Metadata fields are defined as required when they are actually optional

[ThisIsMissEm]

The ServerMetadata and ClientMetadata define the following properties as required, however, they are optional by specification:

• ServerMetadata https://www.rfc-editor.org/rfc/rfc8414.html

  • responseTypesSupported
  • grantTypesSupported
  • codeChallengeMethodsSupported
  • tokenEndpointAuthMethodsSupported
  • tokenEndpointAuthSigningAlgValuesSupported
  • scopesSupported
  • authorizationResponseIssParameterSupported
  • requirePushedAuthorizationRequests
  • pushedAuthorizationRequestEndpoint
  • dpopSigningAlgValuesSupported
  • requireRequestUriRegistration
  • clientIdMetadataDocumentSupported

• ClientMetadata (I'm the co-author of CIMDs, technically all properties other than client_id are optional)

  • dpopBoundAccessTokens

This could result in parsing errors from servers that are otherwise compliant.

This does create an issue in the Bluesky provider when building the TokenHandling as Bluesky (well, AT Protocol) requires Pushed Authorization Requests (PAR), however, for majority of OAuth servers, PAR isn't used. The tokenHandling method can't throw from what I can tell, so there's not really a good place to assert that PAR support is required.

[mattmassicotte]

Absolutely need to update the definitions to match the spec here. Thank you!

I do think I see what you are saying. This could now make it possible for Bluesky.tokenHandling(account:server:jwtGenerator:pkce:) to receive an invalid ServerMetadata object. I think it's ok big to update this function to throw. It seems like that's appropriate given the potential inputs, and while source-incompatible, this is an easy one for clients to update.

[ThisIsMissEm]

Yeah, because with those properties all being required you'd probably get all sorts of parsing errors loading exotic OAuth Authorization Server Metadata.

[ThisIsMissEm]

It'd also mean we should check ClientMetadata / ServerMetadata for whether or not to use DPoP (basically if client.dpopBoundAccessTokens)