oauth4webapi 2.12.1 → 2.12.2

package/README.md

@@ -21,7 +21,7 @@ The following features are currently in scope and implemented in this software:
 
 [<img width="96" height="50" align="right" src="https://user-images.githubusercontent.com/241506/166977513-7cd710a9-7f60-4944-aebe-a658e9f36375.png" alt="OpenID Certification">](#certification)
 
-[Filip Skokan](https://github.com/panva) has certified that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.
+[Filip Skokan](https://github.com/panva) has [certified](https://openid.net/certification) that [this software](https://github.com/panva/oauth4webapi) conforms to the Basic, FAPI 1.0, and FAPI 2.0 Relying Party Conformance Profiles of the OpenID Connect™ protocol.
 
 ## [💗 Help the project](https://github.com/sponsors/panva)
 
@@ -46,7 +46,7 @@ import * as oauth from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth from 'https://deno.land/x/oauth4webapi@v2.12.1/mod.ts'
+import * as oauth from 'https://deno.land/x/oauth4webapi@v2.12.2/mod.ts'
 ```
 
 - Authorization Code Flow (OAuth 2.0) - [source](examples/oauth.ts)

package/build/index.d.ts

@@ -1741,9 +1741,7 @@ export interface ValidateJWTAccessTokenOptions extends HttpRequestOptions, JWKSC
  * function's execution.
  *
  * @param as Authorization Server to accept JWT Access Tokens from.
- * @param request
  * @param expectedAudience Audience identifier the resource server expects for itself.
- * @param options
  *
  * @group JWT Access Tokens
  *

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.12.1';
+    const VERSION = 'v2.12.2';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 function looseInstanceOf(input, expected) {
@@ -991,8 +991,13 @@ async function processGenericAccessTokenResponse(as, client, response, ignoreIdT
                 .then(validatePresence.bind(undefined, ['aud', 'exp', 'iat', 'iss', 'sub']))
                 .then(validateIssuer.bind(undefined, as.issuer))
                 .then(validateAudience.bind(undefined, client.client_id));
-            if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {
-                throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+            if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+                if (claims.azp === undefined) {
+                    throw new OPE('ID Token "aud" (audience) claim includes additional untrusted audiences');
+                }
+                if (claims.azp !== client.client_id) {
+                    throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+                }
             }
             if (claims.auth_time !== undefined &&
                 (!Number.isFinite(claims.auth_time) || Math.sign(claims.auth_time) !== 1)) {
@@ -1462,9 +1467,6 @@ export async function validateJwtAuthResponse(as, client, parameters, expectedSt
     if (!response) {
         throw new OPE('"parameters" does not contain a JARM response');
     }
-    if (typeof as.jwks_uri !== 'string') {
-        throw new TypeError('"as.jwks_uri" must be a string');
-    }
     const { claims } = await validateJwt(response, checkSigningAlgorithm.bind(undefined, client.authorization_signed_response_alg, as.authorization_signing_alg_values_supported), getPublicSigKeyFromIssuerJwksUri.bind(undefined, as, options), getClockSkew(client), getClockTolerance(client))
         .then(validatePresence.bind(undefined, ['aud', 'exp', 'iss']))
         .then(validateIssuer.bind(undefined, as.issuer))
@@ -1549,9 +1551,6 @@ export async function validateDetachedSignatureResponse(as, client, parameters,
     if (!code) {
         throw new OPE('"parameters" does not contain an Authorization Code');
     }
-    if (typeof as.jwks_uri !== 'string') {
-        throw new TypeError('"as.jwks_uri" must be a string');
-    }
     const requiredClaims = [
         'aud',
         'exp',
@@ -1610,8 +1609,13 @@ export async function validateDetachedSignatureResponse(as, client, parameters,
     if (claims.nonce !== expectedNonce) {
         throw new OPE('unexpected ID Token "nonce" claim value');
     }
-    if (Array.isArray(claims.aud) && claims.aud.length !== 1 && claims.azp !== client.client_id) {
-        throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+    if (Array.isArray(claims.aud) && claims.aud.length !== 1) {
+        if (claims.azp === undefined) {
+            throw new OPE('ID Token "aud" (audience) claim includes additional untrusted audiences');
+        }
+        if (claims.azp !== client.client_id) {
+            throw new OPE('unexpected ID Token "azp" (authorized party) claim value');
+        }
     }
     return result;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.12.1",
+  "version": "2.12.2",
   "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "access token",
@@ -67,7 +67,7 @@
   "devDependencies": {
     "@koa/cors": "^5.0.0",
     "@types/koa__cors": "^5.0.0",
-    "@types/node": "^20.16.3",
+    "@types/node": "^20.16.5",
     "@types/qunit": "^2.19.10",
     "archiver": "^7.0.1",
     "ava": "^6.1.3",
@@ -79,15 +79,15 @@
     "patch-package": "^8.0.0",
     "prettier": "^3.3.3",
     "prettier-plugin-jsdoc": "^1.3.0",
-    "puppeteer-core": "^23.2.2",
+    "puppeteer-core": "^23.3.0",
     "qunit": "^2.22.0",
     "raw-body": "^3.0.0",
     "selfsigned": "^2.4.1",
     "timekeeper": "^2.3.1",
     "tsx": "^4.19.0",
     "typedoc": "^0.26.6",
-    "typedoc-plugin-markdown": "^4.2.6",
-    "typedoc-plugin-mdn-links": "^3.2.11",
+    "typedoc-plugin-markdown": "^4.2.7",
+    "typedoc-plugin-mdn-links": "^3.2.12",
     "typescript": "~5.5.4",
     "undici": "^6.19.8"
   }