oauth2-cli 0.5.1 → 0.7.0

package/CHANGELOG.md

@@ -2,6 +2,39 @@
 
 All notable changes to this project will be documented in this file. See [commit-and-tag-version](https://github.com/absolute-version/commit-and-tag-version) for commit guidelines.
 
+## [0.7.0](https://github.com/battis/oauth2-cli/compare/oauth2-cli/0.6.0...oauth2-cli/0.7.0) (2026-02-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* make more properties of Client accessible to subclasses
+
+### Features
+
+* make more properties of Client accessible to subclasses ([74ef874](https://github.com/battis/oauth2-cli/commit/74ef874804323a9c3c496ddf7b0e24bac9e671e1))
+
+## [0.6.0](https://github.com/battis/oauth2-cli/compare/oauth2-cli/0.5.1...oauth2-cli/0.6.0) (2026-02-15)
+
+
+### ⚠ BREAKING CHANGES
+
+* limit TokenStorage to storing _only_ refresh_tokens
+* improve express shutdown, refactor entire package
+
+### Features
+
+* compatible with @battis/google-cloud-run-to-localhost ([3e449b1](https://github.com/battis/oauth2-cli/commit/3e449b14d546759f7e6543c86350ea83b60a80a7))
+* display authorization starting URL on command line as well as opening browser ([fb72bcf](https://github.com/battis/oauth2-cli/commit/fb72bcffafaf66453f8f8f0f8af4b27ef11827c6))
+* externalize path/port identification to gcrtl ([0f6c28b](https://github.com/battis/oauth2-cli/commit/0f6c28b31a7888eac524b28bcdc9c8eabbf57d91))
+* fallback to package templates if ejs present but no alternative template providedd ([6b05454](https://github.com/battis/oauth2-cli/commit/6b05454976b1fb4144f91ba51fc1c9331f1c0f34))
+* limit TokenStorage to storing _only_ refresh_tokens ([3de9c96](https://github.com/battis/oauth2-cli/commit/3de9c96510d15eebd51a0be7d8df278614541f95))
+
+
+### Bug Fixes
+
+* attempt to authorize and retry when encountering 401 error ([bc75fed](https://github.com/battis/oauth2-cli/commit/bc75fed052b548e41411287f7d98fa78c3f27ee5))
+* improve express shutdown, refactor entire package ([a740313](https://github.com/battis/oauth2-cli/commit/a740313c33d26f07ebab5b282607d8828cf3c3a7))
+
 ## [0.5.1](https://github.com/battis/oauth2-cli/compare/oauth2-cli/0.5.0...oauth2-cli/0.5.1) (2026-01-20)
 
 

package/README.md

@@ -13,4 +13,90 @@ npm i oauth2-cli
 
 ## Usage
 
-See [examples/get-token](../../examples/get-token).
+```ts
+import { Client, FileStorage } from 'oauth2-cli';
+
+type ExpectedResponse = {
+  value: string;
+};
+
+const client = new Client({
+  client_id: 'm3C6dGQJPJrvgwN97mTP4pWVH9smZGrr',
+  client_secret: '2XUktyxU2KQmQAoVHxQXNaHZ4G7XqJdP',
+  redirect_uri: 'http://localhost:3000/example/redirect',
+  authorization_endpoint: 'https://example.com/oauth2/auth',
+  token_endpoint: 'https://example.com/oauth2/token',
+  storage: new FileStorage('/path/to/token/file.json');
+});
+console.log(
+  client.fetchJSON<ExpectedResponse>('https://example.com/path/to/api/endpoint')
+);
+```
+
+Broadly speaking, having provided the configuration, the client is immediately ready to accept requests. If an stored access token is available, it will be used (and transparently refreshed as necessary, if possible). If no access token is available, the authorization flow will be triggered by the request, opening a browser window for the user to sign in and provide their authoriztion.
+
+### Instantiate a `Client`
+
+A `Client` requires some minimal information in order to interact with an OAuth 2.0 authorized API. The OAuth 2.0 base set is a `client_id`, `client_secret`, `authorization_endpoint`, `token_endpoint`, and a `redirect_uri`. For an OpenID-authenticated API, you could provide a `client_id`, `client_secret`, `issuer`, and `redirect_uri` and the Client will query the issuer for further details regarding required connection parameters (it is built on to of [openid-client](https://www.npmjs.com/package/openid-client)).
+
+In both cases, the token can be persisted by passing an implementation of [`TokenStorage`](https://github.com/battis/oauth2-cli/blob/main/packages/oauth2-cli/src/Token/TokenStorage.ts), such as [`FileStorage`](https://github.com/battis/oauth2-cli/blob/main/packages/oauth2-cli/src/Token/FileStorage.ts) which expects a path to a location to store a JSON file of access token data. _There are more secure ways to store your tokens, such as [@oauth2-cli/qui-cli](https://www.npmjs.com/package/@oauth2-cli/qui-cli)'s [`EnvironmentStorage`](https://github.com/battis/oauth2-cli/blob/main/packages/qui-cli/src/EnvironmentStorage.ts) which can be linked to a [1Password vault](https://github.com/battis/qui-cli/tree/main/packages/env#1password-integration)._
+
+#### `redirect_uri` to Localhost
+
+Since the `redirect_uri` is receiving the authorization code in the Authorization Code token flow, the Client needs to be able to "catch" that redirect. The easy way to do this is to register a localhost address with the API (e.g. `http://localhost:3000/my/redirect/path`). When such a redirect URI is given to the client, it stands up (briefly) a local web server to receive that request at the port and path provided.
+
+Not every API accepts a `localhost` redirect (it creates the possibility of CORS exploits that could lead to XSS vulnerabilities). For these APIs, using [gcrtl](https://github.com/battis/google-cloud-run-to-localhost#readme) or a similar system will work as well. (In the specific case of `gcrtl`, `oauth2-cli` will trim the leading `/http/localhost:<port>` from provided `redirect_uri` and expect the _remainder_ of the path.)
+
+#### `http` protocol
+
+If you would prefer an `https` connection to localhost, you have to roll your own SSL certificate.
+
+### Request an endpoint
+
+#### `request()`
+
+As noted above, `oauth2-cli` is built on top of [openid-client](https://www.npmjs.com/package/openid-client). The `request()` method is a pass-through to the `openid-client` [fetchProtectedResource()](https://github.com/panva/openid-client/blob/b77d87c1e2f5fef6fab501de615fb83a74a0251f/docs/functions/fetchProtectedResource.md) function, with the configuration and accessToken managed by the Client.
+
+```ts
+class Client {
+  // ...
+
+  public async request(
+    url: Req.URL.ish,
+    method = 'GET',
+    body?: OpenIDClient.FetchBody,
+    headers: Req.Headers.ish = {},
+    dPoPOptions?: OpenIDClient.DPoPOptions
+  ) {
+    // ...
+  }
+}
+```
+
+[`Req.URL.ish`](https://github.com/battis/oauth2-cli/blob/main/packages/oauth2-cli/src/Request/URL.ts#L3) and [`Req.Headers.ish`](https://github.com/battis/oauth2-cli/blob/main/packages/oauth2-cli/src/Request/Headers.ts#L1) are more forgiving types accepting not just those specific types, but reasonable facsimiles of them.
+
+### `requestJSON<T>()`
+
+Given that many APIs return JSON-formatted responses, it is convenient to just get that JSON (optionally pre-typed based on what you expect to receive) rather than having to process the response yourself.
+
+```ts
+class Client {
+  // ...
+
+  public async requestJSON<
+    T extends OpenIDClient.JsonValue = OpenIDClient.JsonValue
+  >(
+    url: Req.URL.ish,
+    method = 'GET',
+    body?: OpenIDClient.FetchBody,
+    headers: Req.Headers.ish = {},
+    dPoPOptions?: OpenIDClient.DPoPOptions
+  ) {
+    // ...
+  }
+}
+```
+
+## Examples
+
+[Refer to examples for more detailed usage.](https://github.com/battis/oauth2-cli/tree/main/examples/oauth2-cli#readme)

package/dist/Client.d.ts

@@ -1,57 +1,113 @@
-import * as Configuration from '@battis/oauth2-configure';
-import { JSONValue } from '@battis/typescript-tricks';
+import { PathString } from '@battis/descriptive-types';
+import { Request } from 'express';
+import { EventEmitter } from 'node:events';
 import * as OpenIDClient from 'openid-client';
-import { Token } from './Token.js';
-import { TokenStorage } from './TokenStorage.js';
-export type Credentials = Configuration.Options & {
-    scope?: string;
-    headers?: Record<string, string>;
-    parameters?: Record<string, string>;
-    store?: TokenStorage | string;
+import * as requestish from 'requestish';
+import * as Credentials from './Credentials.js';
+import * as Req from './Request/index.js';
+import { Session, SessionOptions } from './Session.js';
+import * as Token from './Token/index.js';
+/**
+ * A generic `redirect_uri` to use if the server does not require pre-registered
+ * `redirect_uri` values
+ */
+export declare const DEFAULT_REDIRECT_URI = "http://localhost:3000/oauth2-cli/redirect";
+export type ClientOptions = {
+    /** Credentials for server access */
+    credentials: Credentials.Combined;
+    /** Optional request components to inject */
+    inject?: {
+        search?: requestish.URLSearchParams.ish;
+        headers?: requestish.Headers.ish;
+        body?: requestish.Body.ish;
+    };
+    /**
+     * Optional absolute path to EJS view templates directory, see
+     * [WebServer.setViews()](./Webserver.ts)
+     */
+    views?: PathString;
+    /** Optional {@link TokenStorage} implementation to manage tokens */
+    storage?: Token.TokenStorage;
 };
-/** Wrap an OpenID configuration in an object-oriented API client. */
-export declare class Client {
-    private credentials;
-    private tokenMutex;
-    private config?;
-    private token?;
-    private store?;
-    constructor(credentials: Credentials);
-    /** Acquire a valid, unexpired API access token. */
-    getToken(): Promise<Token | undefined>;
-    /** Refresh Token Grant */
-    protected refreshToken(token: Token): Promise<Token | undefined>;
-    /** Acquire a valid OpenID configuration. */
-    protected getConfiguration(): Promise<OpenIDClient.Configuration>;
-    /** Authorization Code Grant */
-    protected authorize(): Promise<Token | undefined>;
-    /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary.
-     */
-    request(url: URL | string, method?: string, body?: OpenIDClient.FetchBody, headers?: Headers, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<Response>;
-    /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary.
+type RefreshOptions = {
+    /**
+     * Optional refresh token
      *
-     * This converts the Fetch API request into an OpenID request. To directly
-     * make this request, use {@link request()}
+     * If using {@link TokenStorage}, the refresh token should be stored with the
+     * access token and does not need to be separately managed and stored
      */
-    fetch(endpoint: string | URL | Request, init?: RequestInit): Promise<Response>;
+    refresh_token?: string;
+    /** Additional request injection for refresh grant flow */
+    inject?: Req.Injection;
+};
+type GetTokenOptions = {
     /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary and parse the JSON respomse.
+     * Optional access token
      *
-     * @param validator Optional validator function test that the JSON response is
-     *   the expected type.
+     * If using {@link TokenStorage}, the access token does not need to be
+     * separately managed and stored
      */
-    requestJSON<T extends JSONValue = JSONValue>(url: URL | string, method?: string, body?: OpenIDClient.FetchBody, headers?: Headers, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<T>;
+    token?: Token.Response;
     /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary and parse the JSON respomse.
+     * Additional request injection for authorization code grant and/or refresh
+     * grant flows
+     */
+    inject?: Req.Injection;
+};
+/**
+ * Wrap {@link https://www.npmjs.com/package/openid-client openid-client} in a
+ * class instance specific to a particular OAuth/OpenID server credential-set,
+ * abstracting away most flows into {@link getToken}
+ *
+ * Emits {@link Client.TokenEvent} whenever a new access token is received
+ */
+export declare class Client extends EventEmitter {
+    static readonly TokenEvent = "token";
+    protected credentials: Credentials.Combined;
+    protected config?: OpenIDClient.Configuration;
+    protected views?: PathString;
+    protected inject?: Req.Injection;
+    private token?;
+    private tokenLock;
+    private storage?;
+    constructor({ credentials, views, inject, storage }: ClientOptions);
+    get redirect_uri(): requestish.URL.ish;
+    /**
+     * @throws IndeterminateConfiguration if provided credentials combined with
+     *   OpenID discovery fail to generate a complete configuration
+     */
+    getConfiguration(): Promise<OpenIDClient.Configuration>;
+    protected getParameters(session: Session): Promise<URLSearchParams>;
+    getAuthorizationUrl(session: Session): Promise<URL>;
+    createSession({ views, ...options }: Omit<SessionOptions, 'client'>): Session;
+    authorize(options?: Omit<SessionOptions, 'client'>): Promise<Token.Response>;
+    handleAuthorizationCodeRedirect(req: Request, session: Session): Promise<void>;
+    protected refreshTokenGrant({ refresh_token, inject: request }?: RefreshOptions): Promise<Token.Response | undefined>;
+    /**
+     * Get an unexpired access token
      *
-     * This converts the Fetch API request into an OpenID request. To directly
-     * make this request, use {@link requestJSON()}
+     * Depending on provided and/or stored access token and refresh token values,
+     * this may require interactive authorization
+     */
+    getToken({ token, inject: request }?: GetTokenOptions): Promise<Token.Response>;
+    /** @throws MissingAccessToken If response does not include `access_token` */
+    protected save(token: Token.Response): Promise<Token.Response>;
+    /**
+     * @param url If an `issuer` has been defined, `url` accepts paths relative to
+     *   the `issuer` URL as well as absolute URLs
+     * @param method Optional, defaults to `GET` unless otherwise specified
+     * @param body Optional
+     * @param headers Optional
+     * @param dPoPOptions Optional
+     */
+    request(url: requestish.URL.ish, method?: string, body?: OpenIDClient.FetchBody, headers?: requestish.Headers.ish, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<Response>;
+    private toJSON;
+    /**
+     * Returns the result of {@link request} as a parsed JSON object, optionally
+     * typed as `T`
      */
-    fetchJSON<T extends JSONValue = JSONValue>(endpoint: string | URL | Request, init?: RequestInit): Promise<T>;
+    requestJSON<T extends OpenIDClient.JsonValue = OpenIDClient.JsonValue>(url: requestish.URL.ish, method?: string, body?: OpenIDClient.FetchBody, headers?: requestish.Headers.ish, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<T>;
+    fetch(input: requestish.URL.ish, init?: RequestInit, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<Response>;
+    fetchJSON<T extends OpenIDClient.JsonValue = OpenIDClient.JsonValue>(input: requestish.URL.ish, init?: RequestInit, dPoPOptions?: OpenIDClient.DPoPOptions): Promise<T>;
 }
+export {};

package/dist/Client.js

@@ -1,140 +1,203 @@
-import * as Configuration from '@battis/oauth2-configure';
 import { Mutex } from 'async-mutex';
+import { EventEmitter } from 'node:events';
 import * as OpenIDClient from 'openid-client';
-import { FileStorage } from './FileStorage.js';
-import * as Localhost from './Localhost.js';
-import { Token } from './Token.js';
-/** Wrap an OpenID configuration in an object-oriented API client. */
-export class Client {
+import * as requestish from 'requestish';
+import * as Errors from './Errors/index.js';
+import * as Req from './Request/index.js';
+import { Session } from './Session.js';
+/**
+ * A generic `redirect_uri` to use if the server does not require pre-registered
+ * `redirect_uri` values
+ */
+export const DEFAULT_REDIRECT_URI = 'http://localhost:3000/oauth2-cli/redirect';
+/**
+ * Wrap {@link https://www.npmjs.com/package/openid-client openid-client} in a
+ * class instance specific to a particular OAuth/OpenID server credential-set,
+ * abstracting away most flows into {@link getToken}
+ *
+ * Emits {@link Client.TokenEvent} whenever a new access token is received
+ */
+export class Client extends EventEmitter {
+    static TokenEvent = 'token';
     credentials;
-    tokenMutex = new Mutex();
     config;
+    views;
+    inject;
     token;
-    store;
-    constructor(credentials) {
+    tokenLock = new Mutex();
+    storage;
+    constructor({ credentials, views, inject, storage }) {
+        super();
         this.credentials = credentials;
-        if (this.credentials.store) {
-            if (typeof this.credentials.store === 'string') {
-                this.store = new FileStorage(this.credentials.store);
-            }
-            else {
-                this.store = this.credentials.store;
-            }
-        }
+        this.views = views;
+        this.inject = inject;
+        this.storage = storage;
     }
-    /** Acquire a valid, unexpired API access token. */
-    async getToken() {
-        return await this.tokenMutex.runExclusive((async () => {
-            if (!this.token) {
-                this.token = await this.store?.load();
-            }
-            if (this.token?.hasExpired()) {
-                this.token = await this.refreshToken(this.token);
-            }
-            if (!this.token) {
-                this.token = await this.authorize();
-            }
-            return this.token;
-        }).bind(this));
-    }
-    /** Refresh Token Grant */
-    async refreshToken(token) {
-        if (token.refresh_token) {
-            const { headers, parameters } = this.credentials;
-            let freshTokens;
-            if ((freshTokens = Token.fromResponse(await OpenIDClient.refreshTokenGrant(await Configuration.acquire(this.credentials), token.refresh_token, parameters, 
-            // @ts-expect-error 2322 undocumented arg pass-through to oauth4webapi
-            { headers }), token.refresh_token))) {
-                if (this.store) {
-                    await this.store.save(freshTokens);
-                }
-                return freshTokens;
-            }
-        }
-        return this.authorize();
+    get redirect_uri() {
+        return this.credentials.redirect_uri;
     }
-    /** Acquire a valid OpenID configuration. */
+    /**
+     * @throws IndeterminateConfiguration if provided credentials combined with
+     *   OpenID discovery fail to generate a complete configuration
+     */
     async getConfiguration() {
+        if (!this.config && this.credentials.issuer) {
+            this.config = await OpenIDClient.discovery(requestish.URL.from(this.credentials.issuer), this.credentials.client_id, { client_secret: this.credentials.client_secret });
+        }
+        if (!this.config && this.credentials?.authorization_endpoint) {
+            this.config = new OpenIDClient.Configuration({
+                issuer: `https://${requestish.URL.from(this.credentials.authorization_endpoint).hostname}`,
+                authorization_endpoint: requestish.URL.toString(this.credentials.authorization_endpoint),
+                token_endpoint: requestish.URL.toString(this.credentials.token_endpoint ||
+                    this.credentials.authorization_endpoint)
+            }, this.credentials.client_id, { client_secret: this.credentials.client_secret });
+        }
         if (!this.config) {
-            this.config = await Configuration.acquire(this.credentials);
+            throw new Errors.IndeterminateConfiguration();
         }
         return this.config;
     }
-    /** Authorization Code Grant */
-    async authorize() {
-        const { scope, redirect_uri, parameters: additionalParameters } = this.credentials;
-        return new Promise((resolve, reject) => {
-            const code_verifier = OpenIDClient.randomPKCECodeVerifier();
-            OpenIDClient.calculatePKCECodeChallenge(code_verifier).then(async (code_challenge) => {
-                let state = undefined;
-                const parameters = {
-                    ...additionalParameters,
-                    redirect_uri,
-                    code_challenge,
-                    code_challenge_method: 'S256' // TODO make code challenge method configurable?
-                };
-                if (scope) {
-                    parameters.scope = scope;
-                }
-                if (!(await this.getConfiguration()).serverMetadata().supportsPKCE()) {
-                    state = OpenIDClient.randomState();
-                    parameters.state = state;
-                }
-                await Localhost.redirectServer({
-                    ...this.credentials,
-                    authorization_url: OpenIDClient.buildAuthorizationUrl(await this.getConfiguration(), parameters).href,
-                    code_verifier,
-                    state,
-                    resolve: (async (response) => {
-                        this.token = Token.fromResponse(response);
-                        if (this.token && this.store) {
-                            await this.store.save(this.token);
-                        }
-                        resolve(this.token);
-                    }).bind(this),
-                    reject
-                });
-            });
+    async getParameters(session) {
+        const params = requestish.URLSearchParams.merge(this.inject?.search, session.inject?.search) || new URLSearchParams();
+        params.set('redirect_uri', requestish.URL.toString(this.credentials.redirect_uri));
+        params.set('code_challenge', await OpenIDClient.calculatePKCECodeChallenge(session.code_verifier));
+        params.set('code_challenge_method', 'S256');
+        params.set('state', session.state);
+        if (this.credentials.scope) {
+            params.set('scope', Req.Scope.toString(this.credentials.scope));
+        }
+        return params;
+    }
+    async getAuthorizationUrl(session) {
+        return OpenIDClient.buildAuthorizationUrl(await this.getConfiguration(), await this.getParameters(session));
+    }
+    createSession({ views, ...options }) {
+        return new Session({
+            client: this,
+            views: views || this.views,
+            ...options
         });
     }
-    /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary.
-     */
-    async request(url, method = 'GET', body, headers, dPoPOptions) {
-        for (const header in this.credentials.headers) {
-            headers?.append(header, this.credentials.headers[header]);
+    async authorize(options = {}) {
+        const session = this.createSession(options);
+        const token = await this.save(await session.authorizationCodeGrant());
+        return token;
+    }
+    async handleAuthorizationCodeRedirect(req, session) {
+        try {
+            const response = await OpenIDClient.authorizationCodeGrant(await this.getConfiguration(), new URL(req.url, this.redirect_uri), {
+                pkceCodeVerifier: session.code_verifier,
+                expectedState: session.state
+            }, this.inject?.search
+                ? requestish.URLSearchParams.from(this.inject.search)
+                : undefined);
+            await session.resolve(response);
+        }
+        catch (error) {
+            await session.resolve(undefined, error);
+        }
+    }
+    async refreshTokenGrant({ refresh_token = this.token?.refresh_token, inject: request } = {}) {
+        if (!refresh_token && !this.token && this.storage) {
+            refresh_token = await this.storage.load();
+        }
+        if (!refresh_token || refresh_token === '') {
+            return undefined;
         }
-        return await OpenIDClient.fetchProtectedResource(await this.getConfiguration(), (await this.getToken()).access_token, new URL(url), method, body, headers, dPoPOptions);
+        const token = await OpenIDClient.refreshTokenGrant(await this.getConfiguration(), refresh_token, this.inject?.search
+            ? requestish.URLSearchParams.from(this.inject.search)
+            : undefined, {
+            // @ts-expect-error 2322 undocumented arg pass-through to oauth4webapi
+            headers: Req.Headers.merge(this.headers, request?.headers)
+        });
+        return await this.save(token);
     }
     /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary.
+     * Get an unexpired access token
      *
-     * This converts the Fetch API request into an OpenID request. To directly
-     * make this request, use {@link request()}
+     * Depending on provided and/or stored access token and refresh token values,
+     * this may require interactive authorization
      */
-    async fetch(endpoint, init) {
-        return this.request(endpoint.toString(), init?.method, init?.body?.toString(), new Headers(init?.headers));
+    async getToken({ token, inject: request } = {}) {
+        return await this.tokenLock.runExclusive(async () => {
+            token = token || this.token;
+            if (!this.token?.expiresIn() && this.storage) {
+                this.token = await this.refreshTokenGrant({ inject: request });
+            }
+            if (!this.token) {
+                this.token = await this.authorize({ inject: request });
+            }
+            return this.token;
+        });
+    }
+    /** @throws MissingAccessToken If response does not include `access_token` */
+    async save(token) {
+        this.token = token;
+        if (!token.access_token) {
+            throw new Errors.MissingAccessToken();
+        }
+        if (this.storage && this.token.refresh_token) {
+            await this.storage.save(this.token.refresh_token);
+        }
+        this.emit(Client.TokenEvent, this.token);
+        return this.token;
     }
     /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary and parse the JSON respomse.
-     *
-     * @param validator Optional validator function test that the JSON response is
-     *   the expected type.
+     * @param url If an `issuer` has been defined, `url` accepts paths relative to
+     *   the `issuer` URL as well as absolute URLs
+     * @param method Optional, defaults to `GET` unless otherwise specified
+     * @param body Optional
+     * @param headers Optional
+     * @param dPoPOptions Optional
      */
-    async requestJSON(url, method = 'GET', body, headers, dPoPOptions) {
-        return (await (await this.request(url, method, body, headers, dPoPOptions)).json());
+    async request(url, method = 'GET', body, headers = {}, dPoPOptions) {
+        try {
+            url = requestish.URL.from(url);
+        }
+        catch (error) {
+            if (this.credentials.issuer) {
+                url = new URL(url, this.credentials.issuer);
+            }
+            else {
+                throw error;
+            }
+        }
+        const request = async () => await OpenIDClient.fetchProtectedResource(await this.getConfiguration(), (await this.getToken()).access_token, requestish.URL.from(requestish.URLSearchParams.appendTo(url, this.inject?.search || {})), method, body, requestish.Headers.merge(this.inject?.headers, headers), dPoPOptions);
+        try {
+            return await request();
+        }
+        catch (error) {
+            if (typeof error === 'object' &&
+                error !== null &&
+                'status' in error &&
+                error.status === 401) {
+                await this.authorize();
+                return await request();
+            }
+            else {
+                throw error;
+            }
+        }
+    }
+    async toJSON(response) {
+        if (response.ok) {
+            return (await response.json());
+        }
+        else {
+            throw new Errors.BadResponse(response);
+        }
     }
     /**
-     * Make an authorized request to the API, acquiring an unexpired acess token
-     * if necessary and parse the JSON respomse.
-     *
-     * This converts the Fetch API request into an OpenID request. To directly
-     * make this request, use {@link requestJSON()}
+     * Returns the result of {@link request} as a parsed JSON object, optionally
+     * typed as `T`
      */
-    async fetchJSON(endpoint, init) {
-        return (await (await this.fetch(endpoint, init)).json());
+    async requestJSON(url, method = 'GET', body, headers = {}, dPoPOptions) {
+        return await this.toJSON(await this.request(url, method, body, headers, dPoPOptions));
+    }
+    async fetch(input, init, dPoPOptions) {
+        return await this.request(input, init?.method, await requestish.Body.from(init?.body), requestish.Headers.from(init?.headers), dPoPOptions);
+    }
+    async fetchJSON(input, init, dPoPOptions) {
+        return await this.toJSON(await this.fetch(input, init, dPoPOptions));
     }
 }

package/dist/Credentials.d.ts

@@ -0,0 +1,30 @@
+import * as requestish from 'requestish';
+import * as Req from './Request/index.js';
+export type OAuth2 = {
+    client_id: string;
+    client_secret: string;
+    redirect_uri: requestish.URL.ish;
+    authorization_endpoint: requestish.URL.ish;
+    token_endpoint: requestish.URL.ish;
+    scope?: Req.Scope.ish;
+};
+export type OpenID = {
+    issuer: requestish.URL.ish;
+    client_id: string;
+    client_secret: string;
+    redirect_uri: requestish.URL.ish;
+};
+export type Combined = {
+    client_id: string;
+    client_secret: string;
+    redirect_uri: requestish.URL.ish;
+    scope?: Req.Scope.ish;
+} & ({
+    issuer?: requestish.URL.ish;
+    authorization_endpoint: requestish.URL.ish;
+    token_endpoint: requestish.URL.ish;
+} | {
+    issuer: requestish.URL.ish;
+    authorization_endpoint?: requestish.URL.ish;
+    token_endpoint?: requestish.URL.ish;
+});

package/dist/Errors/BadResponse.d.ts

@@ -0,0 +1,3 @@
+export declare class BadResponse extends Error {
+    constructor(response: Response);
+}

package/dist/Errors/BadResponse.js

@@ -0,0 +1,7 @@
+export class BadResponse extends Error {
+    constructor(response) {
+        super(`Response error ${response.status}: ${response.statusText}`, {
+            cause: response
+        });
+    }
+}