Class InMemoryClientRepository

Implements

ClientRepository

Index

Constructors

Methods

authenticate findById

Constructors

constructor

new InMemoryClientRepository(
    clients: Map<
        string,
        {
            allowedAudiences: string[];
            allowedAzpForFederationToken: boolean;
            allowedGrantTypes?: string[];
            allowedRedirectUris: string[];
            allowedScopes: string[];
            backchannelLogoutSessionRequired: boolean;
            backchannelLogoutUri?: string;
            clientSecret?: string;
            frontchannelLogoutSessionRequired: boolean;
            frontchannelLogoutUri?: string;
            postLogoutRedirectUris?: string[];
            tokenEndpointAuthMethod: | "none"
            | "client_secret_basic"
            | "client_secret_post";
        },
    >,
): InMemoryClientRepository
Parameters
- clients: Map<
      string,
      {
          allowedAudiences: string[];
          allowedAzpForFederationToken: boolean;
          allowedGrantTypes?: string[];
          allowedRedirectUris: string[];
          allowedScopes: string[];
          backchannelLogoutSessionRequired: boolean;
          backchannelLogoutUri?: string;
          clientSecret?: string;
          frontchannelLogoutSessionRequired: boolean;
          frontchannelLogoutUri?: string;
          postLogoutRedirectUris?: string[];
          tokenEndpointAuthMethod: | "none"
          | "client_secret_basic"
          | "client_secret_post";
      },
  >
Returns InMemoryClientRepository
- Defined in packages/core/src/repositories/InMemoryClientRepository.mts:123

Methods

authenticate

authenticate(clientId: string, secret: string): Promise<PublicClient | null>
Authenticate a confidential client by clientId + secret pair. Returns the public projection on success, null when the client does not exist or the secret does not match. Implementations MUST return null (and SHOULD NOT throw) when called for a tokenEndpointAuthMethod === "none" client — public clients have no secret to authenticate against, and accepting any string would silently promote them to confidential.
Parameters
- clientId: string
- secret: string
Returns Promise<PublicClient | null>
Implementation of ClientRepository.authenticate
- Defined in packages/core/src/repositories/InMemoryClientRepository.mts:158

findById

findById(clientId: string): Promise<PublicClient | null>
Look up a client without authentication. Returns the client's public fields (everything except clientSecret) or null when the client does not exist. Used by clientAuthMw for the public-client (tokenEndpoint- AuthMethod === "none") path and by /authorize for redirect-URI / scope validation that does not require credential authentication.

Naming convention (AS-10, since v0.5.1): repositories use findBy<Field> for primary-key and alternate-key lookups returning a public projection without authentication. Single-object stores (e.g. UserSessionStore) use get(<id>) instead. Operation-specific names like consumeByCode denote atomic single-use semantics; they are NOT subject to the findBy convention. The convention is currently enforced by code review on PRs that add or rename repository methods; a lint rule and contributor-guide section may follow once the convention has settled across all repositories.
Parameters
- clientId: string
Returns Promise<PublicClient | null>
Implementation of ClientRepository.findById
- Defined in packages/core/src/repositories/InMemoryClientRepository.mts:131