refactor: update the CryptoKey workarounds without affecting docs

conformance/runner.ts

@@ -308,7 +308,7 @@ export const flow = (options?: MacroOptions) => {
         authorizationUrl.searchParams.set('response_type', response_type)
       }
 
-      let DPoP!: oauth.CryptoKeyPairType
+      let DPoP!: oauth.CryptoKeyPair
       if (usesDpop(variant)) {
         DPoP = await oauth.generateKeyPair(JWS_ALGORITHM as oauth.JWSAlgorithm)
         authorizationUrl.searchParams.set(

examples/client_secret_post.diff

@@ -1,8 +1,8 @@
 diff --git a/examples/oauth.ts b/examples/client_secret_post.ts
-index a3b923c..6185acc 100644
+index 6f4b65e..c2a7f6a 100644
 --- a/examples/oauth.ts
 +++ b/examples/client_secret_post.ts
-@@ -24,7 +24,7 @@ const as = await oauth
+@@ -25,7 +25,7 @@ const as = await oauth
  const client: oauth.Client = {
    client_id,
    client_secret,

examples/dpop.diff

@@ -1,8 +1,8 @@
 diff --git a/examples/oauth.ts b/examples/dpop.ts
-index a3b923c..412494c 100644
+index 6f4b65e..ff21863 100644
 --- a/examples/oauth.ts
 +++ b/examples/dpop.ts
-@@ -14,6 +14,12 @@ let client_secret!: string
+@@ -15,6 +15,12 @@ let client_secret!: string
   * Server.
   */
  let redirect_uri!: string
@@ -11,7 +11,7 @@ index a3b923c..412494c 100644
 + * session. In the browser environment you shall use IndexedDB to persist the generated
 + * CryptoKeyPair.
 + */
-+let DPoP!: oauth.CryptoKeyPairType
++let DPoP!: oauth.CryptoKeyPair
 
  // End of prerequisites
 

examples/dpop.ts

@@ -20,7 +20,7 @@ let redirect_uri!: string
  * session. In the browser environment you shall use IndexedDB to persist the generated
  * CryptoKeyPair.
  */
-let DPoP!: oauth.CryptoKeyPairType
+let DPoP!: oauth.CryptoKeyPair
 
 // End of prerequisites
 

examples/fapi1-advanced.diff

@@ -1,13 +1,18 @@
 diff --git a/examples/oauth.ts b/examples/fapi1-advanced.ts
-index a3b923c..32526fa 100644
+index 6f4b65e..6c35755 100644
 --- a/examples/oauth.ts
 +++ b/examples/fapi1-advanced.ts
-@@ -1,3 +1,4 @@
+@@ -1,20 +1,39 @@
 +import * as undici from 'undici'
  import * as oauth from 'oauth4webapi'
-
+ 
  // Prerequisites
-@@ -8,12 +9,30 @@ let algorithm!:
+
+-let getCurrentUrl!: (...args: any) => URL
++let getAuthorizationResponseOrURLWithFragment!: (...args: any) => URL
+ let issuer!: URL // Authorization server's Issuer Identifier URL
+ let algorithm!:
+   | 'oauth2' /* For .well-known/oauth-authorization-server discovery */
    | 'oidc' /* For .well-known/openid-configuration discovery */
    | undefined /* Defaults to 'oidc' */
  let client_id!: string
@@ -30,26 +35,26 @@ index a3b923c..32526fa 100644
 + * A key that is pre-registered at the Authorization Server that the client is supposed to sign its
 + * Request Objects with.
 + */
-+let jarPrivateKey!: oauth.CryptoKeyType
++let jarPrivateKey!: oauth.CryptoKey
 +/**
 + * A key that the client has pre-registered at the Authorization Server for use with Private Key JWT
 + * client authentication method.
 + */
-+let clientPrivateKey!: oauth.CryptoKeyType
-
++let clientPrivateKey!: oauth.CryptoKey
+ 
  // End of prerequisites
-
-@@ -23,8 +42,7 @@ const as = await oauth
-
+ 
+@@ -24,8 +43,7 @@ const as = await oauth
+ 
  const client: oauth.Client = {
    client_id,
 -  client_secret,
 -  token_endpoint_auth_method: 'client_secret_basic',
 +  token_endpoint_auth_method: 'private_key_jwt',
  }
-
+ 
  const code_challenge_method = 'S256'
-@@ -33,39 +51,46 @@ const code_challenge_method = 'S256'
+@@ -34,38 +52,45 @@ const code_challenge_method = 'S256'
   * the code_verifier and nonce in the end-user session such that it can be recovered as the user
   * gets redirected from the authorization server back to your application.
   */
@@ -71,7 +76,7 @@ index a3b923c..32526fa 100644
 +
 +  request = await oauth.issueRequestObject(as, client, params, jarPrivateKey)
 +}
-
+ 
  {
    // redirect user to as.authorization_endpoint
    const authorizationUrl = new URL(as.authorization_endpoint!)
@@ -91,16 +96,15 @@ index a3b923c..32526fa 100644
 -    authorizationUrl.searchParams.set('state', state)
 -  }
 +  authorizationUrl.searchParams.set('request', request)
-
+ 
    // now redirect the user to authorizationUrl.href
  }
-
+ 
  // one eternity later, the user lands back on the redirect_uri
 +// Detached Signature ID Token Validation
  // Authorization Code Grant Request & Response
  let access_token: string
  {
-
 -  const currentUrl: URL = getCurrentUrl()
 -  const params = oauth.validateAuthResponse(as, client, currentUrl, state)
 +  const authorizationResponse: URLSearchParams | URL = getAuthorizationResponseOrURLWithFragment()
@@ -110,7 +114,7 @@ index a3b923c..32526fa 100644
 +    authorizationResponse,
 +    nonce,
 +  )
-
+ 
    const response = await oauth.authorizationCodeGrantRequest(
      as,
 @@ -73,9 +98,26 @@ let access_token: string
@@ -132,13 +136,13 @@ index a3b923c..32526fa 100644
 +      },
 +    },
    )
-
+ 
 -  const result = await oauth.processAuthorizationCodeOAuth2Response(as, client, response)
 +  const result = await oauth.processAuthorizationCodeOpenIDResponse(as, client, response)
 +
 +  // Check ID Token signature for non-repudiation purposes
 +  await oauth.validateIdTokenSignature(as, result)
-
+ 
    console.log('Access Token Response', result)
    ;({ access_token } = result)
 @@ -87,6 +129,21 @@ let access_token: string
@@ -161,5 +165,5 @@ index a3b923c..32526fa 100644
 +      },
 +    },
    )
-
+ 
    console.log('Protected Resource Response', await response.json())

examples/fapi1-advanced.ts

@@ -28,12 +28,12 @@ let mtlsClientCertificate!: string
  * A key that is pre-registered at the Authorization Server that the client is supposed to sign its
  * Request Objects with.
  */
-let jarPrivateKey!: oauth.CryptoKeyType
+let jarPrivateKey!: oauth.CryptoKey
 /**
  * A key that the client has pre-registered at the Authorization Server for use with Private Key JWT
  * client authentication method.
  */
-let clientPrivateKey!: oauth.CryptoKeyType
+let clientPrivateKey!: oauth.CryptoKey
 
 // End of prerequisites
 

examples/fapi2-message-signing.diff

@@ -1,31 +1,31 @@
 diff --git a/examples/fapi2.ts b/examples/fapi2-message-signing.ts
-index ca2ed9b..968eac8 100644
+index 8de0d2e..fe2dc9a 100644
 --- a/examples/fapi2.ts
 +++ b/examples/fapi2-message-signing.ts
-@@ -24,6 +24,11 @@ let DPoP!: oauth.CryptoKeyPairType
+@@ -25,6 +25,11 @@ let DPoP!: oauth.CryptoKeyPair
   * client authentication method.
   */
- let clientPrivateKey!: oauth.CryptoKeyType
+ let clientPrivateKey!: oauth.CryptoKey
 +/**
 + * A key that is pre-registered at the Authorization Server that the client is supposed to sign its
 + * Request Objects with.
 + */
-+let jarPrivateKey!: oauth.CryptoKeyType
-
++let jarPrivateKey!: oauth.CryptoKey
+ 
  // End of prerequisites
-
-@@ -45,8 +50,8 @@ const code_challenge_method = 'S256'
+ 
+@@ -46,8 +51,8 @@ const code_challenge_method = 'S256'
  const code_verifier = oauth.generateRandomCodeVerifier()
  const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier)
-
+ 
 -// Pushed Authorization Request & Response (PAR)
 -let request_uri: string
 +// Signed Request Object (JAR)
 +let request: string
  {
    const params = new URLSearchParams()
    params.set('client_id', client.client_id)
-@@ -54,7 +59,18 @@ let request_uri: string
+@@ -55,7 +60,18 @@ let request_uri: string
    params.set('code_challenge_method', code_challenge_method)
    params.set('redirect_uri', redirect_uri)
    params.set('response_type', 'code')
@@ -42,26 +42,26 @@ index ca2ed9b..968eac8 100644
 +  const params = new URLSearchParams()
 +  params.set('client_id', client.client_id)
 +  params.set('request', request)
-
+ 
    const pushedAuthorizationRequest = () =>
      oauth.pushedAuthorizationRequest(as, client, params, {
-@@ -94,27 +110,30 @@ let access_token: string
+@@ -94,27 +110,30 @@ let request_uri: string
+ let access_token: string
  {
-
    const currentUrl: URL = getCurrentUrl()
 -  const params = oauth.validateAuthResponse(as, client, currentUrl)
 +  const params = await oauth.validateJwtAuthResponse(as, client, currentUrl)
-
+ 
    const authorizationCodeGrantRequest = () =>
      oauth.authorizationCodeGrantRequest(as, client, params, redirect_uri, code_verifier, { DPoP })
-
+ 
    let response = await authorizationCodeGrantRequest()
-
+ 
 -  const processAuthorizationCodeOAuth2Response = () =>
 -    oauth.processAuthorizationCodeOAuth2Response(as, client, response)
 +  const processAuthorizationCodeOpenIDResponse = () =>
 +    oauth.processAuthorizationCodeOpenIDResponse(as, client, response)
-
+ 
 -  let result = await processAuthorizationCodeOAuth2Response().catch(async (err) => {
 +  let result = await processAuthorizationCodeOpenIDResponse().catch(async (err) => {
      if (err instanceof oauth.ResponseBodyError) {
@@ -74,7 +74,7 @@ index ca2ed9b..968eac8 100644
      }
      throw err
    })
-
+ 
 +  // Check ID Token signature for non-repudiation purposes
 +  await oauth.validateIdTokenSignature(as, result)
 +

examples/fapi2-message-signing.ts

@@ -19,17 +19,17 @@ let redirect_uri!: string
  * session. In the browser environment you shall use IndexedDB to persist the generated
  * CryptoKeyPair.
  */
-let DPoP!: oauth.CryptoKeyPairType
+let DPoP!: oauth.CryptoKeyPair
 /**
  * A key that the client has pre-registered at the Authorization Server for use with Private Key JWT
  * client authentication method.
  */
-let clientPrivateKey!: oauth.CryptoKeyType
+let clientPrivateKey!: oauth.CryptoKey
 /**
  * A key that is pre-registered at the Authorization Server that the client is supposed to sign its
  * Request Objects with.
  */
-let jarPrivateKey!: oauth.CryptoKeyType
+let jarPrivateKey!: oauth.CryptoKey
 
 // End of prerequisites
 

examples/fapi2.diff

@@ -1,8 +1,8 @@
 diff --git a/examples/oauth.ts b/examples/fapi2.ts
-index a3b923c..ca2ed9b 100644
+index 6f4b65e..8de0d2e 100644
 --- a/examples/oauth.ts
 +++ b/examples/fapi2.ts
-@@ -8,12 +8,22 @@ let algorithm!:
+@@ -9,12 +9,22 @@ let algorithm!:
    | 'oidc' /* For .well-known/openid-configuration discovery */
    | undefined /* Defaults to 'oidc' */
  let client_id!: string
@@ -17,24 +17,24 @@ index a3b923c..ca2ed9b 100644
 + * session. In the browser environment you shall use IndexedDB to persist the generated
 + * CryptoKeyPair.
 + */
-+let DPoP!: oauth.CryptoKeyPairType
++let DPoP!: oauth.CryptoKeyPair
 +/**
 + * A key that the client has pre-registered at the Authorization Server for use with Private Key JWT
 + * client authentication method.
 + */
-+let clientPrivateKey!: oauth.CryptoKeyType
-
++let clientPrivateKey!: oauth.CryptoKey
+ 
  // End of prerequisites
-
-@@ -23,38 +33,57 @@ const as = await oauth
-
+ 
+@@ -24,38 +34,57 @@ const as = await oauth
+ 
  const client: oauth.Client = {
    client_id,
 -  client_secret,
 -  token_endpoint_auth_method: 'client_secret_basic',
 +  token_endpoint_auth_method: 'private_key_jwt',
  }
-
+ 
  const code_challenge_method = 'S256'
  /**
   * The following MUST be generated for every redirect to the authorization_endpoint. You must store
@@ -80,7 +80,7 @@ index a3b923c..ca2ed9b 100644
 +
 +  ;({ request_uri } = result)
 +}
-
+ 
  {
    // redirect user to as.authorization_endpoint
    const authorizationUrl = new URL(as.authorization_endpoint!)
@@ -100,12 +100,12 @@ index a3b923c..ca2ed9b 100644
 -    authorizationUrl.searchParams.set('state', state)
 -  }
 +  authorizationUrl.searchParams.set('request_uri', request_uri)
-
+ 
    // now redirect the user to authorizationUrl.href
  }
-@@ -65,17 +94,26 @@ let access_token: string
+@@ -65,17 +94,26 @@ let state: string | undefined
+ let access_token: string
  {
-
    const currentUrl: URL = getCurrentUrl()
 -  const params = oauth.validateAuthResponse(as, client, currentUrl, state)
 +  const params = oauth.validateAuthResponse(as, client, currentUrl)
@@ -114,7 +114,7 @@ index a3b923c..ca2ed9b 100644
 +    oauth.authorizationCodeGrantRequest(as, client, params, redirect_uri, code_verifier, { DPoP })
 +
 +  let response = await authorizationCodeGrantRequest()
-
+ 
 -  const response = await oauth.authorizationCodeGrantRequest(
 -    as,
 -    client,
@@ -124,7 +124,7 @@ index a3b923c..ca2ed9b 100644
 -  )
 +  const processAuthorizationCodeOAuth2Response = () =>
 +    oauth.processAuthorizationCodeOAuth2Response(as, client, response)
-
+ 
 -  const result = await oauth.processAuthorizationCodeOAuth2Response(as, client, response)
 +  let result = await processAuthorizationCodeOAuth2Response().catch(async (err) => {
 +    if (err instanceof oauth.ResponseBodyError) {
@@ -136,11 +136,11 @@ index a3b923c..ca2ed9b 100644
 +    }
 +    throw err
 +  })
-
+ 
    console.log('Access Token Response', result)
    ;({ access_token } = result)
 @@ -83,11 +121,29 @@ let access_token: string
-
+ 
  // Protected Resource Request
  {
 -  const response = await oauth.protectedResourceRequest(
@@ -171,6 +171,6 @@ index a3b923c..ca2ed9b 100644
 +    }
 +    throw err
 +  })
-
+ 
    console.log('Protected Resource Response', await response.json())
  }