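"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.initializeOAuthClient = initializeOAuthClient;
const openid_client_1 = require("openid-client");
/**
 * Returns an OAuthClient wrapping an openid-client Client that is
 * configured from the issuer's well-known discovery document.
 *
 * @param {{ issuer: string, clientID: string, clientSecret?: string, redirectURL: string }} options
 *   - issuer: URL of the OpenID provider, passed to Issuer.discover
 *   - clientID / clientSecret: client credentials; when no secret is
 *     supplied the client is registered as a public client, i.e. the token
 *     endpoint auth method is 'none' instead of 'client_secret_basic'
 *   - redirectURL: redirect URI used for the authorization request and
 *     the later code exchange
 * @returns {Promise<OAuthClient>} a client holding freshly generated PKCE
 *   verifier, state and nonce values for ONE authorization flow
 * @throws whatever Issuer.discover rejects with (discovery/network failure)
 */
async function initializeOAuthClient(options) {
    // A public client (no secret configured) must not claim
    // client_secret_basic; the provider would reject the token request.
    const authMethod = options.clientSecret ? 'client_secret_basic' : 'none';
    const issuer = await openid_client_1.Issuer.discover(options.issuer);
    const client = new issuer.Client({
        client_id: options.clientID,
        client_secret: options.clientSecret,
        token_endpoint_auth_method: authMethod,
    });
    return new OAuthClient(client, options.redirectURL);
}
/**
 * Wrapper around an openid-client Client instance that keeps the per-flow
 * values (PKCE code verifier, nonce and state) between building the
 * authorization URL and exchanging the code. All three are generated once
 * in the constructor, so a single instance is meant for exactly one
 * authorization round trip; construct a new instance for each flow.
 */
class OAuthClient {
    /**
     * @param {object} client - configured openid-client Client instance
     * @param {string} redirectURL - redirect URI used both in the
     *   authorization request and in the code exchange
     */
    constructor(client, redirectURL) {
        this.client = client;
        this.redirectURL = redirectURL;
        // PKCE code verifier (32 random bytes). Only its S256 challenge is
        // sent to the authorization endpoint; the verifier itself goes to
        // the token endpoint in getIDToken.
        this.verifier = openid_client_1.generators.codeVerifier(32);
        // Bound into the ID token by the provider and handed to
        // client.callback as a check in getIDToken.
        this.nonce = openid_client_1.generators.nonce(32);
        // Echoed back on the redirect and handed to client.callback as a
        // check in getIDToken.
        this.state = openid_client_1.generators.state(16);
    }
    /**
     * Authorization endpoint URL the user is sent to. Requests the
     * 'openid email' scopes with a PKCE S256 challenge plus this instance's
     * state and nonce.
     * @returns {string}
     */
    get authorizationUrl() {
        return this.client.authorizationUrl({
            scope: 'openid email',
            redirect_uri: this.redirectURL,
            code_challenge: openid_client_1.generators.codeChallenge(this.verifier),
            code_challenge_method: 'S256',
            state: this.state,
            nonce: this.nonce,
        });
    }
    /**
     * Exchanges the authorization code carried by callbackURL for an ID
     * token. The instance's state, nonce and PKCE verifier are passed as
     * checks to client.callback so a callback that does not belong to the
     * request built by authorizationUrl is rejected by openid-client.
     * @param {string} callbackURL - full URL the provider redirected to
     * @returns {Promise<string>} the ID token from the token response
     * @throws {Error} if the code exchange succeeds but the token response
     *   carries no id_token (previously this resolved to undefined and the
     *   failure surfaced later, far from its cause); rejections from
     *   client.callback (state/nonce mismatch, token endpoint errors) are
     *   propagated unchanged
     */
    async getIDToken(callbackURL) {
        const params = this.client.callbackParams(callbackURL);
        const tokenSet = await this.client.callback(this.redirectURL, params, {
            response_type: 'code',
            code_verifier: this.verifier,
            state: this.state,
            nonce: this.nonce,
        });
        // Fail loudly here rather than returning undefined to the caller.
        if (!tokenSet.id_token) {
            throw new Error('OpenID provider token response did not include an id_token');
        }
        return tokenSet.id_token;
    }
}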