add client_id

.well-known

@@ -1 +1 @@
-_apis
+well-known

README.md

@@ -5,7 +5,7 @@ oauth3.js
 | [issuer.html](https://git.oauth3.org/OAuth3/issuer.html)
 | [issuer.rest.walnut.js](https://git.oauth3.org/OAuth3/issuer.rest.walnut.js)
 | [issuer.srv](https://git.oauth3.org/OAuth3/issuer.srv)
-| Sponsored by [ppl](https://ppl.family)
+| Sponsored by [Daplie](https://daplie.com)
 
 The world's smallest, fastest, and most secure OAuth3 (and OAuth2) JavaScript implementation
 (Yes! works in browsers and node.js with no extra dependencies or bloat and no hacks!)
@@ -29,7 +29,8 @@ If you have no idea what you're doing
 4. Download [oauth3.js-v1.zip](https://git.oauth3.org/OAuth3/oauth3.js/repository/archive.zip?ref=v1)
 5. Double-click to unzip the folder.
 6. Copy the file `oauth3.core.js` into the folder `example.com/assets/oauth3.org/`
-7. Copy the folder `_apis` into the folder `example.com/`
+7. Copy the folder `well-known` into the folder `example.com/`
+8. Rename the folder `well-known` to `.well-known` (when you do this, it become invisible, that's okay)
 9. Add `<script src="assets/oauth3.org/oauth3.core.js"></script>` to your `index.html`
 9. Add `<script src="app.js"></script>` to your `index.html`
 10. Create files in `example.com` called `app.js` and `index.html` and put this in it:
@@ -58,13 +59,13 @@ If you have no idea what you're doing
 `app.js`:
 ```js
 var OAUTH3 = window.OAUTH3;
-var oauth3 = OAUTH3.create(window.location); // use window.location to set Client URI (your app's id)
+var auth = OAUTH3.create(window.location); // use window.location to set Client URI (your app's id)
 
 
 // this is any OAuth3-compatible provider, such as oauth3.org
 // in v1.1.0 we'll add backwards compatibility for facebook.com, google.com, etc
 //
-function onChangeProvider(providerUri) {
+function onChangeProvider(_providerUri) {
   // example https://oauth3.org
   return oauth3.setIdentityProvider(providerUri);
 }
@@ -86,13 +87,11 @@ function onClickLogin() {
     console.info('Secure PPID (aka subject):', session.token.sub);
 
     return oauth3.request({
-      url: 'https://api.oauth3.org/api/issuer@oauth3.org/jwks/:sub/:kid'
+      url: 'https://oauth3.org/api/issuer@oauth3.org/inspect'
-        .replace(/:sub/g, session.token.sub)
-        .replace(/:kid/g, session.token.kid || session.token.iss)
     , session: session
     }).then(function (resp) {
 
-      console.info("Signing Public Key JWK:");
+      console.info("Inspect Token:");
       console.log(resp.data);
 
     });
@@ -145,13 +144,13 @@ it might look like this:
 example.com
 │
 │
-├── _apis
+├── .well-known (hidden)
-│   └── oauth3.org
+│   └── oauth3
 │       ├── callback.html
 │       ├── directives.json
 │       └── index.html
 ├── assets
-│   └── oauth3.org
+│   └── org.oauth3
 │       └── oauth3.core.js
 │
 │
@@ -172,17 +171,17 @@ Installation (if you know what you're doing)
 pushd /path/to/your/web/app
 
 
-# clone the project as assets/oauth3.org
+# clone the project as assets/org.oauth3
 mkdir -p assets
-git clone git@git.oauth3.org:OAuth3/oauth3.js.git assets/oauth3.org
+git clone git@git.daplie.com:OAuth3/oauth3.js.git assets/org.oauth3
-pushd assets/oauth3.org
+pushd assets/org.oauth3
 git checkout v1
 popd
 
 
-# symlink `_apis/oauth3.org` to `assets/oauth3.org/_apis/oauth3.org`
+# symlink `.well-known/oauth3` to `assets/org.oauth3/.well-known/oauth3`
-mkdir -p _apis
+mkdir -p .well-known
-ln -sf  ../assets/oauth3.org/_apis/oauth3 _apis/oauth3.org
+ln -sf  ../assets/org.oauth3/.well-known/oauth3 .well-known/oauth3
 ```
 
 **Advanced Installation with `bower`**
@@ -192,17 +191,17 @@ ln -sf  ../assets/oauth3.org/_apis/oauth3 _apis/oauth3.org
 bower install oauth3
 
 
-# create a `_apis` folder and an `assets` folder
+# create a `.well-known` folder and an `assets` folder
-mkdir -p _apis assets
+mkdir -p .well-known assets
 
 
-# symlink `_apis/oauth3.org` to `bower_components/oauth3.org/_apis/oauth3.org`
+# symlink `.well-known/oauth3` to `bower_components/oauth3/.well-known/oauth3`
-ln -sf  ../bower_components/oauth3.org/_apis/oauth3.org _apis/oauth3.org
+ln -sf  ../bower_components/oauth3/.well-known/oauth3 .well-known/oauth3
 
 
-# symlink `assets/oauth3.org` to `bower_components/oauth3.org`
+# symlink `assets/org.oauth3` to `bower_components/oauth3`
-ln -sf  ../bower_components/oauth3.org/_apis/oauth3.org _apis/oauth3.org
+ln -sf  ../bower_components/oauth3/.well-known/oauth3 .well-known/oauth3
-ln -sf  ../bower_components/oauth3.org assets/oauth3.org
+ln -sf  ../bower_components/oauth3 assets/org.oauth3
 ```
 
 Usage
@@ -211,7 +210,7 @@ Usage
 Update your HTML to include the the following script tag:
 
 ```html
-<script src="assets/oauth3.org/oauth3.core.js"></script>
+<script src="assets/org.oauth3/oauth3.core.js"></script>
 ```
 
 You can create a very simple demo application like this:
@@ -290,7 +289,7 @@ You're all set. Nothing else is needed.
 We've created an `Oauth3` service just for you:
 
 ```html
-<script src="assets/oauth3.org/oauth3.ng.js"></script>
+<script src="assets/org.oauth3/oauth3.ng.js"></script>
 ```
 
 ```js
@@ -323,7 +322,7 @@ promise = oauth3.init(opts);                        // set and fetch your own si
 // promises your site's config                      // opts = { location, session, issuer, audience }
 
 promise = oauth3.setIdentityProvider(url);          // changes the Identity Provider URI (the site you're logging into),
-// promises the provider's config                   // gets the config for that site (from their _apis/oauth3.org),
+// promises the provider's config                   // gets the config for that site (from their .well-known/oauth3),
                                                     // and caches it in internal state as the default
 
 promise = oauth3.setResourceProvider(url);          // changes the Resource Provider URI (the site you're getting stuff from)
@@ -340,11 +339,12 @@ promise = oauth3.request({ url, method, data });    // make an (authorized) arbi
                                                     // (contacts, photos, whatever)
 
 promise = oauth3.api(apiname, opts);                // make an (authorized) well-known api call to an audience
-                                                    // Ex: oauth3.api('dns.list', { sld: 'example', tld: 'com' });
+                                                    // See https://labs.daplie.com/docs/ for API schemas
+                                                    // Ex: oauth3.api('dns.list', { sld: 'daplie', tld: 'com' });
 
 // TODO
 api = await oauth3.package(audience, schemaname);   // make an (authorized) well-known api call to an audience
-                                                    // Ex: api = await oauth3.package('domains.example.com', 'dns@oauth3.org');
+                                                    // Ex: api = await oauth3.package('domains.daplie.com', 'dns@oauth3.org');
                                                     //     api.list({ sld: 'mydomain', tld: 'com' });
 
 
@@ -353,10 +353,6 @@ promise = oauth3.logout();                          // opens logout window for t
 oauth3.session();                                   // returns the current session, if any
 ```
 
-<!-- TODO
-Track down the old https://labs.daplie.com/docs/ for API schemas
---
-
 
 Real API
 ----------
@@ -498,5 +494,5 @@ can be very ugly and confusing and we definitely need to allow relative paths.
 
 A potential work-around would be to assume all paths are relative (eliminate #4 instead)
 and have the path always key off of the base URL - if oauth3 directives are to be found at
-https://example.com/username/_apis/oauth3.org/index.json then /api/whatever would refer
+https://example.com/username/.well-known/oauth3/directives.json then /api/whatever would refer
 to https://example.com/username/api/whatever.

navigator.auth.js

@@ -7,7 +7,7 @@ function create(myOpts) {
       // TODO pre-generate URL
 
       // deliver existing session if it exists
-      var scope = opts && opts.scope || [];
+      var scope = opts && (opts.scope || opts.claims || myOpts.scope || myOpts.claims || []);
       if (myOpts.session) {
         if (!scope.length || scope.every(function (scp) {
           return -1 !== opts.myOpts.session.scope.indexOf(scp);
@@ -23,6 +23,7 @@ function create(myOpts) {
         // maybe use inline instead?
       , windowType: 'popup'
       , scope: scope
+      , debug: opts.debug || myOpts.debug
       }).then(function (session) {
         return session;
       });
@@ -57,6 +58,7 @@ window.navigator.auth = {
     var conf = {};
     var directives;
     var session;
+    var scope = opts && (opts.scope || opts.claims || []);
 
     opts = opts || {};
     conf.client_uri = opts.client_uri || OAUTH3.clientUri(opts.location || window.location);
@@ -73,12 +75,15 @@ window.navigator.auth = {
         var myOpts = {
           directives: directives
         , conf: conf
+        , debug: opts.debug
+        , scope: scope
         };
 
         return OAUTH3.implicitGrant(directives, {
           client_id: conf.client_uri
         , client_uri: conf.client_uri
         , windowType: 'background'
+        , scope: scope
         }).then(function (_session) {
           session = _session;
           myOpts.session = session;

oauth3.core.js

@@ -12,7 +12,8 @@
     }
   , error: {
       parse: function (providerUri, params) {
-        var err = new Error(params.error_description || params.error.message || "Unknown error with provider '" + providerUri + "'");
+        var msg = decodeURIComponent(params.error_description || params.error.message || "Unknown error with provider '" + providerUri + "'");
+        var err = new Error(msg);
         err.uri = params.error_uri || params.error.uri;
         err.code = params.error.code || params.error;
         return err;
@@ -306,6 +307,8 @@
 
         var params = {
           state: opts.state || OAUTH3.utils.randomState()
+        , client_uri: clientId
+        , client_id: clientId
         , redirect_uri: clientId + (opts.client_callback_path || '/.well-known/oauth3/callback.html#/')
         , response_type: 'rpc'
         , _method: 'GET'
@@ -835,6 +838,9 @@
       );
 
       if (opts.debug) {
+        console.log('[DEBUG] [implicit_grant] url object:');
+        console.log(directives.issuer);
+        console.log(authReq);
         window.alert("DEBUG MODE: Pausing so you can look at logs and whatnot :) Fire at will!");
       }
 
@@ -1012,6 +1018,10 @@
           var headers = preq.headers || {};
           var multipart;
 
+          if (!headers.Accept && !headers.accept) {
+            headers.Accept = 'application/json';
+          }
+
           try {
             xhr = new XMLHttpRequest(_sys);
           } catch(e) {
@@ -1023,7 +1033,7 @@
               return;
             }
 
-            var data, err;
+            var data, err, resp;
             if (xhr.status !== 200) {
               err = new Error('bad status code: ' + xhr.status);
             }
@@ -1046,12 +1056,19 @@
               return;
             }
 
-            resolve({
+            resp = {
               _request: xhr
-            , headers: null // TODO
+            , headers: {}
             , data: data
             , status: xhr.status
+            };
+            (xhr.getAllResponseHeaders()||'').trim().split(/[\n\r]+/).forEach(function (line) {
+              var parts = line.split(': ');
+              var header = parts.shift();
+              var value = parts.join(': ');
+              resp.headers[header] = value;
             });
+            resolve(resp);
           };
           xhr.ontimeout = function () {
             var err = new Error('ETIMEDOUT');

well-known

@@ -1 +0,0 @@
-_apis