@authlink/client
Version:
Official client SDK for integrating with the Authlink Identity Provider
302 lines (301 loc) • 8.97 kB
TypeScript
/**
* Options for authorization requests.
* */
export interface AuthorizeOptions {
/**
* The unique identifier of the client application.
* */
clientId?: string;
/**
* The type of the response.
* Can be "code", "id_token", "token" or a combination.
* */
responseType?: ResponseType;
/**
* The URI to redirect the user to after authorization.
* */
redirectUri?: string;
/**
* Space-separated list of scopes (e.g. "openid profile email").
* */
scope?: string;
/**
* The challenge derived from the code verifier.
* */
codeChallenge?: string;
/**
* The method used to derive the code challenge from the code verifier.
* Must be "plain" or "S256".
* Default is "S256".
* */
codeChallengeMethod?: CodeChallengeMethod;
/**
* The prompt parameter specifies how the authorization server should prompt the user for reauthentication.
* Can be "none", "login", "consent" or "select_account".
* Default is "none".
* */
prompt?: Prompt;
/**
* The response mode parameter defines how the authorization server returns the result of the authorization request.
* Can be "query", "fragment", "form_post" or "web_message".
* Default is "query" which means the result will be returned in the query string of the redirect URI.
* */
responseMode?: ResponseMode;
/**
* A random string to protect against CSRF attacks.
* */
state?: string;
/**
* A random value used to associate a client session with an ID token.
* */
nonce?: string;
/**
* Suggested username or email address to pre-fill the login form.
* */
loginHint?: string;
/**
* The unique identifier for the request, used to retrieve a pending authorization request.
* Usually generated by the authorization server and used after the user has logged in to continue the authorization flow.
* This is useful for resuming an authorization request after a user has logged in.
* */
requestId?: string;
/**
* Whether to automatically redirect the user.
* If true, the user will be redirected to the authorization server.
* If false, the authorization URL will be returned.
* Default is true.
* */
autoRedirect?: boolean;
}
export type ResponseType = "code" | "token" | "id_token" | "token id_token" | "code id_token";
export type ResponseMode = "query" | "fragment" | "form_post" | "web_message";
export type Prompt = "none" | "login" | "consent" | "select_account";
export type CodeChallengeMethod = "plain" | "S256";
/**
* The response from the authorization server after a successful silent authorization request.
* */
export interface AuthorizeResponse {
/**
* The type of response received from the authorization server.
* */
type: string;
/**
* The state parameter returned by the authorization server.
* */
state: string;
/**
* The authorization code received from the authorization server.
* */
code?: string;
/**
* The ID token received from the authorization server.
* */
idToken?: string;
/**
* The access token received from the authorization server.
* */
accessToken?: string;
/**
* When the access token expires, in seconds.
* */
expiresIn?: number;
/**
* The error code returned by the authorization server, if any.
* */
error?: string;
/**
* The error description returned by the authorization server, if any.
* */
errorDescription?: string;
}
/**
* Options for token exchange.
* */
export interface TokenOptions {
/**
* The type of grant being requested.
* */
grantType: GrantType;
/**
* The unique identifier for the client application making the request.
* */
clientId: string;
/**
* The client secret for the client application, if required.
* */
clientSecret?: string;
/**
* The URL to redirect the user after authorization, if using the authorization code grant type.
* */
redirectUri?: string;
/**
* The code received from the authorization server, if using the authorization code grant type.
* */
code?: string;
/**
* The code verifier used in PKCE (Proof Key for Code Exchange), if using the authorization code grant type.
* */
codeVerifier?: string;
/**
* The refresh token used to get a new access token, if using the refresh token grant type.
* */
refreshToken?: string;
/**
* The username for the resource owner, if using the password grant type.
* */
username?: string;
/**
* The password for the resource owner, if using the password grant type.
* */
password?: string;
/**
* The scope of the access request, if applicable.
* This is a space-separated list of scopes (e.g. "openid profile email").
* */
scope?: string;
/**
* The device code received from the authorization server, if using the device code grant type.
* */
deviceCode?: string;
/**
* The type of the client assertion being used for authentication. Used in JWT-based client authentication.
* */
clientAssertionType?: string;
/**
* The client assertion used for authentication, if applicable.
* This is typically a JWT signed by the client.
* */
clientAssertion?: string;
/**
* The target audience for the access token.
* */
audience?: string;
}
export type GrantType = "authorization_code" | "refresh_token" | "client_credentials" | "password" | "urn:ietf:params:oauth:grant-type:device_code";
/**
* The response from the authorization server after a token exchange.
* */
export interface TokenResponse {
/**
* The type of token received from the authorization server.
* */
tokenType: string;
/**
* The access token received from the authorization server.
* */
accessToken: string;
/**
* When the access token expires, in seconds.
* */
expiresIn: number;
/**
* The refresh token received from the authorization server.
* Only present if offline_access scope is requested.
* */
refreshToken?: string;
/**
* The ID token received from the authorization server.
* Only present if openid scope is requested.
* */
idToken?: string;
/**
* The scope of the access token, as a space-separated list of scopes.
* */
scope?: string;
/**
* The type of token issued, used in scenarios like OAuth 2.0 Token Exchange.
* */
issuedTokenType?: string;
}
/**
* The request object for logout.
* */
export interface LogoutOptions {
/**
* The unique identifier for the client application making the request.
* */
clientId: string;
/**
* The ID token hint to validate the logout request.
* */
idTokenHint: string;
/**
* The URL to redirect the user after logout.
* */
postLogoutRedirectUri: string;
/**
* The state parameter to maintain state between the request and callback.
* */
state?: string;
/**
* The session ID to identify the user's session.
* This is optional and may be used by the identity provider to track the session.
* */
sessionId?: string;
/**
* The reason for logout, if applicable.
* This is optional and may be used by the identity provider to track the reason for logout.
* */
reason?: string;
}
/**
* The user info response from the identity provider.
* */
export interface UserInfoResponse {
/**
* The claims about the user.
* */
[claim: string]: string | number | boolean | null;
}
/**
* The discovery document from the identity provider.
* This document contains metadata about the identity provider's endpoints and supported features.
* */
export interface OpenIdConfiguration {
/**
* The URL of the identity provider's issuer.
* */
issuer: string;
/**
* The URL of the identity provider's end session endpoint.
* */
jwksUri: string;
}
/**
* The JSON Web Key (JWK) used for signing and verifying tokens.
* */
export interface JsonWebKey {
/**
* The key type (e.g., "RSA", "EC").
* */
kty: string;
/**
* The key use (e.g., "sig" for signature, "enc" for encryption).
* */
use: string;
/**
* The key ID (kid) used to identify the key.
* */
kid: string;
/**
* The algorithm used for the key (e.g., "RS256", "ES256").
* */
alg: string;
/**
* The modulus of the RSA key.
* */
n: string;
/**
* The exponent of the RSA key.
* */
e: string;
}
/**
* The JSON Web Key Set (JWKS) containing multiple JWKs.
* */
export interface JsonWebKeySet {
/**
* The keys in the set.
* */
keys: JsonWebKey[];
}