oauth4webapi 2.2.3 → 2.3.0

package/README.md

@@ -39,7 +39,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.2.3/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.3.0/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)

package/build/index.d.ts

@@ -613,7 +613,7 @@ export interface PushedAuthorizationRequestOptions extends HttpRequestOptions, A
  *
  * @see [RFC 9101 - The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2)
  */
-export declare function issueRequestObject(as: AuthorizationServer, client: Client, parameters: URLSearchParams, privateKey: CryptoKey | PrivateKey): Promise<string>;
+export declare function issueRequestObject(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], privateKey: CryptoKey | PrivateKey): Promise<string>;
 /**
  * Performs a Pushed Authorization Request at the
  * {@link AuthorizationServer.pushed_authorization_request_endpoint `as.pushed_authorization_request_endpoint`}.
@@ -623,9 +623,9 @@ export declare function issueRequestObject(as: AuthorizationServer, client: Clie
  * @param parameters Authorization Request parameters.
  *
  * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-with-pushed-authorizat)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-with-pushed-authorizat)
  */
-export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams, options?: PushedAuthorizationRequestOptions): Promise<Response>;
+export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: PushedAuthorizationRequestOptions): Promise<Response>;
 export interface PushedAuthorizationResponse {
     readonly request_uri: string;
     readonly expires_in: number;
@@ -701,7 +701,7 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
  * @param body Request body compatible with the Fetch API and the request's method.
  *
  * @see [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-protected-resource-access)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
  */
 export declare function protectedResourceRequest(accessToken: string, method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | string, url: URL, headers: Headers, body: RequestInit['body'], options?: ProtectedResourceRequestOptions): Promise<Response>;
 export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions {
@@ -717,7 +717,7 @@ export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestO
  * @param accessToken Access Token value.
  *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-protected-resource-access)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
  */
 export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise<Response>;
 export interface UserInfoAddress {
@@ -779,7 +779,7 @@ export declare const skipSubjectCheck: unique symbol;
 export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response): Promise<UserInfoResponse>;
 export interface TokenEndpointRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions, DPoPRequestOptions {
     /** Any additional parameters to send. This cannot override existing parameter values. */
-    additionalParameters?: URLSearchParams;
+    additionalParameters?: URLSearchParams | Record<string, string> | string[][];
 }
 /**
  * Performs a Refresh Token Grant request at the
@@ -791,7 +791,7 @@ export interface TokenEndpointRequestOptions extends HttpRequestOptions, Authent
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
  */
 export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, refreshToken: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -841,9 +841,9 @@ export declare function processRefreshTokenResponse(as: AuthorizationServer, cli
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
  */
-export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, callbackParameters: CallbackParameters, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise<Response>;
+export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, callbackParameters: URLSearchParams, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 interface JWTPayload {
     readonly iss?: string;
     readonly sub?: string;
@@ -958,9 +958,9 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  * @param client Client Metadata.
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
  */
-export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams, options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
+export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
 /**
  * Validates Client Credentials Grant Response instance to be one coming from the
  * {@link AuthorizationServer.token_endpoint `as.token_endpoint`}.
@@ -977,7 +977,7 @@ export declare function clientCredentialsGrantRequest(as: AuthorizationServer, c
 export declare function processClientCredentialsResponse(as: AuthorizationServer, client: Client, response: Response): Promise<ClientCredentialsGrantResponse | OAuth2Error>;
 export interface RevocationRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions {
     /** Any additional parameters to send. This cannot override existing parameter values. */
-    additionalParameters?: URLSearchParams;
+    additionalParameters?: URLSearchParams | Record<string, string> | string[][];
 }
 /**
  * Performs a Revocation Request at the
@@ -1003,7 +1003,7 @@ export declare function revocationRequest(as: AuthorizationServer, client: Clien
 export declare function processRevocationResponse(response: Response): Promise<undefined | OAuth2Error>;
 export interface IntrospectionRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions {
     /** Any additional parameters to send. This cannot override existing parameter values. */
-    additionalParameters?: URLSearchParams;
+    additionalParameters?: URLSearchParams | Record<string, string> | string[][];
     /**
      * Request a JWT Response from the
      * {@link AuthorizationServer.introspection_endpoint `as.introspection_endpoint`}. Default is
@@ -1076,7 +1076,7 @@ export declare function processIntrospectionResponse(as: AuthorizationServer, cl
  *
  * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
  */
-export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: HttpRequestOptions): Promise<CallbackParameters | OAuth2Error>;
+export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: HttpRequestOptions): Promise<URLSearchParams | OAuth2Error>;
 /**
  * DANGER ZONE
  *
@@ -1093,8 +1093,6 @@ export declare const skipStateCheck: unique symbol;
  * authorization request.
  */
 export declare const expectNoState: unique symbol;
-declare class CallbackParameters extends URLSearchParams {
-}
 /**
  * Validates an OAuth 2.0 Authorization Response or Authorization Error Response message returned
  * from the authorization server's
@@ -1111,7 +1109,7 @@ declare class CallbackParameters extends URLSearchParams {
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
  * @see [RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
  */
-export declare function validateAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck): CallbackParameters | OAuth2Error;
+export declare function validateAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck): URLSearchParams | OAuth2Error;
 type ReturnTypes = TokenEndpointResponse | OAuth2TokenEndpointResponse | OpenIDTokenEndpointResponse | ClientCredentialsGrantResponse | DeviceAuthorizationResponse | IntrospectionResponse | OAuth2Error | PushedAuthorizationResponse | URLSearchParams | UserInfoResponse;
 export interface DeviceAuthorizationRequestOptions extends HttpRequestOptions, AuthenticatedRequestOptions {
 }
@@ -1125,7 +1123,7 @@ export interface DeviceAuthorizationRequestOptions extends HttpRequestOptions, A
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1)
  */
-export declare function deviceAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams, options?: DeviceAuthorizationRequestOptions): Promise<Response>;
+export declare function deviceAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: DeviceAuthorizationRequestOptions): Promise<Response>;
 export interface DeviceAuthorizationResponse {
     readonly device_code: string;
     readonly user_code: string;
@@ -1158,7 +1156,7 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  * @param deviceCode Device Code.
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
- * @see [draft-ietf-oauth-dpop-11 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#name-dpop-access-token-request)
+ * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.2.3';
+    const VERSION = 'v2.3.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 export const clockSkew = Symbol();
@@ -443,9 +443,6 @@ async function jwt(header, claimsSet, key) {
 export async function issueRequestObject(as, client, parameters, privateKey) {
     assertAs(as);
     assertClient(client);
-    if (!(parameters instanceof URLSearchParams)) {
-        throw new TypeError('"parameters" must be an instance of URLSearchParams');
-    }
     parameters = new URLSearchParams(parameters);
     const { key, kid } = getKeyAndKid(privateKey);
     if (!isPrivateKey(key)) {
@@ -534,9 +531,6 @@ async function publicJwk(key) {
 export async function pushedAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
     assertClient(client);
-    if (!(parameters instanceof URLSearchParams)) {
-        throw new TypeError('"parameters" must be an instance of URLSearchParams');
-    }
     if (typeof as.pushed_authorization_request_endpoint !== 'string') {
         throw new TypeError('"as.pushed_authorization_request_endpoint" must be a string');
     }
@@ -968,11 +962,16 @@ function validateIssuer(expected, result) {
     }
     return result;
 }
+const branded = new WeakSet();
+function brand(searchParams) {
+    branded.add(searchParams);
+    return searchParams;
+}
 export async function authorizationCodeGrantRequest(as, client, callbackParameters, redirectUri, codeVerifier, options) {
     assertAs(as);
     assertClient(client);
-    if (!(callbackParameters instanceof CallbackParameters)) {
-        throw new TypeError('"callbackParameters" must be an instance of CallbackParameters obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
+    if (!branded.has(callbackParameters)) {
+        throw new TypeError('"callbackParameters" must be an instance of URLSearchParams obtained from "validateAuthResponse()", or "validateJwtAuthResponse()');
     }
     if (!validateString(redirectUri)) {
         throw new TypeError('"redirectUri" must be a non-empty string');
@@ -1430,8 +1429,6 @@ function getURLSearchParameter(parameters, name) {
 }
 export const skipStateCheck = Symbol();
 export const expectNoState = Symbol();
-class CallbackParameters extends URLSearchParams {
-}
 export function validateAuthResponse(as, client, parameters, expectedState) {
     assertAs(as);
     assertClient(client);
@@ -1485,7 +1482,7 @@ export function validateAuthResponse(as, client, parameters, expectedState) {
     if (id_token !== undefined || token !== undefined) {
         throw new UnsupportedOperationError('implicit and hybrid flows are not supported');
     }
-    return new CallbackParameters(parameters);
+    return brand(new URLSearchParams(parameters));
 }
 function algToSubtle(alg, crv) {
     switch (alg) {
@@ -1523,9 +1520,6 @@ async function importJwk(alg, jwk) {
 export async function deviceAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
     assertClient(client);
-    if (!(parameters instanceof URLSearchParams)) {
-        throw new TypeError('"parameters" must be an instance of URLSearchParams');
-    }
     if (typeof as.device_authorization_endpoint !== 'string') {
         throw new TypeError('"as.device_authorization_endpoint" must be a string');
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.2.3",
+  "version": "2.3.0",
   "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
   "keywords": [
     "auth",
@@ -63,18 +63,18 @@
   },
   "devDependencies": {
     "@esbuild-kit/esm-loader": "^2.5.5",
-    "@types/node": "^18.15.13",
+    "@types/node": "^18.16.1",
     "@types/qunit": "^2.19.4",
     "ava": "^5.2.0",
     "edge-runtime": "^2.1.4",
-    "esbuild": "^0.17.17",
+    "esbuild": "^0.17.18",
     "jose": "^4.14.1",
-    "patch-package": "^6.5.1",
-    "prettier": "^2.8.7",
+    "patch-package": "^7.0.0",
+    "prettier": "^2.8.8",
     "prettier-plugin-jsdoc": "^0.4.2",
     "qunit": "^2.19.4",
     "timekeeper": "^2.2.0",
-    "typedoc": "^0.24.4",
+    "typedoc": "^0.24.6",
     "typedoc-plugin-markdown": "^3.15.2",
     "typedoc-plugin-mdn-links": "^3.0.3",
     "typescript": "^5.0.4",