{"version":3,"sources":["../../src/oauth2/types.ts"],"sourcesContent":["// reference: https://datatracker.ietf.org/doc/html/rfc7636\nexport interface PkceParameters {\n  code_verifier: string;\n  code_challenge: string;\n  code_challenge_method: 'S256' | 'plain';\n}\n\nexport interface OAuth2AuthorizationRequest {\n  state: string;\n  registrationId: string;\n  authorizationRequestUri: string;\n  additionalParameters: PkceParameters;\n}\n\ninterface CreateAuthorizationUriParams {\n  state: string;\n  clientId: string;\n  redirectUri: string;\n  scope: string[] | undefined;\n  pkce?: Omit<PkceParameters, 'code_verifier'>;\n}\n\nexport interface ExchangeCodeParams {\n  code: string;\n  clientId: string;\n  clientSecret: string;\n  redirectUri: string;\n  pkce?: Omit<PkceParameters, 'code_challenge' | 'code_challenge_method'>;\n}\n\nexport interface RefreshTokenParams {\n  clientId: string;\n  clientSecret: string;\n  refreshToken: string;\n}\n\nexport interface RevokeTokenParams {\n  token: string;\n  clientId: string;\n  clientSecret: string;\n}\n\nexport interface LoginOAuth2NativeParams {\n  clientId: string;\n  clientSecret: string;\n  redirectUri: string;\n  pkce?: PkceParameters;\n  credentials: NativeCredential;\n}\n\n// reference: https://datatracker.ietf.org/doc/html/rfc6749#section-5.1\nexport interface OAuth2Token {\n  /**\n   * REQUIRED.\n   * The access token issued by the authorization server.\n   */\n  access_token: string;\n\n  /**\n   * REQUIRED.\n   * The type of the token issued as described in Section 7.1.  Value is case insensitive.\n   */\n  token_type: 'Bearer' | 'bearer' | 'mac' | (string & {});\n\n  /**\n   * RECOMMENDED.\n   * The lifetime in seconds of the access token. For example, the value \"3600\" denotes that the\n   * access token will expire in one hour from the time the response was generated. 
If omitted, the\n   * authorization server SHOULD provide the expiration time via other means or document the default\n   * value.\n   */\n  expires_in?: number;\n\n  /**\n   * OPTIONAL.\n   * The refresh token, which can be used to obtain new access tokens using the same authorization\n   * grant as described in Section 6.\n   */\n  refresh_token?: string;\n\n  /**\n   * OPTIONAL.\n   * If identical to the scope requested by the client; otherwise, REQUIRED. The scope of the\n   * access token as described by Section 3.3.\n   */\n  scope?: string;\n\n  id_token?: string;\n\n  [key: string]: unknown;\n}\n\nexport interface OidcToken extends OAuth2Token {\n  id_token: string;\n}\n\nexport type NativeCredential = {\n  state?: string;\n  code?: string;\n  client_id?: string;\n  redirect_uri?: string;\n  id_token?: string;\n  access_token?: string;\n};\n\nexport enum OidcScopes {\n  openid = 'openid',\n  profile = 'profile',\n  email = 'email',\n  phone = 'phone',\n  address = 'address',\n  offline_access = 'offline_access',\n}\n\n// https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\nexport interface StandardClaims {\n  sub: string;\n  name?: string;\n  given_name?: string;\n  family_name?: string;\n  middle_name?: string;\n  nickname?: string;\n  preferred_username?: string;\n  profile?: string;\n  picture?: string;\n  website?: string;\n  email?: string;\n  email_verified?: boolean;\n  gender?: 'female' | 'male' | string;\n  birthdate?: string; // ISO 8601-1 [ISO8601‑1] YYYY-MM-DD format.\n  zoneinfo?: string; // IANA Time Zone Database [IANA.time‑zones]\n  locale?: string; // BCP47 [RFC5646] language tag.\n  phone_number?: string; // E.164\n  phone_number_verified?: boolean;\n  address?: {\n    formatted: string;\n    street_address: string;\n    locality: string;\n    region: string;\n    postal_code: string;\n    country: string;\n  }; // [RFC8259] JSON object\n  updated_at?: number;\n}\n\nexport interface UserInfo<T = unknown> {\n  claims: 
StandardClaims;\n  data: T;\n}\n\nexport interface Provider {\n  /** Authorization URI for the provider. */\n  authorizationUri: string;\n\n  /** Token URI for the provider. */\n  tokenUri: string;\n\n  /** Token revoke URI for the provider. */\n  tokenRevokeUri?: string;\n\n  /** Token refresh URI for the provider. */\n  tokenRefreshUri?: string;\n\n  /** User info URI for the provider. */\n  userInfoUri?: string;\n\n  /** User info authentication method for the provider. */\n  userInfoAuthenticationMethod?: string;\n\n  /**\n   * Name of the attribute that will be used to extract the username from the call to 'userInfoUri'.\n   * */\n  userNameAttribute?: string;\n\n  /** JWK set URI for the provider */\n  jwkSetUri?: string;\n\n  /**\n   * URI that can either be an OpenID Connect discovery endpoint or an OAuth 2.0 Authorization\n   * Server Metadata endpoint defined by RFC 8414.\n   * */\n  issuerUri?: string;\n\n  /** Default scopes for the provider. */\n  defaultScope: string[];\n\n  /** step 1: generate authorization uri and redirect user to it */\n  createAuthorizationUri: (params: CreateAuthorizationUriParams) => URL;\n\n  /** step 2: exchange code for token */\n  exchangeAuthorizationCode: (params: ExchangeCodeParams) => Promise<OAuth2Token>;\n\n  /** step 3: get user info */\n  getUserInfo: (token: OAuth2Token) => Promise<UserInfo>;\n\n  /** others: refresh access token */\n  refreshAccessToken?: (params: RefreshTokenParams) => Promise<OAuth2Token>;\n\n  /** others: revoke token */\n  revokeToken?: (params: RevokeTokenParams) => Promise<void>;\n\n  loginOAuth2Native?: (\n    params: LoginOAuth2NativeParams\n  ) => Promise<{ token: OAuth2Token; userInfo: UserInfo }>;\n}\n\nexport interface OneTapProvider extends Provider {\n  getTokenInfo: (id_token: string) => Promise<{ token: OAuth2Token; userInfo: UserInfo }>;\n}\n\nexport interface Registration {\n  /**\n   * Reference to the OAuth 2.0 provider to use. 
May reference an element from the 'provider'\n   * property or use one of the commonly used providers (google, github, facebook, okta).\n   * */\n  provider?: string;\n\n  /** Client ID for the registration. */\n  clientId: string;\n\n  /** Client secret of the registration. */\n  clientSecret: string;\n\n  /** Client authentication method. May be left blank when using a pre-defined provider. */\n  clientAuthenticationMethod?: string;\n\n  /** Authorization grant type. May be left blank when using a pre-defined provider. */\n  authorizationGrantType?:\n    | 'authorization_code' // default\n    | 'client_credentials'\n    | 'device_code'\n    | 'jwt_bearer'\n    // Deprecated. The latest OAuth 2.0 Security Best Current Practice disallows the use of the\n    // Resource Owner Password Credentials grant.\n    | 'password'\n    | 'refresh_token'\n    | 'token_exchange';\n\n  /** Redirect URI. May be left blank when using a pre-defined provider. */\n  redirectUri?: string;\n\n  /** Authorization scopes. When left blank the provider's default scopes, if any, will be used. */\n  scope?: string[];\n\n  /** Client name. May be left blank when using a pre-defined provider. */\n  clientName?: string;\n}\n\nexport interface OAuth2ClientConfig {\n  baseUri: string;\n  errorUri: string;\n  successUri: string;\n  provider: { [name: string]: Provider | undefined };\n  registration:\n    | { [name: string]: Registration | undefined }\n    | (() => Promise<{ [name: string]: Registration | undefined }>);\n}\n"],"mappings":";AAyGO,IAAK,aAAL,kBAAKA,gBAAL;AACL,EAAAA,YAAA,YAAS;AACT,EAAAA,YAAA,aAAU;AACV,EAAAA,YAAA,WAAQ;AACR,EAAAA,YAAA,WAAQ;AACR,EAAAA,YAAA,aAAU;AACV,EAAAA,YAAA,oBAAiB;AANP,SAAAA;AAAA,GAAA;","names":["OidcScopes"]}