fix(deps): update dependency @cloudflare/workers-oauth-provider to ^0.7.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@cloudflare/workers-oauth-provider	^0.4.0 → ^0.7.0

---

Release Notes

cloudflare/workers-oauth-provider (@​cloudflare/workers-oauth-provider)

v0.7.2

Compare Source

Patch Changes

• #​222 45397d8 Thanks @​mattzcarey! - Add an opt-in allowPublicClients flag to enterpriseManagedAuthorization.

  By default the enterprise-managed authorization (ID-JAG) grant requires client authentication, so public clients (token_endpoint_auth_method: 'none') are rejected. Setting allowPublicClients: true also accepts public clients on this grant — for example clients registered via a Client ID Metadata Document (CIMD), which are always public and cannot present a client secret. The default remains false, preserving existing behavior.

v0.7.1

Compare Source

Patch Changes

• #​221 8e3f08c Thanks @​mattzcarey! - Preserve RFC 7591 §2.2 internationalized client metadata variants.

  Localized variants of the human-readable client metadata fields — expressed
  with a #<BCP 47 language tag> suffix on the member name (e.g.
  client_name#ja, tos_uri#fr) — were previously dropped during client
  registration. They are now captured for client_name, client_uri,
  logo_uri, tos_uri, and policy_uri, stored on the client record under a
  new optional i18n map (keyed by the raw field#tag name), and echoed back in
  the registration response alongside their canonical fields. The same handling
  applies to Client ID Metadata Document ingestion.

  Localized values are validated with the same rules as their canonical field:
  URI variants must be absolute http: or https: URLs, and all variants must
  be strings. Fields that are not part of RFC 7591 §2.2 (such as jwks_uri and
  redirect_uris) are not collected.

• #​218 1f8737d Thanks @​mattzcarey! - Validate the URI scheme of client metadata fields during client registration.

  The client_uri, logo_uri, policy_uri, tos_uri, and jwks_uri fields
  were previously only checked to be strings. They are now required to be
  absolute http: or https: URLs, consistent with how redirect_uris are
  already validated. Registration (and Client ID Metadata Document ingestion)
  now rejects values using other schemes with an invalid_client_metadata
  error.

  These fields are commonly surfaced in consent UIs (for example as link or
  image targets), so restricting them to standard web URLs avoids non-http(s)
  schemes flowing through to consumers.

v0.7.0

Compare Source

Minor Changes

• #​208 c59c37b Thanks @​mattzcarey! - Experimentally support MCP Enterprise-Managed Authorization ID-JAG assertions through the JWT bearer grant.

• #​206 13ff269 Thanks @​itsandy-canva! - Expose grantId to tokenExchangeCallback via TokenExchangeCallbackOptions.

  Implementations of tokenExchangeCallback already received userId and
  clientId, but had no way to identify which specific grant the library was
  operating on. This made it impossible to surgically revoke a single grant from
  the callback (e.g. on a terminal upstream refresh failure) — implementations had
  to either sweep all grants for a (userId, clientId) pair (racy under
  concurrent refreshes) or maintain their own out-of-band mapping.

  grantId is now provided alongside userId so callbacks can pass them
  directly to OAuthHelpers.revokeGrant. Populated for all three grant types
  (authorization_code, refresh_token, token_exchange). Stable across
  refreshes for the lifetime of the grant.

v0.6.0

Compare Source

Minor Changes

• #​199 bf7d91e Thanks @​mattzcarey! - Convert OAuthError thrown from tokenExchangeCallback into structured
  /token responses and convert token storage KV rate limits into retryable OAuth errors.

  Previously, an error thrown from tokenExchangeCallback during the
  authorization_code or refresh_token grant flows would bubble up as an
  unhandled exception and be served as 500 Internal Server Error. This forced
  clients to keep retrying with the same dead refresh token, producing
  "refresh-token retry storms" against upstream providers.

  The provider now catches OAuthError thrown from the callback (or any code
  it calls — errors propagate naturally up through deep call stacks) and
  returns a standard { error, error_description } response with the supplied
  status code and headers. KV 429 Too Many Requests write failures while issuing
  tokens are also returned as temporarily_unavailable with Retry-After: 30,
  so transient storage pressure does not leak Worker 500 responses from the
  token endpoint.

  import { OAuthError } from '@​cloudflare/workers-oauth-provider';
  
  tokenExchangeCallback: async (options) => {
    if (options.grantType === 'refresh_token') {
      // `refreshUpstream` may throw `OAuthError` from any depth.
      return { newProps: await refreshUpstream(options.props) };
    }
  };
  
  async function refreshUpstream(props) {
    const res = await fetch(/* upstream token endpoint */);
    if (res.status === 401) {
      throw new OAuthError('invalid_grant', {
        description: 'upstream refresh token is invalid',
      });
    }
    if (res.status === 429) {
      throw new OAuthError('temporarily_unavailable', {
        description: 'upstream rate limited',
        statusCode: 429,
        headers: { 'Retry-After': res.headers.get('retry-after') ?? '60' },
      });
    }
    return await res.json();
  }

  OAuthError(code, options) takes:

  • code (positional, required) — the OAuth error code returned in the
    error field. For standard codes, this package exports the
    OAuthTokenErrorCode type.
  • options.description — human-readable text returned in error_description.
  • options.statusCode — HTTP status code (default 400).
  • options.headers — additional response headers. Set Retry-After here
    for transient failures so well-behaved clients back off; per RFC 7231
    §7.1.3 the value may be either seconds or an HTTP-date. No implicit
    default — if you don't set it, no Retry-After is sent.

  Throwing this package's OAuthError class is the supported form. Anything
  else — plain Error, plain objects with a code field, app-local OAuth
  error classes, etc. — continues to surface as 500 Internal Server Error
  so unexpected failures stay visible. The provider does not
  catch-everything-and-return-400.

  The exported OAuthError class supersedes the previously-internal one: the
  constructor signature is now (code, options) rather than (code, message).
  Internal call sites are updated; description now lives alongside
  statusCode and headers in the options object.

  New exports: OAuthError (class), OAuthErrorOptions (interface),
  OAuthTokenErrorCode (type union of registered codes).

v0.5.0

Compare Source

Minor Changes

• #​182 251d641 Thanks @​threepointone! - Prevent unbounded KV namespace growth with TTL defaults, cascade deletes, and garbage collection.

  Default TTLs to prevent unbounded storage growth:

  • refreshTokenTTL now defaults to 30 days (previously infinite). Grants auto-expire via KV TTL. Set to undefined explicitly to restore the previous behavior of never expiring.
  • clientRegistrationTTL (new option) defaults to 90 days. Dynamically registered clients (DCR) auto-expire. Clients created via OAuthHelpers.createClient() are not affected. Set to undefined for clients that never expire.

  deleteClient() now cascades to grants and tokens:

  Previously, deleting a client only removed the client:{id} record, leaving all associated grants and tokens orphaned in KV. Now deleteClient() scans all grants, revokes those belonging to the deleted client (which also deletes their tokens), and then deletes the client record.

  New purgeExpiredData() method for scheduled garbage collection:

  Defense-in-depth cleanup method designed to be called from a Cron Trigger. Processes records in configurable batches (default: 50) to stay within Cloudflare's subrequest limits. Performs two sweep phases: (1) grant sweep removes orphaned grants (client deleted) and expired grants, (2) token sweep removes orphaned tokens (grant deleted). Safe for CIMD clients — grants with URL-based client IDs are never incorrectly treated as orphaned. Available on both OAuthHelpers (via env.OAUTH_PROVIDER.purgeExpiredData()) and directly on OAuthProvider (via oauthProvider.purgeExpiredData(env)) for use in scheduled handlers without a request context.

  New exports: PurgeOptions, PurgeResult

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.