oauth4webapi 1.2.1 → 1.3.0

package/README.md

@@ -52,26 +52,18 @@ import * as oauth2 from 'https://deno.land/x/oauth4webapi/src/index.ts'
 - FAPI 2.0 (Private Key JWT, PAR, DPoP) - [source](examples/fapi2.ts)
 - FAPI 2.0 Message Signing (Private Key JWT, PAR, DPoP, JAR, JARM) - [source](examples/fapi2-message-signing.ts) | [diff](examples/fapi2-message-signing.diff)
 
-## Runtime requirements
-
-The supported JavaScript runtimes include ones that
-
-- are reasonably up to date ECMAScript (targets ES2020, but may be further transpiled for compatibility)
-- support required Web API globals and standard built-in objects
-  - [Fetch API][] and its related globals [fetch][], [Response][], [Headers][]
-  - [Web Crypto API][] and its related globals [crypto][], [CryptoKey][]
-  - [Encoding API][] and its related globals [TextEncoder][], [TextDecoder][]
-  - [URL API][] and its related globals [URL][], [URLSearchParams][]
-  - [atob][] and [btoa][]
-  - [Uint8Array][]
-- These are (not an exhaustive list):
-  - Browsers
-  - Cloudflare Workers
-  - Deno (^1.21.0)
-  - Electron
-  - Next.js Middlewares
-  - Node.js ([runtime flags may be needed](https://github.com/panva/oauth4webapi/issues/8))
-  - Vercel Edge Functions
+## Supported Runtimes
+
+The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects
+
+These are _(this is not an exhaustive list)_:
+- Browsers
+- Cloudflare Workers
+- Deno
+- Electron
+- Netlify Edge
+- Node.js ([runtime flags may be needed](https://github.com/panva/oauth4webapi/issues/8))
+- Vercel's Edge Runtime
 
 ## Out of scope
 
@@ -81,20 +73,3 @@ The supported JavaScript runtimes include ones that
 - JSON Web Encryption (JWE)
 - JSON Web Signature (JWS) rarely used algorithms and HMAC
 - Automatic polyfills of any kind
-
-[web crypto api]: https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
-[fetch api]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
-[fetch]: https://developer.mozilla.org/en-US/docs/Web/API/fetch
-[textdecoder]: https://developer.mozilla.org/en-US/docs/Web/API/TextDecoder
-[textencoder]: https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder
-[btoa]: https://developer.mozilla.org/en-US/docs/Web/API/btoa
-[atob]: https://developer.mozilla.org/en-US/docs/Web/API/atob
-[uint8array]: https://developer.mozilla.org/en-US/docs/Web/API/Uint8Array
-[response]: https://developer.mozilla.org/en-US/docs/Web/API/Response
-[headers]: https://developer.mozilla.org/en-US/docs/Web/API/Headers
-[crypto]: https://developer.mozilla.org/en-US/docs/Web/API/crypto
-[cryptokey]: https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey
-[urlsearchparams]: https://developer.mozilla.org/en-US/docs/Web/API/URLSearchParams
-[encoding api]: https://developer.mozilla.org/en-US/docs/Web/API/Encoding_API
-[url api]: https://developer.mozilla.org/en-US/docs/Web/API/URL_API
-[url]: https://developer.mozilla.org/en-US/docs/Web/API/URL

package/build/index.d.ts

@@ -537,7 +537,7 @@ export interface DPoPOptions extends CryptoKeyPair {
      * Its algorithm must be compatible with a supported {@link JWSAlgorithm JWS `alg` Algorithm}.
      */
     privateKey: CryptoKey;
-    /** The public key corresponding to {@link DPoPOptions.privateKey} */
+    /** The public key corresponding to {@link DPoPOptions.privateKey}. */
     publicKey: CryptoKey;
     /**
      * Server-Provided Nonce to use in the request. This option serves as an override in case the
@@ -703,6 +703,31 @@ export interface UserInfoResponse {
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)
  */
 export declare const skipSubjectCheck: unique symbol;
+export interface SkipJWTSignatureCheckOptions {
+    /**
+     * DANGER ZONE
+     *
+     * When JWT assertions are received via direct communication between the Client and the
+     * Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
+     * exposed functions) the TLS server validation MAY be used to validate the issuer in place of
+     * checking the assertion's signature.
+     *
+     * Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
+     * Introspection, or JWT Signed UserInfo Response).
+     *
+     * Setting this to `true` also means that:
+     *
+     * - The Authorization Server's JSON Web Key Set will not be requested. That is useful for
+     *   javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
+     *   the JSON Web Key Set in between invocations.
+     * - Any JWS Algorithm may be used, not just the {@link JWSAlgorithm supported ones}.
+     *
+     * Default is `false`.
+     */
+    skipJwtSignatureCheck?: boolean;
+}
+export interface ProcessUserInfoResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
+}
 /**
  * Validates Response instance to be one coming from the
  * {@link AuthorizationServer.userinfo_endpoint `as.userinfo_endpoint`}.
@@ -719,7 +744,7 @@ export declare const skipSubjectCheck: unique symbol;
  *   OAuth 2.0 error was returned.
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
  */
-export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response, options?: HttpRequestOptions): Promise<UserInfoResponse>;
+export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response, options?: ProcessUserInfoResponseOptions): Promise<UserInfoResponse>;
 export interface TokenEndpointRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions, DPoPRequestOptions {
     /** Any additional parameters to send. This cannot override existing parameter values. */
     additionalParameters?: URLSearchParams;
@@ -755,6 +780,8 @@ export declare function getValidatedIdTokenClaims(ref: OpenIDTokenEndpointRespon
  * @returns JWT Claims Set from an ID Token, or undefined if there is no ID Token in `ref`.
  */
 export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): IDToken | undefined;
+export interface ProcessRefreshTokenResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
+}
 /**
  * Validates Refresh Token Grant Response instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -769,7 +796,7 @@ export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): I
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
  */
-export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response, options?: HttpRequestOptions): Promise<TokenEndpointResponse | OAuth2Error>;
+export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessRefreshTokenResponseOptions): Promise<TokenEndpointResponse | OAuth2Error>;
 /**
  * Performs an Authorization Code grant request at the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -856,6 +883,8 @@ export declare const expectNoNonce: unique symbol;
  * indicate no `auth_time` ID Token claim value check should be performed.
  */
 export declare const skipAuthTimeCheck: unique symbol;
+export interface ProcessAuthorizationCodeOpenIDResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
+}
 /**
  * (OpenID Connect only) Validates Authorization Code Grant Response instance to be one coming from
  * the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -876,7 +905,7 @@ export declare const skipAuthTimeCheck: unique symbol;
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  */
-export declare function processAuthorizationCodeOpenIDResponse(as: AuthorizationServer, client: Client, response: Response, expectedNonce?: string | typeof expectNoNonce, maxAge?: number | typeof skipAuthTimeCheck, options?: HttpRequestOptions): Promise<OpenIDTokenEndpointResponse | OAuth2Error>;
+export declare function processAuthorizationCodeOpenIDResponse(as: AuthorizationServer, client: Client, response: Response, expectedNonce?: string | typeof expectNoNonce, maxAge?: number | typeof skipAuthTimeCheck, options?: ProcessAuthorizationCodeOpenIDResponseOptions): Promise<OpenIDTokenEndpointResponse | OAuth2Error>;
 /**
  * (OAuth 2.0 without OpenID Connect only) Validates Authorization Code Grant Response instance to
  * be one coming from the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -991,6 +1020,8 @@ export interface IntrospectionResponse {
     };
     readonly [claim: string]: JsonValue | undefined;
 }
+export interface ProcessIntrospectionResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
+}
 /**
  * Validates Response instance to be one coming from the
  * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}.
@@ -1005,7 +1036,7 @@ export interface IntrospectionResponse {
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5)
  */
-export declare function processIntrospectionResponse(as: AuthorizationServer, client: Client, response: Response, options?: HttpRequestOptions): Promise<IntrospectionResponse | OAuth2Error>;
+export declare function processIntrospectionResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessIntrospectionResponseOptions): Promise<IntrospectionResponse | OAuth2Error>;
 /** @ignore */
 export interface JwksRequestOptions extends HttpRequestOptions {
 }
@@ -1140,6 +1171,8 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request)
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
+export interface ProcessDeviceCodeResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
+}
 /**
  * Validates Device Authorization Grant Response instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -1153,7 +1186,7 @@ export declare function deviceCodeGrantRequest(as: AuthorizationServer, client:
  *   OAuth 2.0 error was returned.
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
  */
-export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: HttpRequestOptions): Promise<TokenEndpointResponse | OAuth2Error>;
+export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessDeviceCodeResponseOptions): Promise<TokenEndpointResponse | OAuth2Error>;
 export interface GenerateKeyPairOptions {
     /** Indicates whether or not the private key may be exported. Default is `false`. */
     extractable?: boolean;

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v1.2.1';
+    const VERSION = 'v1.3.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 const encoder = new TextEncoder();
@@ -151,11 +151,17 @@ function prepareHeaders(input) {
     return headers;
 }
 function signal(value) {
-    return typeof value === 'function' ? value() : value;
+    if (typeof value === 'function') {
+        value = value();
+    }
+    if (!(value instanceof AbortSignal)) {
+        throw new TypeError('"options.signal" must return or be an instance of AbortSignal');
+    }
+    return value;
 }
 export async function discoveryRequest(issuerIdentifier, options) {
     if (!(issuerIdentifier instanceof URL)) {
-        throw new TypeError('"issuer" must be an instance of URL');
+        throw new TypeError('"issuerIdentifier" must be an instance of URL');
     }
     if (issuerIdentifier.protocol !== 'https:' && issuerIdentifier.protocol !== 'http:') {
         throw new TypeError('"issuer.protocol" must be "https:" or "http:"');
@@ -315,20 +321,20 @@ async function privateKeyJwt(as, client, key, kid) {
         kid,
     }, clientAssertion(as, client), key);
 }
-function assertIssuer(metadata) {
-    if (typeof metadata !== 'object' || metadata === null) {
-        throw new TypeError('"issuer" must be an object');
+function assertAs(as) {
+    if (typeof as !== 'object' || as === null) {
+        throw new TypeError('"as" must be an object');
     }
-    if (!validateString(metadata.issuer)) {
-        throw new TypeError('"issuer.issuer" property must be a non-empty string');
+    if (!validateString(as.issuer)) {
+        throw new TypeError('"as.issuer" property must be a non-empty string');
     }
     return true;
 }
-function assertClient(metadata) {
-    if (typeof metadata !== 'object' || metadata === null) {
+function assertClient(client) {
+    if (typeof client !== 'object' || client === null) {
         throw new TypeError('"client" must be an object');
     }
-    if (!validateString(metadata.client_id)) {
+    if (!validateString(client.client_id)) {
         throw new TypeError('"client.client_id" property must be a non-empty string');
     }
     return true;
@@ -399,7 +405,7 @@ async function jwt(header, claimsSet, key) {
     return `${input}.${signature}`;
 }
 export async function issueRequestObject(as, client, parameters, privateKey) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(parameters instanceof URLSearchParams)) {
         throw new TypeError('"parameters" must be an instance of URLSearchParams');
@@ -468,13 +474,13 @@ async function publicJwk(key) {
     return { kty, crv, e, n, x, y };
 }
 export async function pushedAuthorizationRequest(as, client, parameters, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(parameters instanceof URLSearchParams)) {
         throw new TypeError('"parameters" must be an instance of URLSearchParams');
     }
     if (typeof as.pushed_authorization_request_endpoint !== 'string') {
-        throw new TypeError('"issuer.pushed_authorization_request_endpoint" must be a string');
+        throw new TypeError('"as.pushed_authorization_request_endpoint" must be a string');
     }
     const url = new URL(as.pushed_authorization_request_endpoint);
     const body = new URLSearchParams(parameters);
@@ -555,7 +561,7 @@ export function parseWwwAuthenticateChallenges(response) {
     return challenges;
 }
 export async function processPushedAuthorizationResponse(as, client, response) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
@@ -609,10 +615,10 @@ export async function protectedResourceRequest(accessToken, method, url, headers
     }).then(processDpopNonce);
 }
 export async function userInfoRequest(as, client, accessToken, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (typeof as.userinfo_endpoint !== 'string') {
-        throw new TypeError('"issuer.userinfo_endpoint" must be a string');
+        throw new TypeError('"as.userinfo_endpoint" must be a string');
     }
     const url = new URL(as.userinfo_endpoint);
     const headers = prepareHeaders(options?.headers);
@@ -716,7 +722,7 @@ function getContentType(response) {
     return response.headers.get('content-type')?.split(';')[0];
 }
 export async function processUserInfoResponse(as, client, expectedSubject, response, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
@@ -726,10 +732,9 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
     }
     let json;
     if (getContentType(response) === 'application/jwt') {
-        if (typeof as.jwks_uri !== 'string') {
-            throw new TypeError('"issuer.jwks_uri" must be a string');
-        }
-        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options))
+        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), options?.skipJwtSignatureCheck !== true
+            ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
+            : noSignatureCheck)
             .then(validateOptionalAudience.bind(undefined, client.client_id))
             .then(validateOptionalIssuer.bind(undefined, as.issuer));
         json = claims;
@@ -764,43 +769,6 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
     }
     return json;
 }
-function padded(buf, length) {
-    const out = new Uint8Array(length);
-    out.set(buf);
-    return out;
-}
-function timingSafeEqual(a, b) {
-    const len = Math.max(a.byteLength, b.byteLength);
-    a = padded(a, len);
-    b = padded(b, len);
-    let out = 0;
-    let i = -1;
-    while (++i < len) {
-        out |= a[i] ^ b[i];
-    }
-    return out === 0;
-}
-async function idTokenHash(alg, data) {
-    let algorithm;
-    switch (alg) {
-        case 'RS256':
-        case 'PS256':
-        case 'ES256':
-            algorithm = { name: 'SHA-256' };
-            break;
-        case 'EdDSA':
-            algorithm = { name: 'SHA-512' };
-            break;
-        default:
-            throw new UnsupportedOperationError();
-    }
-    const digest = await crypto.subtle.digest(algorithm, buf(data));
-    return b64u(digest.slice(0, digest.byteLength / 2));
-}
-async function idTokenHashMatches(alg, data, actual) {
-    const expected = await idTokenHash(alg, data);
-    return timingSafeEqual(buf(actual), buf(expected));
-}
 async function authenticatedRequest(as, client, method, url, body, headers, options) {
     await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);
     return fetch(url.href, {
@@ -813,7 +781,7 @@ async function authenticatedRequest(as, client, method, url, body, headers, opti
 }
 async function tokenEndpointRequest(as, client, grantType, parameters, options) {
     if (typeof as.token_endpoint !== 'string') {
-        throw new TypeError('"issuer.token_endpoint" must be a string');
+        throw new TypeError('"as.token_endpoint" must be a string');
     }
     const url = new URL(as.token_endpoint);
     parameters.set('grant_type', grantType);
@@ -825,7 +793,7 @@ async function tokenEndpointRequest(as, client, grantType, parameters, options)
     return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);
 }
 export async function refreshTokenGrantRequest(as, client, refreshToken, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!validateString(refreshToken)) {
         throw new TypeError('"refreshToken" must be a non-empty string');
@@ -841,8 +809,8 @@ export function getValidatedIdTokenClaims(ref) {
     }
     return idTokenClaims.get(ref);
 }
-async function processGenericAccessTokenResponse(as, client, response, options, ignoreIdToken = false, ignoreRefreshToken = false) {
-    assertIssuer(as);
+async function processGenericAccessTokenResponse(as, client, response, options, ignoreIdToken = false, ignoreRefreshToken = false, skipSignatureCheck = false) {
+    assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
@@ -891,10 +859,9 @@ async function processGenericAccessTokenResponse(as, client, response, options,
             throw new OPE('"response" body "id_token" property must be a non-empty string');
         }
         if (json.id_token) {
-            if (typeof as.jwks_uri !== 'string') {
-                throw new TypeError('"issuer.jwks_uri" must be a string');
-            }
-            const { header, claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options))
+            const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), skipSignatureCheck !== true
+                ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
+                : noSignatureCheck)
                 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))
                 .then(validateIssuer.bind(undefined, as.issuer))
                 .then(validateAudience.bind(undefined, client.client_id));
@@ -904,19 +871,13 @@ async function processGenericAccessTokenResponse(as, client, response, options,
             if (client.require_auth_time && typeof claims.auth_time !== 'number') {
                 throw new OPE('unexpected ID Token "auth_time" (authentication time) claim value');
             }
-            if (claims.at_hash !== undefined) {
-                if (typeof claims.at_hash !== 'string' ||
-                    !(await idTokenHashMatches(header.alg, json.access_token, claims.at_hash))) {
-                    throw new OPE('unexpected ID Token "at_hash" (access token hash) claim value');
-                }
-            }
             idTokenClaims.set(json, claims);
         }
     }
     return json;
 }
 export async function processRefreshTokenResponse(as, client, response, options) {
-    return processGenericAccessTokenResponse(as, client, response, options);
+    return processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
 }
 function validateOptionalAudience(expected, result) {
     if (result.claims.aud !== undefined) {
@@ -948,7 +909,7 @@ function validateIssuer(expected, result) {
     return result;
 }
 export async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(callbackParameters instanceof CallbackParameters)) {
         throw new TypeError('"callbackParameters" must be an instance of CallbackParameters obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
@@ -987,7 +948,7 @@ function validatePresence(required, result) {
 export const expectNoNonce = Symbol();
 export const skipAuthTimeCheck = Symbol();
 export async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, options) {
-    const result = await processGenericAccessTokenResponse(as, client, response, options);
+    const result = await processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
     if (isOAuth2Error(result)) {
         return result;
     }
@@ -1050,7 +1011,7 @@ function checkJwtType(expected, result) {
     return result;
 }
 export async function clientCredentialsGrantRequest(as, client, parameters, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);
 }
@@ -1062,13 +1023,13 @@ export async function processClientCredentialsResponse(as, client, response) {
     return result;
 }
 export async function revocationRequest(as, client, token, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!validateString(token)) {
         throw new TypeError('"token" must be a non-empty string');
     }
     if (typeof as.revocation_endpoint !== 'string') {
-        throw new TypeError('"issuer.revocation_endpoint" must be a string');
+        throw new TypeError('"as.revocation_endpoint" must be a string');
     }
     const url = new URL(as.revocation_endpoint);
     const body = new URLSearchParams(options?.additionalParameters);
@@ -1096,13 +1057,13 @@ function assertReadableResponse(response) {
     }
 }
 export async function introspectionRequest(as, client, token, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!validateString(token)) {
         throw new TypeError('"token" must be a non-empty string');
     }
     if (typeof as.introspection_endpoint !== 'string') {
-        throw new TypeError('"issuer.introspection_endpoint" must be a string');
+        throw new TypeError('"as.introspection_endpoint" must be a string');
     }
     const url = new URL(as.introspection_endpoint);
     const body = new URLSearchParams(options?.additionalParameters);
@@ -1117,7 +1078,7 @@ export async function introspectionRequest(as, client, token, options) {
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
 export async function processIntrospectionResponse(as, client, response, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
@@ -1131,10 +1092,9 @@ export async function processIntrospectionResponse(as, client, response, options
     }
     let json;
     if (getContentType(response) === 'application/token-introspection+jwt') {
-        if (typeof as.jwks_uri !== 'string') {
-            throw new TypeError('"issuer.jwks_uri" must be a string');
-        }
-        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options))
+        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), options?.skipJwtSignatureCheck !== true
+            ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
+            : noSignatureCheck)
             .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))
             .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))
             .then(validateIssuer.bind(undefined, as.issuer))
@@ -1161,9 +1121,9 @@ export async function processIntrospectionResponse(as, client, response, options
     return json;
 }
 export async function jwksRequest(as, options) {
-    assertIssuer(as);
+    assertAs(as);
     if (typeof as.jwks_uri !== 'string') {
-        throw new TypeError('"issuer.jwks_uri" must be a string');
+        throw new TypeError('"as.jwks_uri" must be a string');
     }
     const url = new URL(as.jwks_uri);
     const headers = prepareHeaders(options?.headers);
@@ -1254,8 +1214,9 @@ function subtleAlgorithm(key) {
     }
     throw new UnsupportedOperationError();
 }
+const noSignatureCheck = Symbol();
 async function validateJwt(jws, checkAlg, getKey) {
-    const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');
     if (length === 5) {
         throw new UnsupportedOperationError('JWE structure JWTs are not supported');
     }
@@ -1276,11 +1237,14 @@ async function validateJwt(jws, checkAlg, getKey) {
     if (header.crit !== undefined) {
         throw new OPE('unexpected JWT "crit" header parameter');
     }
-    const key = await getKey(header);
-    const input = `${protectedHeader}.${payload}`;
-    const verified = await crypto.subtle.verify(subtleAlgorithm(key), key, b64u(signature), buf(input));
-    if (!verified) {
-        throw new OPE('JWT signature verification failed');
+    const signature = b64u(encodedSignature);
+    if (getKey !== noSignatureCheck) {
+        const key = await getKey(header);
+        const input = `${protectedHeader}.${payload}`;
+        const verified = await crypto.subtle.verify(subtleAlgorithm(key), key, signature, buf(input));
+        if (!verified) {
+            throw new OPE('JWT signature verification failed');
+        }
     }
     let claims;
     try {
@@ -1325,10 +1289,10 @@ async function validateJwt(jws, checkAlg, getKey) {
             throw new OPE('unexpected JWT "aud" (audience) claim type');
         }
     }
-    return { header, claims };
+    return { header, claims, signature };
 }
 export async function validateJwtAuthResponse(as, client, parameters, expectedState, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (parameters instanceof URL) {
         parameters = parameters.searchParams;
@@ -1341,7 +1305,7 @@ export async function validateJwtAuthResponse(as, client, parameters, expectedSt
         throw new OPE('"parameters" does not contain a JARM response');
     }
     if (typeof as.jwks_uri !== 'string') {
-        throw new TypeError('"issuer.jwks_uri" must be a string');
+        throw new TypeError('"as.jwks_uri" must be a string');
     }
     const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options))
         .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))
@@ -1384,7 +1348,7 @@ export const expectNoState = Symbol();
 class CallbackParameters extends URLSearchParams {
 }
 export function validateAuthResponse(as, client, parameters, expectedState) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (parameters instanceof URL) {
         parameters = parameters.searchParams;
@@ -1460,13 +1424,13 @@ async function importJwk(jwk) {
     return crypto.subtle.importKey('jwk', key, algorithm, true, ['verify']);
 }
 export async function deviceAuthorizationRequest(as, client, parameters, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(parameters instanceof URLSearchParams)) {
         throw new TypeError('"parameters" must be an instance of URLSearchParams');
     }
     if (typeof as.device_authorization_endpoint !== 'string') {
-        throw new TypeError('"issuer.device_authorization_endpoint" must be a string');
+        throw new TypeError('"as.device_authorization_endpoint" must be a string');
     }
     const url = new URL(as.device_authorization_endpoint);
     const body = new URLSearchParams(parameters);
@@ -1476,7 +1440,7 @@ export async function deviceAuthorizationRequest(as, client, parameters, options
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
 export async function processDeviceAuthorizationResponse(as, client, response) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
@@ -1520,7 +1484,7 @@ export async function processDeviceAuthorizationResponse(as, client, response) {
     return json;
 }
 export async function deviceCodeGrantRequest(as, client, deviceCode, options) {
-    assertIssuer(as);
+    assertAs(as);
     assertClient(client);
     if (!validateString(deviceCode)) {
         throw new TypeError('"deviceCode" must be a non-empty string');
@@ -1530,7 +1494,7 @@ export async function deviceCodeGrantRequest(as, client, deviceCode, options) {
     return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);
 }
 export async function processDeviceCodeResponse(as, client, response, options) {
-    return processGenericAccessTokenResponse(as, client, response, options);
+    return processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
 }
 export async function generateKeyPair(alg, options) {
     let algorithm;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "1.2.1",
+  "version": "1.3.0",
   "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
   "keywords": [
     "auth",
@@ -10,11 +10,14 @@
     "browser",
     "certified",
     "client",
-    "cloudflare-workers",
+    "cloudflare",
     "deno",
+    "edge",
     "electron",
     "fapi",
     "javascript",
+    "netlify",
+    "next",
     "nextjs",
     "node",
     "nodejs",
@@ -23,7 +26,8 @@
     "oidc",
     "openid-connect",
     "openid",
-    "vercel-edge"
+    "vercel",
+    "workers"
   ],
   "homepage": "https://github.com/panva/oauth4webapi",
   "repository": "panva/oauth4webapi",
@@ -43,38 +47,36 @@
   "scripts": {
     "_format": "find src test tap examples conformance -type f -name '*.ts' -o -name '*.mjs' | xargs prettier",
     "build": "rm -rf build && tsc && tsc --declaration true --emitDeclarationOnly true --removeComments false && tsc -p test && tsc -p examples && tsc -p conformance && tsc -p tap",
-    "conformance": "patch-package && NODE_OPTIONS='--no-warnings --loader=@esbuild-kit/esm-loader' ava --config conformance/ava.config.ts",
-    "coverage": "patch-package && c8 ava",
+    "conformance": "bash -c 'patch-package && source .node_flags.sh && ava --config conformance/ava.config.ts'",
     "docs": "patch-package && typedoc",
     "format": "npm run _format -- --write",
     "format-check": "npm run _format -- --check",
     "prepack": "npm run format && npm run docs && ./examples/.update-diffs.sh && git diff --quiet && npm run test && npm run build",
     "tap:deno": "./tap/.deno.sh",
     "tap:edge-runtime": "./tap/.edge-runtime.sh",
-    "tap:node": "./tap/.node.sh",
+    "tap:node": "bash -c './tap/.node.sh'",
     "tap:workers": "./tap/.workers.sh",
     "tap:browsers": "./tap/.browsers.sh",
-    "test": "ava"
+    "test": "bash -c 'source .node_flags.sh && ava'"
   },
   "devDependencies": {
     "@esbuild-kit/esm-loader": "^2.5.0",
-    "@types/node": "^18.8.3",
+    "@types/node": "^18.11.7",
     "@types/qunit": "^2.19.3",
-    "ava": "^4.3.3",
-    "c8": "^7.12.0",
-    "edge-runtime": "^1.1.0-beta.31",
-    "jose": "^4.10.0",
-    "patch-package": "^6.4.7",
+    "ava": "^5.0.1",
+    "edge-runtime": "^2.0.0",
+    "jose": "^4.10.4",
+    "patch-package": "^6.5.0",
     "prettier": "^2.7.1",
     "prettier-plugin-jsdoc": "^0.4.2",
-    "qunit": "^2.19.1",
+    "qunit": "^2.19.3",
     "testcafe": "^2.0.1",
     "testcafe-browser-provider-browserstack": "^1.14.0",
     "timekeeper": "^2.2.0",
-    "typedoc": "^0.23.15",
+    "typedoc": "^0.23.19",
     "typedoc-plugin-markdown": "^3.13.6",
     "typescript": "^4.8.4",
-    "undici": "^5.11.0",
+    "undici": "^5.12.0",
     "workerd": "^1.20220926.3"
   }
 }