+5

.changeset/eager-lands-invite.md

reviewed

··· 1 1 + --- 2 2 + '@atcute/oauth-browser-client': patch 3 3 + --- 4 4 + 5 5 + remove `iss` field from dpop jwt tokens

+1 -1

packages/oauth/browser-client/lib/agents/server-agent.ts

reviewed

··· 17 17 18 18 constructor(metadata: PersistedAuthorizationServerMetadata, dpopKey: DPoPKey) { 19 19 this.#metadata = metadata; 20 20 - this.#fetch = createDPoPFetch(CLIENT_ID, dpopKey, true); 20 20 + this.#fetch = createDPoPFetch(dpopKey, true); 21 21 } 22 22 23 23 async request(

+1 -2

packages/oauth/browser-client/lib/agents/user-agent.ts

reviewed

··· 2 2 import type { Did } from '@atcute/lexicons'; 3 3 4 4 import { createDPoPFetch } from '../dpop.js'; 5 5 - import { CLIENT_ID } from '../environment.js'; 6 5 import type { Session } from '../types/token.js'; 7 6 8 7 import { OAuthServerAgent } from './server-agent.js'; ··· 13 12 #getSessionPromise: Promise<Session> | undefined; 14 13 15 14 constructor(public session: Session) { 16 16 - this.#fetch = createDPoPFetch(CLIENT_ID, session.dpopKey, false); 15 15 + this.#fetch = createDPoPFetch(session.dpopKey, false); 17 16 } 18 17 19 18 get sub(): Did {

+3 -4

packages/oauth/browser-client/lib/dpop.ts

reviewed

··· 23 23 }; 24 24 }; 25 25 26 26 - export const createDPoPSignage = (issuer: string, dpopKey: DPoPKey) => { 26 26 + export const createDPoPSignage = (dpopKey: DPoPKey) => { 27 27 const headerString = dpopKey.jwt; 28 28 const keyPromise = crypto.subtle.importKey('pkcs8', fromBase64Url(dpopKey.key), ES256_ALG, true, ['sign']); 29 29 ··· 34 34 ath: string | undefined, 35 35 ) => { 36 36 const payload = { 37 37 - iss: issuer, 38 37 iat: Math.floor(Date.now() / 1_000), 39 38 jti: nanoid(24), 40 39 htm: method, ··· 61 60 }; 62 61 }; 63 62 64 64 - export const createDPoPFetch = (issuer: string, dpopKey: DPoPKey, isAuthServer?: boolean): typeof fetch => { 63 63 + export const createDPoPFetch = (dpopKey: DPoPKey, isAuthServer?: boolean): typeof fetch => { 65 64 const nonces = database.dpopNonces; 66 65 const pending = database.inflightDpop; 67 66 68 68 - const sign = createDPoPSignage(issuer, dpopKey); 67 67 + const sign = createDPoPSignage(dpopKey); 69 68 70 69 return async (input, init) => { 71 70 const request: Request = init == null && input instanceof Request ? input : new Request(input, init);