Recognized Client Metadata that have an effect on the exposed functionality (see the IANA OAuth Client Registration Metadata registry).
[metadata: string]: undefined | JsonValue
• client_id: string
Client identifier.
• optional clockSkew: number
See clockSkew.
• optional clockTolerance: number
See clockTolerance.
• optional authorization_signed_response_alg: string
JWS alg algorithm required for signing authorization responses. When not configured the default is to allow only algorithms listed in as.authorization_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
• optional default_max_age: number
Default Maximum Authentication Age.
• optional id_token_signed_response_alg: string
JWS alg algorithm required for signing the ID Token issued to this Client. When not configured the default is to allow only algorithms listed in as.id_token_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
• optional introspection_signed_response_alg: string
JWS alg algorithm REQUIRED for signed introspection responses. When not configured the default is to allow only algorithms listed in as.introspection_signing_alg_values_supported and fall back to RS256 when the authorization server metadata is not set.
• optional require_auth_time: boolean
Boolean value specifying whether the auth_time Claim in the ID Token is REQUIRED. Default is false.
• optional use_mtls_endpoint_aliases: boolean
Indicates the requirement for a client to use mutual TLS endpoint aliases defined by the AS where present. Default is false.
When combined with customFetch (to use a Fetch API implementation that supports client certificates) this can be used to target security profiles that utilize Mutual-TLS for either client authentication or sender constraining.
(Node.js) Using nodejs/undici for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.
```ts
import * as oauth from 'oauth4webapi'
import * as undici from 'undici'

let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

// Client authentication is performed by the TLS layer (RFC 8705), so the
// library itself sends no client secret or assertion.
let clientAuth = oauth.TlsClientAuth()

// undici Agent that presents the client certificate during the TLS handshake.
let agent = new undici.Agent({ connect: { key, cert } })

// Route the library's HTTP calls through undici so the mTLS endpoint aliases
// advertised by the AS are reached with the client certificate attached.
let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
  // @ts-ignore
  [oauth.customFetch]: (...args) =>
    undici.fetch(args[0], { ...args[1], dispatcher: agent }),
})
```
(Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support.
```ts
import * as oauth from 'oauth4webapi'

let as!: oauth.AuthorizationServer
let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
let params!: URLSearchParams
let key!: string // PEM-encoded key
let cert!: string // PEM-encoded certificate

// Client authentication is performed by the TLS layer (RFC 8705).
let clientAuth = oauth.TlsClientAuth()

// Deno HTTP client that presents the client certificate during the TLS handshake.
// @ts-ignore
let agent = Deno.createHttpClient({ key, cert })

// Route the library's HTTP calls through that client.
let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
  // @ts-ignore
  [oauth.customFetch]: (...args) => fetch(args[0], { ...args[1], client: agent }),
})
```
RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• optional userinfo_signed_response_alg: string
JWS alg algorithm REQUIRED for signing UserInfo Responses. When not configured the default is to allow only algorithms listed in as.userinfo_signing_alg_values_supported and fail otherwise.
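The alg-allowlist precedence (client metadata, then AS metadata, then RS256 or failure) and the require_auth_time / default_max_age rules described in the entries above, as an added JavaScript illustration that is not oauth4webapi's own code; the helper names and the treatment of clockSkew as an offset added to the local clock are assumptions.

```javascript
// Hypothetical helpers illustrating the metadata rules above (not library code).

// Returns the set of JWS algorithms a signed response is allowed to carry.
// fallback is 'RS256' for ID Token / introspection / authorization responses
// and undefined for UserInfo, where the page says the check fails instead.
function allowedSigningAlgs(configuredAlg, asSupported, fallback) {
  // Explicit client metadata wins and pins exactly one algorithm.
  if (configuredAlg !== undefined) return [configuredAlg]
  // Otherwise only what the authorization server advertises is acceptable.
  if (Array.isArray(asSupported) && asSupported.length > 0) return [...asSupported]
  // No AS metadata at all: fall back or fail.
  if (fallback === undefined) throw new Error('no signing algorithm allowlist available')
  return [fallback]
}

// Rejects an ID Token whose JOSE header "alg" is outside the allowlist,
// which is what stops "none" / algorithm-substitution tokens from being accepted.
function checkIdTokenAlg(client, as, joseHeader) {
  const allowed = allowedSigningAlgs(
    client.id_token_signed_response_alg,
    as.id_token_signing_alg_values_supported,
    'RS256',
  )
  if (!allowed.includes(joseHeader.alg)) {
    throw new Error(`unexpected JWT "alg" header parameter: ${joseHeader.alg}`)
  }
  return joseHeader.alg
}

// Applies require_auth_time and default_max_age to the ID Token claims.
// nowSeconds is the local clock; clockSkew (assumed: seconds added to the local
// clock) and clockTolerance (allowed leeway) come from the Client object.
function checkAuthTime(client, claims, nowSeconds) {
  const now = nowSeconds + (client.clockSkew ?? 0)
  const tolerance = client.clockTolerance ?? 0
  // Using default_max_age makes auth_time mandatory (OIDC Core), as does require_auth_time.
  const required = client.require_auth_time === true || client.default_max_age !== undefined
  if (claims.auth_time === undefined) {
    if (required) throw new Error('missing required "auth_time" claim')
    return true
  }
  if (typeof claims.auth_time !== 'number') throw new Error('invalid "auth_time" claim')
  if (client.default_max_age !== undefined &&
      claims.auth_time + client.default_max_age < now - tolerance) {
    throw new Error('too much time has elapsed since the last End-User authentication')
  }
  return true
}
```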