oauth4webapi 2.4.4 → 2.5.0

package/README.md

@@ -43,7 +43,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.4.4/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.5.0/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)
@@ -74,6 +74,5 @@ The following features are currently out of scope:
 
 - CommonJS
 - Implicit, Hybrid, and Resource Owner Password Credentials Flows
-- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
 - JSON Web Encryption (JWE)
 - Automatic polyfills of any kind

package/build/index.d.ts

@@ -127,10 +127,160 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
  * ```
  */
 export type JWSAlgorithm = 'PS256' | 'ES256' | 'RS256' | 'EdDSA' | 'ES384' | 'PS384' | 'RS384' | 'ES512' | 'PS512' | 'RS512';
-/** @ignore during Documentation generation but part of the public API */
 export declare const clockSkew: unique symbol;
-/** @ignore during Documentation generation but part of the public API */
 export declare const clockTolerance: unique symbol;
+/**
+ * This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+ * compatible changes or removal may occur in any future release.
+ *
+ * When configured on an interface that extends {@link HttpRequestOptions}, that's every `options`
+ * parameter for functions that trigger HTTP Requests, this replaces the use of global fetch. As a
+ * fetch replacement the arguments and expected return are the same as fetch.
+ *
+ * In theory any module that claims to be compatible with the Fetch API can be used but your mileage
+ * may vary. No workarounds to allow use of non-conform {@link Response}s will be considered.
+ *
+ * If you only need to update the {@link Request} properties you do not need to use a Fetch API
+ * module, just change what you need and pass it to globalThis.fetch just like this module would
+ * normally do.
+ *
+ * Its intended use cases are:
+ *
+ * - {@link Request}/{@link Response} tracing and logging
+ * - Custom caching strategies for responses of Authorization Server Metadata and JSON Web Key Set
+ *   (JWKS) endpoints
+ * - Changing the {@link Request} properties like headers, body, credentials, mode before it is passed
+ *   to fetch
+ *
+ * Known caveats:
+ *
+ * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
+ *   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
+ * - Returning self-constructed {@link Response} instances prohibits AS-signalled DPoP Nonce caching.
+ *
+ * @example
+ *
+ * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) hooks feature for logging outgoing
+ * requests and their responses.
+ *
+ * ```js
+ * import ky from 'ky'
+ * import * as oauth from 'oauth4webapi'
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   [oauth.experimentalCustomFetch]: (...args) =>
+ *     ky(args[0], {
+ *       ...args[1],
+ *       hooks: {
+ *         beforeRequest: [
+ *           (request) => {
+ *             logRequest(request)
+ *           },
+ *         ],
+ *         beforeRetry: [
+ *           ({ request, error, retryCount }) => {
+ *             logRetry(request, error, retryCount)
+ *           },
+ *         ],
+ *         afterResponse: [
+ *           (request, _, response) => {
+ *             logResponse(request, response)
+ *           },
+ *         ],
+ *       },
+ *     }),
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) for mocking.
+ *
+ * ```js
+ * import * as undici from 'undici'
+ * import * as oauth from 'oauth4webapi'
+ *
+ * const mockAgent = new undici.MockAgent()
+ * mockAgent.disableNetConnect()
+ * undici.setGlobalDispatcher(mockAgent)
+ *
+ * // continue as per undici documentation
+ * // https://github.com/nodejs/undici/blob/v6.2.1/docs/api/MockAgent.md#example---basic-mocked-request
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   [oauth.experimentalCustomFetch]: undici.fetch,
+ * })
+ * ```
+ */
+export declare const experimentalCustomFetch: unique symbol;
+/**
+ * This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+ * compatible changes or removal may occur in any future release.
+ *
+ * When combined with {@link experimentalCustomFetch} (to use a Fetch API implementation that
+ * supports client certificates) this can be used to target FAPI 2.0 profiles that utilize
+ * Mutual-TLS for either client authentication or sender constraining. FAPI 1.0 Advanced profiles
+ * that use PAR and JARM can also be targetted.
+ *
+ * When configured on an interface that extends {@link ExperimentalUseMTLSAliasOptions} this makes
+ * the client prioritize an endpoint URL present in
+ * {@link AuthorizationServer.mtls_endpoint_aliases `as.mtls_endpoint_aliases`}.
+ *
+ * @example
+ *
+ * (Node.js) Using [nodejs/undici](https://github.com/nodejs/undici) for Mutual-TLS Client
+ * Authentication and Certificate-Bound Access Tokens support.
+ *
+ * ```js
+ * import * as undici from 'undici'
+ * import * as oauth from 'oauth4webapi'
+ *
+ * const response = await oauth.pushedAuthorizationRequest(as, client, params, {
+ *   [oauth.experimentalUseMtlsAlias]: true,
+ *   [oauth.experimentalCustomFetch]: (...args) => {
+ *     return undici.fetch(args[0], {
+ *       ...args[1],
+ *       dispatcher: new undici.Agent({
+ *         connect: {
+ *           key: clientKey,
+ *           cert: clientCertificate,
+ *         },
+ *       }),
+ *     })
+ *   },
+ * })
+ * ```
+ *
+ * @example
+ *
+ * (Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound
+ * Access Tokens support. This is currently (Jan 2023) locked behind the --unstable command line
+ * flag.
+ *
+ * ```js
+ * import * as oauth from 'oauth4webapi'
+ *
+ * const agent = Deno.createHttpClient({
+ *   certChain: clientCertificate,
+ *   privateKey: clientKey,
+ * })
+ *
+ * const response = await oauth.pushedAuthorizationRequest(as, client, params, {
+ *   [oauth.experimentalUseMtlsAlias]: true,
+ *   [oauth.experimentalCustomFetch]: (...args) => {
+ *     return fetch(args[0], {
+ *       ...args[1],
+ *       client: agent,
+ *     })
+ *   },
+ * })
+ * ```
+ *
+ * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
+ */
+export declare const experimentalUseMtlsAlias: unique symbol;
 /**
  * Authorization Server Metadata
  *
@@ -456,9 +606,9 @@ export interface Client {
      * Use to adjust the client's assumed current time. Positive and negative finite values
      * representing seconds are allowed. Default is `0` (Date.now() + 0 seconds is used).
      *
-     * @ignore during Documentation generation but part of the public API
+     * @example
      *
-     * @example Client's local clock is mistakenly 1 hour in the past
+     * When the client's local clock is mistakenly 1 hour in the past
      *
      * ```ts
      * const client: oauth.Client = {
@@ -468,7 +618,9 @@ export interface Client {
      * }
      * ```
      *
-     * @example Client's local clock is mistakenly 1 hour in the future
+     * @example
+     *
+     * When the client's local clock is mistakenly 1 hour in the future
      *
      * ```ts
      * const client: oauth.Client = {
@@ -483,9 +635,9 @@ export interface Client {
      * Use to set allowed client's clock tolerance when checking DateTime JWT Claims. Only positive
      * finite values representing seconds are allowed. Default is `30` (30 seconds).
      *
-     * @ignore during Documentation generation but part of the public API
+     * @example
      *
-     * @example Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf.
+     * Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf.
      *
      * ```ts
      * const client: oauth.Client = {
@@ -522,11 +674,15 @@ export interface HttpRequestOptions {
      * ```
      */
     signal?: (() => AbortSignal) | AbortSignal;
+    /** Headers to additionally send with the HTTP Request(s) triggered by this function's invocation. */
+    headers?: [string, string][] | Record<string, string> | Headers;
     /**
-     * A Headers instance to additionally send with the HTTP Request(s) triggered by this function's
-     * invocation.
+     * This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+     * compatible changes or removal may occur in any future release.
+     *
+     * See {@link experimentalCustomFetch} for its documentation.
      */
-    headers?: Headers;
+    [experimentalCustomFetch]?: typeof fetch;
 }
 export interface DiscoveryRequestOptions extends HttpRequestOptions {
     /** The issuer transformation algorithm to use. */
@@ -625,7 +781,16 @@ export interface DPoPRequestOptions {
     /** DPoP-related options. */
     DPoP?: DPoPOptions;
 }
-export interface AuthenticatedRequestOptions {
+export interface ExperimentalUseMTLSAliasOptions {
+    /**
+     * This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+     * compatible changes or removal may occur in any future release.
+     *
+     * See {@link experimentalUseMtlsAlias} for its documentation.
+     */
+    [experimentalUseMtlsAlias]?: boolean;
+}
+export interface AuthenticatedRequestOptions extends ExperimentalUseMTLSAliasOptions {
     /**
      * Private key to use for `private_key_jwt`
      * {@link ClientAuthenticationMethod client authentication}. Its algorithm must be compatible with
@@ -747,10 +912,8 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
      *
      * This option only affects the request if the {@link ProtectedResourceRequestOptions.DPoP DPoP}
      * option is also used.
-     *
-     * @ignore during Documentation generation but part of the public API
      */
-    clockSkew?: number;
+    [clockSkew]?: number;
 }
 /**
  * Performs a protected resource request at an arbitrary URL.
@@ -769,7 +932,7 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
  * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function protectedResourceRequest(accessToken: string, method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | string, url: URL, headers: Headers, body?: ReadableStream | Blob | ArrayBufferView | ArrayBuffer | FormData | URLSearchParams | string | null, options?: ProtectedResourceRequestOptions): Promise<Response>;
-export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions {
+export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions, ExperimentalUseMTLSAliasOptions {
 }
 /**
  * Performs a UserInfo Request at the

package/build/index.js

@@ -1,11 +1,25 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.4.4';
+    const VERSION = 'v2.5.0';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
+function looseInstanceOf(input, expected) {
+    if (input == null) {
+        return false;
+    }
+    try {
+        return (input instanceof expected ||
+            Object.getPrototypeOf(input)[Symbol.toStringTag] === expected.prototype[Symbol.toStringTag]);
+    }
+    catch {
+        return false;
+    }
+}
 export const clockSkew = Symbol();
 export const clockTolerance = Symbol();
+export const experimentalCustomFetch = Symbol();
+export const experimentalUseMtlsAlias = Symbol();
 const encoder = new TextEncoder();
 const decoder = new TextDecoder();
 function buf(input) {
@@ -148,8 +162,8 @@ function isJsonObject(input) {
     return true;
 }
 function prepareHeaders(input) {
-    if (input !== undefined && !(input instanceof Headers)) {
-        throw new TypeError('"options.headers" must be an instance of Headers');
+    if (looseInstanceOf(input, Headers)) {
+        input = Object.fromEntries(input.entries());
     }
     const headers = new Headers(input);
     if (USER_AGENT && !headers.has('user-agent')) {
@@ -198,13 +212,12 @@ export async function discoveryRequest(issuerIdentifier, options) {
     }
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
-    const request = new Request(url.href, {
-        headers,
+    return (options?.[experimentalCustomFetch] || fetch)(url.href, {
+        headers: Object.fromEntries(headers.entries()),
         method: 'GET',
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    });
-    return fetch(request).then(processDpopNonce);
+    }).then(processDpopNonce);
 }
 function validateString(input) {
     return typeof input === 'string' && input.length !== 0;
@@ -213,7 +226,7 @@ export async function processDiscoveryResponse(expectedIssuerIdentifier, respons
     if (!(expectedIssuerIdentifier instanceof URL)) {
         throw new TypeError('"expectedIssuer" must be an instance of URL');
     }
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -427,9 +440,11 @@ async function clientAuthentication(as, client, body, headers, clientPrivateKey)
             body.set('client_assertion', await privateKeyJwt(as, client, key, kid));
             break;
         }
+        case 'tls_client_auth':
+        case 'self_signed_tls_client_auth':
         case 'none': {
-            assertNoClientSecret('none', client.client_secret);
-            assertNoClientPrivateKey('none', clientPrivateKey);
+            assertNoClientSecret(client.token_endpoint_auth_method, client.client_secret);
+            assertNoClientPrivateKey(client.token_endpoint_auth_method, clientPrivateKey);
             body.set('client_id', client.client_id);
             break;
         }
@@ -531,13 +546,29 @@ async function publicJwk(key) {
     jwkCache.set(key, jwk);
     return jwk;
 }
+function validateEndpoint(value, endpoint, options) {
+    if (typeof value !== 'string') {
+        if (options?.[experimentalUseMtlsAlias]) {
+            throw new TypeError(`"as.mtls_endpoint_aliases.${endpoint}" must be a string`);
+        }
+        else {
+            throw new TypeError(`"as.${endpoint}" must be a string`);
+        }
+    }
+    return new URL(value);
+}
+function resolveEndpoint(as, endpoint, options) {
+    if (options?.[experimentalUseMtlsAlias] &&
+        as.mtls_endpoint_aliases &&
+        endpoint in as.mtls_endpoint_aliases) {
+        return validateEndpoint(as.mtls_endpoint_aliases[endpoint], endpoint, options);
+    }
+    return validateEndpoint(as[endpoint], endpoint);
+}
 export async function pushedAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
     assertClient(client);
-    if (typeof as.pushed_authorization_request_endpoint !== 'string') {
-        throw new TypeError('"as.pushed_authorization_request_endpoint" must be a string');
-    }
-    const url = new URL(as.pushed_authorization_request_endpoint);
+    const url = resolveEndpoint(as, 'pushed_authorization_request_endpoint', options);
     const body = new URLSearchParams(parameters);
     body.set('client_id', client.client_id);
     const headers = prepareHeaders(options?.headers);
@@ -585,7 +616,7 @@ function wwwAuth(scheme, params) {
     };
 }
 export function parseWwwAuthenticateChallenges(response) {
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (!response.headers.has('www-authenticate')) {
@@ -615,7 +646,7 @@ export function parseWwwAuthenticateChallenges(response) {
 export async function processPushedAuthorizationResponse(as, client, response) {
     assertAs(as);
     assertClient(client);
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 201) {
@@ -656,25 +687,21 @@ export async function protectedResourceRequest(accessToken, method, url, headers
         headers.set('authorization', `Bearer ${accessToken}`);
     }
     else {
-        await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.clockSkew }), accessToken);
+        await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.[clockSkew] }), accessToken);
         headers.set('authorization', `DPoP ${accessToken}`);
     }
-    const request = new Request(url.href, {
+    return (options?.[experimentalCustomFetch] || fetch)(url.href, {
         body,
-        headers,
+        headers: Object.fromEntries(headers.entries()),
         method,
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    });
-    return fetch(request).then(processDpopNonce);
+    }).then(processDpopNonce);
 }
 export async function userInfoRequest(as, client, accessToken, options) {
     assertAs(as);
     assertClient(client);
-    if (typeof as.userinfo_endpoint !== 'string') {
-        throw new TypeError('"as.userinfo_endpoint" must be a string');
-    }
-    const url = new URL(as.userinfo_endpoint);
+    const url = resolveEndpoint(as, 'userinfo_endpoint', options);
     const headers = prepareHeaders(options?.headers);
     if (client.userinfo_signed_response_alg) {
         headers.set('accept', 'application/jwt');
@@ -685,7 +712,7 @@ export async function userInfoRequest(as, client, accessToken, options) {
     }
     return protectedResourceRequest(accessToken, 'GET', url, headers, null, {
         ...options,
-        clockSkew: getClockSkew(client),
+        [clockSkew]: getClockSkew(client),
     });
 }
 let jwksCache;
@@ -778,7 +805,7 @@ function getContentType(response) {
 export async function processUserInfoResponse(as, client, expectedSubject, response) {
     assertAs(as);
     assertClient(client);
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -826,20 +853,16 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
 async function authenticatedRequest(as, client, method, url, body, headers, options) {
     await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);
     headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');
-    const request = new Request(url.href, {
+    return (options?.[experimentalCustomFetch] || fetch)(url.href, {
         body,
-        headers,
+        headers: Object.fromEntries(headers.entries()),
         method,
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    });
-    return fetch(request).then(processDpopNonce);
+    }).then(processDpopNonce);
 }
 async function tokenEndpointRequest(as, client, grantType, parameters, options) {
-    if (typeof as.token_endpoint !== 'string') {
-        throw new TypeError('"as.token_endpoint" must be a string');
-    }
-    const url = new URL(as.token_endpoint);
+    const url = resolveEndpoint(as, 'token_endpoint', options);
     parameters.set('grant_type', grantType);
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
@@ -872,7 +895,7 @@ export function getValidatedIdTokenClaims(ref) {
 async function processGenericAccessTokenResponse(as, client, response, ignoreIdToken = false, ignoreRefreshToken = false) {
     assertAs(as);
     assertClient(client);
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -1092,10 +1115,7 @@ export async function revocationRequest(as, client, token, options) {
     if (!validateString(token)) {
         throw new TypeError('"token" must be a non-empty string');
     }
-    if (typeof as.revocation_endpoint !== 'string') {
-        throw new TypeError('"as.revocation_endpoint" must be a string');
-    }
-    const url = new URL(as.revocation_endpoint);
+    const url = resolveEndpoint(as, 'revocation_endpoint', options);
     const body = new URLSearchParams(options?.additionalParameters);
     body.set('token', token);
     const headers = prepareHeaders(options?.headers);
@@ -1103,7 +1123,7 @@ export async function revocationRequest(as, client, token, options) {
     return authenticatedRequest(as, client, 'POST', url, body, headers, options);
 }
 export async function processRevocationResponse(response) {
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -1126,10 +1146,7 @@ export async function introspectionRequest(as, client, token, options) {
     if (!validateString(token)) {
         throw new TypeError('"token" must be a non-empty string');
     }
-    if (typeof as.introspection_endpoint !== 'string') {
-        throw new TypeError('"as.introspection_endpoint" must be a string');
-    }
-    const url = new URL(as.introspection_endpoint);
+    const url = resolveEndpoint(as, 'introspection_endpoint', options);
     const body = new URLSearchParams(options?.additionalParameters);
     body.set('token', token);
     const headers = prepareHeaders(options?.headers);
@@ -1144,7 +1161,7 @@ export async function introspectionRequest(as, client, token, options) {
 export async function processIntrospectionResponse(as, client, response) {
     assertAs(as);
     assertClient(client);
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -1186,23 +1203,19 @@ export async function processIntrospectionResponse(as, client, response) {
 }
 async function jwksRequest(as, options) {
     assertAs(as);
-    if (typeof as.jwks_uri !== 'string') {
-        throw new TypeError('"as.jwks_uri" must be a string');
-    }
-    const url = new URL(as.jwks_uri);
+    const url = resolveEndpoint(as, 'jwks_uri');
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
     headers.append('accept', 'application/jwk-set+json');
-    const request = new Request(url.href, {
-        headers,
+    return (options?.[experimentalCustomFetch] || fetch)(url.href, {
+        headers: Object.fromEntries(headers.entries()),
         method: 'GET',
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    });
-    return fetch(request).then(processDpopNonce);
+    }).then(processDpopNonce);
 }
 async function processJwksResponse(response) {
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {
@@ -1525,10 +1538,7 @@ async function importJwk(alg, jwk) {
 export async function deviceAuthorizationRequest(as, client, parameters, options) {
     assertAs(as);
     assertClient(client);
-    if (typeof as.device_authorization_endpoint !== 'string') {
-        throw new TypeError('"as.device_authorization_endpoint" must be a string');
-    }
-    const url = new URL(as.device_authorization_endpoint);
+    const url = resolveEndpoint(as, 'device_authorization_endpoint', options);
     const body = new URLSearchParams(parameters);
     body.set('client_id', client.client_id);
     const headers = prepareHeaders(options?.headers);
@@ -1538,7 +1548,7 @@ export async function deviceAuthorizationRequest(as, client, parameters, options
 export async function processDeviceAuthorizationResponse(as, client, response) {
     assertAs(as);
     assertClient(client);
-    if (!(response instanceof Response)) {
+    if (!looseInstanceOf(response, Response)) {
         throw new TypeError('"response" must be an instance of Response');
     }
     if (response.status !== 200) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "oauth4webapi",
-  "version": "2.4.4",
+  "version": "2.5.0",
   "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "auth",
@@ -80,6 +80,7 @@
     "puppeteer-core": "^21.7.0",
     "qunit": "^2.20.0",
     "raw-body": "^2.5.2",
+    "selfsigned": "^2.4.1",
     "timekeeper": "^2.3.1",
     "tsx": "^4.7.0",
     "typedoc": "^0.25.7",