fix: metadata as a class var

mattzcarey · mattzcarey · commit 6724a9408fbb · 2025-11-11T17:57:35.000Z
diff --git a/src/client/auth.test.ts b/src/client/auth.test.ts
@@ -2528,6 +2528,7 @@ describe('OAuth Authorization', () => {
             get redirectUrl() {
                 return 'http://localhost:3000/callback';
             },
+            clientMetadataUrl: 'https://example.com/client-metadata.json',
             get clientMetadata() {
                 return validClientMetadata;
             },
@@ -2625,12 +2626,7 @@ describe('OAuth Authorization', () => {
         it('falls back to DCR when client_uri is not an HTTPS URL', async () => {
             const providerWithInvalidUri = {
                 ...mockProvider,
-                get clientMetadata() {
-                    return {
-                        ...validClientMetadata,
-                        client_uri: 'http://example.com/metadata' // HTTP not HTTPS
-                    };
-                }
+                clientMetadataUrl: 'http://example.com/metadata'
             };
 
             // Mock protected resource metadata discovery (404 to skip)
@@ -2681,13 +2677,7 @@ describe('OAuth Authorization', () => {
         it('falls back to DCR when client_uri is missing', async () => {
             const providerWithoutUri = {
                 ...mockProvider,
-                get clientMetadata() {
-                    return {
-                        redirect_uris: ['http://localhost:3000/callback'],
-                        client_name: 'Test Client'
-                        // No client_uri
-                    };
-                }
+                clientMetadataUrl: undefined
             };
 
             // Mock protected resource metadata discovery (404 to skip)
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -42,6 +42,11 @@ export interface OAuthClientProvider {
      */
     get redirectUrl(): string | URL;
 
+    /**
+     * External URL the server should use to fetch client metadata document
+     */
+    clientMetadataUrl?: string;
+
     /**
      * Metadata about this OAuth client.
      */
@@ -379,13 +384,13 @@ async function authInternal(
         }
 
         const supportsUrlBasedClientId = metadata?.client_id_metadata_document_supported === true;
-        const clientUri = provider.clientMetadata.client_uri;
-        const shouldUseUrlBasedClientId = supportsUrlBasedClientId && clientUri && isHttpsUrl(clientUri);
+        const clientMetadataUrl = provider.clientMetadataUrl;
+        const shouldUseUrlBasedClientId = supportsUrlBasedClientId && clientMetadataUrl && isHttpsUrl(clientMetadataUrl);
 
         if (shouldUseUrlBasedClientId) {
             // SEP-991: URL-based Client IDs
             clientInformation = {
-                client_id: clientUri
+                client_id: clientMetadataUrl
             };
             await provider.saveClientInformation?.(clientInformation);
         } else {
