import { InferOptionSchema } from "../../types/plugins.mjs"; import { schema } from "./schema.mjs"; import { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody } from "./types.mjs"; import { GenericEndpointContext } from "@better-auth/core"; import * as _better_auth_core_db0 from "@better-auth/core/db"; import * as better_call0 from "better-call"; import { OpenAPIParameter } from "better-call"; import * as z from "zod"; //#region src/plugins/oidc-provider/index.d.ts declare module "@better-auth/core" { interface BetterAuthPluginRegistry { "oidc-provider": { creator: typeof oidcProvider; }; } } /** * Get a client by ID, checking trusted clients first, then database */ declare function getClient(clientId: string, trustedClients?: (Client & { skipConsent?: boolean | undefined; })[]): Promise<(Client & { skipConsent?: boolean | undefined; }) | null>; declare const getMetadata: (ctx: GenericEndpointContext, options?: OIDCOptions | undefined) => OIDCMetadata; /** * OpenID Connect (OIDC) plugin for Better Auth. This plugin implements the * authorization code flow and the token exchange flow. It also implements the * userinfo endpoint. * * @deprecated Use `@better-auth/oauth-provider` instead. This plugin will be removed in the next major version. * @see https://www.better-auth.com/docs/plugins/oauth-provider * * @param options - The options for the OIDC plugin. * @returns A Better Auth plugin. */ declare const oidcProvider: (options: OIDCOptions) => { id: "oidc-provider"; version: string; hooks: { after: { matcher(): true; handler: (inputContext: better_call0.MiddlewareInputContext) => Promise; }[]; }; endpoints: { getOpenIdConfig: better_call0.StrictEndpoint<"/.well-known/openid-configuration", { method: "GET"; operationId: string; metadata: { readonly scope: "server"; }; }, OIDCMetadata>; oAuth2authorize: better_call0.StrictEndpoint<"/oauth2/authorize", { method: "GET"; operationId: string; query: z.ZodRecord; metadata: { openapi: { description: string; responses: { "200": { description: string; content: { "application/json": { schema: { type: "object"; additionalProperties: boolean; description: string; }; }; }; }; }; }; }; }, Response | { redirect: boolean; url: string; }>; oAuthConsent: better_call0.StrictEndpoint<"/oauth2/consent", { method: "POST"; operationId: string; body: z.ZodObject<{ accept: z.ZodBoolean; consent_code: z.ZodOptional>>; }, z.core.$strip>; use: ((inputContext: better_call0.MiddlewareInputContext) => Promise<{ session: { session: Record & { id: string; createdAt: Date; updatedAt: Date; userId: string; expiresAt: Date; token: string; ipAddress?: string | null | undefined; userAgent?: string | null | undefined; }; user: Record & { id: string; createdAt: Date; updatedAt: Date; email: string; emailVerified: boolean; name: string; image?: string | null | undefined; }; }; }>)[]; metadata: { openapi: { description: string; requestBody: { required: boolean; content: { "application/json": { schema: { type: "object"; properties: { accept: { type: string; description: string; }; consent_code: { type: string; description: string; }; }; required: string[]; }; }; }; }; responses: { "200": { description: string; content: { "application/json": { schema: { type: "object"; properties: { redirectURI: { type: string; format: string; description: string; }; }; required: string[]; }; }; }; }; }; }; }; }, { redirectURI: string; }>; oAuth2token: better_call0.StrictEndpoint<"/oauth2/token", { method: "POST"; operationId: string; body: z.ZodRecord; metadata: { allowedMediaTypes: string[]; scope: "server"; }; }, { access_token: string; token_type: string; expires_in: number; refresh_token: string; scope: string; } | { access_token: string; token_type: string; expires_in: number; refresh_token: string | undefined; scope: string; id_token: string | undefined; }>; oAuth2userInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", { method: "GET"; operationId: string; metadata: { openapi: { description: string; responses: { "200": { description: string; content: { "application/json": { schema: { type: "object"; properties: { sub: { type: string; description: string; }; email: { type: string; format: string; nullable: boolean; description: string; }; name: { type: string; nullable: boolean; description: string; }; picture: { type: string; format: string; nullable: boolean; description: string; }; given_name: { type: string; nullable: boolean; description: string; }; family_name: { type: string; nullable: boolean; description: string; }; email_verified: { type: string; nullable: boolean; description: string; }; }; required: string[]; }; }; }; }; }; }; scope: "server"; }; }, { sub: string; email: string | undefined; name: string | undefined; picture: string | null | undefined; given_name: string | undefined; family_name: string | undefined; email_verified: boolean | undefined; } | { sub: string; email: string | undefined; name: string | undefined; picture: string | null | undefined; given_name: string | undefined; family_name: string | undefined; email_verified: boolean | undefined; }>; /** * ### Endpoint * * POST `/oauth2/register` * * ### API Methods * * **server:** * `auth.api.registerOAuthApplication` * * **client:** * `authClient.oauth2.register` * * @see [Read our docs to learn more.](https://better-auth.com/docs/plugins/oidc-provider#api-method-oauth2-register) */ registerOAuthApplication: better_call0.StrictEndpoint<"/oauth2/register", { method: "POST"; body: z.ZodObject<{ redirect_uris: z.ZodArray; token_endpoint_auth_method: z.ZodOptional>>; grant_types: z.ZodOptional>>>; response_types: z.ZodOptional>>>; client_name: z.ZodOptional; client_uri: z.ZodOptional; logo_uri: z.ZodOptional; scope: z.ZodOptional; contacts: z.ZodOptional>; tos_uri: z.ZodOptional; policy_uri: z.ZodOptional; jwks_uri: z.ZodOptional; jwks: z.ZodOptional>; metadata: z.ZodOptional>; software_id: z.ZodOptional; software_version: z.ZodOptional; software_statement: z.ZodOptional; }, z.core.$strip>; metadata: { openapi: { description: string; responses: { "200": { description: string; content: { "application/json": { schema: { type: "object"; properties: { name: { type: string; description: string; }; icon: { type: string; nullable: boolean; description: string; }; metadata: { type: string; additionalProperties: boolean; nullable: boolean; description: string; }; clientId: { type: string; description: string; }; clientSecret: { type: string; description: string; }; redirectURLs: { type: string; items: { type: string; format: string; }; description: string; }; type: { type: string; description: string; enum: string[]; }; authenticationScheme: { type: string; description: string; enum: string[]; }; disabled: { type: string; description: string; enum: boolean[]; }; userId: { type: string; nullable: boolean; description: string; }; createdAt: { type: string; format: string; description: string; }; updatedAt: { type: string; format: string; description: string; }; }; required: string[]; }; }; }; }; }; }; }; }, { client_id_issued_at: number; client_secret_expires_at: number; redirect_uris: string[]; token_endpoint_auth_method: "none" | "client_secret_basic" | "client_secret_post"; grant_types: string[]; response_types: string[]; client_name: string | undefined; client_uri: string | undefined; logo_uri: string | undefined; scope: string | undefined; contacts: string[] | undefined; tos_uri: string | undefined; policy_uri: string | undefined; jwks_uri: string | undefined; jwks: Record | undefined; software_id: string | undefined; software_version: string | undefined; software_statement: string | undefined; metadata: Record | undefined; client_secret?: string | undefined; client_id: string; }>; getOAuthClient: better_call0.StrictEndpoint<"/oauth2/client/:id", { method: "GET"; use: ((inputContext: better_call0.MiddlewareInputContext) => Promise<{ session: { session: Record & { id: string; createdAt: Date; updatedAt: Date; userId: string; expiresAt: Date; token: string; ipAddress?: string | null | undefined; userAgent?: string | null | undefined; }; user: Record & { id: string; createdAt: Date; updatedAt: Date; email: string; emailVerified: boolean; name: string; image?: string | null | undefined; }; }; }>)[]; metadata: { openapi: { description: string; responses: { "200": { description: string; content: { "application/json": { schema: { type: "object"; properties: { clientId: { type: string; description: string; }; name: { type: string; description: string; }; icon: { type: string; nullable: boolean; description: string; }; }; required: string[]; }; }; }; }; }; }; }; }, { clientId: string; name: string; icon: string | null; }>; /** * ### Endpoint * * GET/POST `/oauth2/endsession` * * Implements RP-Initiated Logout as per OpenID Connect RP-Initiated Logout 1.0. * Allows relying parties to request that an OpenID Provider log out the end-user. * * @see [OpenID Connect RP-Initiated Logout Spec](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) */ endSession: better_call0.StrictEndpoint<"/oauth2/endsession", { method: ("GET" | "POST")[]; query: z.ZodOptional; logout_hint: z.ZodOptional; client_id: z.ZodOptional; post_logout_redirect_uri: z.ZodOptional; state: z.ZodOptional; ui_locales: z.ZodOptional; }, z.core.$strip>>; metadata: { openapi: { description: string; parameters: OpenAPIParameter[]; responses: { "302": { description: string; }; "200": { description: string; }; }; }; scope: "server"; }; }, { status: ("OK" | "CREATED" | "ACCEPTED" | "NO_CONTENT" | "MULTIPLE_CHOICES" | "MOVED_PERMANENTLY" | "FOUND" | "SEE_OTHER" | "NOT_MODIFIED" | "TEMPORARY_REDIRECT" | "BAD_REQUEST" | "UNAUTHORIZED" | "PAYMENT_REQUIRED" | "FORBIDDEN" | "NOT_FOUND" | "METHOD_NOT_ALLOWED" | "NOT_ACCEPTABLE" | "PROXY_AUTHENTICATION_REQUIRED" | "REQUEST_TIMEOUT" | "CONFLICT" | "GONE" | "LENGTH_REQUIRED" | "PRECONDITION_FAILED" | "PAYLOAD_TOO_LARGE" | "URI_TOO_LONG" | "UNSUPPORTED_MEDIA_TYPE" | "RANGE_NOT_SATISFIABLE" | "EXPECTATION_FAILED" | "I'M_A_TEAPOT" | "MISDIRECTED_REQUEST" | "UNPROCESSABLE_ENTITY" | "LOCKED" | "FAILED_DEPENDENCY" | "TOO_EARLY" | "UPGRADE_REQUIRED" | "PRECONDITION_REQUIRED" | "TOO_MANY_REQUESTS" | "REQUEST_HEADER_FIELDS_TOO_LARGE" | "UNAVAILABLE_FOR_LEGAL_REASONS" | "INTERNAL_SERVER_ERROR" | "NOT_IMPLEMENTED" | "BAD_GATEWAY" | "SERVICE_UNAVAILABLE" | "GATEWAY_TIMEOUT" | "HTTP_VERSION_NOT_SUPPORTED" | "VARIANT_ALSO_NEGOTIATES" | "INSUFFICIENT_STORAGE" | "LOOP_DETECTED" | "NOT_EXTENDED" | "NETWORK_AUTHENTICATION_REQUIRED") | better_call0.Status; body: ({ message?: string; code?: string; cause?: unknown; } & Record) | undefined; headers: HeadersInit; statusCode: number; name: string; message: string; stack?: string; cause?: unknown; } | { success: boolean; message: string; }>; }; schema: { oauthApplication: { modelName: string; fields: { name: { type: "string"; }; icon: { type: "string"; required: false; }; metadata: { type: "string"; required: false; }; clientId: { type: "string"; unique: true; }; clientSecret: { type: "string"; required: false; }; redirectUrls: { type: "string"; }; type: { type: "string"; }; disabled: { type: "boolean"; required: false; defaultValue: false; }; userId: { type: "string"; required: false; references: { model: string; field: string; onDelete: "cascade"; }; index: true; }; createdAt: { type: "date"; }; updatedAt: { type: "date"; }; }; }; oauthAccessToken: { modelName: string; fields: { accessToken: { type: "string"; unique: true; }; refreshToken: { type: "string"; unique: true; }; accessTokenExpiresAt: { type: "date"; }; refreshTokenExpiresAt: { type: "date"; }; clientId: { type: "string"; references: { model: string; field: string; onDelete: "cascade"; }; index: true; }; userId: { type: "string"; required: false; references: { model: string; field: string; onDelete: "cascade"; }; index: true; }; scopes: { type: "string"; }; createdAt: { type: "date"; }; updatedAt: { type: "date"; }; }; }; oauthConsent: { modelName: string; fields: { clientId: { type: "string"; references: { model: string; field: string; onDelete: "cascade"; }; index: true; }; userId: { type: "string"; references: { model: string; field: string; onDelete: "cascade"; }; index: true; }; scopes: { type: "string"; }; createdAt: { type: "date"; }; updatedAt: { type: "date"; }; consentGiven: { type: "boolean"; }; }; }; }; readonly options: { scopes: string[]; __skipDeprecationWarning?: boolean | undefined; accessTokenExpiresIn: number; allowDynamicClientRegistration?: boolean | undefined; metadata?: Partial | undefined; refreshTokenExpiresIn: number; codeExpiresIn: number; defaultScope: string; consentPage?: string | undefined; getConsentHTML?: ((props: { clientId: string; clientName: string; clientIcon?: string | undefined; clientMetadata: Record | null; code: string; scopes: string[]; }) => string) | undefined; loginPage: string; requirePKCE?: boolean | undefined; allowPlainCodeChallengeMethod: boolean; generateClientId?: (() => string) | undefined; generateClientSecret?: (() => string) | undefined; getAdditionalUserInfoClaim?: ((user: _better_auth_core_db0.User & Record, scopes: string[], client: Client) => Record | Promise>) | undefined; trustedClients?: Client[] | undefined; storeClientSecret: "plain" | "hashed" | "encrypted" | { hash: (clientSecret: string) => Promise; } | { encrypt: (clientSecret: string) => Promise; decrypt: (clientSecret: string) => Promise; }; useJWTPlugin?: boolean | undefined; schema?: InferOptionSchema | undefined; }; }; //#endregion export { AuthorizationQuery, Client, CodeVerificationValue, OAuthAccessToken, OIDCMetadata, OIDCOptions, TokenBody, getClient, getMetadata, oidcProvider };