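import type { Context } from "../context.ts";
import { Secret } from "../secret.ts";
import { type CloudflareApiOptions } from "./api.ts";

/**
 * Supported Access identity provider types. The five most common providers
 * have strict {@link AccessIdentityProviderProps} variants below; everything
 * else falls back to {@link OtherIdentityProviderProps} with a permissive
 * `config` shape.
 *
 * The trailing `(string & {})` keeps the union open for provider types
 * Cloudflare adds later while preserving autocomplete for the known ones.
 */
export type AccessIdentityProviderType =
  | "onetimepin"
  | "google"
  | "google-apps"
  | "github"
  | "okta"
  | "azureAD"
  | "oidc"
  | "saml"
  | "centrify"
  | "facebook"
  | "linkedin"
  | "onelogin"
  | "pingone"
  | "yandex"
  | (string & {});

/**
 * Provider types that have a dedicated, strictly-typed props variant.
 * Every other member of {@link AccessIdentityProviderType} is routed to
 * {@link OtherIdentityProviderProps}.
 */
type StrictIdentityProviderType = "onetimepin" | "google" | "okta" | "oidc" | "saml";

/**
 * Properties shared by every identity provider variant.
 */
interface BaseAccessIdpProps extends CloudflareApiOptions {
  /**
   * Display name shown on the Access login page.
   *
   * @default ${app}-${stage}-${id}
   */
  name?: string;
  /**
   * Adopt an existing IdP with the same name instead of failing.
   *
   * @default false
   */
  adopt?: boolean;
  /**
   * Whether to delete the IdP when removed from Alchemy.
   *
   * @default true
   */
  delete?: boolean;
}

/**
 * One-Time PIN — Cloudflare emails a code to the user. No external IdP
 * configuration required.
 */
export interface OneTimePinIdentityProviderProps extends BaseAccessIdpProps {
  type: "onetimepin";
}

/**
 * Google OAuth identity provider.
 */
export interface GoogleIdentityProviderProps extends BaseAccessIdpProps {
  type: "google";
  /**
   * OAuth 2.0 client ID issued by Google for your application.
   * This is a public identifier (not a secret).
   */
  clientId: string;
  /**
   * OAuth 2.0 client secret issued by Google. Use {@link alchemy.secret} so
   * the value is encrypted at rest in the Alchemy state file; a plain
   * `string` is accepted but is persisted unencrypted.
   */
  clientSecret: string | Secret;
  /**
   * Custom claims to request from the IdP and forward into the Access JWT.
   */
  claims?: string[];
  /**
   * Override the OIDC claim Cloudflare reads as the user's email
   * (defaults to `email`).
   */
  emailClaimName?: string;
}

/**
 * Okta identity provider (OIDC under the hood).
 */
export interface OktaIdentityProviderProps extends BaseAccessIdpProps {
  type: "okta";
  /**
   * Your Okta tenant subdomain, e.g. `acme` for `acme.okta.com`.
   */
  oktaAccount: string;
  /**
   * Custom Okta authorization server ID. Omit to use Okta's default
   * authorization server.
   */
  authorizationServerId?: string;
  /**
   * OAuth 2.0 client ID of the Okta app integration.
   */
  clientId: string;
  /**
   * OAuth 2.0 client secret of the Okta app integration. Use
   * {@link alchemy.secret} for at-rest encryption.
   */
  clientSecret: string | Secret;
  /**
   * Custom claims to request from Okta and forward into the Access JWT.
   */
  claims?: string[];
  /**
   * Override the OIDC claim Cloudflare reads as the user's email
   * (defaults to `email`).
   */
  emailClaimName?: string;
}

/**
 * Generic OpenID Connect identity provider.
 */
export interface OidcIdentityProviderProps extends BaseAccessIdpProps {
  type: "oidc";
  /**
   * IdP authorization endpoint URL (the page users are redirected to in
   * order to sign in).
   */
  authUrl: string;
  /**
   * IdP token endpoint URL (used by Cloudflare to exchange the auth code
   * for tokens).
   */
  tokenUrl: string;
  /**
   * JWKS endpoint URL — public keys Cloudflare uses to verify ID-token
   * signatures. Because signature verification depends on this endpoint,
   * it should be an HTTPS URL under the IdP's control.
   */
  certsUrl: string;
  /**
   * OAuth 2.0 client ID registered with the IdP.
   */
  clientId: string;
  /**
   * OAuth 2.0 client secret registered with the IdP. Use
   * {@link alchemy.secret} for at-rest encryption.
   */
  clientSecret: string | Secret;
  /**
   * OIDC scopes to request. Defaults to `["openid", "email", "profile"]`
   * server-side if omitted.
   */
  scopes?: string[];
  /**
   * Custom claims to request from the IdP and forward into the Access JWT.
   */
  claims?: string[];
  /**
   * Override the OIDC claim Cloudflare reads as the user's email
   * (defaults to `email`).
   */
  emailClaimName?: string;
  /**
   * Enable PKCE on the authorization code flow. Recommended for public
   * clients and required by some IdPs.
   */
  pkceEnabled?: boolean;
}

/**
 * Generic SAML 2.0 identity provider.
 */
export interface SamlIdentityProviderProps extends BaseAccessIdpProps {
  type: "saml";
  /**
   * SAML issuer (entity ID) of the IdP, used to validate the `Issuer`
   * element of incoming assertions.
   */
  issuerUrl: string;
  /**
   * IdP single sign-on URL — Cloudflare redirects users here to start
   * the SAML flow.
   */
  ssoTargetUrl: string;
  /**
   * PEM-encoded x509 certificates the IdP will use to sign assertions.
   * Multiple entries support certificate rotation; every listed certificate
   * is trusted, so remove retired ones once rotation completes.
   */
  idpPublicCerts: string[];
  /**
   * SAML attributes to forward from the assertion into the Access JWT.
   */
  attributes?: string[];
  /**
   * Override the SAML attribute Cloudflare reads as the user's email
   * (defaults to `email`).
   */
  emailAttributeName?: string;
  /**
   * Map SAML attributes to HTTP headers Cloudflare will inject when
   * forwarding requests to the origin.
   */
  headerAttributes?: {
    headerName: string;
    attributeName: string;
  }[];
  /**
   * Sign outgoing AuthnRequests with Cloudflare's signing key.
   */
  signRequest?: boolean;
}

/**
 * Catch-all for IdP types not covered by a strict variant
 * (`azureAD`, `github`, `google-apps`, `centrify`, `facebook`, `linkedin`,
 * `onelogin`, `pingone`, `yandex`, or future providers).
 *
 * Pass a free-form camelCase `config` object — keys are converted to
 * snake_case at the API boundary. This nested escape hatch is an
 * intentional exception to the flat-props convention used by the strict
 * variants above.
 */
export interface OtherIdentityProviderProps extends BaseAccessIdpProps {
  // Excluding the strict variants keeps the discriminated union unambiguous:
  // a `type: "google"` literal can never select this catch-all.
  type: Exclude<AccessIdentityProviderType, StrictIdentityProviderType>;
  /**
   * Free-form provider configuration. Use {@link alchemy.secret} for any
   * sensitive values; they are unwrapped before sending to Cloudflare.
   * Values other than `clientId`/`clientSecret` are not type-checked here.
   */
  config: {
    clientId?: string;
    clientSecret?: string | Secret;
  } & Record<string, unknown>;
}

/**
 * Properties for creating or updating an {@link AccessIdentityProvider}.
 */
export type AccessIdentityProviderProps =
  | OneTimePinIdentityProviderProps
  | GoogleIdentityProviderProps
  | OktaIdentityProviderProps
  | OidcIdentityProviderProps
  | SamlIdentityProviderProps
  | OtherIdentityProviderProps;

/**
 * Output for an {@link AccessIdentityProvider}.
 *
 * NOTE(review): the `Omit` type arguments were missing from the declaration
 * as published; `"name"` is omitted so the required `name` below can replace
 * the optional input field — confirm against the source `.ts`.
 */
export type AccessIdentityProvider = Omit<AccessIdentityProviderProps, "name"> & {
  /** Cloudflare-assigned IdP UUID. */
  id: string;
  /** Display name. */
  name: string;
};

/**
 * Type guard for {@link AccessIdentityProvider}.
 *
 * @param resource - any value; narrowed to {@link AccessIdentityProvider}
 *   when the guard returns `true`.
 */
export declare function isAccessIdentityProvider(resource: unknown): resource is AccessIdentityProvider;

/**
 * Creates a Cloudflare Zero Trust [Access identity provider](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/)
 * which lets users sign in to Access-protected applications.
 *
 * @example
 * // Built-in One-Time PIN (no IdP setup required).
 * const otp = await AccessIdentityProvider("otp", {
 *   type: "onetimepin",
 *   name: "Email OTP",
 * });
 *
 * @example
 * // Google OAuth. clientId is a public OAuth identifier (not a secret).
 * const google = await AccessIdentityProvider("google", {
 *   type: "google",
 *   name: "Google",
 *   clientId: process.env.GOOGLE_CLIENT_ID!,
 *   clientSecret: alchemy.secret.env.GOOGLE_CLIENT_SECRET,
 * });
 *
 * @example
 * // Generic OIDC provider.
 * const oidc = await AccessIdentityProvider("idp", {
 *   type: "oidc",
 *   name: "Corporate IdP",
 *   authUrl: "https://idp.example.com/oauth2/authorize",
 *   tokenUrl: "https://idp.example.com/oauth2/token",
 *   certsUrl: "https://idp.example.com/oauth2/certs",
 *   clientId: "my-app",
 *   clientSecret: alchemy.secret.env.IDP_CLIENT_SECRET,
 *   scopes: ["openid", "email", "profile"],
 *   pkceEnabled: true,
 * });
 */
export declare const AccessIdentityProvider:
  // The first member is the "not constructable / not callable without a
  // Context" shape; the second is the real resource function.
  | (((this: any, id: string, props?: {}) => never) & (new (_: never) => never))
  | ((this: Context, id: string, props: AccessIdentityProviderProps) => Promise<AccessIdentityProvider>);

export {};
//# sourceMappingURL=access-identity-provider.d.ts.map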