/** * @dotdo/oauth - OAuth 2.1 Server Implementation * * Creates a Hono app that implements OAuth 2.1 authorization server endpoints: * - /.well-known/oauth-authorization-server (RFC 8414) * - /.well-known/oauth-protected-resource (draft-ietf-oauth-resource-metadata) * - /.well-known/jwks.json (JWKS endpoint) * - /authorize (authorization endpoint) * - /callback (upstream OAuth callback) * - /token (token endpoint) * - /introspect (token introspection - RFC 7662) * - /register (dynamic client registration - RFC 7591) * - /revoke (token revocation - RFC 7009) * * This server acts as a federated OAuth 2.1 server: * - It is an OAuth SERVER to downstream clients (Claude, ChatGPT, etc.) * - It is an OAuth CLIENT to upstream providers (WorkOS, Auth0, etc.) */ import { Hono } from 'hono'; import type { OAuthStorage } from './storage.js'; import type { OAuthUser, UpstreamOAuthConfig } from './types.js'; import { type DevModeConfig, type TestHelpers } from './dev.js'; import type { SigningKeyManager } from './jwt-signing.js'; /** * Configuration for the OAuth 2.1 server */ export interface OAuth21ServerConfig { /** Server issuer URL (e.g., https://mcp.do) */ issuer: string; /** Storage backend for users, clients, tokens */ storage: OAuthStorage; /** Upstream OAuth provider configuration (optional if devMode enabled) */ upstream?: UpstreamOAuthConfig; /** Development mode configuration (no upstream provider needed) */ devMode?: DevModeConfig; /** Supported scopes */ scopes?: string[]; /** Access token lifetime in seconds (default: 3600) */ accessTokenTtl?: number; /** Refresh token lifetime in seconds (default: 2592000 = 30 days) */ refreshTokenTtl?: number; /** Authorization code lifetime in seconds (default: 600 = 10 minutes) */ authCodeTtl?: number; /** Enable dynamic client registration */ enableDynamicRegistration?: boolean; /** Callback after successful user authentication */ onUserAuthenticated?: (user: OAuthUser) => void | Promise; /** Enable debug logging */ debug?: boolean; /** Allowed CORS origins (default: issuer origin only in production, '*' in dev mode) */ allowedOrigins?: string[]; /** * Signing key manager for JWT access tokens (optional) * If provided, access tokens will be signed JWTs instead of opaque tokens. * This enables the JWKS and introspection endpoints. */ signingKeyManager?: SigningKeyManager; /** * Use JWT access tokens instead of opaque tokens (default: false) * Requires signingKeyManager to be set, or will auto-create one in memory. */ useJwtAccessTokens?: boolean; } /** * Extended Hono app with test helpers and signing key manager */ export interface OAuth21Server extends Hono { /** Test helpers for E2E testing (only available in devMode) */ testHelpers?: TestHelpers; /** Signing key manager (available if useJwtAccessTokens is enabled) */ signingKeyManager?: SigningKeyManager; } /** * Create an OAuth 2.1 server as a Hono app * * @example * ```typescript * import { createOAuth21Server, MemoryOAuthStorage } from '@dotdo/oauth' * * const oauthServer = createOAuth21Server({ * issuer: 'https://mcp.do', * storage: new MemoryOAuthStorage(), * upstream: { * provider: 'workos', * apiKey: env.WORKOS_API_KEY, * clientId: env.WORKOS_CLIENT_ID, * }, * }) * * // Mount on your main app * app.route('/', oauthServer) * ``` * * @example Development mode (no upstream provider) * ```typescript * const oauthServer = createOAuth21Server({ * issuer: 'https://test.mcp.do', * storage: new MemoryOAuthStorage(), * devMode: { * enabled: true, * users: [ * { id: 'test-user', email: 'test@example.com', password: 'test123' } * ], * allowAnyCredentials: true, // Create users on the fly * }, * }) * * // Access test helpers for Playwright * const { accessToken } = await oauthServer.testHelpers.getAccessToken('user-id', 'client-id') * ``` */ export declare function createOAuth21Server(config: OAuth21ServerConfig): OAuth21Server; export { verifyJWT, decodeJWT, isJWTExpired, clearJWKSCache } from './jwt.js'; export type { JWTVerifyResult, JWTVerifyOptions, JWTPayload, JWTHeader } from './jwt.js'; //# sourceMappingURL=server.d.ts.map