diff --git a/examples/oauth.ts b/examples/jar.ts index d55e62d..456e1fb 100644 --- a/examples/oauth.ts +++ b/examples/jar.ts @@ -15,6 +15,11 @@ let client_secret!: string * Server. */ let redirect_uri!: string +/** + * A key that is pre-registered at the Authorization Server that the client is supposed to sign its + * Request Objects with. + */ +let jarPrivateKey!: oauth.CryptoKey // End of prerequisites @@ -35,15 +40,16 @@ const code_verifier = oauth.generateRandomCodeVerifier() const code_challenge = await oauth.calculatePKCECodeChallenge(code_verifier) let state: string | undefined +// Signed Request Object (JAR) +let request: string { - // redirect user to as.authorization_endpoint - const authorizationUrl = new URL(as.authorization_endpoint!) - authorizationUrl.searchParams.set('client_id', client.client_id) - authorizationUrl.searchParams.set('redirect_uri', redirect_uri) - authorizationUrl.searchParams.set('response_type', 'code') - authorizationUrl.searchParams.set('scope', 'api:read') - authorizationUrl.searchParams.set('code_challenge', code_challenge) - authorizationUrl.searchParams.set('code_challenge_method', code_challenge_method) + const params = new URLSearchParams() + params.set('client_id', client.client_id) + params.set('redirect_uri', redirect_uri) + params.set('response_type', 'code') + params.set('scope', 'api:read') + params.set('code_challenge', code_challenge) + params.set('code_challenge_method', code_challenge_method) /** * We cannot be sure the AS supports PKCE so we're going to use state too. Use of PKCE is @@ -51,9 +57,18 @@ let state: string | undefined */ if (as.code_challenge_methods_supported?.includes('S256') !== true) { state = oauth.generateRandomState() - authorizationUrl.searchParams.set('state', state) + params.set('state', state) } + request = await oauth.issueRequestObject(as, client, params, jarPrivateKey) +} + +{ + // redirect user to as.authorization_endpoint + const authorizationUrl = new URL(as.authorization_endpoint!) + authorizationUrl.searchParams.set('client_id', client.client_id) + authorizationUrl.searchParams.set('request', request) + // now redirect the user to authorizationUrl.href }