oauth4webapi 2.3.0 → 2.4.0

package/README.md

@@ -1,13 +1,13 @@
-# OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes
+# OAuth 2 / OpenID Connect for JavaScript Runtimes
 
-This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.
+This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.
 
-Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable OpenID Connect is also supported.
+## Features
 
-## In Scope & Implemented
+The following features are currently in scope and implemented in this software:
 
 - Authorization Server Metadata discovery
-- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
+- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
 - Refresh Token, Device Authorization, and Client Credentials Grants
 - Demonstrating Proof-of-Possession at the Application Layer (DPoP)
 - Token Introspection and Revocation
@@ -26,6 +26,8 @@ Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the la
 
 ## Dependencies: 0
 
+`oauth4webapi` has no dependencies and it exports tree-shakeable ESM.
+
 ## [Documentation](docs/README.md)
 
 ## [Examples](examples/README.md)
@@ -39,7 +41,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.3.0/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.4.0/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)
@@ -54,9 +56,8 @@ import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.3.0/mod.ts'
 
 ## Supported Runtimes
 
-The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects
+The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are _(but are not limited to)_:
 
-These are _(this is not an exhaustive list)_:
 - Browsers
 - Bun
 - Cloudflare Workers
@@ -67,6 +68,8 @@ These are _(this is not an exhaustive list)_:
 
 ## Out of scope
 
+The following features are currently out of scope:
+
 - CommonJS
 - Implicit, Hybrid, and Resource Owner Password Credentials Flows
 - Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

package/build/index.d.ts

@@ -48,41 +48,37 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  * @example CryptoKey algorithm for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface RSAPSSAlgorithm extends RsaHashedKeyAlgorithm {
+ * interface PS256 extends RsaHashedKeyAlgorithm {
  *   name: 'RSA-PSS'
- *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
+ *   hash: 'SHA-256'
  * }
  *
- * interface PS256 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-256' }
- * }
- *
- * interface PS384 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-384' }
+ * interface PS384 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSA-PSS'
+ *   hash: 'SHA-384'
  * }
  *
- * interface PS512 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-512' }
+ * interface PS512 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSA-PSS'
+ *   hash: 'SHA-512'
  * }
  * ```
  *
  * @example CryptoKey algorithm for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface ECDSAAlgorithm extends EcKeyAlgorithm {
+ * interface ES256 extends EcKeyAlgorithm {
  *   name: 'ECDSA'
- *   namedCurve: 'P-256' | 'P-384' | 'P-521'
- * }
- *
- * interface ES256 extends ECDSAAlgorithm {
  *   namedCurve: 'P-256'
  * }
  *
- * interface ES384 extends ECDSAAlgorithm {
+ * interface ES384 extends EcKeyAlgorithm {
+ *   name: 'ECDSA'
  *   namedCurve: 'P-384'
  * }
  *
- * interface ES512 extends ECDSAAlgorithm {
+ * interface ES512 extends EcKeyAlgorithm {
+ *   name: 'ECDSA'
  *   namedCurve: 'P-521'
  * }
  * ```
@@ -90,21 +86,19 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  * @example CryptoKey algorithm for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface ECDSAAlgorithm extends RsaHashedKeyAlgorithm {
+ * interface RS256 extends RsaHashedKeyAlgorithm {
  *   name: 'RSASSA-PKCS1-v1_5'
- *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
- * }
- *
- * interface RS256 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-256' }
+ *   hash: 'SHA-256'
  * }
  *
- * interface RS384 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-384' }
+ * interface RS384 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: 'SHA-384'
  * }
  *
- * interface RS512 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-512' }
+ * interface RS512 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: 'SHA-512'
  * }
  * ```
  *
@@ -496,7 +490,9 @@ export declare class UnsupportedOperationError extends Error {
     constructor(message?: string);
 }
 export declare class OperationProcessingError extends Error {
-    constructor(message: string);
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
 }
 export interface HttpRequestOptions {
     /**
@@ -623,7 +619,7 @@ export declare function issueRequestObject(as: AuthorizationServer, client: Clie
  * @param parameters Authorization Request parameters.
  *
  * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-with-pushed-authorizat)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-with-pushed-authorizat)
  */
 export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: PushedAuthorizationRequestOptions): Promise<Response>;
 export interface PushedAuthorizationResponse {
@@ -674,6 +670,7 @@ export declare function parseWwwAuthenticateChallenges(response: Response): WWWA
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
  */
 export declare function processPushedAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<PushedAuthorizationResponse | OAuth2Error>;
@@ -701,7 +698,7 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
  * @param body Request body compatible with the Fetch API and the request's method.
  *
  * @see [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function protectedResourceRequest(accessToken: string, method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | string, url: URL, headers: Headers, body: RequestInit['body'], options?: ProtectedResourceRequestOptions): Promise<Response>;
 export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions {
@@ -717,7 +714,7 @@ export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestO
  * @param accessToken Access Token value.
  *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise<Response>;
 export interface UserInfoAddress {
@@ -774,6 +771,7 @@ export declare const skipSubjectCheck: unique symbol;
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
  */
 export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response): Promise<UserInfoResponse>;
@@ -791,7 +789,7 @@ export interface TokenEndpointRequestOptions extends HttpRequestOptions, Authent
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, refreshToken: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -823,6 +821,7 @@ export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): I
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
  */
@@ -841,7 +840,7 @@ export declare function processRefreshTokenResponse(as: AuthorizationServer, cli
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, callbackParameters: URLSearchParams, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 interface JWTPayload {
@@ -930,6 +929,7 @@ export declare const skipAuthTimeCheck: unique symbol;
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  */
@@ -945,6 +945,7 @@ export declare function processAuthorizationCodeOpenIDResponse(as: Authorization
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  */
 export declare function processAuthorizationCodeOAuth2Response(as: AuthorizationServer, client: Client, response: Response): Promise<OAuth2TokenEndpointResponse | OAuth2Error>;
@@ -958,7 +959,7 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  * @param client Client Metadata.
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
 /**
@@ -972,6 +973,7 @@ export declare function clientCredentialsGrantRequest(as: AuthorizationServer, c
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
  */
 export declare function processClientCredentialsResponse(as: AuthorizationServer, client: Client, response: Response): Promise<ClientCredentialsGrantResponse | OAuth2Error>;
@@ -987,6 +989,7 @@ export interface RevocationRequestOptions extends HttpRequestOptions, Authentica
  * @param client Client Metadata.
  * @param token Token to revoke. You can provide the `token_type_hint` parameter via
  *   {@link RevocationRequestOptions.additionalParameters options}.
+ *
  * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2)
  */
 export declare function revocationRequest(as: AuthorizationServer, client: Client, token: string, options?: RevocationRequestOptions): Promise<Response>;
@@ -998,6 +1001,7 @@ export declare function revocationRequest(as: AuthorizationServer, client: Clien
  *
  * @returns Resolves with `undefined` when the request was successful, or an object representing an
  *   OAuth 2.0 protocol style error.
+ *
  * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2)
  */
 export declare function processRevocationResponse(response: Response): Promise<undefined | OAuth2Error>;
@@ -1023,6 +1027,7 @@ export interface IntrospectionRequestOptions extends HttpRequestOptions, Authent
  * @param client Client Metadata.
  * @param token Token to introspect. You can provide the `token_type_hint` parameter via
  *   {@link IntrospectionRequestOptions.additionalParameters options}.
+ *
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-4)
  */
@@ -1060,6 +1065,7 @@ export interface IntrospectionResponse {
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5)
  */
@@ -1144,6 +1150,7 @@ export interface DeviceAuthorizationResponse {
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1)
  */
 export declare function processDeviceAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<DeviceAuthorizationResponse | OAuth2Error>;
@@ -1156,7 +1163,7 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  * @param deviceCode Device Code.
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -1170,6 +1177,7 @@ export declare function deviceCodeGrantRequest(as: AuthorizationServer, client:
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
  */
 export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response): Promise<TokenEndpointResponse | OAuth2Error>;

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.3.0';
+    const VERSION = 'v2.4.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 export const clockSkew = Symbol();
@@ -34,8 +34,8 @@ function decodeBase64Url(input) {
         }
         return bytes;
     }
-    catch {
-        throw new TypeError('The input to be decoded is not correctly encoded.');
+    catch (cause) {
+        throw new OPE('The input to be decoded is not correctly encoded.', { cause });
     }
 }
 function b64u(input) {
@@ -98,8 +98,8 @@ export class UnsupportedOperationError extends Error {
     }
 }
 export class OperationProcessingError extends Error {
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
         this.name = this.constructor.name;
         Error.captureStackTrace?.(this, this.constructor);
     }
@@ -219,8 +219,8 @@ export async function processDiscoveryResponse(expectedIssuerIdentifier, respons
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -249,7 +249,7 @@ export async function calculatePKCECodeChallenge(codeVerifier) {
     if (!validateString(codeVerifier)) {
         throw new TypeError('"codeVerifier" must be a non-empty string');
     }
-    return b64u(await crypto.subtle.digest({ name: 'SHA-256' }, buf(codeVerifier)));
+    return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));
 }
 function getKeyAndKid(input) {
     if (input instanceof CryptoKey) {
@@ -473,8 +473,8 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         try {
             claims.claims = JSON.parse(value);
         }
-        catch {
-            throw new OPE('failed to parse the "claims" parameter as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse the "claims" parameter as JSON', { cause });
         }
         if (!isJsonObject(claims.claims)) {
             throw new OPE('"claims" parameter must be a top level object');
@@ -511,9 +511,7 @@ async function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken)
         htm,
         nonce,
         htu: `${url.origin}${url.pathname}`,
-        ath: accessToken
-            ? b64u(await crypto.subtle.digest({ name: 'SHA-256' }, buf(accessToken)))
-            : undefined,
+        ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,
     }, privateKey);
     headers.set('dpop', proof);
 }
@@ -627,8 +625,8 @@ export async function processPushedAuthorizationResponse(as, client, response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -796,8 +794,8 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
         try {
             json = await response.json();
         }
-        catch {
-            throw new OPE('failed to parse "response" body as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse "response" body as JSON', { cause });
         }
     }
     if (!isJsonObject(json)) {
@@ -882,8 +880,8 @@ async function processGenericAccessTokenResponse(as, client, response, ignoreIdT
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -1167,8 +1165,8 @@ export async function processIntrospectionResponse(as, client, response) {
         try {
             json = await response.json();
         }
-        catch {
-            throw new OPE('failed to parse "response" body as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse "response" body as JSON', { cause });
         }
         if (!isJsonObject(json)) {
             throw new OPE('"response" body must be a top level object');
@@ -1207,8 +1205,8 @@ async function processJwksResponse(response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -1274,7 +1272,7 @@ function keyToSubtle(key) {
         case 'ECDSA':
             return {
                 name: key.algorithm.name,
-                hash: { name: ecdsaHashName(key.algorithm.namedCurve) },
+                hash: ecdsaHashName(key.algorithm.namedCurve),
             };
         case 'RSA-PSS': {
             checkRsaKeyAlgorithm(key.algorithm);
@@ -1292,10 +1290,10 @@ function keyToSubtle(key) {
         }
         case 'RSASSA-PKCS1-v1_5':
             checkRsaKeyAlgorithm(key.algorithm);
-            return { name: key.algorithm.name };
+            return key.algorithm.name;
         case 'Ed448':
         case 'Ed25519':
-            return { name: key.algorithm.name };
+            return key.algorithm.name;
     }
     throw new UnsupportedOperationError();
 }
@@ -1312,8 +1310,8 @@ async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     try {
         header = JSON.parse(buf(b64u(protectedHeader)));
     }
-    catch {
-        throw new OPE('failed to parse JWT Header body as base64url encoded JSON');
+    catch (cause) {
+        throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });
     }
     if (!isJsonObject(header)) {
         throw new OPE('JWT Header must be a top level object');
@@ -1335,8 +1333,8 @@ async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     try {
         claims = JSON.parse(buf(b64u(payload)));
     }
-    catch {
-        throw new OPE('failed to parse JWT Payload body as base64url encoded JSON');
+    catch (cause) {
+        throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });
     }
     if (!isJsonObject(claims)) {
         throw new OPE('JWT Payload must be a top level object');
@@ -1489,11 +1487,11 @@ function algToSubtle(alg, crv) {
         case 'PS256':
         case 'PS384':
         case 'PS512':
-            return { name: 'RSA-PSS', hash: { name: `SHA-${alg.slice(-3)}` } };
+            return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };
         case 'RS256':
         case 'RS384':
         case 'RS512':
-            return { name: 'RSASSA-PKCS1-v1_5', hash: { name: `SHA-${alg.slice(-3)}` } };
+            return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };
         case 'ES256':
         case 'ES384':
             return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };
@@ -1502,9 +1500,8 @@ function algToSubtle(alg, crv) {
         case 'EdDSA': {
             switch (crv) {
                 case 'Ed25519':
-                    return { name: 'Ed25519' };
                 case 'Ed448':
-                    return { name: 'Ed448' };
+                    return crv;
                 default:
                     throw new UnsupportedOperationError();
             }
@@ -1548,8 +1545,8 @@ export async function processDeviceAuthorizationResponse(as, client, response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "oauth4webapi",
-  "version": "2.3.0",
-  "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
+  "version": "2.4.0",
+  "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "auth",
     "authentication",
@@ -28,6 +28,7 @@
     "openid-connect",
     "openid",
     "vercel",
+    "workerd",
     "workers"
   ],
   "homepage": "https://github.com/panva/oauth4webapi",
@@ -58,26 +59,26 @@
     "tap:edge-runtime": "./tap/.edge-runtime.sh",
     "tap:electron": "./tap/.electron.sh",
     "tap:node": "bash -c './tap/.node.sh'",
-    "tap:workers": "./tap/.workers.sh",
+    "tap:workerd": "./tap/.workerd.sh",
     "test": "bash -c 'source .node_flags.sh && ava'"
   },
   "devDependencies": {
-    "@esbuild-kit/esm-loader": "^2.5.5",
-    "@types/node": "^18.16.1",
-    "@types/qunit": "^2.19.4",
-    "ava": "^5.2.0",
-    "edge-runtime": "^2.1.4",
-    "esbuild": "^0.17.18",
-    "jose": "^4.14.1",
-    "patch-package": "^7.0.0",
-    "prettier": "^2.8.8",
-    "prettier-plugin-jsdoc": "^0.4.2",
-    "qunit": "^2.19.4",
-    "timekeeper": "^2.2.0",
-    "typedoc": "^0.24.6",
-    "typedoc-plugin-markdown": "^3.15.2",
-    "typedoc-plugin-mdn-links": "^3.0.3",
-    "typescript": "^5.0.4",
-    "undici": "^5.22.0"
+    "@esbuild-kit/esm-loader": "^2.6.5",
+    "@types/node": "^20.9.0",
+    "@types/qunit": "^2.19.8",
+    "ava": "^5.3.1",
+    "edge-runtime": "^2.5.7",
+    "esbuild": "^0.19.5",
+    "jose": "^5.1.1",
+    "patch-package": "^8.0.0",
+    "prettier": "^3.1.0",
+    "prettier-plugin-jsdoc": "^1.1.1",
+    "qunit": "^2.20.0",
+    "timekeeper": "^2.3.1",
+    "typedoc": "^0.25.3",
+    "typedoc-plugin-markdown": "^3.17.1",
+    "typedoc-plugin-mdn-links": "^3.1.0",
+    "typescript": "^5.2.2",
+    "undici": "^5.27.2"
   }
 }