feat: add Client-Initiated Backchannel Authentication

Author: panva

README.md

@@ -10,7 +10,7 @@ The following features are currently in scope and implemented in this software:
 
 - Authorization Server Metadata discovery
 - Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
-- Refresh Token, Device Authorization, and Client Credentials Grants
+- Refresh Token, Device Authorization, Client-Initiated Backchannel Authentication, and Client Credentials Grants
 - Demonstrating Proof-of-Possession at the Application Layer (DPoP)
 - Token Introspection and Revocation
 - Pushed Authorization Requests (PAR)

docs/README.md

@@ -57,6 +57,13 @@ Support from the community to continue maintaining and improving this module is
 - [clientCredentialsGrantRequest](functions/clientCredentialsGrantRequest.md)
 - [processClientCredentialsResponse](functions/processClientCredentialsResponse.md)
 
+## Client-Initiated Backchannel Authentication
+
+- [backchannelAuthenticationGrantRequest](functions/backchannelAuthenticationGrantRequest.md)
+- [backchannelAuthenticationRequest](functions/backchannelAuthenticationRequest.md)
+- [processBackchannelAuthenticationGrantResponse](functions/processBackchannelAuthenticationGrantResponse.md)
+- [processBackchannelAuthenticationResponse](functions/processBackchannelAuthenticationResponse.md)
+
 ## DPoP
 
 - [DPoP](functions/DPoP.md)
@@ -184,6 +191,8 @@ Support from the community to continue maintaining and improving this module is
 
 - [AuthorizationDetails](interfaces/AuthorizationDetails.md)
 - [AuthorizationServer](interfaces/AuthorizationServer.md)
+- [BackchannelAuthenticationRequestOptions](interfaces/BackchannelAuthenticationRequestOptions.md)
+- [BackchannelAuthenticationResponse](interfaces/BackchannelAuthenticationResponse.md)
 - [Client](interfaces/Client.md)
 - [ClientCredentialsGrantRequestOptions](interfaces/ClientCredentialsGrantRequestOptions.md)
 - [ConfirmationClaims](interfaces/ConfirmationClaims.md)

docs/functions/backchannelAuthenticationGrantRequest.md

@@ -0,0 +1,31 @@
+# Function: backchannelAuthenticationGrantRequest()
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+▸ **backchannelAuthenticationGrantRequest**(`as`, `client`, `clientAuthentication`, `authReqId`, `options`?): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+Performs a Backchannel Authentication Grant request at the
+[`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
+
+## Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
+| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
+| `clientAuthentication` | [`ClientAuth`](../type-aliases/ClientAuth.md) | Client Authentication Method. |
+| `authReqId` | `string` | Unique identifier to identify the authentication request. This is the [`auth_req_id`](../interfaces/BackchannelAuthenticationResponse.md#auth_req_id) retrieved from [processBackchannelAuthenticationResponse](processBackchannelAuthenticationResponse.md). |
+| `options`? | [`TokenEndpointRequestOptions`](../interfaces/TokenEndpointRequestOptions.md) | - |
+
+## Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+## See
+
+ - [OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#token_request)
+ - [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)

docs/functions/backchannelAuthenticationRequest.md

@@ -0,0 +1,30 @@
+# Function: backchannelAuthenticationRequest()
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+▸ **backchannelAuthenticationRequest**(`as`, `client`, `clientAuthentication`, `parameters`, `options`?): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+Performs a Backchannel Authentication Request at the
+[`as.backchannel_authentication_endpoint`](../interfaces/AuthorizationServer.md#backchannel_authentication_endpoint).
+
+## Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
+| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
+| `clientAuthentication` | [`ClientAuth`](../type-aliases/ClientAuth.md) | Client Authentication Method. |
+| `parameters` | [`Record`](https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type)\<`string`, `string`\> \| [`URLSearchParams`](https://developer.mozilla.org/docs/Web/API/URLSearchParams) \| `string`[][] | Backchannel Authentication Request parameters. |
+| `options`? | [`BackchannelAuthenticationRequestOptions`](../interfaces/BackchannelAuthenticationRequestOptions.md) | - |
+
+## Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+## See
+
+[OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request)

docs/functions/deviceCodeGrantRequest.md

@@ -18,7 +18,7 @@ Performs a Device Authorization Grant request at the
 | `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
 | `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
 | `clientAuthentication` | [`ClientAuth`](../type-aliases/ClientAuth.md) | Client Authentication Method. |
-| `deviceCode` | `string` | Device Code. |
+| `deviceCode` | `string` | Device Code. This is the [`device_code`](../interfaces/DeviceAuthorizationResponse.md#device_code) retrieved from [processDeviceAuthorizationResponse](processDeviceAuthorizationResponse.md). |
 | `options`? | [`TokenEndpointRequestOptions`](../interfaces/TokenEndpointRequestOptions.md) | - |
 
 ## Returns

docs/functions/processBackchannelAuthenticationGrantResponse.md

@@ -0,0 +1,33 @@
+# Function: processBackchannelAuthenticationGrantResponse()
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+▸ **processBackchannelAuthenticationGrantResponse**(`as`, `client`, `response`, `options`?): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md)\>
+
+Validates Backchannel Authentication Grant [Response](https://developer.mozilla.org/docs/Web/API/Response) instance to be one coming from the
+[`as.token_endpoint`](../interfaces/AuthorizationServer.md#token_endpoint).
+
+## Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
+| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
+| `response` | [`Response`](https://developer.mozilla.org/docs/Web/API/Response) | Resolved value from [backchannelAuthenticationGrantRequest](backchannelAuthenticationGrantRequest.md). |
+| `options`? | [`JWEDecryptOptions`](../interfaces/JWEDecryptOptions.md) | - |
+
+## Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`TokenEndpointResponse`](../interfaces/TokenEndpointResponse.md)\>
+
+Resolves with an object representing the parsed successful response. OAuth 2.0 protocol
+  style errors are rejected using [ResponseBodyError](../classes/ResponseBodyError.md). WWW-Authenticate HTTP Header
+  challenges are rejected with [WWWAuthenticateChallengeError](../classes/WWWAuthenticateChallengeError.md).
+
+## See
+
+[OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#token_request)

docs/functions/processBackchannelAuthenticationResponse.md

@@ -0,0 +1,32 @@
+# Function: processBackchannelAuthenticationResponse()
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+▸ **processBackchannelAuthenticationResponse**(`as`, `client`, `response`): [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`BackchannelAuthenticationResponse`](../interfaces/BackchannelAuthenticationResponse.md)\>
+
+Validates [Response](https://developer.mozilla.org/docs/Web/API/Response) instance to be one coming from the
+[`as.backchannel_authentication_endpoint`](../interfaces/AuthorizationServer.md#backchannel_authentication_endpoint).
+
+## Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server Metadata. |
+| `client` | [`Client`](../interfaces/Client.md) | Client Metadata. |
+| `response` | [`Response`](https://developer.mozilla.org/docs/Web/API/Response) | Resolved value from [backchannelAuthenticationRequest](backchannelAuthenticationRequest.md). |
+
+## Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`BackchannelAuthenticationResponse`](../interfaces/BackchannelAuthenticationResponse.md)\>
+
+Resolves with an object representing the parsed successful response. OAuth 2.0 protocol
+  style errors are rejected using [ResponseBodyError](../classes/ResponseBodyError.md). WWW-Authenticate HTTP Header
+  challenges are rejected with [WWWAuthenticateChallengeError](../classes/WWWAuthenticateChallengeError.md).
+
+## See
+
+[OpenID Connect Client-Initiated Backchannel Authentication](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#auth_request)

docs/interfaces/BackchannelAuthenticationRequestOptions.md

@@ -0,0 +1,61 @@
+# Interface: BackchannelAuthenticationRequestOptions
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+## Properties
+
+### ~~\[allowInsecureRequests\]?~~
+
+• `optional` **\[allowInsecureRequests\]**: `boolean`
+
+See [allowInsecureRequests](../variables/allowInsecureRequests.md).
+
+#### Deprecated
+
+***
+
+### \[customFetch\]()?
+
+• `optional` **\[customFetch\]**: (`url`, `options`) => [`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+See [customFetch](../variables/customFetch.md).
+
+#### Parameters
+
+| Parameter | Type | Description |
+| ------ | ------ | ------ |
+| `url` | `string` | URL the request is being made sent to [fetch](https://developer.mozilla.org/docs/Web/API/Window/fetch) as the `resource` argument |
+| `options` | [`CustomFetchOptions`](CustomFetchOptions.md)\<`"POST"`, [`URLSearchParams`](https://developer.mozilla.org/docs/Web/API/URLSearchParams)\> | Options otherwise sent to [fetch](https://developer.mozilla.org/docs/Web/API/Window/fetch) as the `options` argument |
+
+#### Returns
+
+[`Promise`](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)\<[`Response`](https://developer.mozilla.org/docs/Web/API/Response)\>
+
+***
+
+### headers?
+
+• `optional` **headers**: [`Record`](https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type)\<`string`, `string`\> \| [`string`, `string`][] \| [`Headers`](https://developer.mozilla.org/docs/Web/API/Headers)
+
+Headers to additionally send with the HTTP request(s) triggered by this function's invocation.
+
+***
+
+### signal?
+
+• `optional` **signal**: [`AbortSignal`](https://developer.mozilla.org/docs/Web/API/AbortSignal) \| () => [`AbortSignal`](https://developer.mozilla.org/docs/Web/API/AbortSignal)
+
+An AbortSignal instance, or a factory returning one, to abort the HTTP request(s) triggered by
+this function's invocation.
+
+#### Example
+
+A 5000ms timeout AbortSignal for every request
+
+```js
+let signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
+```

docs/interfaces/BackchannelAuthenticationResponse.md

@@ -0,0 +1,36 @@
+# Interface: BackchannelAuthenticationResponse
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+***
+
+## Indexable
+
+ \[`parameter`: `string`\]: `undefined` \| [`JsonValue`](../type-aliases/JsonValue.md)
+
+## Properties
+
+### auth\_req\_id
+
+• `readonly` **auth\_req\_id**: `string`
+
+Unique identifier to identify the authentication request.
+
+***
+
+### expires\_in
+
+• `readonly` **expires\_in**: `number`
+
+The lifetime in seconds of the "auth_req_id"
+
+***
+
+### interval?
+
+• `readonly` `optional` **interval**: `number`
+
+The minimum amount of time in seconds that the client should wait between polling requests to
+the token endpoint.

examples/backchannel_authentication_grant.ts

@@ -0,0 +1,85 @@
+import * as oauth from 'oauth4webapi'
+
+// Prerequisites
+
+let issuer!: URL // Authorization server's Issuer Identifier URL
+let algorithm!:
+  | 'oauth2' /* For .well-known/oauth-authorization-server discovery */
+  | 'oidc' /* For .well-known/openid-configuration discovery */
+  | undefined /* Defaults to 'oidc' */
+let client_id!: string
+
+// End of prerequisites
+
+const as = await oauth
+  .discoveryRequest(issuer, { algorithm })
+  .then((response) => oauth.processDiscoveryResponse(issuer, response))
+
+const client: oauth.Client = { client_id }
+const clientAuth = oauth.None()
+
+let auth_req_id: string
+let interval: number
+
+// Backchannel Authentication Request & Response
+{
+  const parameters = new URLSearchParams()
+  parameters.set('scope', 'openid')
+
+  const response = await oauth.backchannelAuthenticationRequest(as, client, clientAuth, parameters)
+
+  const result = await oauth.processBackchannelAuthenticationResponse(as, client, response)
+
+  console.log('Backchannel Authentication Response', result)
+  ;({ auth_req_id, interval = 5 } = result)
+}
+
+// Backchannel Authentication Grant Request & Response
+let access_token: string
+let sub: string
+{
+  let success: oauth.TokenEndpointResponse | undefined = undefined
+  function wait() {
+    return new Promise((resolve) => {
+      setTimeout(resolve, interval * 1000)
+    })
+  }
+
+  while (success === undefined) {
+    await wait()
+    const response = await oauth.backchannelAuthenticationGrantRequest(
+      as,
+      client,
+      clientAuth,
+      auth_req_id,
+    )
+
+    success = await oauth
+      .processBackchannelAuthenticationGrantResponse(as, client, response)
+      .catch((err) => {
+        if (err instanceof oauth.ResponseBodyError) {
+          switch (err.error) {
+            case 'slow_down':
+              interval += 5
+            case 'authorization_pending':
+              return undefined
+          }
+        }
+        throw err
+      })
+  }
+
+  console.log('Access Token Response', success)
+  ;({ access_token } = success)
+  const claims = oauth.getValidatedIdTokenClaims(success)!
+  console.log('ID Token Claims', claims)
+  ;({ sub } = claims)
+}
+
+// UserInfo Request
+{
+  const response = await oauth.userInfoRequest(as, client, access_token)
+
+  const result = await oauth.processUserInfoResponse(as, client, sub, response)
+  console.log('UserInfo Response', result)
+}