Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

…R provider (#60)

* feat(auth): add resource indicator, refresh, and client caching to DCR provider

Extend createDcrProvider so RFC 7591 DCR consumers can cover three cases the
factory previously forced them to hand-roll a bespoke AuthProvider for:

- RFC 8707 resource indicator: new `resource` option, threaded into the
  authorize URL and the authorization_code + refresh_token token requests so
  the AS issues a token whose audience targets the protected resource.
- refreshToken: the DCR provider now implements it (previously only
  createPkceProvider did), honouring the handshake client auth (public None /
  client_secret_post / RFC-3986 Basic), the resource indicator, and a 10s
  timeout, mapping invalid_grant -> AUTH_REFRESH_EXPIRED else
  AUTH_REFRESH_TRANSIENT.
- client caching: optional loadClient/saveClient hooks let a consumer reuse a
  registered client across logins (cache hit skips the registration round-trip
  and the oauth4webapi load); cli-core stays storage-agnostic.

Factor the shared refresh-error mapping into oauth.ts (mapRefreshError) and
reuse it from createPkceProvider, and add an optional additionalParameters
field to buildPkceAuthorizeUrl.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(auth): address DCR provider review

- buildPkceAuthorizeUrl: apply additionalParameters before the standard PKCE
  params so the latter always win (the loop previously ran after, enabling the
  clobbering the doc claimed to prevent).
- Validate the loadClient cache shape (string clientId, supported
  tokenEndpointAuthMethod) so a cached client behaves like a freshly registered
  one instead of failing later or silently using the wrong auth method.
- Resolve tokenUrl/authorizeUrl and the resource indicator concurrently
  (Promise.all) on the authorize, exchange, and refresh paths.
- Document the loadClient redirect-URI binding (registration is bound to its
  redirect_uris; cache must be keyed on PrepareInput.redirectUri) and the DCR
  refresh handshake contract (clientId must be supplied on the refresh
  handshake, reconstructed from persisted account metadata).
- Tests: make the refresh auth-method test prove handshake-over-config
  precedence (differing values), exercise async loadClient/saveClient, and
  cover malformed-cache rejection.
- README: document resource indicators, refresh, and client caching; drop the
  stale "does not cache" claim.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* feat(auth): surface token-response scope on ExchangeResult

Add an optional `scope` to `ExchangeResult` carrying the raw `scope` from the
token response (RFC 6749 §5.1). Populate it from the authorization_code and
refresh_token grants in both createPkceProvider and createDcrProvider (and from
postTokenEndpoint). Lets a provider's validateToken record the
server-authoritative granted scope instead of re-deriving it from the request —
important when the server narrows scope relative to what was asked for.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

## [0.25.0](v0.24.0...v0.25.0) (2026-06-05)

### Features

* **auth:** add resource indicator, refresh, and client caching to DCR provider ([#60](#60)) ([0db0cf3](0db0cf3))