oauth4webapi 3.4.0 → 3.5.0

package/README.md

@@ -9,6 +9,7 @@ This software provides a collection of routines that can be used to build client
 The following features are currently in scope and implemented in this software:
 
 - Authorization Server Metadata discovery
+- Resource Server Metadata discovery
 - Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
 - Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication (CIBA), and Client Credentials Grants
 - Demonstrating Proof-of-Possession at the Application Layer (DPoP)
@@ -17,6 +18,7 @@ The following features are currently in scope and implemented in this software:
 - UserInfo and Protected Resource Requests
 - Authorization Server Issuer Identification
 - JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
+- Dynamic Client Registration (DCR)
 - Validating incoming JWT Access Tokens
 
 ## Sponsor
@@ -98,6 +100,6 @@ The supported JavaScript runtimes include those that support the utilized Web AP
 [sponsor-auth0]: https://a0.to/signup/panva
 [Security Policy]: https://github.com/panva/oauth4webapi/security/policy
 
-[^cjs]: CJS style `let oauth = require('oauth4webapi')` is possible in Node.js versions where `process.features.require_module` is `true` by default (^20.19.0 || ^22.12.0 || >= 23.0.0) or with the `--experimental-require-module` Node.js CLI flag.
+[^cjs]: CJS style `let oauth = require('oauth4webapi')` is possible in Node.js versions where the `require(esm)` feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).
 
 [^nodejs]: Node.js v20.x as baseline is required

package/build/index.d.ts

@@ -394,6 +394,8 @@ export declare const jwksCache: unique symbol;
 /**
  * Authorization Server Metadata
  *
+ * @group Authorization Server Metadata
+ *
  * @see [IANA OAuth Authorization Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata)
  */
 export interface AuthorizationServer {
@@ -709,6 +711,10 @@ export interface AuthorizationServer {
      * Boolean value specifying whether the authorization server supports back-channel logout.
      */
     readonly backchannel_logout_supported?: boolean;
+    /**
+     * JSON array containing a list of resource identifiers for OAuth protected resources.
+     */
+    readonly protected_resources?: string[];
     readonly [metadata: string]: JsonValue | undefined;
 }
 export interface MTLSEndpointAliases extends Pick<AuthorizationServer, 'backchannel_authentication_endpoint' | 'device_authorization_endpoint' | 'introspection_endpoint' | 'pushed_authorization_request_endpoint' | 'revocation_endpoint' | 'token_endpoint' | 'userinfo_endpoint'> {
@@ -935,11 +941,13 @@ export interface DiscoveryRequestOptions extends HttpRequestOptions<'GET'> {
  *
  * @param issuerIdentifier Issuer Identifier to resolve the well-known discovery URI for.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processDiscoveryResponse} with
+ *
  * @group Authorization Server Metadata
  * @group OpenID Connect (OIDC) Discovery
  *
  * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3)
- * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
+ * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0-errata2.html#ProviderConfig)
  */
 export declare function discoveryRequest(issuerIdentifier: URL, options?: DiscoveryRequestOptions): Promise<Response>;
 /**
@@ -955,7 +963,7 @@ export declare function discoveryRequest(issuerIdentifier: URL, options?: Discov
  * @group OpenID Connect (OIDC) Discovery
  *
  * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3)
- * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
+ * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0-errata2.html#ProviderConfig)
  */
 export declare function processDiscoveryResponse(expectedIssuerIdentifier: URL, response: Response): Promise<AuthorizationServer>;
 /**
@@ -982,7 +990,7 @@ export declare function generateRandomState(): string;
  *
  * @group Utilities
  *
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#IDToken)
  */
 export declare function generateRandomNonce(): string;
 /**
@@ -1035,7 +1043,7 @@ export type ClientAuth = (as: AuthorizationServer, client: Client, body: URLSear
  *
  * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method)
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#ClientAuthentication)
  */
 export declare function ClientSecretPost(clientSecret: string): ClientAuth;
 /**
@@ -1056,7 +1064,7 @@ export declare function ClientSecretPost(clientSecret: string): ClientAuth;
  *
  * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method)
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#ClientAuthentication)
  */
 export declare function ClientSecretBasic(clientSecret: string): ClientAuth;
 export interface ModifyAssertionOptions {
@@ -1085,7 +1093,7 @@ export interface ModifyAssertionOptions {
  * @group Client Authentication
  *
  * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#ClientAuthentication)
  */
 export declare function PrivateKeyJwt(clientPrivateKey: CryptoKey | PrivateKey, options?: ModifyAssertionOptions): ClientAuth;
 /**
@@ -1107,7 +1115,7 @@ export declare function PrivateKeyJwt(clientPrivateKey: CryptoKey | PrivateKey,
  * @group Client Authentication
  *
  * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#ClientAuthentication)
  */
 export declare function ClientSecretJwt(clientSecret: string, options?: ModifyAssertionOptions): ClientAuth;
 /**
@@ -1121,7 +1129,7 @@ export declare function ClientSecretJwt(clientSecret: string, options?: ModifyAs
  * @group Client Authentication
  *
  * @see [OAuth Token Endpoint Authentication Methods](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#ClientAuthentication)
  */
 export declare function None(): ClientAuth;
 /**
@@ -1166,6 +1174,9 @@ export declare function checkProtocol(url: URL, enforceHttps: boolean | undefine
  * @param clientAuthentication Client Authentication Method.
  * @param parameters Authorization Request parameters.
  *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processPushedAuthorizationResponse} with
+ *
  * @group Pushed Authorization Requests (PAR)
  *
  * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests (PAR)](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
@@ -1214,7 +1225,7 @@ export declare function isDPoPNonceError(err: unknown): boolean;
  *
  * @group DPoP
  *
- * @see {@link !DPoP RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)}
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)}
  */
 export declare function DPoP(client: Pick<Client, typeof clockSkew>, keyPair: CryptoKeyPair, options?: ModifyAssertionOptions): DPoPHandle;
 export interface PushedAuthorizationResponse {
@@ -1315,8 +1326,8 @@ export declare class AuthorizationResponseError extends Error {
     });
 }
 /**
- * Thrown when a server responds with WWW-Authenticate challenges, typically because of expired
- * tokens, or bad client authentication
+ * Thrown when a server responds with a parseable WWW-Authenticate challenges, typically because of
+ * expired tokens, or bad client authentication
  *
  * @example
  *
@@ -1351,24 +1362,66 @@ export declare class WWWAuthenticateChallengeError extends Error {
         response: Response;
     });
 }
+/**
+ * WWW-Authenticate challenge auth-param dictionary with known and unknown parameter names
+ */
 export interface WWWAuthenticateChallengeParameters {
+    /**
+     * Identifies the protection space
+     */
     readonly realm?: string;
+    /**
+     * A machine-readable error code value
+     */
     readonly error?: string;
+    /**
+     * Human-readable ASCII text providing additional information, used to assist the client developer
+     * in understanding the error that occurred
+     */
     readonly error_description?: string;
+    /**
+     * A URI identifying a human-readable web page with information about the error, used to provide
+     * the client developer with additional information about the error
+     */
     readonly error_uri?: string;
+    /**
+     * A comma-delimited list of supported algorithms, used in
+     * {@link https://www.rfc-editor.org/rfc/rfc9449.html RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)}
+     * challenges
+     */
     readonly algs?: string;
+    /**
+     * The scope necessary to access the protected resource, used with `insufficient_scope` error code
+     */
     readonly scope?: string;
+    /**
+     * The URL of the protected resource metadata
+     */
+    readonly resource_metadata?: string;
     /**
      * NOTE: because the parameter names are case insensitive they are always returned lowercased
      */
     readonly [parameter: Lowercase<string>]: string | undefined;
 }
+/**
+ * Parsed WWW-Authenticate challenge
+ */
 export interface WWWAuthenticateChallenge {
     /**
+     * Parsed WWW-Authenticate challenge auth-scheme
+     *
      * NOTE: because the value is case insensitive it is always returned lowercased
      */
     readonly scheme: Lowercase<string>;
+    /**
+     * Parsed WWW-Authenticate challenge auth-param dictionary (always present but will be empty when
+     * {@link WWWAuthenticateChallenge.token68 token68} is present)
+     */
     readonly parameters: WWWAuthenticateChallengeParameters;
+    /**
+     * Parsed WWW-Authenticate challenge token68
+     */
+    readonly token68?: string;
 }
 /**
  * Validates {@link !Response} instance to be one coming from the
@@ -1422,11 +1475,13 @@ export interface UserInfoRequestOptions extends HttpRequestOptions<'GET'>, DPoPR
  * @param client Client Metadata.
  * @param accessToken Access Token value.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processUserInfoResponse} with
+ *
  * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  * @group OpenID Connect (OIDC) UserInfo
  * @group Accessing Protected Resources
  *
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#UserInfo)
  * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise<Response>;
@@ -1473,7 +1528,7 @@ export type JWKSCacheInput = ExportedJWKSCache | Record<string, never>;
  * Use this as a value to {@link processUserInfoResponse} `expectedSubject` parameter to skip the
  * `sub` claim value check.
  *
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#UserInfoResponse)
  */
 export declare const skipSubjectCheck: unique symbol;
 export interface JWEDecryptOptions {
@@ -1500,7 +1555,7 @@ export interface JWEDecryptOptions {
  * @group OpenID Connect (OIDC) UserInfo
  * @group Accessing Protected Resources
  *
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#UserInfo)
  */
 export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response, options?: JWEDecryptOptions): Promise<UserInfoResponse>;
 export interface TokenEndpointRequestOptions extends HttpRequestOptions<'POST', URLSearchParams>, DPoPRequestOptions {
@@ -1518,10 +1573,12 @@ export interface TokenEndpointRequestOptions extends HttpRequestOptions<'POST',
  * @param clientAuthentication Client Authentication Method.
  * @param refreshToken Refresh Token value.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processRefreshTokenResponse} with
+ *
  * @group Refreshing an Access Token
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#RefreshTokens)
  * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, refreshToken: string, options?: TokenEndpointRequestOptions): Promise<Response>;
@@ -1566,7 +1623,7 @@ export interface ValidateSignatureOptions extends HttpRequestOptions<'GET'>, JWK
  * @group Token Introspection
  *
  * @see [RFC 9701 - JWT Response for OAuth Token Introspection](https://www.rfc-editor.org/rfc/rfc9701.html#section-5)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#UserInfo)
  */
 export declare function validateApplicationLevelSignature(as: AuthorizationServer, ref: Response, options?: ValidateSignatureOptions): Promise<void>;
 /**
@@ -1584,7 +1641,7 @@ export declare function validateApplicationLevelSignature(as: AuthorizationServe
  * @group Refreshing an Access Token
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#RefreshTokens)
  */
 export declare function processRefreshTokenResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise<TokenEndpointResponse>;
 /**
@@ -1599,11 +1656,14 @@ export declare function processRefreshTokenResponse(as: AuthorizationServer, cli
  * @param redirectUri `redirect_uri` value used in the authorization request.
  * @param codeVerifier PKCE `code_verifier` to send to the token endpoint.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processAuthorizationCodeResponse}
+ *   with
+ *
  * @group Authorization Code Grant
  * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#CodeFlowAuth)
  * @see [RFC 7636 - Proof Key for Code Exchange (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
  * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
@@ -1696,7 +1756,7 @@ export interface ProcessAuthorizationCodeResponseOptions extends JWEDecryptOptio
  * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#CodeFlowAuth)
  */
 export declare function processAuthorizationCodeResponse(as: AuthorizationServer, client: Client, response: Response, options?: ProcessAuthorizationCodeResponseOptions): Promise<TokenEndpointResponse>;
 /**
@@ -1836,6 +1896,9 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  * @param client Client Metadata.
  * @param clientAuthentication Client Authentication Method.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processClientCredentialsResponse}
+ *   with
+ *
  * @group Client Credentials Grant
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
@@ -1852,6 +1915,9 @@ export declare function clientCredentialsGrantRequest(as: AuthorizationServer, c
  * @param clientAuthentication Client Authentication Method.
  * @param grantType Grant Type.
  *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processGenericTokenEndpointResponse} with
+ *
  * @group JWT Bearer Token Grant Type
  * @group SAML 2.0 Bearer Assertion Grant Type
  * @group Token Exchange Grant Type
@@ -1911,6 +1977,8 @@ export interface RevocationRequestOptions extends HttpRequestOptions<'POST', URL
  * @param token Token to revoke. You can provide the `token_type_hint` parameter via
  *   {@link RevocationRequestOptions.additionalParameters options}.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processRevocationResponse} with
+ *
  * @group Token Revocation
  *
  * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2)
@@ -1956,6 +2024,8 @@ export interface IntrospectionRequestOptions extends HttpRequestOptions<'POST',
  * @param token Token to introspect. You can provide the `token_type_hint` parameter via
  *   {@link IntrospectionRequestOptions.additionalParameters options}.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processIntrospectionResponse} with
+ *
  * @group Token Introspection
  *
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
@@ -2024,7 +2094,7 @@ export type JweDecryptFunction = (jwe: string) => Promise<string>;
  * @group FAPI 2.0 Message Signing
  * @group FAPI 1.0 Advanced
  *
- * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
+ * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm-final.html)
  */
 export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise<URLSearchParams>;
 /**
@@ -2048,7 +2118,7 @@ export declare function validateJwtAuthResponse(as: AuthorizationServer, client:
  *
  * @group FAPI 1.0 Advanced
  *
- * @see [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html#id-token-as-detached-signature)
+ * @see [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0-final.html#id-token-as-detached-signature)
  */
 export declare function validateDetachedSignatureResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL | Request, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise<URLSearchParams>;
 /**
@@ -2072,7 +2142,7 @@ export declare function validateDetachedSignatureResponse(as: AuthorizationServe
  * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#HybridFlowAuth)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#HybridFlowAuth)
  */
 export declare function validateCodeIdTokenResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL | Request, expectedNonce: string, expectedState?: string | typeof expectNoState, maxAge?: number | typeof skipAuthTimeCheck, options?: ValidateSignatureOptions & JWEDecryptOptions): Promise<URLSearchParams>;
 /**
@@ -2109,7 +2179,7 @@ export declare const expectNoState: unique symbol;
  * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2)
- * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
+ * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0-errata2.html#CodeFlowAuth)
  * @see [RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
  */
 export declare function validateAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck): URLSearchParams;
@@ -2124,6 +2194,9 @@ export interface DeviceAuthorizationRequestOptions extends HttpRequestOptions<'P
  * @param clientAuthentication Client Authentication Method.
  * @param parameters Device Authorization Request parameters.
  *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processDeviceAuthorizationResponse} with
+ *
  * @group Device Authorization Grant
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1)
@@ -2187,6 +2260,8 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  *   {@link DeviceAuthorizationResponse.device_code `device_code`} retrieved from
  *   {@link processDeviceAuthorizationResponse}.
  *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processDeviceCodeResponse} with
+ *
  * @group Device Authorization Grant
  *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
@@ -2303,9 +2378,12 @@ export interface BackchannelAuthenticationRequestOptions extends HttpRequestOpti
  * @param clientAuthentication Client Authentication Method.
  * @param parameters Backchannel Authentication Request parameters.
  *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processBackchannelAuthenticationResponse} with
+ *
  * @group Client-Initiated Backchannel Authentication (CIBA)
  *
- * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request)
+ * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html#auth_request)
  */
 export declare function backchannelAuthenticationRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, parameters: URLSearchParams | Record<string, string> | string[][], options?: BackchannelAuthenticationRequestOptions): Promise<Response>;
 export interface BackchannelAuthenticationResponse {
@@ -2338,7 +2416,7 @@ export interface BackchannelAuthenticationResponse {
  *
  * @group Client-Initiated Backchannel Authentication (CIBA)
  *
- * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request)
+ * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html#auth_request)
  */
 export declare function processBackchannelAuthenticationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<BackchannelAuthenticationResponse>;
 /**
@@ -2352,9 +2430,12 @@ export declare function processBackchannelAuthenticationResponse(as: Authorizati
  *   {@link BackchannelAuthenticationResponse.auth_req_id `auth_req_id`} retrieved from
  *   {@link processBackchannelAuthenticationResponse}.
  *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processBackchannelAuthenticationGrantResponse} with
+ *
  * @group Client-Initiated Backchannel Authentication (CIBA)
  *
- * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#token_request)
+ * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html#token_request)
  * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function backchannelAuthenticationGrantRequest(as: AuthorizationServer, client: Client, clientAuthentication: ClientAuth, authReqId: string, options?: TokenEndpointRequestOptions): Promise<Response>;
@@ -2372,7 +2453,7 @@ export declare function backchannelAuthenticationGrantRequest(as: AuthorizationS
  *
  * @group Client-Initiated Backchannel Authentication (CIBA)
  *
- * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#token_request)
+ * @see [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0-final.html#token_request)
  */
 export declare function processBackchannelAuthenticationGrantResponse(as: AuthorizationServer, client: Client, response: Response, options?: JWEDecryptOptions): Promise<TokenEndpointResponse>;
 /**
@@ -2393,6 +2474,13 @@ export interface DynamicClientRegistrationRequestOptions extends HttpRequestOpti
  * {@link AuthorizationServer.registration_endpoint `as.registration_endpoint`} using the provided
  * client metadata.
  *
+ * @param as Authorization Server Metadata.
+ * @param metadata Requested Client Metadata.
+ * @param options
+ *
+ * @returns Resolves with a {@link !Response} to then invoke
+ *   {@link processDynamicClientRegistrationResponse} with
+ *
  * @group Dynamic Client Registration (DCR)
  *
  * @see [RFC 7591 - OAuth 2.0 Dynamic Client Registration Protocol (DCR)](https://www.rfc-editor.org/rfc/rfc7591.html#section-3.1)
@@ -2416,4 +2504,113 @@ export declare function dynamicClientRegistrationRequest(as: AuthorizationServer
  * @see [OpenID Connect Dynamic Client Registration 1.0 (DCR)](https://openid.net/specs/openid-connect-registration-1_0-errata2.html#RegistrationResponse)
  */
 export declare function processDynamicClientRegistrationResponse(response: Response): Promise<OmitSymbolProperties<Client>>;
+/**
+ * Protected Resource Server Metadata
+ *
+ * @group Resource Server Metadata
+ *
+ * @see [IANA OAuth Protected Resource Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#protected-resource-server-metadata)
+ */
+export interface ResourceServer {
+    /**
+     * Resource server's Resource Identifier URL.
+     */
+    readonly resource: string;
+    /**
+     * JSON array containing a list of OAuth authorization server issuer identifiers
+     */
+    readonly authorization_servers?: string[];
+    /**
+     * URL of the protected resource's JWK Set document
+     */
+    readonly jwks_uri?: string;
+    /**
+     * JSON array containing a list of the OAuth 2.0 scope values that are used in authorization
+     * requests to request access to this protected resource
+     */
+    readonly scopes_supported?: string[];
+    /**
+     * JSON array containing a list of the OAuth 2.0 Bearer Token presentation methods that this
+     * protected resource supports
+     */
+    readonly bearer_methods_supported?: string[];
+    /**
+     * JSON array containing a list of the JWS signing algorithms (alg values) supported by the
+     * protected resource for signed content
+     */
+    readonly resource_signing_alg_values_supported?: string[];
+    /**
+     * Human-readable name of the protected resource
+     */
+    readonly resource_name?: string;
+    /**
+     * URL of a page containing human-readable information that developers might want or need to know
+     * when using the protected resource
+     */
+    readonly resource_documentation?: string;
+    /**
+     * URL of a page containing human-readable information about the protected resource's requirements
+     * on how the client can use the data provided by the protected resource
+     */
+    readonly resource_policy_uri?: string;
+    /**
+     * URL of a page containing human-readable information about the protected resource's terms of
+     * service
+     */
+    readonly resource_tos_uri?: string;
+    /**
+     * Boolean value indicating protected resource support for mutual-TLS client certificate-bound
+     * access tokens
+     */
+    readonly tls_client_certificate_bound_access_tokens?: boolean;
+    /**
+     * JSON array containing a list of the authorization details type values supported by the resource
+     * server when the authorization_details request parameter is used
+     */
+    readonly authorization_details_types_supported?: boolean;
+    /**
+     * JSON array containing a list of the JWS alg values supported by the resource server for
+     * validating DPoP proof JWTs
+     */
+    readonly dpop_signing_alg_values_supported?: boolean;
+    /**
+     * Boolean value specifying whether the protected resource always requires the use of DPoP-bound
+     * access tokens
+     */
+    readonly dpop_bound_access_tokens_required?: boolean;
+    /**
+     * Signed JWT containing metadata parameters about the protected resource as claims
+     */
+    readonly signed_metadata?: string;
+    readonly [metadata: string]: JsonValue | undefined;
+}
+/**
+ * Performs a protected resource metadata discovery.
+ *
+ * @param resourceIdentifier Protected resource's resource identifier to resolve the well-known
+ *   discovery URI for
+ *
+ * @returns Resolves with a {@link !Response} to then invoke {@link processResourceDiscoveryResponse}
+ *   with
+ *
+ * @group Resource Server Metadata
+ *
+ * @see [RFC-to-be 9728 - OAuth 2.0 Protected Resource Metadata](https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-13.html#name-protected-resource-metadata-)
+ */
+export declare function resourceDiscoveryRequest(resourceIdentifier: URL, options?: HttpRequestOptions<'GET'>): Promise<Response>;
+/**
+ * Validates {@link !Response} instance to be one coming from the resource server's well-known
+ * discovery endpoint.
+ *
+ * @param expectedResourceIdentifier Expected Resource Identifier value.
+ * @param response Resolved value from {@link resourceDiscoveryRequest} or from a general
+ *   {@link !fetch} following {@link WWWAuthenticateChallengeParameters.resource_metadata}.
+ *
+ * @returns Resolves with the discovered Resource Server Metadata.
+ *
+ * @group Resource Server Metadata
+ *
+ * @see [RFC-to-be 9728 - OAuth 2.0 Protected Resource Metadata](https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-13.html#name-protected-resource-metadata-r)
+ */
+export declare function processResourceDiscoveryResponse(expectedResourceIdentifier: URL, response: Response): Promise<ResourceServer>;
 export {};