feat: add support for Dynamic Client Registration

panva · panva · commit 15f69538d671 · 2025-04-03T17:44:07.000+02:00
diff --git a/docs/README.md b/docs/README.md
@@ -69,6 +69,10 @@ Support from the community to continue maintaining and improving this module is
 - [getDPoPHandle](functions/getDPoPHandle.md)
 - [randomDPoPKeyPair](functions/randomDPoPKeyPair.md)
 
+## Dynamic Client Registration
+
+- [dynamicClientRegistration](functions/dynamicClientRegistration.md)
+
 ## OpenID Connect 1.0
 
 - [authorizationCodeGrant](functions/authorizationCodeGrant.md)
@@ -110,6 +114,7 @@ Support from the community to continue maintaining and improving this module is
 - [DiscoveryRequestOptions](interfaces/DiscoveryRequestOptions.md)
 - [DPoPHandle](interfaces/DPoPHandle.md)
 - [DPoPOptions](interfaces/DPoPOptions.md)
+- [DynamicClientRegistrationRequestOptions](interfaces/DynamicClientRegistrationRequestOptions.md)
 - [ExportedJWKSCache](interfaces/ExportedJWKSCache.md)
 - [GenerateKeyPairOptions](interfaces/GenerateKeyPairOptions.md)
 - [IDToken](interfaces/IDToken.md)
@@ -138,6 +143,7 @@ Support from the community to continue maintaining and improving this module is
 - [JsonPrimitive](type-aliases/JsonPrimitive.md)
 - [JsonValue](type-aliases/JsonValue.md)
 - [JWSAlgorithm](type-aliases/JWSAlgorithm.md)
+- [OmitSymbolProperties](type-aliases/OmitSymbolProperties.md)
 
 ## Variables
 
diff --git a/docs/functions/dynamicClientRegistration.md b/docs/functions/dynamicClientRegistration.md
@@ -0,0 +1,31 @@
+# Function: dynamicClientRegistration()
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+▸ **dynamicClientRegistration**(`server`, `metadata`, `clientAuthentication`?, `options`?): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Configuration`](../classes/Configuration.md)\>
+
+Performs Authorization Server Metadata discovery and subsequently a Dynamic
+Client Registration at the discovered Authorization Server's
+[ServerMetadata.registration\_endpoint](../interfaces/ServerMetadata.md#registration_endpoint) using the provided client
+metadata.
+
+Note: This method also accepts a URL pointing directly to the Authorization
+Server's discovery document. Doing so is NOT RECOMMENDED as it disables the
+[ServerMetadata.issuer](../interfaces/ServerMetadata.md#issuer) validation.
+
+## Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `server` | [`URL`](https://developer.mozilla.org/docs/Web/API/URL) | URL representation of the Authorization Server's Issuer Identifier |
+| `metadata` | [`Partial`](https://www.typescriptlang.org/docs/handbook/utility-types.html#partialtype)\<[`ClientMetadata`](../interfaces/ClientMetadata.md)\> | Client Metadata to register at the Authorization Server |
+| `clientAuthentication`? | [`ClientAuth`](../type-aliases/ClientAuth.md) | Implementation of the Client's Authentication Method at the Authorization Server. Default is [ClientSecretPost](ClientSecretPost.md) using the [ClientMetadata.client\_secret](../interfaces/ClientMetadata.md#client_secret) that the Authorization Server issued. |
+| `options`? | [`DynamicClientRegistrationRequestOptions`](../interfaces/DynamicClientRegistrationRequestOptions.md) |  |
+
+## Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Configuration`](../classes/Configuration.md)\>
diff --git a/docs/interfaces/AuthorizationCodeGrantOptions.md b/docs/interfaces/AuthorizationCodeGrantOptions.md
@@ -13,7 +13,7 @@ Support from the community to continue maintaining and improving this module is
 • `optional` **DPoP**: [`DPoPHandle`](DPoPHandle.md)
 
 DPoP handle to use for requesting a sender-constrained access token.
-Obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
+Usually obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
 
 #### See
 
diff --git a/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md b/docs/interfaces/BackchannelAuthenticationGrantPollOptions.md
@@ -13,7 +13,7 @@ Support from the community to continue maintaining and improving this module is
 • `optional` **DPoP**: [`DPoPHandle`](DPoPHandle.md)
 
 DPoP handle to use for requesting a sender-constrained access token.
-Obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
+Usually obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
 
 #### See
 
diff --git a/docs/interfaces/ConfigurationMethods.md b/docs/interfaces/ConfigurationMethods.md
@@ -10,6 +10,18 @@ Public methods available on a [Configuration](../classes/Configuration.md) insta
 
 ## Methods
 
+### clientMetadata()
+
+▸ **clientMetadata**(): [`Readonly`](https://www.typescriptlang.org/docs/handbook/utility-types.html#readonlytype)\<[`OmitSymbolProperties`](../type-aliases/OmitSymbolProperties.md)\<[`ClientMetadata`](ClientMetadata.md)\>\>
+
+Used to retrieve the Client Metadata
+
+#### Returns
+
+[`Readonly`](https://www.typescriptlang.org/docs/handbook/utility-types.html#readonlytype)\<[`OmitSymbolProperties`](../type-aliases/OmitSymbolProperties.md)\<[`ClientMetadata`](ClientMetadata.md)\>\>
+
+***
+
 ### serverMetadata()
 
 ▸ **serverMetadata**(): [`Readonly`](https://www.typescriptlang.org/docs/handbook/utility-types.html#readonlytype)\<[`ServerMetadata`](ServerMetadata.md)\> & [`ServerMetadataHelpers`](ServerMetadataHelpers.md)
diff --git a/docs/interfaces/DPoPOptions.md b/docs/interfaces/DPoPOptions.md
@@ -13,7 +13,7 @@ Support from the community to continue maintaining and improving this module is
 • `optional` **DPoP**: [`DPoPHandle`](DPoPHandle.md)
 
 DPoP handle to use for requesting a sender-constrained access token.
-Obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
+Usually obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
 
 #### See
 
diff --git a/docs/interfaces/DeviceAuthorizationGrantPollOptions.md b/docs/interfaces/DeviceAuthorizationGrantPollOptions.md
@@ -13,7 +13,7 @@ Support from the community to continue maintaining and improving this module is
 • `optional` **DPoP**: [`DPoPHandle`](DPoPHandle.md)
 
 DPoP handle to use for requesting a sender-constrained access token.
-Obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
+Usually obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
 
 #### See
 
diff --git a/docs/interfaces/DynamicClientRegistrationRequestOptions.md b/docs/interfaces/DynamicClientRegistrationRequestOptions.md
@@ -0,0 +1,136 @@
+# Interface: DynamicClientRegistrationRequestOptions
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+## Properties
+
+### \[customFetch\]?
+
+• `optional` **\[customFetch\]**: [`CustomFetch`](../type-aliases/CustomFetch.md)
+
+Custom [Fetch API](https://developer.mozilla.org/docs/Web/API/Window/fetch) implementation to use for the HTTP Requests
+the client will be making. If this option is used, then the customFetch
+value will be assigned to the resolved [Configuration](../classes/Configuration.md) instance for
+use with all its future individual HTTP requests.
+
+#### See
+
+[customFetch](../variables/customFetch.md)
+
+***
+
+### algorithm?
+
+• `optional` **algorithm**: `"oidc"` \| `"oauth2"`
+
+The issuer transformation algorithm to use. Default is `oidc`.
+
+#### Example
+
+```txt
+Given the Issuer Identifier is https://example.com
+  oidc  => https://example.com/.well-known/openid-configuration
+  oauth => https://example.com/.well-known/oauth-authorization-server
+
+Given the Issuer Identifier is https://example.com/pathname
+  oidc  => https://example.com/pathname/.well-known/openid-configuration
+  oauth => https://example.com/.well-known/oauth-authorization-server/pathname
+```
+
+#### See
+
+ - [OpenID Connect Discovery 1.0 (oidc)](https://openid.net/specs/openid-connect-discovery-1_0.html)
+ - [RFC8414 - OAuth 2.0 Authorization Server Metadata (oauth)](https://www.rfc-editor.org/rfc/rfc8414.html)
+
+***
+
+### DPoP?
+
+• `optional` **DPoP**: [`DPoPHandle`](DPoPHandle.md)
+
+DPoP handle to use for requesting a sender-constrained access token.
+Usually obtained from [getDPoPHandle](../functions/getDPoPHandle.md)
+
+#### See
+
+[RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html)
+
+***
+
+### execute?
+
+• `optional` **execute**: (`config`) => `void`[]
+
+Methods (available list linked below) to execute with the
+[Configuration](../classes/Configuration.md) instance as argument after it is instantiated
+
+Note: Presence of [allowInsecureRequests](../functions/allowInsecureRequests.md) in this option also enables
+the use of insecure HTTP requests for the Authorization Server Metadata
+discovery request itself.
+
+#### Parameters
+
+| Parameter | Type |
+| ------ | ------ |
+| `config` | [`Configuration`](../classes/Configuration.md) |
+
+#### Returns
+
+`void`
+
+#### Example
+
+Disable the HTTPS-only restriction for the discovery call and subsequently
+for all requests made with the resulting [Configuration](../classes/Configuration.md) instance.
+
+```ts
+let server!: URL
+let clientId!: string
+let clientMetadata!:
+  | Partial<client.ClientMetadata>
+  | undefined
+  | string
+let clientAuth!: client.ClientAuth | undefined
+
+let config = await client.discovery(
+  server,
+  clientId,
+  clientMetadata,
+  clientAuth,
+  {
+    execute: [client.allowInsecureRequests],
+  },
+)
+```
+
+#### See
+
+ - [allowInsecureRequests](../functions/allowInsecureRequests.md)
+ - [enableNonRepudiationChecks](../functions/enableNonRepudiationChecks.md)
+ - [useCodeIdTokenResponseType](../functions/useCodeIdTokenResponseType.md)
+ - [enableDetachedSignatureResponseChecks](../functions/enableDetachedSignatureResponseChecks.md)
+ - [useJwtResponseMode](../functions/useJwtResponseMode.md)
+
+***
+
+### initialAccessToken?
+
+• `optional` **initialAccessToken**: `string`
+
+Access token optionally issued by an authorization server used to authorize
+calls to the client registration endpoint.
+
+***
+
+### timeout?
+
+• `optional` **timeout**: `number`
+
+Timeout (in seconds) for the Authorization Server Metadata discovery. If
+this option is used, then the same timeout value will be assigned to the
+resolved [Configuration](../classes/Configuration.md) instance for use with all its future
+individual HTTP requests. Default is `30` (seconds)
diff --git a/docs/type-aliases/OmitSymbolProperties.md b/docs/type-aliases/OmitSymbolProperties.md
@@ -0,0 +1,17 @@
+# Type Alias: OmitSymbolProperties\<T\>
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+• **OmitSymbolProperties**\<`T`\>: `{ [K in keyof T as K extends symbol ? never : K]: T[K] }`
+
+Removes all Symbol properties from a type
+
+## Type Parameters
+
+| Type Parameter |
+| ------ |
+| `T` |
diff --git a/src/index.ts b/src/index.ts
diff --git a/tap/helper.ts b/tap/helper.ts
diff --git a/test/dcr-dpop.test.ts b/test/dcr-dpop.test.ts
