feat: add experimental support for validating JWT Access Tokens

README.md

@@ -15,6 +15,7 @@ The following features are currently in scope and implemented in this software:
 - UserInfo and Protected Resource Requests
 - Authorization Server Issuer Identification
 - JWT Secured Introspection, Response Mode (JARM), Authorization Request (JAR), and UserInfo
+- Validating incoming JWT Access Tokens
 
 ## [Certification](https://openid.net/certification/faq/)
 

docs/README.md

@@ -67,11 +67,16 @@
 - [experimental\_customFetch](variables/experimental_customFetch.md)
 - [experimental\_useMtlsAlias](variables/experimental_useMtlsAlias.md)
 - [experimental\_validateDetachedSignatureResponse](functions/experimental_validateDetachedSignatureResponse.md)
+- [experimental\_validateJwtAccessToken](functions/experimental_validateJwtAccessToken.md)
 
 ### FAPI 1.0 Advanced
 
 - [experimental\_validateDetachedSignatureResponse](functions/experimental_validateDetachedSignatureResponse.md)
 
+### JWT Access Tokens
+
+- [experimental\_validateJwtAccessToken](functions/experimental_validateJwtAccessToken.md)
+
 ### JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
 
 - [validateJwtAuthResponse](functions/validateJwtAuthResponse.md)
@@ -141,6 +146,7 @@
 - [Client](interfaces/Client.md)
 - [ClientCredentialsGrantRequestOptions](interfaces/ClientCredentialsGrantRequestOptions.md)
 - [ClientCredentialsGrantResponse](interfaces/ClientCredentialsGrantResponse.md)
+- [ConfirmationClaims](interfaces/ConfirmationClaims.md)
 - [DPoPOptions](interfaces/DPoPOptions.md)
 - [DPoPRequestOptions](interfaces/DPoPRequestOptions.md)
 - [DeviceAuthorizationRequestOptions](interfaces/DeviceAuthorizationRequestOptions.md)
@@ -150,9 +156,9 @@
 - [GenerateKeyPairOptions](interfaces/GenerateKeyPairOptions.md)
 - [HttpRequestOptions](interfaces/HttpRequestOptions.md)
 - [IDToken](interfaces/IDToken.md)
-- [IntrospectionConfirmationClaims](interfaces/IntrospectionConfirmationClaims.md)
 - [IntrospectionRequestOptions](interfaces/IntrospectionRequestOptions.md)
 - [IntrospectionResponse](interfaces/IntrospectionResponse.md)
+- [JWTAccessTokenClaims](interfaces/JWTAccessTokenClaims.md)
 - [MTLSEndpointAliases](interfaces/MTLSEndpointAliases.md)
 - [OAuth2Error](interfaces/OAuth2Error.md)
 - [OAuth2TokenEndpointResponse](interfaces/OAuth2TokenEndpointResponse.md)
@@ -167,6 +173,7 @@
 - [UserInfoAddress](interfaces/UserInfoAddress.md)
 - [UserInfoRequestOptions](interfaces/UserInfoRequestOptions.md)
 - [UserInfoResponse](interfaces/UserInfoResponse.md)
+- [ValidateJWTAccessTokenOptions](interfaces/ValidateJWTAccessTokenOptions.md)
 - [WWWAuthenticateChallenge](interfaces/WWWAuthenticateChallenge.md)
 - [WWWAuthenticateChallengeParameters](interfaces/WWWAuthenticateChallengeParameters.md)
 

docs/functions/experimental_validateJwtAccessToken.md

@@ -0,0 +1,44 @@
+# Function: experimental\_validateJwtAccessToken
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+▸ **experimental_validateJwtAccessToken**(`as`, `request`, `expectedAudience`, `options?`): [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\>
+
+This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+compatible changes or removal may occur in any future release.
+
+Validates use of JSON Web Token (JWT) OAuth 2.0 Access Tokens for a given Request as per
+RFC 9068 and optionally also RFC 9449.
+
+This does validate the presence and type of all required claims as well as the values of the
+[`iss`](../interfaces/JWTAccessTokenClaims.md#iss), [`exp`](../interfaces/JWTAccessTokenClaims.md#exp),
+[`aud`](../interfaces/JWTAccessTokenClaims.md#aud) claims.
+
+This does NOT validate the [`sub`](../interfaces/JWTAccessTokenClaims.md#sub),
+[`jti`](../interfaces/JWTAccessTokenClaims.md#jti), and [`client_id`](../interfaces/JWTAccessTokenClaims.md#client_id)
+claims beyond just checking that they're present and that their type is a string. If you need to
+validate these values further you would do so after this function's execution.
+
+This does NOT validate the DPoP Proof JWT nonce. If your server indicates RS-provided nonces to
+clients you would check these after this function's execution.
+
+This does NOT validate authorization claims such as `scope` either, you would do so after this
+function's execution.
+
+#### Parameters
+
+| Name | Type | Description |
+| :------ | :------ | :------ |
+| `as` | [`AuthorizationServer`](../interfaces/AuthorizationServer.md) | Authorization Server to accept JWT Access Tokens from. |
+| `request` | [`Request`]( https://developer.mozilla.org/docs/Web/API/Request ) |  |
+| `expectedAudience` | `string` | Audience identifier the resource server expects for itself. |
+| `options?` | [`ValidateJWTAccessTokenOptions`](../interfaces/ValidateJWTAccessTokenOptions.md) |  |
+
+#### Returns
+
+[`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`JWTAccessTokenClaims`](../interfaces/JWTAccessTokenClaims.md)\>
+
+**`See`**
+
+ - [RFC 9068 - JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://www.rfc-editor.org/rfc/rfc9068.html)
+ - [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html)

docs/interfaces/IntrospectionConfirmationClaims.md → docs/interfaces/ConfirmationClaims.md

@@ -1,4 +1,4 @@
-# Interface: IntrospectionConfirmationClaims
+# Interface: ConfirmationClaims
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
@@ -10,8 +10,8 @@
 
 ### Properties
 
-- [jkt](IntrospectionConfirmationClaims.md#jkt)
-- [x5t#S256](IntrospectionConfirmationClaims.md#x5t#s256)
+- [jkt](ConfirmationClaims.md#jkt)
+- [x5t#S256](ConfirmationClaims.md#x5t#s256)
 
 ## Properties
 

docs/interfaces/HttpRequestOptions.md

@@ -68,3 +68,5 @@ const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may
   ↳ [`IntrospectionRequestOptions`](IntrospectionRequestOptions.md)
 
   ↳ [`DeviceAuthorizationRequestOptions`](DeviceAuthorizationRequestOptions.md)
+
+  ↳ [`ValidateJWTAccessTokenOptions`](ValidateJWTAccessTokenOptions.md)

docs/interfaces/IDToken.md

@@ -2,6 +2,10 @@
 
 [💗 Help the project](https://github.com/sponsors/panva)
 
+## Indexable
+
+▪ [claim: `string`]: [`JsonValue`](../types/JsonValue.md) \| `undefined`
+
 ## Table of contents
 
 ### Properties
@@ -13,6 +17,7 @@
 - [sub](IDToken.md#sub)
 - [auth\_time](IDToken.md#auth_time)
 - [azp](IDToken.md#azp)
+- [cnf](IDToken.md#cnf)
 - [jti](IDToken.md#jti)
 - [nbf](IDToken.md#nbf)
 - [nonce](IDToken.md#nonce)
@@ -61,6 +66,12 @@ ___
 
 ___
 
+### cnf
+
+• `Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)
+
+___
+
 ### jti
 
 • `Optional` `Readonly` **jti**: `string`

docs/interfaces/IntrospectionResponse.md

@@ -53,7 +53,7 @@ ___
 
 ### cnf
 
-• `Optional` `Readonly` **cnf**: [`IntrospectionConfirmationClaims`](IntrospectionConfirmationClaims.md)
+• `Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)
 
 ___
 

docs/interfaces/JWTAccessTokenClaims.md

@@ -0,0 +1,81 @@
+# Interface: JWTAccessTokenClaims
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+## Indexable
+
+▪ [claim: `string`]: [`JsonValue`](../types/JsonValue.md) \| `undefined`
+
+## Table of contents
+
+### Properties
+
+- [aud](JWTAccessTokenClaims.md#aud)
+- [client\_id](JWTAccessTokenClaims.md#client_id)
+- [exp](JWTAccessTokenClaims.md#exp)
+- [iat](JWTAccessTokenClaims.md#iat)
+- [iss](JWTAccessTokenClaims.md#iss)
+- [jti](JWTAccessTokenClaims.md#jti)
+- [sub](JWTAccessTokenClaims.md#sub)
+- [cnf](JWTAccessTokenClaims.md#cnf)
+- [nbf](JWTAccessTokenClaims.md#nbf)
+
+## Properties
+
+### aud
+
+• `Readonly` **aud**: `string` \| `string`[]
+
+___
+
+### client\_id
+
+• `Readonly` **client\_id**: `string`
+
+___
+
+### exp
+
+• `Readonly` **exp**: `number`
+
+___
+
+### iat
+
+• `Readonly` **iat**: `number`
+
+___
+
+### iss
+
+• `Readonly` **iss**: `string`
+
+___
+
+### jti
+
+• `Readonly` **jti**: `string`
+
+___
+
+### sub
+
+• `Readonly` **sub**: `string`
+
+___
+
+### cnf
+
+• `Optional` `Readonly` **cnf**: [`ConfirmationClaims`](ConfirmationClaims.md)
+
+___
+
+### nbf
+
+• `Optional` `Readonly` **nbf**: `number`
+
+## Hierarchy
+
+- `JWTPayload`
+
+  ↳ **`JWTAccessTokenClaims`**

docs/interfaces/ValidateJWTAccessTokenOptions.md

@@ -0,0 +1,83 @@
+# Interface: ValidateJWTAccessTokenOptions
+
+[💗 Help the project](https://github.com/sponsors/panva)
+
+## Table of contents
+
+### Experimental
+
+- [[experimental\_customFetch]](ValidateJWTAccessTokenOptions.md#experimental_customfetch)
+
+### Properties
+
+- [[clockSkew]](ValidateJWTAccessTokenOptions.md#clockskew)
+- [[clockTolerance]](ValidateJWTAccessTokenOptions.md#clocktolerance)
+- [headers](ValidateJWTAccessTokenOptions.md#headers)
+- [requireDPoP](ValidateJWTAccessTokenOptions.md#requiredpop)
+- [signal](ValidateJWTAccessTokenOptions.md#signal)
+
+## Experimental
+
+### [experimental\_customFetch]
+
+• `Optional` **[experimental\_customFetch]**: (`input`: `RequestInfo` \| [`URL`]( https://developer.mozilla.org/docs/Web/API/URL ), `init?`: `RequestInit`) => [`Promise`]( https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise )\<[`Response`]( https://developer.mozilla.org/docs/Web/API/Response )\>
+
+This is an experimental feature, it is not subject to semantic versioning rules. Non-backward
+compatible changes or removal may occur in any future release.
+
+See [experimental_customFetch](../variables/experimental_customFetch.md) for its documentation.
+
+## Properties
+
+### [clockSkew]
+
+• `Optional` **[clockSkew]**: `number`
+
+Same functionality as in [Client](Client.md)
+
+___
+
+### [clockTolerance]
+
+• `Optional` **[clockTolerance]**: `number`
+
+Same functionality as in [Client](Client.md)
+
+___
+
+### headers
+
+• `Optional` **headers**: [`Record`]( https://www.typescriptlang.org/docs/handbook/utility-types.html#recordkeys-type )\<`string`, `string`\> \| [`string`, `string`][] \| [`Headers`]( https://developer.mozilla.org/docs/Web/API/Headers )
+
+Headers to additionally send with the HTTP Request(s) triggered by this function's invocation.
+
+___
+
+### requireDPoP
+
+• `Optional` **requireDPoP**: `boolean`
+
+Indicates whether DPoP use is required.
+
+___
+
+### signal
+
+• `Optional` **signal**: [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal ) \| () => [`AbortSignal`]( https://developer.mozilla.org/docs/Web/API/AbortSignal )
+
+An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
+this function's invocation.
+
+**`Example`**
+
+A 5000ms timeout AbortSignal for every request
+
+```js
+const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
+```
+
+## Hierarchy
+
+- [`HttpRequestOptions`](HttpRequestOptions.md)
+
+  ↳ **`ValidateJWTAccessTokenOptions`**

package.json

@@ -3,6 +3,7 @@
   "version": "2.7.0",
   "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
+    "access token",
     "auth",
     "authentication",
     "authorization",
@@ -17,6 +18,7 @@
     "electron",
     "fapi",
     "javascript",
+    "jwt",
     "netlify",
     "next",
     "nextjs",