monahk
diff --git a/‎src/client/auth.ts‎
Lines changed: 11 additions & 2 deletions b/‎src/client/auth.ts‎
Lines changed: 11 additions & 2 deletions
@@ -72,6 +72,13 @@ export interface OAuthClientProvider {
  * the authorization result.
  */
  codeVerifier(): string | Promise<string>;
+
+ /**
+ * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
+ *
+ * Implementations must verify the provider
+ */
+ validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
 }
 
 export type AuthResult = "AUTHORIZED" | "REDIRECT";
@@ -109,11 +116,13 @@ export async function auth(
  } catch (error) {
  console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)
  }
- if (resourceMetadata) {
+ if (provider.validateProtectedResourceMetadata) {
+ await provider.validateProtectedResourceMetadata(resourceMetadata);
+ } else if (resourceMetadata) {
  if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {
  authorizationServerUrl = resourceMetadata.authorization_servers[0];
  }
- if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {
+ if (resourceMetadata.resource !== resource.href) {
  throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
  }
  }
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,13 @@ export interface OAuthClientProvider {`
`72`	`72`	`* the authorization result.`
`73`	`73`	`*/`
`74`	`74`	`codeVerifier(): string \| Promise<string>;`
	`75`	`+`
	`76`	`+ /**`
	`77`	`+ * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).`
	`78`	`+ *`
	`79`	`+ * Implementations must verify the provider`
	`80`	`+ */`
	`81`	`+ validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;`
`75`	`82`	`}`
`76`	`83`
`77`	`84`	`export type AuthResult = "AUTHORIZED" \| "REDIRECT";`
`@@ -109,11 +116,13 @@ export async function auth(`
`109`	`116`	`} catch (error) {`
`110`	`117`	`console.warn("Could not load OAuth Protected Resource metadata, falling back to /.well-known/oauth-authorization-server", error)`
`111`	`118`	`}`
`112`		`- if (resourceMetadata) {`
	`119`	`+ if (provider.validateProtectedResourceMetadata) {`
	`120`	`+ await provider.validateProtectedResourceMetadata(resourceMetadata);`
	`121`	`+ } else if (resourceMetadata) {`
`113`	`122`	`if (resourceMetadata.authorization_servers && resourceMetadata.authorization_servers.length > 0) {`
`114`	`123`	`authorizationServerUrl = resourceMetadata.authorization_servers[0];`
`115`	`124`	`}`
`116`		`- if (resourceMetadata.resource && resourceMetadata.resource !== resource.href) {`
	`125`	`+ if (resourceMetadata.resource !== resource.href) {`
`117`	`126`	throw new Error(`Protected resource ${resourceMetadata.resource} does not match expected ${resource}`);
`118`	`127`	`}`
`119`	`128`	`}`