Validate clientMetadataUrl at construction time rather than during auth flow (SEP-991/CIMD) #1159
Description
Problem
The clientMetadataUrl property in OAuthClientProvider is currently only validated during the auth() flow (specifically in authInternal() at src/client/auth.ts:404-407). This means that an invalid URL-based client ID won't be caught until runtime when authentication is attempted.
The current validation:
if (clientMetadataUrl && !isHttpsUrl(clientMetadataUrl)) {
throw new InvalidClientMetadataError(
`clientMetadataUrl must be a valid HTTPS URL with a non-root pathname, got: ${clientMetadataUrl}`
);
}Suggested Improvement
Move the URL validation to occur earlier - ideally at construction time when the OAuthClientProvider is created. This provides:
- Fail-fast behavior: Developers discover configuration errors immediately rather than at runtime
- Better debugging: Errors are caught closer to the source of the problem
- Clearer error messages: The stack trace points to where the provider was configured, not deep in the auth flow
Possible Approaches
- Add validation in a factory function or builder that creates
OAuthClientProviderimplementations - Document that implementations should validate in their constructor
- Provide a utility validation function that can be called at construction time
Related
- SEP-991: URL-based Client IDs (CIMD)
isHttpsUrl()helper function already exists and can be reused