import type { OAuthProviderAdapter, OAuthProviderUser } from '../interfaces/oauth-provider.interface';
/**
 * Standard OAuth 2.0 token-endpoint response (RFC 6749 §5.1). Subclasses
 * can extend with provider-specific fields (e.g. Azure's `id_token`).
 */
export interface OAuthTokenResponse {
    access_token?: string;
    token_type?: string;
    expires_in?: number;
    refresh_token?: string;
    scope?: string;
}
/**
 * Base class for "Authorization Code" OAuth 2.0 providers. Subclasses declare
 * the provider-specific endpoints, scope, and profile mapping; this class
 * implements the redirect URL build and the `code → access_token → profile`
 * exchange against those endpoints with `globalThis.fetch` (Node 20+).
 *
 * `TProfile` lets each subclass type the userinfo JSON it expects (e.g.
 * `GitHubUser`, `AzureAdUser`) so `mapProfile` can rely on declared fields
 * instead of guarding `unknown` values one by one. The `as TProfile` cast in
 * `fetchProfile` is the single trust boundary — change it to a Zod parse if
 * a target API ever drifts.
 *
 * Subclasses are not Nest providers themselves — they are plain classes
 * intended to be instantiated in the application's bootstrap and passed to
 * `McpAuthModule.forProvider()`.
 */
export declare abstract class OAuthCodeExchangeProvider<TProfile = Record<string, unknown>> implements OAuthProviderAdapter {
    protected readonly config: {
        clientId: string;
        clientSecret: string;
    };
    abstract readonly name: string;
    protected abstract readonly authorizationUrl: string;
    protected abstract readonly tokenUrl: string;
    protected abstract readonly userInfoUrl: string;
    protected abstract readonly scope: string;
    /** Map provider-specific user payload to the common `OAuthProviderUser` shape. */
    protected abstract mapProfile(raw: TProfile): OAuthProviderUser;
    /**
     * Headers sent to the userinfo endpoint. Most providers accept the default
     * `Authorization: Bearer <token>`; override for providers that require
     * something more (e.g. GitHub recommends a `User-Agent`).
     */
    protected userInfoHeaders(accessToken: string): Record<string, string>;
    constructor(config: {
        clientId: string;
        clientSecret: string;
    });
    getAuthorizationUrl(state: string, redirectUri: string): string;
    exchangeToken(code: string, redirectUri: string): Promise<OAuthProviderUser | null>;
    validateUser(req: unknown): Promise<OAuthProviderUser | null>;
    protected fetchProfile(accessToken: string): Promise<OAuthProviderUser | null>;
}
//# sourceMappingURL=oauth-code-exchange.provider.d.ts.map