oauth4webapi 2.12.2 → 2.14.0

package/README.md

@@ -33,7 +33,7 @@ Support from the community to continue maintaining and improving this module is
 
 ## [API Reference](docs/README.md)
 
-`oauth4webapi` is distributed via [npmjs.com](https://www.npmjs.com/package/oauth4webapi), [deno.land/x](https://deno.land/x/oauth4webapi), [cdnjs.com](https://cdnjs.com/libraries/oauth4webapi), [jsdelivr.com](https://www.jsdelivr.com/package/npm/oauth4webapi), and [github.com](https://github.com/panva/oauth4webapi).
+`oauth4webapi` is distributed via [npmjs.com](https://www.npmjs.com/package/oauth4webapi), [jsr.io](https://jsr.io/@panva/oauth4webapi), [deno.land/x](https://deno.land/x/oauth4webapi), [cdnjs.com](https://cdnjs.com/libraries/oauth4webapi), [jsdelivr.com](https://www.jsdelivr.com/package/npm/oauth4webapi), and [github.com](https://github.com/panva/oauth4webapi).
 
 ## [Examples](examples/README.md)
 
@@ -43,12 +43,6 @@ Support from the community to continue maintaining and improving this module is
 import * as oauth from 'oauth4webapi'
 ```
 
-**`example`** Deno import
-
-```js
-import * as oauth from 'https://deno.land/x/oauth4webapi@v2.12.2/mod.ts'
-```
-
 - Authorization Code Flow (OAuth 2.0) - [source](examples/oauth.ts)
 - Authorization Code Flow (OpenID Connect) - [source](examples/oidc.ts) | [diff](examples/oidc.diff)
 - Extensions

package/build/index.d.ts

@@ -59,7 +59,7 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  *
  * @example
  *
- * CryptoKey algorithm for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
+ * {@link !CryptoKey.algorithm} for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
  *
  * ```ts
  * interface PS256 extends RsaHashedKeyAlgorithm {
@@ -80,7 +80,7 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  *
  * @example
  *
- * CryptoKey algorithm for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
+ * {@link !CryptoKey.algorithm} for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
  *
  * ```ts
  * interface ES256 extends EcKeyAlgorithm {
@@ -101,7 +101,7 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  *
  * @example
  *
- * CryptoKey algorithm for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
+ * {@link !CryptoKey.algorithm} for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
  *
  * ```ts
  * interface RS256 extends RsaHashedKeyAlgorithm {
@@ -122,7 +122,7 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  *
  * @example
  *
- * CryptoKey algorithm for the `EdDSA` JWS Algorithm Identifier (Experimental)
+ * {@link !CryptoKey.algorithm} for the `EdDSA` JWS Algorithm Identifier (Experimental)
  *
  * Runtime support for this algorithm is limited, it depends on the [Secure Curves in the Web
  * Cryptography API](https://wicg.github.io/webcrypto-secure-curves/) proposal which is yet to be
@@ -196,29 +196,29 @@ export declare const clockSkew: unique symbol;
 export declare const clockTolerance: unique symbol;
 /**
  * When configured on an interface that extends {@link HttpRequestOptions}, this applies to `options`
- * parameter for functions that trigger HTTP requests, this replaces the use of global fetch. As a
- * fetch replacement the arguments and expected return are the same as fetch.
+ * parameter for functions that may trigger HTTP requests, this replaces the use of global fetch. As
+ * a fetch replacement the arguments and expected return are the same as fetch.
  *
  * In theory any module that claims to be compatible with the Fetch API can be used but your mileage
- * may vary. No workarounds to allow use of non-conform {@link Response}s will be considered.
+ * may vary. No workarounds to allow use of non-conform {@link !Response}s will be considered.
  *
- * If you only need to update the {@link Request} properties you do not need to use a Fetch API
+ * If you only need to update the {@link !Request} properties you do not need to use a Fetch API
  * module, just change what you need and pass it to globalThis.fetch just like this module would
  * normally do.
  *
  * Its intended use cases are:
  *
- * - {@link Request}/{@link Response} tracing and logging
+ * - {@link !Request}/{@link !Response} tracing and logging
  * - Custom caching strategies for responses of Authorization Server Metadata and JSON Web Key Set
  *   (JWKS) endpoints
- * - Changing the {@link Request} properties like headers, body, credentials, mode before it is passed
+ * - Changing the {@link !Request} properties like headers, body, credentials, mode before it is passed
  *   to fetch
  *
  * Known caveats:
  *
  * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
  *   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
- * - Returning self-constructed {@link Response} instances prohibits AS/RS-signalled DPoP Nonce
+ * - Returning self-constructed {@link !Response} instances prohibits AS/RS-signalled DPoP Nonce
  *   caching.
  *
  * @example
@@ -288,7 +288,7 @@ export declare const customFetch: unique symbol;
  * is not desirable.
  *
  * When configured on an interface that extends {@link JWKSCacheOptions}, this applies to `options`
- * parameter for functions that trigger HTTP requests for the
+ * parameter for functions that may trigger HTTP requests to
  * {@link AuthorizationServer.jwks_uri `as.jwks_uri`}, this allows the passed in object to:
  *
  * - Serve as an initial value for the JSON Web Key Set that the module would otherwise need to
@@ -851,8 +851,8 @@ export interface DiscoveryRequestOptions extends HttpRequestOptions {
  */
 export declare function discoveryRequest(issuerIdentifier: URL, options?: DiscoveryRequestOptions): Promise<Response>;
 /**
- * Validates Response instance to be one coming from the authorization server's well-known discovery
- * endpoint.
+ * Validates {@link !Response} instance to be one coming from the authorization server's well-known
+ * discovery endpoint.
  *
  * @param expectedIssuerIdentifier Expected Issuer Identifier value.
  * @param response Resolved value from {@link discoveryRequest}.
@@ -1021,7 +1021,7 @@ export interface WWWAuthenticateChallenge {
     readonly parameters: WWWAuthenticateChallengeParameters;
 }
 /**
- * Parses the `WWW-Authenticate` HTTP Header from a Response instance.
+ * Parses the `WWW-Authenticate` HTTP Header from a {@link !Response} instance.
  *
  * @returns Array of {@link WWWAuthenticateChallenge} objects. Their order from the response is
  *   preserved. `undefined` when there wasn't a `WWW-Authenticate` HTTP Header returned.
@@ -1039,7 +1039,7 @@ export interface WWWAuthenticateChallenge {
  */
 export declare function parseWwwAuthenticateChallenges(response: Response): WWWAuthenticateChallenge[] | undefined;
 /**
- * Validates Response instance to be one coming from the
+ * Validates {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.pushed_authorization_request_endpoint `as.pushed_authorization_request_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1144,7 +1144,7 @@ export type JWKSCacheInput = ExportedJWKSCache | Record<string, never>;
  */
 export declare const skipSubjectCheck: unique symbol;
 /**
- * Validates Response instance to be one coming from the
+ * Validates {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.userinfo_endpoint `as.userinfo_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1205,8 +1205,77 @@ export declare function getValidatedIdTokenClaims(ref: OpenIDTokenEndpointRespon
  * @returns JWT Claims Set from an ID Token, or undefined if there is no ID Token in `ref`.
  */
 export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): IDToken | undefined;
+export interface ValidateSignatureOptions extends HttpRequestOptions, JWKSCacheOptions {
+}
+/**
+ * Validates the JWS Signature of an ID Token included in results previously resolved from
+ * {@link processAuthorizationCodeOpenIDResponse}, {@link processRefreshTokenResponse}, or
+ * {@link processDeviceCodeResponse} for non-repudiation purposes.
+ *
+ * Note: Validating signatures of ID Tokens received via direct communication between the Client and
+ * the Token Endpoint (which it is here) is not mandatory since the TLS server validation is used to
+ * validate the issuer instead of checking the token signature. You only need to use this method for
+ * non-repudiation purposes.
+ *
+ * Note: Supports only digital signatures.
+ *
+ * @param as Authorization Server Metadata.
+ * @param ref Value previously resolved from {@link processAuthorizationCodeOpenIDResponse},
+ *   {@link processRefreshTokenResponse}, or {@link processDeviceCodeResponse}.
+ *
+ * @returns Resolves if the signature validates, rejects otherwise.
+ *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group FAPI 1.0 Advanced
+ *
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
+ */
+export declare function validateIdTokenSignature(as: AuthorizationServer, ref: OpenIDTokenEndpointResponse | TokenEndpointResponse, options?: ValidateSignatureOptions): Promise<void>;
+/**
+ * Validates the JWS Signature of a JWT {@link !Response} body of response previously processed by
+ * {@link processUserInfoResponse} for non-repudiation purposes.
+ *
+ * Note: Validating signatures of JWTs received via direct communication between the Client and a
+ * TLS-secured Endpoint (which it is here) is not mandatory since the TLS server validation is used
+ * to validate the issuer instead of checking the token signature. You only need to use this method
+ * for non-repudiation purposes.
+ *
+ * Note: Supports only digital signatures.
+ *
+ * @param as Authorization Server Metadata.
+ * @param ref Response previously processed by {@link processUserInfoResponse}.
+ *
+ * @returns Resolves if the signature validates, rejects otherwise.
+ *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group OpenID Connect (OIDC) UserInfo
+ *
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+ */
+export declare function validateJwtUserinfoSignature(as: AuthorizationServer, ref: Response, options?: ValidateSignatureOptions): Promise<void>;
 /**
- * Validates Refresh Token Grant Response instance to be one coming from the
+ * Validates the JWS Signature of an JWT {@link !Response} body of responses previously processed by
+ * {@link processIntrospectionResponse} for non-repudiation purposes.
+ *
+ * Note: Validating signatures of JWTs received via direct communication between the Client and a
+ * TLS-secured Endpoint (which it is here) is not mandatory since the TLS server validation is used
+ * to validate the issuer instead of checking the token signature. You only need to use this method
+ * for non-repudiation purposes.
+ *
+ * Note: Supports only digital signatures.
+ *
+ * @param as Authorization Server Metadata.
+ * @param ref Response previously processed by {@link processIntrospectionResponse}.
+ *
+ * @returns Resolves if the signature validates, rejects otherwise.
+ *
+ * @group Token Introspection
+ *
+ * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5)
+ */
+export declare function validateJwtIntrospectionSignature(as: AuthorizationServer, ref: Response, options?: ValidateSignatureOptions): Promise<void>;
+/**
+ * Validates Refresh Token Grant {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1336,8 +1405,8 @@ export declare const expectNoNonce: unique symbol;
  */
 export declare const skipAuthTimeCheck: unique symbol;
 /**
- * (OpenID Connect only) Validates Authorization Code Grant Response instance to be one coming from
- * the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
+ * (OpenID Connect only) Validates Authorization Code Grant {@link !Response} instance to be one
+ * coming from the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
  *
  * @param as Authorization Server Metadata.
  * @param client Client Metadata.
@@ -1360,8 +1429,9 @@ export declare const skipAuthTimeCheck: unique symbol;
  */
 export declare function processAuthorizationCodeOpenIDResponse(as: AuthorizationServer, client: Client, response: Response, expectedNonce?: string | typeof expectNoNonce, maxAge?: number | typeof skipAuthTimeCheck): Promise<OpenIDTokenEndpointResponse | OAuth2Error>;
 /**
- * (OAuth 2.0 without OpenID Connect only) Validates Authorization Code Grant Response instance to
- * be one coming from the {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
+ * (OAuth 2.0 without OpenID Connect only) Validates Authorization Code Grant {@link !Response}
+ * instance to be one coming from the
+ * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
  *
  * @param as Authorization Server Metadata.
  * @param client Client Metadata.
@@ -1392,7 +1462,7 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  */
 export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
 /**
- * Validates Client Credentials Grant Response instance to be one coming from the
+ * Validates Client Credentials Grant {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1429,7 +1499,7 @@ export interface RevocationRequestOptions extends HttpRequestOptions, Authentica
  */
 export declare function revocationRequest(as: AuthorizationServer, client: Client, token: string, options?: RevocationRequestOptions): Promise<Response>;
 /**
- * Validates Response instance to be one coming from the
+ * Validates {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.revocation_endpoint `as.revocation_endpoint`}.
  *
  * @param response Resolved value from {@link revocationRequest}.
@@ -1497,7 +1567,7 @@ export interface IntrospectionResponse {
     readonly [claim: string]: JsonValue | undefined;
 }
 /**
- * Validates Response instance to be one coming from the
+ * Validates {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1517,8 +1587,6 @@ export declare function processIntrospectionResponse(as: AuthorizationServer, cl
 export interface JWKS {
     readonly keys: JWK[];
 }
-export interface ValidateJwtAuthResponseOptions extends HttpRequestOptions, JWKSCacheOptions {
-}
 /**
  * Same as {@link validateAuthResponse} but for signed JARM responses.
  *
@@ -1535,9 +1603,7 @@ export interface ValidateJwtAuthResponseOptions extends HttpRequestOptions, JWKS
  *
  * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
  */
-export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: ValidateJwtAuthResponseOptions): Promise<URLSearchParams | OAuth2Error>;
-export interface ValidateDetachedSignatureResponseOptions extends HttpRequestOptions, JWKSCacheOptions {
-}
+export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: ValidateSignatureOptions): Promise<URLSearchParams | OAuth2Error>;
 /**
  * Same as {@link validateAuthResponse} but for FAPI 1.0 Advanced Detached Signature authorization
  * responses.
@@ -1560,7 +1626,7 @@ export interface ValidateDetachedSignatureResponseOptions extends HttpRequestOpt
  *
  * @see [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature)
  */
-export declare function validateDetachedSignatureResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateDetachedSignatureResponseOptions): Promise<URLSearchParams | OAuth2Error>;
+export declare function validateDetachedSignatureResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateSignatureOptions): Promise<URLSearchParams | OAuth2Error>;
 /**
  * DANGER ZONE - This option has security implications that must be understood, assessed for
  * applicability, and accepted before use.
@@ -1623,7 +1689,7 @@ export interface DeviceAuthorizationResponse {
     readonly [parameter: string]: JsonValue | undefined;
 }
 /**
- * Validates Response instance to be one coming from the
+ * Validates {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.device_authorization_endpoint `as.device_authorization_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1654,7 +1720,7 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
- * Validates Device Authorization Grant Response instance to be one coming from the
+ * Validates Device Authorization Grant {@link !Response} instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
  *
  * @param as Authorization Server Metadata.
@@ -1680,12 +1746,12 @@ export interface GenerateKeyPairOptions {
      */
     modulusLength?: number;
     /**
-     * (EdDSA algorithms only) The EdDSA sub-type. Default is `Ed25519`.
+     * (EdDSA algorithm only) The EdDSA sub-type. Default is `Ed25519`.
      */
     crv?: 'Ed25519' | 'Ed448';
 }
 /**
- * Generates a CryptoKeyPair for a given JWS `alg` Algorithm identifier.
+ * Generates a {@link !CryptoKeyPair} for a given JWS `alg` Algorithm identifier.
  *
  * @param alg Supported JWS `alg` Algorithm identifier.
  *
@@ -1719,7 +1785,7 @@ export interface ValidateJWTAccessTokenOptions extends HttpRequestOptions, JWKSC
     [clockTolerance]?: number;
 }
 /**
- * Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given {@link Request} as per
+ * Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given {@link !Request} as per
  * RFC 6750, RFC 9068, and RFC 9449.
  *
  * The only supported means of sending access tokens is via the Authorization Request Header Field
@@ -1791,17 +1857,31 @@ export type IntrospectionConfirmationClaims = ConfirmationClaims;
  *
  * @deprecated Use {@link validateDetachedSignatureResponse}.
  */
-export declare const experimental_validateDetachedSignatureResponse: (as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedNonce: string, expectedState?: string | typeof expectNoState | undefined, maxAge?: number | typeof skipAuthTimeCheck | undefined, options?: ValidateDetachedSignatureResponseOptions | undefined) => Promise<URLSearchParams | OAuth2Error>;
+export declare const experimental_validateDetachedSignatureResponse: (as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedNonce: string, expectedState?: string | typeof expectNoState | undefined, maxAge?: number | typeof skipAuthTimeCheck | undefined, options?: ValidateSignatureOptions | undefined) => ReturnType<typeof validateDetachedSignatureResponse>;
 /**
  * @ignore
  *
  * @deprecated Use {@link validateJwtAccessToken}.
  */
-export declare const experimental_validateJwtAccessToken: (as: AuthorizationServer, request: Request, expectedAudience: string, options?: ValidateJWTAccessTokenOptions | undefined) => Promise<JWTAccessTokenClaims>;
+export declare const experimental_validateJwtAccessToken: (as: AuthorizationServer, request: Request, expectedAudience: string, options?: ValidateJWTAccessTokenOptions | undefined) => ReturnType<typeof validateJwtAccessToken>;
 /**
  * @ignore
  *
  * @deprecated Use {@link jwksCache}.
  */
 export declare const experimental_jwksCache: symbol;
+/**
+ * @ignore
+ *
+ * @deprecated Use {@link ValidateSignatureOptions}.
+ */
+export interface ValidateJwtResponseSignatureOptions extends ValidateSignatureOptions {
+}
+/**
+ * @ignore
+ *
+ * @deprecated Use {@link ValidateSignatureOptions}.
+ */
+export interface ValidateDetachedSignatureResponseOptions extends ValidateSignatureOptions {
+}
 export {};

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.12.2';
+    const VERSION = 'v2.14.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 function looseInstanceOf(input, expected) {
@@ -858,9 +858,11 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
     let json;
     if (getContentType(response) === 'application/jwt') {
         assertReadableResponse(response);
-        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
+        const jwt = await response.text();
+        const { claims } = await validateJwt(jwt, checkSigningAlgorithm.bind(undefined, client.userinfo_signed_response_alg, as.userinfo_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
             .then(validateOptionalAudience.bind(undefined, client.client_id))
             .then(validateOptionalIssuer.bind(undefined, as.issuer));
+        jwtResponseBodies.set(response, jwt);
         json = claims;
     }
     else {
@@ -926,6 +928,7 @@ export async function refreshTokenGrantRequest(as, client, refreshToken, options
     return tokenEndpointRequest(as, client, 'refresh_token', parameters, options);
 }
 const idTokenClaims = new WeakMap();
+const jwtResponseBodies = new WeakMap();
 export function getValidatedIdTokenClaims(ref) {
     if (!ref.id_token) {
         return undefined;
@@ -936,6 +939,40 @@ export function getValidatedIdTokenClaims(ref) {
     }
     return claims;
 }
+export async function validateIdTokenSignature(as, ref, options) {
+    assertAs(as);
+    if (!getValidatedIdTokenClaims(ref)) {
+        throw new OPE('"ref" does not contain an ID Token to verify the signature of');
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature } = ref.id_token.split('.');
+    const header = JSON.parse(buf(b64u(protectedHeader)));
+    if (header.alg.startsWith('HS')) {
+        throw new UnsupportedOperationError();
+    }
+    let key;
+    key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));
+}
+async function validateJwtResponseSignature(as, ref, options) {
+    assertAs(as);
+    if (!jwtResponseBodies.has(ref)) {
+        throw new OPE('"ref" does not contain a processed JWT Response to verify the signature of');
+    }
+    const { 0: protectedHeader, 1: payload, 2: encodedSignature, } = jwtResponseBodies.get(ref).split('.');
+    const header = JSON.parse(buf(b64u(protectedHeader)));
+    if (header.alg.startsWith('HS')) {
+        throw new UnsupportedOperationError();
+    }
+    let key;
+    key = await getPublicSigKeyFromIssuerJwksUri(as, options, header);
+    await validateJwsSignature(protectedHeader, payload, key, b64u(encodedSignature));
+}
+export function validateJwtUserinfoSignature(as, ref, options) {
+    return validateJwtResponseSignature(as, ref, options);
+}
+export function validateJwtIntrospectionSignature(as, ref, options) {
+    return validateJwtResponseSignature(as, ref, options);
+}
 async function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {
     assertAs(as);
     assertClient(client);
@@ -1233,11 +1270,13 @@ export async function processIntrospectionResponse(as, client, response) {
     let json;
     if (getContentType(response) === 'application/token-introspection+jwt') {
         assertReadableResponse(response);
-        const { claims } = await validateJwt(await response.text(), checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
+        const jwt = await response.text();
+        const { claims } = await validateJwt(jwt, checkSigningAlgorithm.bind(undefined, client.introspection_signed_response_alg, as.introspection_signing_alg_values_supported), noSignatureCheck, getClockSkew(client), getClockTolerance(client))
             .then(checkJwtType.bind(undefined, 'token-introspection+jwt'))
             .then(validatePresence.bind(undefined, ['aud', 'iat', 'iss']))
             .then(validateIssuer.bind(undefined, as.issuer))
             .then(validateAudience.bind(undefined, client.client_id));
+        jwtResponseBodies.set(response, jwt);
         json = claims.token_introspection;
         if (!isJsonObject(json)) {
             throw new OPE('JWT "token_introspection" claim must be a JSON object');
@@ -1378,6 +1417,13 @@ function keyToSubtle(key) {
     throw new UnsupportedOperationError();
 }
 const noSignatureCheck = Symbol();
+async function validateJwsSignature(protectedHeader, payload, key, signature) {
+    const input = `${protectedHeader}.${payload}`;
+    const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));
+    if (!verified) {
+        throw new OPE('JWT signature verification failed');
+    }
+}
 async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     const { 0: protectedHeader, 1: payload, 2: encodedSignature, length } = jws.split('.');
     if (length === 5) {
@@ -1404,11 +1450,7 @@ async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     let key;
     if (getKey !== noSignatureCheck) {
         key = await getKey(header);
-        const input = `${protectedHeader}.${payload}`;
-        const verified = await crypto.subtle.verify(keyToSubtle(key), key, signature, buf(input));
-        if (!verified) {
-            throw new OPE('JWT signature verification failed');
-        }
+        await validateJwsSignature(protectedHeader, payload, key, signature);
     }
     let claims;
     try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.12.2",
+  "version": "2.14.0",
   "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "access token",
@@ -50,7 +50,7 @@
   ],
   "scripts": {
     "_format": "find src test tap examples conformance -type f -name '*.ts' -o -name '*.mjs' -o -name '*.cjs' | xargs prettier",
-    "build": "rm -rf build && tsc && tsc --declaration true --emitDeclarationOnly true --removeComments false && tsc -p test && tsc -p examples && tsc -p conformance && tsc -p tap",
+    "build": "rm -rf build && tsc && tsc --declaration true --emitDeclarationOnly true --removeComments false && tsc -p test && tsc -p examples && tsc -p conformance && tsc -p tap && npx --yes jsr publish --dry-run --allow-dirty",
     "conformance": "bash -c 'source .node_flags.sh && ava --config conformance/ava.config.ts'",
     "docs": "patch-package && typedoc",
     "format": "npm run _format -- --write",
@@ -74,7 +74,7 @@
     "chrome-launcher": "^1.1.2",
     "edge-runtime": "^3.0.3",
     "esbuild": "^0.23.1",
-    "jose": "^5.8.0",
+    "jose": "^5.9.2",
     "oidc-provider": "^8.5.1",
     "patch-package": "^8.0.0",
     "prettier": "^3.3.3",
@@ -84,8 +84,8 @@
     "raw-body": "^3.0.0",
     "selfsigned": "^2.4.1",
     "timekeeper": "^2.3.1",
-    "tsx": "^4.19.0",
-    "typedoc": "^0.26.6",
+    "tsx": "^4.19.1",
+    "typedoc": "^0.26.7",
     "typedoc-plugin-markdown": "^4.2.7",
     "typedoc-plugin-mdn-links": "^3.2.12",
     "typescript": "~5.5.4",