oauth4webapi 2.0.6 → 2.2.0

package/README.md

@@ -39,7 +39,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.0.6/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.2.0/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)

package/build/index.d.ts

@@ -45,31 +45,67 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
 /**
  * Supported JWS `alg` Algorithm identifiers.
  *
- * @example CryptoKey algorithm for the `PS256` JWS Algorithm Identifier
+ * @example CryptoKey algorithm for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface Ps256Algorithm extends RsaHashedKeyAlgorithm {
+ * interface RSAPSSAlgorithm extends RsaHashedKeyAlgorithm {
  *   name: 'RSA-PSS'
+ *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
+ * }
+ *
+ * interface PS256 extends RSAPSSAlgorithm {
  *   hash: { name: 'SHA-256' }
  * }
+ *
+ * interface PS384 extends RSAPSSAlgorithm {
+ *   hash: { name: 'SHA-384' }
+ * }
+ *
+ * interface PS512 extends RSAPSSAlgorithm {
+ *   hash: { name: 'SHA-512' }
+ * }
  * ```
  *
- * @example CryptoKey algorithm for the `ES256` JWS Algorithm Identifier
+ * @example CryptoKey algorithm for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface Es256Algorithm extends EcKeyAlgorithm {
+ * interface ECDSAAlgorithm extends EcKeyAlgorithm {
  *   name: 'ECDSA'
+ *   namedCurve: 'P-256' | 'P-384' | 'P-521'
+ * }
+ *
+ * interface ES256 extends ECDSAAlgorithm {
  *   namedCurve: 'P-256'
  * }
+ *
+ * interface ES384 extends ECDSAAlgorithm {
+ *   namedCurve: 'P-384'
+ * }
+ *
+ * interface ES512 extends ECDSAAlgorithm {
+ *   namedCurve: 'P-521'
+ * }
  * ```
  *
- * @example CryptoKey algorithm for the `RS256` JWS Algorithm Identifier
+ * @example CryptoKey algorithm for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface Rs256Algorithm extends RsaHashedKeyAlgorithm {
+ * interface ECDSAAlgorithm extends RsaHashedKeyAlgorithm {
  *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
+ * }
+ *
+ * interface RS256 extends ECDSAAlgorithm {
  *   hash: { name: 'SHA-256' }
  * }
+ *
+ * interface RS384 extends ECDSAAlgorithm {
+ *   hash: { name: 'SHA-384' }
+ * }
+ *
+ * interface RS512 extends ECDSAAlgorithm {
+ *   hash: { name: 'SHA-512' }
+ * }
  * ```
  *
  * @example CryptoKey algorithm for the `EdDSA` JWS Algorithm Identifier (Experimental)
@@ -79,12 +115,16 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  * widely adopted. If the proposal changes this implementation will follow up with a minor release.
  *
  * ```ts
- * interface EdDSAAlgorithm extends KeyAlgorithm {
- *   name: 'Ed25519'
+ * interface EdDSA extends KeyAlgorithm {
+ *   name: 'Ed25519' | 'Ed448'
  * }
  * ```
  */
-export type JWSAlgorithm = 'PS256' | 'ES256' | 'RS256' | 'EdDSA';
+export type JWSAlgorithm = 'PS256' | 'ES256' | 'RS256' | 'EdDSA' | 'ES384' | 'PS384' | 'RS384' | 'ES512' | 'PS512' | 'RS512';
+/** @ignore during Documentation generation but part of the public API */
+export declare const clockSkew: unique symbol;
+/** @ignore during Documentation generation but part of the public API */
+export declare const clockTolerance: unique symbol;
 /**
  * Authorization Server Metadata
  *
@@ -406,6 +446,50 @@ export interface Client {
     introspection_signed_response_alg?: string;
     /** Default Maximum Authentication Age. */
     default_max_age?: number;
+    /**
+     * Use to adjust the client's assumed current time. Positive and negative finite values
+     * representing seconds are allowed. Default is `0` (Date.now() + 0 seconds is used).
+     *
+     * @ignore during Documentation generation but part of the public API
+     *
+     * @example Client's local clock is mistakenly 1 hour in the past
+     *
+     * ```ts
+     * const client: oauth.Client = {
+     *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+     *   // ... other metadata
+     *   [oauth.clockSkew]: +(60 * 60),
+     * }
+     * ```
+     *
+     * @example Client's local clock is mistakenly 1 hour in the future
+     *
+     * ```ts
+     * const client: oauth.Client = {
+     *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+     *   // ... other metadata
+     *   [oauth.clockSkew]: -(60 * 60),
+     * }
+     * ```
+     */
+    [clockSkew]?: number;
+    /**
+     * Use to set allowed client's clock tolerance when checking DateTime JWT Claims. Only positive
+     * finite values representing seconds are allowed. Default is `30` (30 seconds).
+     *
+     * @ignore during Documentation generation but part of the public API
+     *
+     * @example Tolerate 30 seconds clock skew when validating JWT claims like `exp` or `nbf`.
+     *
+     * ```ts
+     * const client: oauth.Client = {
+     *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+     *   // ... other metadata
+     *   [oauth.clockTolerance]: 30,
+     * }
+     * ```
+     */
+    [clockTolerance]?: number;
     [metadata: string]: JsonValue | undefined;
 }
 export declare class UnsupportedOperationError extends Error {
@@ -593,6 +677,16 @@ export declare function parseWwwAuthenticateChallenges(response: Response): WWWA
  */
 export declare function processPushedAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<PushedAuthorizationResponse | OAuth2Error>;
 export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions, 'headers'>, DPoPRequestOptions {
+    /**
+     * Use to adjust the client's assumed current time. Positive and negative finite values
+     * representing seconds are allowed. Default is `0` (Date.now() + 0 seconds is used).
+     *
+     * This option only affects the request if the {@link ProtectedResourceRequestOptions.DPoP DPoP}
+     * option is also used.
+     *
+     * @ignore during Documentation generation but part of the public API
+     */
+    clockSkew?: number;
 }
 /**
  * Performs a protected resource request at an arbitrary URL.
@@ -1082,6 +1176,8 @@ export interface GenerateKeyPairOptions {
     extractable?: boolean;
     /** (RSA algorithms only) The length, in bits, of the RSA modulus. Default is `2048`. */
     modulusLength?: number;
+    /** (EdDSA algorithms only) The EdDSA sub-type. Default is `Ed25519`. */
+    crv?: 'Ed25519' | 'Ed448';
 }
 /**
  * Generates a CryptoKeyPair for a given JWS `alg` Algorithm identifier.

package/build/index.js

@@ -1,9 +1,11 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.0.6';
+    const VERSION = 'v2.2.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
+export const clockSkew = Symbol();
+export const clockTolerance = Symbol();
 const encoder = new TextEncoder();
 const decoder = new TextDecoder();
 function buf(input) {
@@ -113,7 +115,18 @@ function isPrivateKey(key) {
 function isPublicKey(key) {
     return isCryptoKey(key) && key.type === 'public';
 }
-const SUPPORTED_JWS_ALGS = ['PS256', 'ES256', 'RS256', 'EdDSA'];
+const SUPPORTED_JWS_ALGS = [
+    'PS256',
+    'ES256',
+    'RS256',
+    'PS384',
+    'ES384',
+    'RS384',
+    'PS512',
+    'ES512',
+    'RS512',
+    'EdDSA',
+];
 function processDpopNonce(response) {
     const url = new URL(response.url);
     if (response.headers.has('dpop-nonce')) {
@@ -263,6 +276,10 @@ function psAlg(key) {
     switch (key.algorithm.hash.name) {
         case 'SHA-256':
             return 'PS256';
+        case 'SHA-384':
+            return 'PS384';
+        case 'SHA-512':
+            return 'PS512';
         default:
             throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');
     }
@@ -271,6 +288,10 @@ function rsAlg(key) {
     switch (key.algorithm.hash.name) {
         case 'SHA-256':
             return 'RS256';
+        case 'SHA-384':
+            return 'RS384';
+        case 'SHA-512':
+            return 'RS512';
         default:
             throw new UnsupportedOperationError('unsupported RsaHashedKeyAlgorithm hash name');
     }
@@ -279,11 +300,15 @@ function esAlg(key) {
     switch (key.algorithm.namedCurve) {
         case 'P-256':
             return 'ES256';
+        case 'P-384':
+            return 'ES384';
+        case 'P-521':
+            return 'ES512';
         default:
             throw new UnsupportedOperationError('unsupported EcKeyAlgorithm namedCurve');
     }
 }
-function determineJWSAlgorithm(key) {
+function keyToJws(key) {
     switch (key.algorithm.name) {
         case 'RSA-PSS':
             return psAlg(key);
@@ -292,16 +317,30 @@ function determineJWSAlgorithm(key) {
         case 'ECDSA':
             return esAlg(key);
         case 'Ed25519':
+        case 'Ed448':
             return 'EdDSA';
         default:
             throw new UnsupportedOperationError('unsupported CryptoKey algorithm name');
     }
 }
+function getClockSkew(client) {
+    if (Number.isFinite(client[clockSkew])) {
+        return client[clockSkew];
+    }
+    return 0;
+}
+function getClockTolerance(client) {
+    const tolerance = client[clockTolerance];
+    if (Number.isFinite(tolerance) && Math.sign(tolerance) !== -1) {
+        return tolerance;
+    }
+    return 30;
+}
 function epochTime() {
     return Math.floor(Date.now() / 1000);
 }
 function clientAssertion(as, client) {
-    const now = epochTime();
+    const now = epochTime() + getClockSkew(client);
     return {
         jti: randomBytes(),
         aud: [as.issuer, as.token_endpoint],
@@ -314,7 +353,7 @@ function clientAssertion(as, client) {
 }
 async function privateKeyJwt(as, client, key, kid) {
     return jwt({
-        alg: determineJWSAlgorithm(key),
+        alg: keyToJws(key),
         kid,
     }, clientAssertion(as, client), key);
 }
@@ -398,7 +437,7 @@ async function jwt(header, claimsSet, key) {
         throw new TypeError('CryptoKey instances used for signing assertions must include "sign" in their "usages"');
     }
     const input = `${b64u(buf(JSON.stringify(header)))}.${b64u(buf(JSON.stringify(claimsSet)))}`;
-    const signature = b64u(await crypto.subtle.sign(subtleAlgorithm(key), key, buf(input)));
+    const signature = b64u(await crypto.subtle.sign(keyToSubtle(key), key, buf(input)));
     return `${input}.${signature}`;
 }
 export async function issueRequestObject(as, client, parameters, privateKey) {
@@ -413,7 +452,7 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         throw new TypeError('"privateKey.key" must be a private CryptoKey');
     }
     parameters.set('client_id', client.client_id);
-    const now = epochTime();
+    const now = epochTime() + getClockSkew(client);
     const claims = {
         ...Object.fromEntries(parameters.entries()),
         jti: randomBytes(),
@@ -445,12 +484,12 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         }
     }
     return jwt({
-        alg: determineJWSAlgorithm(key),
+        alg: keyToJws(key),
         typ: 'oauth-authz-req+jwt',
         kid,
     }, claims, key);
 }
-async function dpopProofJwt(headers, options, url, htm, accessToken) {
+async function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken) {
     const { privateKey, publicKey, nonce = dpopNonces.get(url.origin) } = options;
     if (!isPrivateKey(privateKey)) {
         throw new TypeError('"DPoP.privateKey" must be a private CryptoKey');
@@ -464,9 +503,9 @@ async function dpopProofJwt(headers, options, url, htm, accessToken) {
     if (!publicKey.extractable) {
         throw new TypeError('"DPoP.publicKey.extractable" must be true');
     }
-    const now = epochTime();
+    const now = epochTime() + clockSkew;
     const proof = await jwt({
-        alg: determineJWSAlgorithm(privateKey),
+        alg: keyToJws(privateKey),
         typ: 'dpop+jwt',
         jwk: await publicJwk(publicKey),
     }, {
@@ -507,7 +546,7 @@ export async function pushedAuthorizationRequest(as, client, parameters, options
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
     if (options?.DPoP !== undefined) {
-        await dpopProofJwt(headers, options.DPoP, url, 'POST');
+        await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));
     }
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
@@ -620,7 +659,7 @@ export async function protectedResourceRequest(accessToken, method, url, headers
         headers.set('authorization', `Bearer ${accessToken}`);
     }
     else {
-        await dpopProofJwt(headers, options.DPoP, url, 'GET', accessToken);
+        await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.clockSkew }), accessToken);
         headers.set('authorization', `DPoP ${accessToken}`);
     }
     return fetch(url.href, {
@@ -646,7 +685,10 @@ export async function userInfoRequest(as, client, accessToken, options) {
         headers.set('accept', 'application/json');
         headers.append('accept', 'application/jwt');
     }
-    return protectedResourceRequest(accessToken, 'GET', url, headers, null, options);
+    return protectedResourceRequest(accessToken, 'GET', url, headers, null, {
+        ...options,
+        clockSkew: getClockSkew(client),
+    });
 }
 let jwksCache;
 async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
@@ -707,7 +749,9 @@ async function getPublicSigKeyFromIssuerJwksUri(as, options, header) {
         }
         switch (true) {
             case alg === 'ES256' && jwk.crv !== 'P-256':
-            case alg === 'EdDSA' && jwk.crv !== 'Ed25519':
+            case alg === 'ES384' && jwk.crv !== 'P-384':
+            case alg === 'ES512' && jwk.crv !== 'P-521':
+            case alg === 'EdDSA' && !(jwk.crv === 'Ed25519' || jwk.crv === 'Ed448'):
                 return false;
         }
         return true;
@@ -745,7 +789,7 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
     let json;
     if (getContentType(response) === 'application/jwt') {
         assertReadableResponse(response);
-        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck)
+        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
             .then(validateOptionalAudience.bind(undefined, client.client_id))
             .then(validateOptionalIssuer.bind(undefined, as.issuer));
         json = claims;
@@ -801,7 +845,7 @@ async function tokenEndpointRequest(as, client, grantType, parameters, options)
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
     if (options?.DPoP !== undefined) {
-        await dpopProofJwt(headers, options.DPoP, url, 'POST');
+        await dpopProofJwt(headers, options.DPoP, url, 'POST', getClockSkew(client));
     }
     return authenticatedRequest(as, client, 'POST', url, parameters, headers, options);
 }
@@ -873,7 +917,7 @@ async function processGenericAccessTokenResponse(as, client, response, ignoreIdT
             throw new OPE('"response" body "id_token" property must be a non-empty string');
         }
         if (json.id_token) {
-            const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck)
+            const { claims } = await validateJwt(json.id_token, checkSigningAlgorithm.bind(undefined, client.id_token_signed_response_alg, as.id_token_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
                 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))
                 .then(validateIssuer.bind(undefined, as.issuer))
                 .then(validateAudience.bind(undefined, client.client_id));
@@ -977,8 +1021,8 @@ export async function processAuthorizationCodeOpenIDResponse(as, client, respons
         if (typeof maxAge !== 'number' || maxAge < 0) {
             throw new TypeError('"options.max_age" must be a non-negative number');
         }
-        const now = epochTime();
-        const tolerance = 30;
+        const now = epochTime() + getClockSkew(client);
+        const tolerance = getClockTolerance(client);
         if (claims.auth_time + maxAge < now - tolerance) {
             throw new OPE('too much time has elapsed since the last End-User authentication');
         }
@@ -1105,7 +1149,7 @@ export async function processIntrospectionResponse(as, client, response) {
     let json;
     if (getContentType(response) === 'application/token-introspection+jwt') {
         assertReadableResponse(response);
-        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck)
+        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
             .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))
             .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))
             .then(validateIssuer.bind(undefined, as.issuer))
@@ -1210,26 +1254,50 @@ function checkRsaKeyAlgorithm(algorithm) {
         throw new OPE(`${algorithm.name} modulusLength must be at least 2048 bits`);
     }
 }
-function subtleAlgorithm(key) {
+function ecdsaHashName(namedCurve) {
+    switch (namedCurve) {
+        case 'P-256':
+            return 'SHA-256';
+        case 'P-384':
+            return 'SHA-384';
+        case 'P-521':
+            return 'SHA-512';
+        default:
+            throw new UnsupportedOperationError();
+    }
+}
+function keyToSubtle(key) {
     switch (key.algorithm.name) {
         case 'ECDSA':
-            return { name: key.algorithm.name, hash: { name: 'SHA-256' } };
-        case 'RSA-PSS':
-            checkRsaKeyAlgorithm(key.algorithm);
             return {
                 name: key.algorithm.name,
-                saltLength: 256 >> 3,
+                hash: { name: ecdsaHashName(key.algorithm.namedCurve) },
             };
+        case 'RSA-PSS': {
+            checkRsaKeyAlgorithm(key.algorithm);
+            switch (key.algorithm.hash.name) {
+                case 'SHA-256':
+                case 'SHA-384':
+                case 'SHA-512':
+                    return {
+                        name: key.algorithm.name,
+                        saltLength: parseInt(key.algorithm.hash.name.slice(-3), 10) >> 3,
+                    };
+                default:
+                    throw new UnsupportedOperationError();
+            }
+        }
         case 'RSASSA-PKCS1-v1_5':
             checkRsaKeyAlgorithm(key.algorithm);
             return { name: key.algorithm.name };
+        case 'Ed448':
         case 'Ed25519':
             return { name: key.algorithm.name };
     }
     throw new UnsupportedOperationError();
 }
 const noSignatureCheck = Symbol();
-async function validateJwt(jws, checkAlg, getKey) {
+async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');
     if (length === 5) {
         throw new UnsupportedOperationError('JWE structure JWTs are not supported');
@@ -1255,7 +1323,7 @@ async function validateJwt(jws, checkAlg, getKey) {
     if (getKey !== noSignatureCheck) {
         const key = await getKey(header);
         const input = `${protectedHeader}.${payload}`;
-        const verified = await crypto.subtle.verify(subtleAlgorithm(key), key, signature, buf(input));
+        const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));
         if (!verified) {
             throw new OPE('JWT signature verification failed');
         }
@@ -1270,13 +1338,12 @@ async function validateJwt(jws, checkAlg, getKey) {
     if (!isJsonObject(claims)) {
         throw new OPE('JWT Payload must be a top level object');
     }
-    const now = epochTime();
-    const tolerance = 30;
+    const now = epochTime() + clockSkew;
     if (claims.exp !== undefined) {
         if (typeof claims.exp !== 'number') {
             throw new OPE('unexpected JWT "exp" (expiration time) claim type');
         }
-        if (claims.exp <= now - tolerance) {
+        if (claims.exp <= now - clockTolerance) {
             throw new OPE('unexpected JWT "exp" (expiration time) claim value, timestamp is <= now()');
         }
     }
@@ -1294,7 +1361,7 @@ async function validateJwt(jws, checkAlg, getKey) {
         if (typeof claims.nbf !== 'number') {
             throw new OPE('unexpected JWT "nbf" (not before) claim type');
         }
-        if (claims.nbf > now + tolerance) {
+        if (claims.nbf > now + clockTolerance) {
             throw new OPE('unexpected JWT "nbf" (not before) claim value, timestamp is > now()');
         }
     }
@@ -1321,7 +1388,7 @@ export async function validateJwtAuthResponse(as, client, parameters, expectedSt
     if (typeof as.jwks_uri !== 'string') {
         throw new TypeError('"as.jwks_uri" must be a string');
     }
-    const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options))
+    const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))
         .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))
         .then(validateIssuer.bind(undefined, as.issuer))
         .then(validateAudience.bind(undefined, client.client_id));
@@ -1416,26 +1483,38 @@ export function validateAuthResponse(as, client, parameters, expectedState) {
     }
     return new CallbackParameters(parameters);
 }
-async function importJwk(alg, jwk) {
-    const { ext, key_ops, use, ...key } = jwk;
-    let algorithm;
+function algToSubtle(alg, crv) {
     switch (alg) {
         case 'PS256':
-            algorithm = { name: 'RSA-PSS', hash: { name: 'SHA-256' } };
-            break;
+        case 'PS384':
+        case 'PS512':
+            return { name: 'RSA-PSS', hash: { name: `SHA-${alg.slice(-3)}` } };
         case 'RS256':
-            algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-256' } };
-            break;
+        case 'RS384':
+        case 'RS512':
+            return { name: 'RSASSA-PKCS1-v1_5', hash: { name: `SHA-${alg.slice(-3)}` } };
         case 'ES256':
-            algorithm = { name: 'ECDSA', namedCurve: 'P-256' };
-            break;
-        case 'EdDSA':
-            algorithm = { name: 'Ed25519' };
-            break;
+        case 'ES384':
+            return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };
+        case 'ES512':
+            return { name: 'ECDSA', namedCurve: 'P-521' };
+        case 'EdDSA': {
+            switch (crv) {
+                case 'Ed25519':
+                    return { name: 'Ed25519' };
+                case 'Ed448':
+                    return { name: 'Ed448' };
+                default:
+                    throw new UnsupportedOperationError();
+            }
+        }
         default:
             throw new UnsupportedOperationError();
     }
-    return crypto.subtle.importKey('jwk', key, algorithm, true, ['verify']);
+}
+async function importJwk(alg, jwk) {
+    const { ext, key_ops, use, ...key } = jwk;
+    return crypto.subtle.importKey('jwk', key, algToSubtle(alg, jwk.crv), true, ['verify']);
 }
 export async function deviceAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
@@ -1512,35 +1591,15 @@ export async function processDeviceCodeResponse(as, client, response) {
     return processGenericAccessTokenResponse(as, client, response);
 }
 export async function generateKeyPair(alg, options) {
-    let algorithm;
     if (!validateString(alg)) {
         throw new TypeError('"alg" must be a non-empty string');
     }
-    switch (alg) {
-        case 'PS256':
-            algorithm = {
-                name: 'RSA-PSS',
-                hash: { name: 'SHA-256' },
-                modulusLength: options?.modulusLength ?? 2048,
-                publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-            };
-            break;
-        case 'RS256':
-            algorithm = {
-                name: 'RSASSA-PKCS1-v1_5',
-                hash: { name: 'SHA-256' },
-                modulusLength: options?.modulusLength ?? 2048,
-                publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-            };
-            break;
-        case 'ES256':
-            algorithm = { name: 'ECDSA', namedCurve: 'P-256' };
-            break;
-        case 'EdDSA':
-            algorithm = { name: 'Ed25519' };
-            break;
-        default:
-            throw new UnsupportedOperationError();
+    const algorithm = algToSubtle(alg, alg === 'EdDSA' ? options?.crv ?? 'Ed25519' : undefined);
+    if (alg.startsWith('PS') || alg.startsWith('RS')) {
+        Object.assign(algorithm, {
+            modulusLength: options?.modulusLength ?? 2048,
+            publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+        });
     }
     return (crypto.subtle.generateKey(algorithm, options?.extractable ?? false, ['sign', 'verify']));
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.0.6",
+  "version": "2.2.0",
   "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
   "keywords": [
     "auth",
@@ -62,21 +62,21 @@
     "test": "bash -c 'source .node_flags.sh && ava'"
   },
   "devDependencies": {
-    "@esbuild-kit/esm-loader": "^2.5.1",
-    "@types/node": "^18.11.9",
-    "@types/qunit": "^2.19.3",
-    "ava": "^5.1.0",
-    "edge-runtime": "^2.0.2",
-    "esbuild": "^0.16.1",
-    "jose": "^4.11.1",
-    "patch-package": "^6.5.0",
-    "prettier": "^2.8.0",
+    "@esbuild-kit/esm-loader": "^2.5.5",
+    "@types/node": "^18.15.0",
+    "@types/qunit": "^2.19.4",
+    "ava": "^5.2.0",
+    "edge-runtime": "^2.1.2",
+    "esbuild": "^0.17.11",
+    "jose": "^4.13.1",
+    "patch-package": "^6.5.1",
+    "prettier": "^2.8.4",
     "prettier-plugin-jsdoc": "^0.4.2",
-    "qunit": "^2.19.3",
+    "qunit": "^2.19.4",
     "timekeeper": "^2.2.0",
-    "typedoc": "^0.23.21",
-    "typedoc-plugin-markdown": "^3.13.6",
-    "typescript": "^4.9.3",
-    "undici": "^5.13.0"
+    "typedoc": "^0.23.26",
+    "typedoc-plugin-markdown": "^3.14.0",
+    "typescript": "^4.9.5",
+    "undici": "^5.20.0"
   }
 }