrD,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;YAC7B,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,CAAC;aAAM,IAAI,OAAO,EAAE,CAAC;YACpB,MAAM,MAAM,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;YACpD,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC;YAC7B,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,CAAC;aAAM,CAAC;YACP,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;YAC1F,MAAM,IAAI,gDAAyB,CAClC,sEAAsE,CACtE,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YAClC,KAAK,EAAE,OAAO,CAAC,QAAQ;YACvB,GAAG,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,eAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,MAAM,EAAE;YAC1E,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE,GAAG,WAAW,EAAE;YAChF,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;YAC1B,OAAO,EAAE,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc;SACzC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;gBAC/C,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,QAAQ,CAAC,IAAI;aACnB,CAAC,CAAC;YACH,MAAM,IAAI,gDAAyB,CAAC,4BAA4B,CAAC,CAAC;QACnE,CAAC;QAED,MAAM,iBAAiB,GAAG,IAAI,CAAC,0BAA0B,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAEzE,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC;YAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAC7E,MAAM,IAAI,gDAAyB,CAAC,qBAAqB,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,uDAAuD,OAAO,CAAC,YAAY,GAAG,CAC9E,CAAC;YACF,MAAM,IAAI,gDAAyB,CAClC,uDAAuD,OAAO,CAAC,YAAY,GAAG,CAC9E,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QAEnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iCAAiC,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QAE9E,IAAI,GAAG,GAAuB,SAAS,CAAC;QACxC,IAAI,iBAAiB,CAAC,GAAG,EAAE,CAAC;YAC3B,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC5D,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBACnB,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC,CAAC;YACvF,CAAC;iBAAM,CAAC;gBACP,GAAG,GAAG,uBAAuB,CAAC;YAC/B,CAAC;QACF,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IACrC,CAAC;CACD,CAAA;AAlOY,gFAAkC;6CAAlC,kCAAkC;IAD9C,IAAA,YAAO,GAAE;qCAGiB,uBAAM;QACP,4BAAY;GAHzB,kCAAkC,CAkO9C"}

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-userinfo-identifier.d.ts

@@ -0,0 +1,37 @@
+import { Logger } from '@n8n/backend-common';
+import type { ICredentialContext } from 'n8n-workflow';
+import { z } from 'zod';
+import { CacheService } from '../../../../services/cache/cache.service';
+import { ITokenIdentifier } from './identifier-interface';
+export declare const OAuth2UserInfoOptionsSchema: z.ZodObject<{
+    validation: z.ZodLiteral<"oauth2-userinfo">;
+    metadataUri: z.ZodString;
+    subjectClaim: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    validation: "oauth2-userinfo";
+    metadataUri: string;
+    subjectClaim: string;
+}, {
+    validation: "oauth2-userinfo";
+    metadataUri: string;
+    subjectClaim?: string | undefined;
+}>;
+export declare const UserInfoResponseSchema: z.ZodObject<{
+    sub: z.ZodOptional<z.ZodString>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    sub: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    sub: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
+export type UserInfoResponse = z.infer<typeof UserInfoResponseSchema>;
+export declare class OAuth2UserInfoIdentifier implements ITokenIdentifier {
+    private readonly logger;
+    private readonly cache;
+    constructor(logger: Logger, cache: CacheService);
+    validateOptions(identifierOptions: Record<string, unknown>): Promise<void>;
+    resolve(context: ICredentialContext, identifierOptions: Record<string, unknown>): Promise<string>;
+    private parseOptions;
+    private fetchMetadata;
+    private parseUserInfoResponse;
+    private resolveBasedOnUserInfo;
+}

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-userinfo-identifier.js

@@ -0,0 +1,160 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2UserInfoIdentifier = exports.UserInfoResponseSchema = exports.OAuth2UserInfoOptionsSchema = void 0;
+const backend_common_1 = require("@n8n/backend-common");
+const constants_1 = require("@n8n/constants");
+const di_1 = require("@n8n/di");
+const axios_1 = __importDefault(require("axios"));
+const zod_1 = require("zod");
+const cache_service_1 = require("../../../../services/cache/cache.service");
+const identifier_interface_1 = require("./identifier-interface");
+const oauth2_utils_1 = require("./oauth2-utils");
+const MIN_TOKEN_CACHE_TIMEOUT = 30 * constants_1.Time.seconds.toMilliseconds;
+const MAX_TOKEN_CACHE_TIMEOUT = 5 * constants_1.Time.minutes.toMilliseconds;
+const DEFAULT_CACHE_TIMEOUT = 60 * constants_1.Time.seconds.toMilliseconds;
+const METADATA_CACHE_TIMEOUT = 1 * constants_1.Time.hours.toMilliseconds;
+exports.OAuth2UserInfoOptionsSchema = zod_1.z.object({
+    ...oauth2_utils_1.OAuth2OptionsSchema.shape,
+    validation: zod_1.z.literal('oauth2-userinfo'),
+});
+const OAuth2MetadataSchema = zod_1.z.object({
+    issuer: zod_1.z.string().url(),
+    userinfo_endpoint: zod_1.z.string().url(),
+});
+exports.UserInfoResponseSchema = zod_1.z
+    .object({
+    sub: zod_1.z.string().optional(),
+})
+    .passthrough();
+const CACHE_PREFIX = 'oauth2-userinfo-identifier';
+let OAuth2UserInfoIdentifier = class OAuth2UserInfoIdentifier {
+    constructor(logger, cache) {
+        this.logger = logger;
+        this.cache = cache;
+    }
+    async validateOptions(identifierOptions) {
+        const options = this.parseOptions(identifierOptions);
+        const metadata = await this.fetchMetadata(options, true);
+        if (!metadata.userinfo_endpoint) {
+            this.logger.error('Metadata does not contain an userinfo endpoint');
+            throw new identifier_interface_1.IdentifierValidationError('Metadata does not contain an userinfo endpoint');
+        }
+    }
+    async resolve(context, identifierOptions) {
+        const options = this.parseOptions(identifierOptions);
+        const metadata = await this.fetchMetadata(options);
+        const hashedToken = (0, oauth2_utils_1.sha256)(context.identity);
+        const identifierCacheKey = `${CACHE_PREFIX}:subject:${metadata.issuer}:${hashedToken}`;
+        const cached = await this.cache.get(identifierCacheKey);
+        if (cached) {
+            return cached;
+        }
+        let ttl = DEFAULT_CACHE_TIMEOUT;
+        const { subject, ttl: ttlOverwrite } = await this.resolveBasedOnUserInfo(metadata, options, context);
+        if (ttlOverwrite) {
+            ttl = ttlOverwrite;
+        }
+        await this.cache.set(identifierCacheKey, subject, ttl);
+        return subject;
+    }
+    parseOptions(options) {
+        try {
+            return exports.OAuth2UserInfoOptionsSchema.parse(options);
+        }
+        catch (error) {
+            this.logger.error('Invalid OAuth2 identifier options', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid OAuth2 identifier options', {
+                cause: error,
+            });
+        }
+    }
+    async fetchMetadata(options, skipCache = false) {
+        const cacheKey = `${CACHE_PREFIX}:metadata:${options.metadataUri}`;
+        if (!skipCache) {
+            const cached = await this.cache.get(cacheKey);
+            if (cached) {
+                return cached;
+            }
+        }
+        const response = await axios_1.default.get(options.metadataUri, {
+            validateStatus: () => true,
+            timeout: 10 * constants_1.Time.seconds.toMilliseconds,
+        });
+        if (response.status !== 200) {
+            this.logger.error(`Failed to fetch OAuth2 metadata from ${options.metadataUri}, status code: ${response.status}`);
+            throw new identifier_interface_1.IdentifierValidationError(`Failed to fetch OAuth2 metadata, status code: ${response.status}`);
+        }
+        try {
+            const metadata = OAuth2MetadataSchema.parse(response.data);
+            if (!skipCache) {
+                await this.cache.set(cacheKey, metadata, METADATA_CACHE_TIMEOUT);
+            }
+            return metadata;
+        }
+        catch (error) {
+            this.logger.error('Invalid OAuth2 metadata format', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid OAuth2 metadata format', { cause: error });
+        }
+    }
+    parseUserInfoResponse(data) {
+        try {
+            return exports.UserInfoResponseSchema.parse(data);
+        }
+        catch (error) {
+            this.logger.error('Invalid userinfo response format', { error });
+            throw new identifier_interface_1.IdentifierValidationError('Invalid userinfo response format');
+        }
+    }
+    async resolveBasedOnUserInfo(metadata, options, context) {
+        const response = await axios_1.default.get(metadata.userinfo_endpoint, {
+            headers: { authorization: `Bearer ${context.identity}` },
+            validateStatus: () => true,
+            timeout: 10 * constants_1.Time.seconds.toMilliseconds,
+        });
+        if (response.status !== 200) {
+            this.logger.error('UserInfo failed', {
+                status: response.status,
+                data: response.data,
+            });
+            throw new identifier_interface_1.IdentifierValidationError('UserInfo query failed');
+        }
+        const userData = this.parseUserInfoResponse(response.data);
+        const subject = userData[options.subjectClaim];
+        if (!subject) {
+            this.logger.error(`UserInfo response missing subject claim (${options.subjectClaim})`);
+            throw new identifier_interface_1.IdentifierValidationError(`UserInfo response missing subject claim (${options.subjectClaim})`);
+        }
+        const subjectStr = String(subject);
+        this.logger.debug('UserInfo successfully', { subject: subjectStr });
+        let ttl = undefined;
+        if (userData.exp && typeof userData.exp === 'number') {
+            const expiresIn = userData.exp * 1000 - Date.now();
+            if (expiresIn > 0) {
+                ttl = Math.max(MIN_TOKEN_CACHE_TIMEOUT, Math.min(expiresIn, MAX_TOKEN_CACHE_TIMEOUT));
+            }
+            else {
+                ttl = MIN_TOKEN_CACHE_TIMEOUT;
+            }
+        }
+        return { subject: subjectStr, ttl };
+    }
+};
+exports.OAuth2UserInfoIdentifier = OAuth2UserInfoIdentifier;
+exports.OAuth2UserInfoIdentifier = OAuth2UserInfoIdentifier = __decorate([
+    (0, di_1.Service)(),
+    __metadata("design:paramtypes", [backend_common_1.Logger,
+        cache_service_1.CacheService])
+], OAuth2UserInfoIdentifier);
+//# sourceMappingURL=oauth2-userinfo-identifier.js.map

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-userinfo-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-userinfo-identifier.js","sourceRoot":"","sources":["../../../../../src/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-userinfo-identifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAC7C,8CAAsC;AACtC,gCAAkC;AAClC,kDAA0B;AAE1B,6BAAwB;AAExB,kEAA8D;AAE9D,iEAAqF;AACrF,iDAA6D;AAI7D,MAAM,uBAAuB,GAAG,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AACjE,MAAM,uBAAuB,GAAG,CAAC,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AAChE,MAAM,qBAAqB,GAAG,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AAC/D,MAAM,sBAAsB,GAAG,CAAC,GAAG,gBAAI,CAAC,KAAK,CAAC,cAAc,CAAC;AAEhD,QAAA,2BAA2B,GAAG,OAAC,CAAC,MAAM,CAAC;IACnD,GAAG,kCAAmB,CAAC,KAAK;IAC5B,UAAU,EAAE,OAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC;CACxC,CAAC,CAAC;AAIH,MAAM,oBAAoB,GAAG,OAAC,CAAC,MAAM,CAAC;IACrC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IACxB,iBAAiB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;CACnC,CAAC,CAAC;AAIU,QAAA,sBAAsB,GAAG,OAAC;KACrC,MAAM,CAAC;IAEP,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC1B,CAAC;KACD,WAAW,EAAE,CAAC;AAIhB,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAG3C,IAAM,wBAAwB,GAA9B,MAAM,wBAAwB;IACpC,YACkB,MAAc,EACd,KAAmB;QADnB,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAc;IAClC,CAAC;IAEJ,KAAK,CAAC,eAAe,CAAC,iBAA0C;QAC/D,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,QAAQ,CAAC,iBAAiB,EAAE,CAAC;YACjC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YACpE,MAAM,IAAI,gDAAyB,CAAC,gDAAgD,CAAC,CAAC;QACvF,CAAC;IACF,CAAC;IAED,KAAK,CAAC,OAAO,CACZ,OAA2B,EAC3B,iBAA0C;QAE1C,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACrD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAEnD,MAAM,WAAW,GAAG,IAAA,qBAAM,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAE7C,MAAM,kBAAkB,GAAG,GAAG,YAAY,YAAY,QAAQ,CAAC,MAAM,IAAI,WAAW,EAAE,CAAC;QACvF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAS,kBAAkB,CAAC,CAAC;QAChE,IAAI,MAAM,EAAE,CAAC;YACZ,OAAO,MAAM,CAAC;QACf,CAAC;QAED,IAAI,GAAG,GAAG,qBAAqB,CAAC;QAChC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,MAAM,IAAI,CAAC,sBAAsB,CACvE,QAAQ,EACR,OAAO,EACP,OAAO,CACP,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YAClB,GAAG,GAAG,YAAY,CAAC;QACpB,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,kBAAkB,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QACvD,OAAO,OAAO,CAAC;IAChB,CAAC;IAIO,YAAY,CAAC,OAAgC;QACpD,IAAI,CAAC;YACJ,OAAO,mCAA2B,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,MAAM,IAAI,gDAAyB,CAAC,mCAAmC,EAAE;gBACxE,KAAK,EAAE,KAAK;aACZ,CAAC,CAAC;QACJ,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,aAAa,CAC1B,OAA8B,EAC9B,YAAqB,KAAK;QAE1B,MAAM,QAAQ,GAAG,GAAG,YAAY,aAAa,OAAO,CAAC,WAAW,EAAE,CAAC;QACnE,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,QAAQ,CAAC,CAAC;YAC9D,IAAI,MAAM,EAAE,CAAC;gBACZ,OAAO,MAAM,CAAC;YACf,CAAC;QACF,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,eAAK,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE;YACrD,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;YAC1B,OAAO,EAAE,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc;SACzC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAChB,wCAAwC,OAAO,CAAC,WAAW,kBAAkB,QAAQ,CAAC,MAAM,EAAE,CAC9F,CAAC;YACF,MAAM,IAAI,gDAAyB,CAClC,iDAAiD,QAAQ,CAAC,MAAM,EAAE,CAClE,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,oBAAoB,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC3D,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,sBAAsB,CAAC,CAAC;YAClE,CAAC;YACD,OAAO,QAAQ,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/D,MAAM,IAAI,gDAAyB,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACzF,CAAC;IACF,CAAC;IAEO,qBAAqB,CAAC,IAAa;QAC1C,IAAI,CAAC;YACJ,OAAO,8BAAsB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACjE,MAAM,IAAI,gDAAyB,CAAC,kCAAkC,CAAC,CAAC;QACzE,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,sBAAsB,CACnC,QAAwB,EACxB,OAA8B,EAC9B,OAA2B;QAE3B,MAAM,QAAQ,GAAG,MAAM,eAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,iBAAiB,EAAE;YAC5D,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,OAAO,CAAC,QAAQ,EAAE,EAAE;YACxD,cAAc,EAAE,GAAG,EAAE,CAAC,IAAI;YAC1B,OAAO,EAAE,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc;SACzC,CAAC,CAAC;QAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE;gBACpC,MAAM,EAAE,QAAQ,CAAC,MAAM;gBACvB,IAAI,EAAE,QAAQ,CAAC,IAAI;aACnB,CAAC,CAAC;YACH,MAAM,IAAI,gDAAyB,CAAC,uBAAuB,CAAC,CAAC;QAC9D,CAAC;QAGD,MAAM,QAAQ,GAAG,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAC3D,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,OAAO,CAAC,YAAY,GAAG,CAAC,CAAC;YACvF,MAAM,IAAI,gDAAyB,CAClC,4CAA4C,OAAO,CAAC,YAAY,GAAG,CACnE,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QAEnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QAEpE,IAAI,GAAG,GAAuB,SAAS,CAAC;QACxC,IAAI,QAAQ,CAAC,GAAG,IAAI,OAAO,QAAQ,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACtD,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACnD,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBACnB,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,uBAAuB,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,uBAAuB,CAAC,CAAC,CAAC;YACvF,CAAC;iBAAM,CAAC;gBACP,GAAG,GAAG,uBAAuB,CAAC;YAC/B,CAAC;QACF,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC;IACrC,CAAC;CACD,CAAA;AArJY,4DAAwB;mCAAxB,wBAAwB;IADpC,IAAA,YAAO,GAAE;qCAGiB,uBAAM;QACP,4BAAY;GAHzB,wBAAwB,CAqJpC"}

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-utils.d.ts

@@ -0,0 +1,13 @@
+import z from 'zod';
+export declare const OAuth2OptionsSchema: z.ZodObject<{
+    metadataUri: z.ZodString;
+    subjectClaim: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    metadataUri: string;
+    subjectClaim: string;
+}, {
+    metadataUri: string;
+    subjectClaim?: string | undefined;
+}>;
+export type OAuth2Options = z.infer<typeof OAuth2OptionsSchema>;
+export declare function sha256(token: string): string;

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-utils.js

@@ -0,0 +1,17 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuth2OptionsSchema = void 0;
+exports.sha256 = sha256;
+const crypto_1 = __importDefault(require("crypto"));
+const zod_1 = __importDefault(require("zod"));
+exports.OAuth2OptionsSchema = zod_1.default.object({
+    metadataUri: zod_1.default.string().url(),
+    subjectClaim: zod_1.default.string().optional().default('sub'),
+});
+function sha256(token) {
+    return crypto_1.default.createHash('sha256').update(token).digest('hex');
+}
+//# sourceMappingURL=oauth2-utils.js.map

package/dist/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth2-utils.js","sourceRoot":"","sources":["../../../../../src/modules/dynamic-credentials.ee/credential-resolvers/identifiers/oauth2-utils.ts"],"names":[],"mappings":";;;;;;AAUA,wBAEC;AAZD,oDAA4B;AAC5B,8CAAoB;AAEP,QAAA,mBAAmB,GAAG,aAAC,CAAC,MAAM,CAAC;IAC3C,WAAW,EAAE,aAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;IAC7B,YAAY,EAAE,aAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAClD,CAAC,CAAC;AAIH,SAAgB,MAAM,CAAC,KAAa;IACnC,OAAO,gBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAChE,CAAC"}

package/dist/modules/dynamic-credentials.ee/credential-resolvers/index.d.ts

@@ -0,0 +1,2 @@
+import './stub-credential-resolver';
+import './oauth-credential-resolver';

package/dist/modules/dynamic-credentials.ee/credential-resolvers/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+require("./stub-credential-resolver");
+require("./oauth-credential-resolver");
+//# sourceMappingURL=index.js.map

package/dist/modules/dynamic-credentials.ee/credential-resolvers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/modules/dynamic-credentials.ee/credential-resolvers/index.ts"],"names":[],"mappings":";;AAAA,sCAAoC;AACpC,uCAAqC"}

package/dist/modules/dynamic-credentials.ee/credential-resolvers/oauth-credential-resolver.d.ts

@@ -0,0 +1,103 @@
+import { Logger } from '@n8n/backend-common';
+import { CredentialResolverConfiguration, CredentialResolverHandle, ICredentialResolver } from '@n8n/decorators';
+import { Cipher } from 'n8n-core';
+import { ICredentialContext, ICredentialDataDecryptedObject } from 'n8n-workflow';
+import { OAuth2TokenIntrospectionIdentifier } from './identifiers/oauth2-introspection-identifier';
+import { OAuth2UserInfoIdentifier } from './identifiers/oauth2-userinfo-identifier';
+import { DynamicCredentialEntryStorage } from './storage/dynamic-credential-entry-storage';
+export declare class OAuthCredentialResolver implements ICredentialResolver {
+    private readonly logger;
+    private readonly oAuth2TokenIntrospectionIdentifier;
+    private readonly oAuth2UserInfoIdentifier;
+    private readonly storage;
+    private readonly cipher;
+    constructor(logger: Logger, oAuth2TokenIntrospectionIdentifier: OAuth2TokenIntrospectionIdentifier, oAuth2UserInfoIdentifier: OAuth2UserInfoIdentifier, storage: DynamicCredentialEntryStorage, cipher: Cipher);
+    metadata: {
+        name: string;
+        description: string;
+        displayName: string;
+        options: ({
+            displayName: string;
+            name: string;
+            type: "string";
+            required: boolean;
+            default: string;
+            placeholder: string;
+            description: string;
+            options?: undefined;
+            displayOptions?: undefined;
+            typeOptions?: undefined;
+        } | {
+            displayName: string;
+            name: string;
+            type: "options";
+            options: {
+                name: string;
+                value: string;
+                description: string;
+            }[];
+            default: string;
+            description: string;
+            required?: undefined;
+            placeholder?: undefined;
+            displayOptions?: undefined;
+            typeOptions?: undefined;
+        } | {
+            displayName: string;
+            name: string;
+            type: "string";
+            default: string;
+            description: string;
+            displayOptions: {
+                hide: {
+                    validation: string[];
+                };
+                show: {
+                    validation: string[];
+                };
+            };
+            required?: undefined;
+            placeholder?: undefined;
+            options?: undefined;
+            typeOptions?: undefined;
+        } | {
+            displayName: string;
+            name: string;
+            type: "string";
+            default: string;
+            typeOptions: {
+                password: boolean;
+            };
+            description: string;
+            displayOptions: {
+                hide: {
+                    validation: string[];
+                };
+                show: {
+                    validation: string[];
+                };
+            };
+            required?: undefined;
+            placeholder?: undefined;
+            options?: undefined;
+        } | {
+            displayName: string;
+            name: string;
+            type: "string";
+            default: string;
+            description: string;
+            required?: undefined;
+            placeholder?: undefined;
+            options?: undefined;
+            displayOptions?: undefined;
+            typeOptions?: undefined;
+        })[];
+    };
+    getSecret(credentialId: string, context: ICredentialContext, handle: CredentialResolverHandle): Promise<ICredentialDataDecryptedObject>;
+    setSecret(credentialId: string, context: ICredentialContext, data: ICredentialDataDecryptedObject, handle: CredentialResolverHandle): Promise<void>;
+    deleteSecret(credentialId: string, context: ICredentialContext, handle: CredentialResolverHandle): Promise<void>;
+    private parseOptions;
+    validateOptions(options: CredentialResolverConfiguration): Promise<void>;
+    private getIdentifier;
+    private resolveIdentifier;
+}