What happened?

I'm getting CORS errors with discoveryRequest and GitLab. Some minimal reproducable code:

const issuer = new URL("https://gitlab.com/.well-known/openid-configuration");
const as = await oauth.discoveryRequest(issuer);

I'm not a web developer, but I'm quite sure it is related to the library overriding the user-agent in prepareHeaders. Some minimal reproducable code without using the library:

const issuer = new URL("https://gitlab.com/.well-known/openid-configuration");

const headers = new Headers();
headers.set("user-agent", "oauth4webapi/v1.0.3"); // Works without this line
headers.set("accept", "application/json");

fetch(issuer.href, { headers, method: "GET", redirect: "manual" })
  .then((response) => response.json())
  .then((data) => console.log(data));

Should the user-agent really be the library? Usually it is the browser, isn't it?

Version

v1.0.3

Runtime

Browser

Runtime Details

Linux, Firefox & Chrome

Code to reproduce

const issuer = new URL("https://gitlab.com/.well-known/openid-configuration");
const as = await oauth.discoveryRequest(issuer);

Required

• [X] I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• [X] I agree to follow this project's Code of Conduct

What happened?

The line here assumes the error of the response has been handled, but the GitHub authorization response returns a 200 with the error property set in JSON. I believe the correct behavior would be to check if error has been set before checking for access_token and return early.

Version

1.0.4

Runtime

Cloudflare Workers

Runtime Details

N/A

Code to reproduce

  const response = await oauth2.authorizationCodeGrantRequest(
    as,
    client,
    parameters,
    getRedirectUri(),
    oauth2.generateRandomCodeVerifier()
  );

  const result = await oauth2.processAuthorizationCodeOAuth2Response(
    as,
    client,
    response
  );

Required

• [X] I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• [X] I agree to follow this project's Code of Conduct

Bumps workerd from 1.20220926.3 to 1.20221111.4.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

GitHub allows for an empty scope string to request public user information: https://docs.github.com/en/developers/apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes. Alternatively I could add an ignoreScopes option like the other "ignore" flags but that looks like it'll get overwhelming quickly. Happy to modify it as needed.

Edit: Alternatively it could also be a skip symbol. Let me know if either of these work for you and I can update the PR.

naver provider's response is below.

{
  access_token: '...',
  refresh_token: '...',
  token_type: 'bearer',
  expires_in: '3600'
}

expires_in is a string type. so I modified a if condition that allow string type.

What happened?

Running this

const issuer = new URL("...");
const as = await oauth2
  .discoveryRequest(issuer)
  .then((response) => oauth2.processDiscoveryResponse(issuer, response))

causes Cloudflare Workers to issue the following warning:

Your worker called response.clone(), but did not read the body of both clones. This is wasteful, as it forces the system to buffer the entire response body in memory, rather than streaming it through. This may cause your worker to be unexpectedly terminated for going over the memory limit. If you only meant to copy the response headers and metadata (e.g. in order to be able to modify them), use new Response(response.body, response) instead.

Version

v2.0.1

Runtime

Cloudflare Workers

Runtime Details

Wrangler compatibility_date = "2022-11-25"

Code to reproduce

export default {
	async fetch(
		request: Request,
		env: Env,
		ctx: ExecutionContext
	): Promise<Response> {
		const url = new URL(request.url);

		if (url.pathname === "/") {
			const issuer = new URL("...");
			const as = await oauth2
				.discoveryRequest(issuer)
				.then((response) => oauth2.processDiscoveryResponse(issuer, response))

			console.log(as);

			return new Response(null, { headers, status: 302 });
		} else {
			return new Response(null, { status: 404 });
		}
	},
};

Required

• [X] I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• [X] I agree to follow this project's Code of Conduct

Bumps typedoc-plugin-markdown from 3.11.14 to 3.12.0.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Fetch API and Web Crypto API globals are not yet available in some Node.js versions but they can be enabled via node's CLI.

• Node.js ^16.15.0 requires the --experimental-global-webcrypto and --experimental-fetch command-line flags.
• Node.js ^18.0.0 requires the --experimental-global-webcrypto command-line flag.
• Node.js >=19.0.0 requires no command-line flags 🎉.

These may be provided to the node executable as command-line flags

node --experimental-global-webcrypto --experimental-fetch ...

or via the NODE_OPTIONS environment variables, e.g.

export NODE_OPTIONS='--experimental-global-webcrypto --experimental-fetch'