/** * Authorization Endpoint — GET /oauth/authorize * * Who calls: Browser via the Client (RP). * * When: Start of the flow. * * Purpose: Authenticate the user and obtain consent; returns an authorization code to the client’s redirect URI. * * Notes: Must support PKCE. Implicit/Hybrid are out in OAuth 2.1. */ /** * Typical parameter shapes * * /oauth/authorize (GET) * * response_type=code, client_id, redirect_uri, scope, state, code_challenge, code_challenge_method=S256, (optionally request_uri from PAR) */ import { FlowBase, FlowRunOptions } from "@frontmcp/sdk"; import { z } from "zod"; /** * Quick checklist (security & correctness) * - PKCE (S256) required for public clients (and basically for all). * - Use authorization code grant only (no implicit/hybrid). * - Rotate refresh tokens and bind them to client + user + scopes. * - Prefer private_key_jwt or mTLS for confidential clients. * - PAR + JAR recommended for higher security. * - Consider DPoP (proof-of-possession) to reduce token replay. * - Keep codes very short-lived (e.g., ≤60 s) and single-use. * - Publish discovery and JWKS, rotate keys safely. * - Decide JWT vs opaque access tokens; provide introspection if opaque. */ declare const inputSchema: z.ZodObject<{ request: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>; response: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>; next: z.ZodOptional, z.ZodUnknown>>; }, "strip", z.ZodTypeAny, { request: {} & { [k: string]: unknown; }; response: {} & { [k: string]: unknown; }; next?: ((...args: unknown[]) => unknown) | undefined; }, { request: {} & { [k: string]: unknown; }; response: {} & { [k: string]: unknown; }; next?: ((...args: unknown[]) => unknown) | undefined; }>; declare const stateSchema: z.ZodObject<{ isDefaultAuthProvider: z.ZodBoolean; isOrchestrated: z.ZodBoolean; allowAnonymous: z.ZodBoolean; redirectUri: z.ZodOptional; }, "strip", z.ZodTypeAny, { isOrchestrated: boolean; isDefaultAuthProvider: boolean; allowAnonymous: boolean; redirectUri?: string | undefined; }, { isOrchestrated: boolean; isDefaultAuthProvider: boolean; allowAnonymous: boolean; redirectUri?: string | undefined; }>; declare const outputSchema: z.ZodUnion<[z.ZodObject<{ kind: z.ZodLiteral<"redirect">; status: z.ZodDefault>; location: z.ZodString; } & { headers: z.ZodOptional]>]>>>>; cookies: z.ZodOptional; domain: z.ZodOptional; httpOnly: z.ZodDefault; secure: z.ZodOptional; sameSite: z.ZodOptional>; maxAge: z.ZodOptional; expires: z.ZodOptional; }, "strip", z.ZodTypeAny, { name: string; value: string; path: string; httpOnly: boolean; domain?: string | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }, { name: string; value: string; path?: string | undefined; domain?: string | undefined; httpOnly?: boolean | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }>, "many">>>; }, "strip", z.ZodTypeAny, { status: 301 | 302 | 303 | 307 | 308; kind: "redirect"; location: string; headers?: Record | undefined; cookies?: { name: string; value: string; path: string; httpOnly: boolean; domain?: string | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }[] | undefined; }, { kind: "redirect"; location: string; status?: 301 | 302 | 303 | 307 | 308 | undefined; headers?: Record | undefined; cookies?: { name: string; value: string; path?: string | undefined; domain?: string | undefined; httpOnly?: boolean | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }[] | undefined; }>, z.ZodObject<{ kind: z.ZodLiteral<"text">; status: z.ZodEffects; body: z.ZodString; contentType: z.ZodDefault; } & { headers: z.ZodOptional]>]>>>>; cookies: z.ZodOptional; domain: z.ZodOptional; httpOnly: z.ZodDefault; secure: z.ZodOptional; sameSite: z.ZodOptional>; maxAge: z.ZodOptional; expires: z.ZodOptional; }, "strip", z.ZodTypeAny, { name: string; value: string; path: string; httpOnly: boolean; domain?: string | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }, { name: string; value: string; path?: string | undefined; domain?: string | undefined; httpOnly?: boolean | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }>, "many">>>; }, "strip", z.ZodTypeAny, { status: number; kind: "text"; body: string; contentType: string; headers?: Record | undefined; cookies?: { name: string; value: string; path: string; httpOnly: boolean; domain?: string | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }[] | undefined; }, { status: number; kind: "text"; body: string; headers?: Record | undefined; cookies?: { name: string; value: string; path?: string | undefined; domain?: string | undefined; httpOnly?: boolean | undefined; secure?: boolean | undefined; sameSite?: "lax" | "strict" | "none" | undefined; maxAge?: number | undefined; expires?: Date | undefined; }[] | undefined; contentType?: string | undefined; }>]>; declare const plan: { readonly pre: ["parseInput", "validateInput", "checkIfAuthorized"]; readonly execute: ["prepareAuthorizationRequest", "buildAuthorizeOutput"]; readonly post: ["validateOutput"]; }; declare global { export interface ExtendFlows { 'oauth:authorize': FlowRunOptions; } } declare const name: "oauth:authorize"; export default class OauthAuthorizeFlow extends FlowBase { parseInput(): Promise; validateInput(): Promise; checkIfAuthorized(): Promise; prepareAuthorizationRequest(): Promise; buildAuthorizeOutput(): Promise; validateOutput(): Promise; } export {};