stricter PRM check overridable w/ OAuthClientProvider.validateProtectedResourceMetadata

ochafik · ochafik · commit 4b3db9bbebb1 · 2025-06-18T15:06:16.000+01:00
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -72,6 +72,13 @@ export interface OAuthClientProvider {
    * the authorization result.
    */
   codeVerifier(): string | Promise<string>;
+
+  /**
+   * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
+   *
+   * Implementations must verify the provider
+   */
+  validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
 }
 
 export type AuthResult = "AUTHORIZED" | "REDIRECT";
@@ -109,11 +116,13 @@ export async function auth(
   } catch (error) {
     console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
   }
-  if (resourceMetadata) {
+  if (provider.validateProtectedResourceMetadata) {
+    await provider.validateProtectedResourceMetadata(resourceMetadata);
+  } else if (resourceMetadata) {
     if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
       authorizationServerUrl = resourceMetadata.authorization_servers[0];
     }
-    if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {
+    if (resourceMetadata.resource !== resource.href) {
       throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,13 @@ export interface OAuthClientProvider {`
`72`	`72`	`* the authorization result.`
`73`	`73`	`*/`
`74`	`74`	`codeVerifier(): string \| Promise<string>;`
	`75`	`+`
	`76`	`+ /**`
	`77`	`+ * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).`
	`78`	`+ *`
	`79`	`+ * Implementations must verify the provider`
	`80`	`+ */`
	`81`	`+ validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;`
`75`	`82`	`}`
`76`	`83`
`77`	`84`	`export type AuthResult = "AUTHORIZED" \| "REDIRECT";`
`@@ -109,11 +116,13 @@ export async function auth(`
`109`	`116`	`} catch (error) {`
`110`	`117`	`console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)`
`111`	`118`	`}`
`112`		`- if (resourceMetadata) {`
	`119`	`+ if (provider.validateProtectedResourceMetadata) {`
	`120`	`+ await provider.validateProtectedResourceMetadata(resourceMetadata);`
	`121`	`+ } else if (resourceMetadata) {`
`113`	`122`	`if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {`
`114`	`123`	`authorizationServerUrl = resourceMetadata.authorization_servers[0];`
`115`	`124`	`}`
`116`		`- if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {`
	`125`	`+ if (resourceMetadata.resource !== resource.href) {`
`117`	`126`	throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
`118`	`127`	`}`
`119`	`128`	`}`