oauth4webapi 1.4.1 → 2.0.1

package/README.md

@@ -39,7 +39,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.0.1/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)
@@ -71,5 +71,4 @@ These are _(this is not an exhaustive list)_:
 - Implicit, Hybrid, and Resource Owner Password Credentials Flows
 - Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
 - JSON Web Encryption (JWE)
-- JSON Web Signature (JWS) rarely used algorithms and HMAC
 - Automatic polyfills of any kind

package/build/index.d.ts

@@ -1,13 +1,9 @@
-/** @ignore */
-export declare type JsonObject = {
+declare type JsonObject = {
     [Key in string]?: JsonValue;
 };
-/** @ignore */
-export declare type JsonArray = JsonValue[];
-/** @ignore */
-export declare type JsonPrimitive = string | number | boolean | null;
-/** @ignore */
-export declare type JsonValue = JsonPrimitive | JsonObject | JsonArray;
+declare type JsonArray = JsonValue[];
+declare type JsonPrimitive = string | number | boolean | null;
+declare type JsonValue = JsonPrimitive | JsonObject | JsonArray;
 /**
  * Interface to pass an asymmetric private key and, optionally, its associated JWK Key ID to be
  * added as a `kid` JOSE Header Parameter.
@@ -89,42 +85,6 @@ export declare type ClientAuthenticationMethod = 'client_secret_basic' | 'client
  * ```
  */
 export declare type JWSAlgorithm = 'PS256' | 'ES256' | 'RS256' | 'EdDSA';
-/**
- * JSON Web Key
- *
- * @ignore
- */
-export interface JWK {
-    /** Key Type */
-    readonly kty?: string;
-    /** Key ID */
-    readonly kid?: string;
-    /** Algorithm */
-    readonly alg?: string;
-    /** Public Key Use */
-    readonly use?: string;
-    /** Key Operations */
-    readonly key_ops?: string[];
-    /** (RSA) Exponent */
-    readonly e?: string;
-    /** (RSA) Modulus */
-    readonly n?: string;
-    /**
-     * (EC) Curve
-     *
-     * (OKP) The subtype of key pair
-     */
-    readonly crv?: string;
-    /**
-     * (EC) X Coordinate
-     *
-     * (OKP) The public key
-     */
-    readonly x?: string;
-    /** (EC) Y Coordinate */
-    readonly y?: string;
-    readonly [parameter: string]: JsonValue | undefined;
-}
 /**
  * Authorization Server Metadata
  *
@@ -413,11 +373,11 @@ export interface Client {
     token_endpoint_auth_method?: ClientAuthenticationMethod;
     /**
      * JWS `alg` algorithm required for signing the ID Token issued to this Client. When not
-     * configured the default is to allow only {@link JWSAlgorithm supported algorithms} listed in
+     * configured the default is to allow only algorithms listed in
      * {@link AuthorizationServer.id_token_signing_alg_values_supported `as.id_token_signing_alg_values_supported`}
      * and fall back to `RS256` when the authorization server metadata is not set.
      */
-    id_token_signed_response_alg?: JWSAlgorithm;
+    id_token_signed_response_alg?: string;
     /**
      * JWS `alg` algorithm required for signing authorization responses. When not configured the
      * default is to allow only {@link JWSAlgorithm supported algorithms} listed in
@@ -432,18 +392,18 @@ export interface Client {
     require_auth_time?: boolean;
     /**
      * JWS `alg` algorithm REQUIRED for signing UserInfo Responses. When not configured the default is
-     * to allow only {@link JWSAlgorithm supported algorithms} listed in
+     * to allow only algorithms listed in
      * {@link AuthorizationServer.userinfo_signing_alg_values_supported `as.userinfo_signing_alg_values_supported`}
      * and fall back to `RS256` when the authorization server metadata is not set.
      */
-    userinfo_signed_response_alg?: JWSAlgorithm;
+    userinfo_signed_response_alg?: string;
     /**
      * JWS `alg` algorithm REQUIRED for signed introspection responses. When not configured the
-     * default is to allow only {@link JWSAlgorithm supported algorithms} listed in
+     * default is to allow only algorithms listed in
      * {@link AuthorizationServer.introspection_signing_alg_values_supported `as.introspection_signing_alg_values_supported`}
      * and fall back to `RS256` when the authorization server metadata is not set.
      */
-    introspection_signed_response_alg?: JWSAlgorithm;
+    introspection_signed_response_alg?: string;
     /** Default Maximum Authentication Age. */
     default_max_age?: number;
     [metadata: string]: JsonValue | undefined;
@@ -579,7 +539,7 @@ export declare function issueRequestObject(as: AuthorizationServer, client: Clie
  * @param parameters Authorization Request parameters.
  *
  * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-with-pushed-authorizat)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-with-pushed-authorizat)
  */
 export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams, options?: PushedAuthorizationRequestOptions): Promise<Response>;
 export interface PushedAuthorizationResponse {
@@ -646,7 +606,7 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
  * @param body Request body compatible with the Fetch API and the request's method.
  *
  * @see [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-protected-resource-access)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-protected-resource-access)
  */
 export declare function protectedResourceRequest(accessToken: string, method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | string, url: URL, headers: Headers, body: RequestInit['body'], options?: ProtectedResourceRequestOptions): Promise<Response>;
 export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions {
@@ -662,7 +622,7 @@ export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestO
  * @param accessToken Access Token value.
  *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-protected-resource-access)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-protected-resource-access)
  */
 export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise<Response>;
 export interface UserInfoResponse {
@@ -703,31 +663,6 @@ export interface UserInfoResponse {
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)
  */
 export declare const skipSubjectCheck: unique symbol;
-export interface SkipJWTSignatureCheckOptions {
-    /**
-     * DANGER ZONE
-     *
-     * When JWT assertions are received via direct communication between the Client and the
-     * Token/UserInfo/Introspection endpoint (which they are in this library's supported profiles and
-     * exposed functions) the TLS server validation MAY be used to validate the issuer in place of
-     * checking the assertion's signature.
-     *
-     * Set this to `true` to omit verifying the JWT assertion's signature (e.g. ID Token, JWT Signed
-     * Introspection, or JWT Signed UserInfo Response).
-     *
-     * Setting this to `true` also means that:
-     *
-     * - The Authorization Server's JSON Web Key Set will not be requested. That is useful for
-     *   javascript runtimes that execute on the edge and cannot reliably share an in-memory cache of
-     *   the JSON Web Key Set in between invocations.
-     * - Any JWS Algorithm may be used, not just the {@link JWSAlgorithm supported ones}.
-     *
-     * Default is `false`.
-     */
-    skipJwtSignatureCheck?: boolean;
-}
-export interface ProcessUserInfoResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
-}
 /**
  * Validates Response instance to be one coming from the
  * {@link AuthorizationServer.userinfo_endpoint `as.userinfo_endpoint`}.
@@ -744,7 +679,7 @@ export interface ProcessUserInfoResponseOptions extends HttpRequestOptions, Skip
  *   OAuth 2.0 error was returned.
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
  */
-export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response, options?: ProcessUserInfoResponseOptions): Promise<UserInfoResponse>;
+export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response): Promise<UserInfoResponse>;
 export interface TokenEndpointRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions, DPoPRequestOptions {
     /** Any additional parameters to send. This cannot override existing parameter values. */
     additionalParameters?: URLSearchParams;
@@ -759,7 +694,7 @@ export interface TokenEndpointRequestOptions extends HttpRequestOptions, Authent
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
  */
 export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, refreshToken: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -780,8 +715,6 @@ export declare function getValidatedIdTokenClaims(ref: OpenIDTokenEndpointRespon
  * @returns JWT Claims Set from an ID Token, or undefined if there is no ID Token in `ref`.
  */
 export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): IDToken | undefined;
-export interface ProcessRefreshTokenResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
-}
 /**
  * Validates Refresh Token Grant Response instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -796,7 +729,7 @@ export interface ProcessRefreshTokenResponseOptions extends HttpRequestOptions,
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
  */
-export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessRefreshTokenResponseOptions): Promise<TokenEndpointResponse | OAuth2Error>;
+export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response): Promise<TokenEndpointResponse | OAuth2Error>;
 /**
  * Performs an Authorization Code grant request at the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -811,7 +744,7 @@ export declare function processRefreshTokenResponse(as: AuthorizationServer, cli
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
  */
 export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, callbackParameters: CallbackParameters, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 interface JWTPayload {
@@ -883,8 +816,6 @@ export declare const expectNoNonce: unique symbol;
  * indicate no `auth_time` ID Token claim value check should be performed.
  */
 export declare const skipAuthTimeCheck: unique symbol;
-export interface ProcessAuthorizationCodeOpenIDResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
-}
 /**
  * (OpenID Connect only) Validates Authorization Code Grant Response instance to be one coming from
  * the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -905,7 +836,7 @@ export interface ProcessAuthorizationCodeOpenIDResponseOptions extends HttpReque
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  */
-export declare function processAuthorizationCodeOpenIDResponse(as: AuthorizationServer, client: Client, response: Response, expectedNonce?: string | typeof expectNoNonce, maxAge?: number | typeof skipAuthTimeCheck, options?: ProcessAuthorizationCodeOpenIDResponseOptions): Promise<OpenIDTokenEndpointResponse | OAuth2Error>;
+export declare function processAuthorizationCodeOpenIDResponse(as: AuthorizationServer, client: Client, response: Response, expectedNonce?: string | typeof expectNoNonce, maxAge?: number | typeof skipAuthTimeCheck): Promise<OpenIDTokenEndpointResponse | OAuth2Error>;
 /**
  * (OAuth 2.0 without OpenID Connect only) Validates Authorization Code Grant Response instance to
  * be one coming from the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -930,7 +861,7 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  * @param client Client Metadata.
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
  */
 export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams, options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
 /**
@@ -1020,8 +951,6 @@ export interface IntrospectionResponse {
     };
     readonly [claim: string]: JsonValue | undefined;
 }
-export interface ProcessIntrospectionResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
-}
 /**
  * Validates Response instance to be one coming from the
  * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}.
@@ -1036,44 +965,7 @@ export interface ProcessIntrospectionResponseOptions extends HttpRequestOptions,
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5)
  */
-export declare function processIntrospectionResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessIntrospectionResponseOptions): Promise<IntrospectionResponse | OAuth2Error>;
-/** @ignore */
-export interface JwksRequestOptions extends HttpRequestOptions {
-}
-/**
- * Performs a request to the {@link AuthorizationServer.jwks_uri `as.jwks_uri`}.
- *
- * @ignore
- *
- * @param as Authorization Server Metadata.
- *
- * @see [JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517.html#section-5)
- * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3)
- * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
- */
-export declare function jwksRequest(as: AuthorizationServer, options?: JwksRequestOptions): Promise<Response>;
-/**
- * JSON Web Key Set
- *
- * @ignore
- */
-export interface JsonWebKeySet {
-    /** Array of JWK Values */
-    readonly keys: JWK[];
-}
-/**
- * Validates Response instance to be one coming from the
- * {@link AuthorizationServer.jwks_uri `as.jwks_uri`}.
- *
- * @ignore
- *
- * @param response Resolved value from {@link jwksRequest}.
- *
- * @returns Resolves with an object representing the parsed successful response.
- *
- * @see [JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517.html#section-5)
- */
-export declare function processJwksResponse(response: Response): Promise<JsonWebKeySet>;
+export declare function processIntrospectionResponse(as: AuthorizationServer, client: Client, response: Response): Promise<IntrospectionResponse | OAuth2Error>;
 /**
  * Same as {@link validateAuthResponse} but for signed JARM responses.
  *
@@ -1168,11 +1060,9 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  * @param deviceCode Device Code.
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
- * @see [draft-ietf-oauth-dpop-10 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
-export interface ProcessDeviceCodeResponseOptions extends HttpRequestOptions, SkipJWTSignatureCheckOptions {
-}
 /**
  * Validates Device Authorization Grant Response instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -1186,7 +1076,7 @@ export interface ProcessDeviceCodeResponseOptions extends HttpRequestOptions, Sk
  *   OAuth 2.0 error was returned.
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
  */
-export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessDeviceCodeResponseOptions): Promise<TokenEndpointResponse | OAuth2Error>;
+export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response): Promise<TokenEndpointResponse | OAuth2Error>;
 export interface GenerateKeyPairOptions {
     /** Indicates whether or not the private key may be exported. Default is `false`. */
     extractable?: boolean;
@@ -1199,14 +1089,4 @@ export interface GenerateKeyPairOptions {
  * @param alg Supported JWS `alg` Algorithm identifier.
  */
 export declare function generateKeyPair(alg: JWSAlgorithm, options?: GenerateKeyPairOptions): Promise<CryptoKeyPair>;
-/**
- * Calculates a base64url-encoded SHA-256 JWK Thumbprint.
- *
- * @ignore
- *
- * @param key A public extractable CryptoKey.
- *
- * @see [RFC 7638 - JSON Web Key (JWK) Thumbprint](https://www.rfc-editor.org/rfc/rfc7638.html)
- */
-export declare function calculateJwkThumbprint(key: CryptoKey): Promise<string>;
 export {};

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v1.4.1';
+    const VERSION = 'v2.0.1';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 const encoder = new TextEncoder();
@@ -432,6 +432,21 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         resource.length > 1) {
         claims.resource = resource;
     }
+    if (parameters.has('claims')) {
+        const value = parameters.get('claims');
+        if (value === '[object Object]') {
+            throw new OPE('"claims" parameter must be passed as a UTF-8 encoded JSON');
+        }
+        try {
+            claims.claims = JSON.parse(value);
+        }
+        catch {
+            throw new OPE('failed to parse the "claims" parameter as JSON');
+        }
+        if (!isJsonObject(claims.claims)) {
+            throw new OPE('"claims" parameter must be a top level object');
+        }
+    }
     return jwt({
         alg: determineJWSAlgorithm(key),
         typ: 'oauth-authz-req+jwt',
@@ -469,9 +484,14 @@ async function dpopProofJwt(headers, options, url, htm, accessToken) {
     }, privateKey);
     headers.set('dpop', proof);
 }
+const jwkCache = Symbol();
 async function publicJwk(key) {
+    if (key[jwkCache]) {
+        return key[jwkCache];
+    }
     const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);
-    return { kty, crv, e, n, x, y };
+    const jwk = (key[jwkCache] = { kty, e, n, x, y, crv });
+    return jwk;
 }
 export async function pushedAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
@@ -489,9 +509,6 @@ export async function pushedAuthorizationRequest(as, client, parameters, options
     headers.set('accept', 'application/json');
     if (options?.DPoP !== undefined) {
         await dpopProofJwt(headers, options.DPoP, url, 'POST');
-        if (!body.has('dpop_jkt')) {
-            body.set('dpop_jkt', await calculateJwkThumbprint(options.DPoP.publicKey));
-        }
     }
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
@@ -631,31 +648,30 @@ export async function userInfoRequest(as, client, accessToken, options) {
     }
     return protectedResourceRequest(accessToken, 'GET', url, headers, null, options);
 }
-const jwksCache = new LRU(20);
-const cryptoKeyCaches = {};
+const jwksCache = Symbol();
 async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
     const { alg, kid } = header;
     checkSupportedJwsAlg(alg);
     let jwks;
     let age;
-    if (jwksCache.has(as.jwks_uri)) {
+    if (as[jwksCache]) {
         ;
-        ({ jwks, age } = jwksCache.get(as.jwks_uri));
+        ({ jwks, age } = as[jwksCache]);
         if (age >= 300) {
-            jwksCache.delete(as.jwks_uri);
+            as[jwksCache] = undefined;
             return getPublicSigKeyFromIssuerJwksUri(as, options, header);
         }
     }
     else {
         jwks = await jwksRequest(as, options).then(processJwksResponse);
         age = 0;
-        jwksCache.set(as.jwks_uri, {
+        as[jwksCache] = {
             jwks,
             iat: epochTime(),
             get age() {
                 return epochTime() - this.iat;
             },
-        });
+        };
     }
     let kty;
     switch (alg.slice(0, 2)) {
@@ -698,7 +714,7 @@ async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
     const { 0: jwk, length } = candidates;
     if (!length) {
         if (age >= 60) {
-            jwksCache.delete(as.jwks_uri);
+            as[jwksCache] = undefined;
             return getPublicSigKeyFromIssuerJwksUri(as, options, header);
         }
         throw new OPE('error when selecting a JWT verification key, no applicable keys found');
@@ -706,14 +722,9 @@ async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
     else if (length !== 1) {
         throw new OPE('error when selecting a JWT verification key, multiple applicable keys found, a "kid" JWT Header Parameter is required');
     }
-    cryptoKeyCaches[alg] || (cryptoKeyCaches[alg] = new WeakMap());
-    let key = cryptoKeyCaches[alg].get(jwk);
-    if (!key) {
-        key = await importJwk({ ...jwk, alg });
-        if (key.type !== 'public') {
-            throw new OPE('jwks_uri must only contain public keys');
-        }
-        cryptoKeyCaches[alg].set(jwk, key);
+    const key = await importJwk(alg, jwk);
+    if (key.type !== 'public') {
+        throw new OPE('jwks_uri must only contain public keys');
     }
     return key;
 }
@@ -721,7 +732,7 @@ export const skipSubjectCheck = Symbol();
 function getContentType(response) {
     return response.headers.get('content-type')?.split(';')[0];
 }
-export async function processUserInfoResponse(as, client, expectedSubject, response, options) {
+export async function processUserInfoResponse(as, client, expectedSubject, response) {
     assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
@@ -732,9 +743,7 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
     }
     let json;
     if (getContentType(response) === 'application/jwt') {
-        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), options?.skipJwtSignatureCheck !== true
-            ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
-            : noSignatureCheck)
+        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck)
             .then(validateOptionalAudience.bind(undefined, client.client_id))
             .then(validateOptionalIssuer.bind(undefined, as.issuer));
         json = claims;
@@ -810,7 +819,7 @@ export function getValidatedIdTokenClaims(ref) {
     }
     return idTokenClaims.get(ref);
 }
-async function processGenericAccessTokenResponse(as, client, response, options, ignoreIdToken = false, ignoreRefreshToken = false, skipSignatureCheck = false) {
+async function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {
     assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
@@ -860,9 +869,7 @@ async function processGenericAccessTokenResponse(as, client, response, options,
             throw new OPE('"response" body "id_token" property must be a non-empty string');
         }
         if (json.id_token) {
-            const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), skipSignatureCheck !== true
-                ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
-                : noSignatureCheck)
+            const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck)
                 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))
                 .then(validateIssuer.bind(undefined, as.issuer))
                 .then(validateAudience.bind(undefined, client.client_id));
@@ -877,8 +884,8 @@ async function processGenericAccessTokenResponse(as, client, response, options,
     }
     return json;
 }
-export async function processRefreshTokenResponse(as, client, response, options) {
-    return processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
+export async function processRefreshTokenResponse(as, client, response) {
+    return processGenericAccessTokenResponse(as, client, response);
 }
 function validateOptionalAudience(expected, result) {
     if (result.claims.aud !== undefined) {
@@ -948,8 +955,8 @@ function validatePresence(required, result) {
 }
 export const expectNoNonce = Symbol();
 export const skipAuthTimeCheck = Symbol();
-export async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge, options) {
-    const result = await processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
+export async function processAuthorizationCodeOpenIDResponse(as, client, response, expectedNonce, maxAge) {
+    const result = await processGenericAccessTokenResponse(as, client, response);
     if (isOAuth2Error(result)) {
         return result;
     }
@@ -993,7 +1000,7 @@ export async function processAuthorizationCodeOpenIDResponse(as, client, respons
     return result;
 }
 export async function processAuthorizationCodeOAuth2Response(as, client, response) {
-    const result = await processGenericAccessTokenResponse(as, client, response, undefined, true);
+    const result = await processGenericAccessTokenResponse(as, client, response, true);
     if (isOAuth2Error(result)) {
         return result;
     }
@@ -1017,7 +1024,7 @@ export async function clientCredentialsGrantRequest(as, client, parameters, opti
     return tokenEndpointRequest(as, client, 'client_credentials', new URLSearchParams(parameters), options);
 }
 export async function processClientCredentialsResponse(as, client, response) {
-    const result = await processGenericAccessTokenResponse(as, client, response, undefined, true, true);
+    const result = await processGenericAccessTokenResponse(as, client, response, true, true);
     if (isOAuth2Error(result)) {
         return result;
     }
@@ -1078,7 +1085,7 @@ export async function introspectionRequest(as, client, token, options) {
     }
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
-export async function processIntrospectionResponse(as, client, response, options) {
+export async function processIntrospectionResponse(as, client, response) {
     assertAs(as);
     assertClient(client);
     if (!(response instanceof Response)) {
@@ -1093,9 +1100,7 @@ export async function processIntrospectionResponse(as, client, response, options
     }
     let json;
     if (getContentType(response) === 'application/token-introspection+jwt') {
-        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), options?.skipJwtSignatureCheck !== true
-            ? getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options)
-            : noSignatureCheck)
+        const { claims } = await validateJwt(await preserveBodyStream(response).text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck)
             .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))
             .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))
             .then(validateIssuer.bind(undefined, as.issuer))
@@ -1121,7 +1126,7 @@ export async function processIntrospectionResponse(as, client, response, options
     }
     return json;
 }
-export async function jwksRequest(as, options) {
+async function jwksRequest(as, options) {
     assertAs(as);
     if (typeof as.jwks_uri !== 'string') {
         throw new TypeError('"as.jwks_uri" must be a string');
@@ -1137,7 +1142,7 @@ export async function jwksRequest(as, options) {
         signal: options?.signal ? signal(options.signal) : null,
     }).then(processDpopNonce);
 }
-export async function processJwksResponse(response) {
+async function processJwksResponse(response) {
     if (!(response instanceof Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
@@ -1403,8 +1408,8 @@ export function validateAuthResponse(as, client, parameters, expectedState) {
     }
     return new CallbackParameters(parameters);
 }
-async function importJwk(jwk) {
-    const { alg, ext, key_ops, use, ...key } = jwk;
+async function importJwk(alg, jwk) {
+    const { ext, key_ops, use, ...key } = jwk;
     let algorithm;
     switch (alg) {
         case 'PS256':
@@ -1494,8 +1499,8 @@ export async function deviceCodeGrantRequest(as, client, deviceCode, options) {
     parameters.set('device_code', deviceCode);
     return tokenEndpointRequest(as, client, 'urn:ietf:params:oauth:grant-type:device_code', parameters, options);
 }
-export async function processDeviceCodeResponse(as, client, response, options) {
-    return processGenericAccessTokenResponse(as, client, response, options, undefined, undefined, options?.skipJwtSignatureCheck === true);
+export async function processDeviceCodeResponse(as, client, response) {
+    return processGenericAccessTokenResponse(as, client, response);
 }
 export async function generateKeyPair(alg, options) {
     let algorithm;
@@ -1530,25 +1535,3 @@ export async function generateKeyPair(alg, options) {
     }
     return (crypto.subtle.generateKey(algorithm, options?.extractable ?? false, ['sign', 'verify']));
 }
-export async function calculateJwkThumbprint(key) {
-    if (!isPublicKey(key) || !key.extractable) {
-        throw new TypeError('"key" must be an extractable public CryptoKey');
-    }
-    determineJWSAlgorithm(key);
-    const jwk = await crypto.subtle.exportKey('jwk', key);
-    let components;
-    switch (jwk.kty) {
-        case 'EC':
-            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
-            break;
-        case 'OKP':
-            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
-            break;
-        case 'RSA':
-            components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
-            break;
-        default:
-            throw new UnsupportedOperationError();
-    }
-    return b64u(await crypto.subtle.digest({ name: 'SHA-256' }, buf(JSON.stringify(components))));
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "1.4.1",
+  "version": "2.0.1",
   "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
   "keywords": [
     "auth",