use client info scope

Author: dr3s

src/client/auth.test.ts

@@ -3,7 +3,6 @@ import {
   startAuthorization,
   exchangeAuthorization,
   refreshAuthorization,
-  registerClient,
   discoverOAuthProtectedResourceMetadata,
   extractResourceMetadataUrl,
   auth,
@@ -17,6 +16,7 @@ global.fetch = mockFetch;
 describe("OAuth Authorization", () => {
   beforeEach(() => {
     mockFetch.mockReset();
+    jest.clearAllMocks();
   });
 
   describe("extractResourceMetadataUrl", () => {
@@ -626,89 +626,93 @@ describe("OAuth Authorization", () => {
   });
 
   describe("registerClient", () => {
-    const validClientMetadata = {
-      redirect_uris: ["http://localhost:3000/callback"],
-      client_name: "Test Client",
+    // ...existing tests...
+  });
+
+  describe("auth", () => {
+    // Patch pkce-challenge to return deterministic values
+    jest.mock("pkce-challenge", () => () => ({
+      code_verifier: "test_verifier",
+      code_challenge: "test_challenge",
+    }));
+
+    const validMetadata = {
+      issuer: "https://auth.example.com",
+      authorization_endpoint: "https://auth.example.com/authorize",
+      token_endpoint: "https://auth.example.com/token",
+      registration_endpoint: "https://auth.example.com/register",
+      response_types_supported: ["code"],
+      code_challenge_methods_supported: ["S256"],
     };
 
     const validClientInfo = {
       client_id: "client123",
       client_secret: "secret123",
-      client_id_issued_at: 1612137600,
-      client_secret_expires_at: 1612224000,
-      ...validClientMetadata,
+      redirect_uris: ["http://localhost:3000/callback"],
+      client_name: "Test Client",
     };
 
-    it("registers client and returns client information", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => validClientInfo,
-      });
-
-      const clientInfo = await registerClient("https://auth.example.com", {
-        clientMetadata: validClientMetadata,
-      });
-
-      expect(clientInfo).toEqual(validClientInfo);
-      expect(mockFetch).toHaveBeenCalledWith(
-        expect.objectContaining({
-          href: "https://auth.example.com/register",
-        }),
-        expect.objectContaining({
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-          },
-          body: JSON.stringify(validClientMetadata),
-        })
-      );
-    });
-
-    it("validates client information response schema", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: true,
-        status: 200,
-        json: async () => ({
-          // Missing required fields
-          client_secret: "secret123",
-        }),
-      });
-
-      await expect(
-        registerClient("https://auth.example.com", {
-          clientMetadata: validClientMetadata,
-        })
-      ).rejects.toThrow();
-    });
-
-    it("throws when registration endpoint not available in metadata", async () => {
-      const metadata = {
-        issuer: "https://auth.example.com",
-        authorization_endpoint: "https://auth.example.com/authorize",
-        token_endpoint: "https://auth.example.com/token",
-        response_types_supported: ["code"],
+    it("uses scope from registered client information if not present in clientMetadata", async () => {
+      // Mock fetch for metadata discovery and registration
+      mockFetch
+        .mockResolvedValueOnce({
+          ok: true,
+          status: 200,
+          json: async () => ({}),
+        }) // protected resource metadata
+        .mockResolvedValueOnce({
+          ok: true,
+          status: 200,
+          json: async () => validMetadata,
+        }) // discovery
+        .mockResolvedValueOnce({
+          ok: true,
+          status: 200,
+          json: async () => ({
+            ...validClientInfo,
+            scope: "dynamic scope from registration",
+          }),
+        }); // registration
+
+      // Provider: clientInformation returns undefined first, then fullInformation after registration
+      const fullInformation = {
+        ...validClientInfo,
+        scope: "dynamic scope from registration",
+      };
+      const clientInformationMock = jest
+        .fn()
+        .mockResolvedValueOnce(undefined)
+        .mockResolvedValueOnce(fullInformation);
+
+      const provider = {
+        get redirectUrl() {
+          return "http://localhost:3000/callback";
+        },
+        get clientMetadata() {
+          // No scope here!
+          return validClientInfo;
+        },
+        clientInformation: clientInformationMock,
+        tokens: jest.fn().mockResolvedValue(undefined),
+        saveTokens: jest.fn(),
+        saveCodeVerifier: jest.fn(),
+        codeVerifier: jest.fn(),
+        redirectToAuthorization: jest.fn(),
+        saveClientInformation: jest.fn(),
       };
 
-      await expect(
-        registerClient("https://auth.example.com", {
-          metadata,
-          clientMetadata: validClientMetadata,
-        })
-      ).rejects.toThrow(/does not support dynamic client registration/);
-    });
-
-    it("throws on error response", async () => {
-      mockFetch.mockResolvedValueOnce({
-        ok: false,
-        status: 400,
+      await auth(provider, {
+        serverUrl: "https://auth.example.com",
       });
 
-      await expect(
-        registerClient("https://auth.example.com", {
-          clientMetadata: validClientMetadata,
-        })
-      ).rejects.toThrow("Dynamic client registration failed");
+      // Check saveClientInformation was called with fullInformation
+      expect(provider.saveClientInformation).toHaveBeenCalledWith(fullInformation);
+
+      // Check that redirectToAuthorization was called with a URL containing the correct scope from registration
+      expect(provider.redirectToAuthorization).toHaveBeenCalledTimes(1);
+      const urlArg = provider.redirectToAuthorization.mock.calls[0][0];
+      expect(urlArg).toBeInstanceOf(URL);
+      expect(urlArg.searchParams.get("scope")).toBe("dynamic scope from registration");
     });
   });
 

src/client/auth.ts

@@ -175,7 +175,7 @@ export async function auth(
     clientInformation,
     state,
     redirectUrl: provider.redirectUrl,
-    scope: scope || provider.clientMetadata.scope,
+    scope: scope || provider.clientMetadata.scope || (clientInformation as OAuthClientInformationFull).scope,
   });
 
   await provider.saveCodeVerifier(codeVerifier);