@auth/core

import type { Client } from "oauth4webapi"; import type { CommonProviderOptions } from "../providers/index.js"; import type { Awaitable, Profile, TokenSet, User } from "../types.js"; import type { AuthConfig } from "../index.js"; import type { customFetch } from "../lib/symbols.js"; type AuthorizationParameters = any; type CallbackParamsType = any; type IssuerMetadata = any; type OAuthCallbackChecks = any; type OpenIDCallbackChecks = any; export type { OAuthProviderId } from "./provider-types.js"; export type OAuthChecks = OpenIDCallbackChecks | OAuthCallbackChecks; type PartialIssuer = Partial<Pick<IssuerMetadata, "jwks_endpoint" | "issuer">>; type UrlParams = Record<string, unknown>; export type AuthorizationEndpointHandler = EndpointHandler<AuthorizationParameters>; export type TokenEndpointHandler = EndpointHandler<UrlParams, { /** * Parameters extracted from the request to the `/api/auth/callback/:providerId` endpoint. * Contains params like `state`. */ params: CallbackParamsType; /** * When using this custom flow, make sure to do all the necessary security checks. * This object contains parameters you have to match against the request to make sure it is valid. */ checks: OAuthChecks; }, { tokens: TokenSet; }>; export type UserinfoEndpointHandler = EndpointHandler<UrlParams, { tokens: TokenSet; }, Profile>; export type ProfileCallback<Profile> = (profile: Profile, tokens: TokenSet) => Awaitable<User>; export type AccountCallback = (tokens: TokenSet) => TokenSet | undefined | void; export interface OAuthProviderButtonStyles { logo?: string; /** * @deprecated */ text?: string; /** * @deprecated Please use 'brandColor' instead */ bg?: string; brandColor?: string; } /** TODO: Document */ export interface OAuth2Config<Profile> extends CommonProviderOptions, PartialIssuer { /** * Identifies the provider when you want to sign in to * a specific provider. * * @example * ```ts * signIn('github') // "github" is the provider ID * ``` */ id: string; /** The name of the provider. shown on the default sign in page. */ name: string; /** * OpenID Connect (OIDC) compliant providers can configure * this instead of `authorize`/`token`/`userinfo` options * without further configuration needed in most cases. * You can still use the `authorize`/`token`/`userinfo` * options for advanced control. * * [Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414#section-3) */ wellKnown?: string; issuer?: string; /** * The login process will be initiated by sending the user to this URL. * * [Authorization endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1) */ authorization?: string | AuthorizationEndpointHandler; token?: string | TokenEndpointHandler; userinfo?: string | UserinfoEndpointHandler; type: "oauth"; /** * Receives the full {@link Profile} returned by the OAuth provider, and returns a subset. * It is used to create the user in the database. * * Defaults to: `id`, `email`, `name`, `image` * * @see [Database Adapter: User model](https://authjs.dev/reference/core/adapters#user) */ profile?: ProfileCallback<Profile>; /** * Receives the full {@link TokenSet} returned by the OAuth provider, and returns a subset. * It is used to create the account associated with a user in the database. * * :::note * You need to adjust your database's [Account model](https://authjs.dev/reference/core/adapters#account) to match the returned properties. * Check out the documentation of your [database adapter](https://authjs.dev/reference/core/adapters) for more information. * ::: * * Defaults to: `access_token`, `id_token`, `refresh_token`, `expires_at`, `scope`, `token_type`, `session_state` * * @example * ```ts * import GitHub from "@auth/core/providers/github" * // ... * GitHub({ * account(account) { * // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token * const refresh_token_expires_at = * Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in) * return { * access_token: account.access_token, * expires_at: account.expires_at, * refresh_token: account.refresh_token, * refresh_token_expires_at * } * } * }) * ``` * * @see [Database Adapter: Account model](https://authjs.dev/reference/core/adapters#account) * @see https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse * @see https://www.ietf.org/rfc/rfc6749.html#section-5.1 */ account?: AccountCallback; /** * The CSRF protection performed on the callback endpoint. * @default ["pkce"] * * @note When `redirectProxyUrl` or {@link AuthConfig.redirectProxyUrl} is set, * `"state"` will be added to checks automatically. * * [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4) | * [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1) | * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) | */ checks?: Array<"pkce" | "state" | "none">; clientId?: string; clientSecret?: string; /** * Pass overrides to the underlying OAuth library. * See [`oauth4webapi` client](https://github.com/panva/oauth4webapi/blob/main/docs/interfaces/Client.md) for details. */ client?: Partial<Client & { token_endpoint_auth_method: string; }>; style?: OAuthProviderButtonStyles; /** * Normally, when you sign in with an OAuth provider and another account * with the same email address already exists, * the accounts are not linked automatically. * * Automatic account linking on sign in is not secure * between arbitrary providers and is disabled by default. * Learn more in our [Security FAQ](https://authjs.dev/concepts#security). * * However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address * associated with the account. Set `allowDangerousEmailAccountLinking: true` * to enable automatic account linking. */ allowDangerousEmailAccountLinking?: boolean; redirectProxyUrl?: AuthConfig["redirectProxyUrl"]; /** @see {customFetch} */ [customFetch]?: typeof fetch; options?: OAuthUserConfig<Profile>; } /** * Extension of the {@link OAuth2Config}. * * @see https://openid.net/specs/openid-connect-core-1_0.html */ export interface OIDCConfig<Profile> extends Omit<OAuth2Config<Profile>, "type" | "checks"> { type: "oidc"; checks?: Array<NonNullable<OAuth2Config<Profile>["checks"]>[number] | "nonce">; /** * If set to `false`, the `userinfo_endpoint` will be fetched for the user data. * @note An `id_token` is still required to be returned during the authorization flow. */ idToken?: boolean; } export type OAuthConfig<Profile> = OIDCConfig<Profile> | OAuth2Config<Profile>; export type OAuthEndpointType = "authorization" | "token" | "userinfo"; export type OIDCConfigInternal<Profile> = OAuthConfigInternal<Profile> & { checks: OIDCConfig<Profile>["checks"]; idToken: OIDCConfig<Profile>["idToken"]; }; export type OAuthUserConfig<Profile> = Omit<Partial<OAuthConfig<Profile>>, "options" | "type">; export type OIDCUserConfig<Profile> = Omit<Partial<OIDCConfig<Profile>>, "options" | "type">; //# sourceMappingURL=oauth.d.ts.map