UNPKG

@authlink/client

Version:

Official client SDK for integrating with the Authlink Identity Provider

302 lines (301 loc) 8.97 kB
/** * Options for authorization requests. * */ export interface AuthorizeOptions { /** * The unique identifier of the client application. * */ clientId?: string; /** * The type of the response. * Can be "code", "id_token", "token" or a combination. * */ responseType?: ResponseType; /** * The URI to redirect the user to after authorization. * */ redirectUri?: string; /** * Space-separated list of scopes (e.g. "openid profile email"). * */ scope?: string; /** * The challenge derived from the code verifier. * */ codeChallenge?: string; /** * The method used to derive the code challenge from the code verifier. * Must be "plain" or "S256". * Default is "S256". * */ codeChallengeMethod?: CodeChallengeMethod; /** * The prompt parameter specifies how the authorization server should prompt the user for reauthentication. * Can be "none", "login", "consent" or "select_account". * Default is "none". * */ prompt?: Prompt; /** * The response mode parameter defines how the authorization server returns the result of the authorization request. * Can be "query", "fragment", "form_post" or "web_message". * Default is "query" which means the result will be returned in the query string of the redirect URI. * */ responseMode?: ResponseMode; /** * A random string to protect against CSRF attacks. * */ state?: string; /** * A random value used to associate a client session with an ID token. * */ nonce?: string; /** * Suggested username or email address to pre-fill the login form. * */ loginHint?: string; /** * The unique identifier for the request, used to retrieve a pending authorization request. * Usually generated by the authorization server and used after the user has logged in to continue the authorization flow. * This is useful for resuming an authorization request after a user has logged in. * */ requestId?: string; /** * Whether to automatically redirect the user. * If true, the user will be redirected to the authorization server. * If false, the authorization URL will be returned. * Default is true. * */ autoRedirect?: boolean; } export type ResponseType = "code" | "token" | "id_token" | "token id_token" | "code id_token"; export type ResponseMode = "query" | "fragment" | "form_post" | "web_message"; export type Prompt = "none" | "login" | "consent" | "select_account"; export type CodeChallengeMethod = "plain" | "S256"; /** * The response from the authorization server after a successful silent authorization request. * */ export interface AuthorizeResponse { /** * The type of response received from the authorization server. * */ type: string; /** * The state parameter returned by the authorization server. * */ state: string; /** * The authorization code received from the authorization server. * */ code?: string; /** * The ID token received from the authorization server. * */ idToken?: string; /** * The access token received from the authorization server. * */ accessToken?: string; /** * When the access token expires, in seconds. * */ expiresIn?: number; /** * The error code returned by the authorization server, if any. * */ error?: string; /** * The error description returned by the authorization server, if any. * */ errorDescription?: string; } /** * Options for token exchange. * */ export interface TokenOptions { /** * The type of grant being requested. * */ grantType: GrantType; /** * The unique identifier for the client application making the request. * */ clientId: string; /** * The client secret for the client application, if required. * */ clientSecret?: string; /** * The URL to redirect the user after authorization, if using the authorization code grant type. * */ redirectUri?: string; /** * The code received from the authorization server, if using the authorization code grant type. * */ code?: string; /** * The code verifier used in PKCE (Proof Key for Code Exchange), if using the authorization code grant type. * */ codeVerifier?: string; /** * The refresh token used to get a new access token, if using the refresh token grant type. * */ refreshToken?: string; /** * The username for the resource owner, if using the password grant type. * */ username?: string; /** * The password for the resource owner, if using the password grant type. * */ password?: string; /** * The scope of the access request, if applicable. * This is a space-separated list of scopes (e.g. "openid profile email"). * */ scope?: string; /** * The device code received from the authorization server, if using the device code grant type. * */ deviceCode?: string; /** * The type of the client assertion being used for authentication. Used in JWT-based client authentication. * */ clientAssertionType?: string; /** * The client assertion used for authentication, if applicable. * This is typically a JWT signed by the client. * */ clientAssertion?: string; /** * The target audience for the access token. * */ audience?: string; } export type GrantType = "authorization_code" | "refresh_token" | "client_credentials" | "password" | "urn:ietf:params:oauth:grant-type:device_code"; /** * The response from the authorization server after a token exchange. * */ export interface TokenResponse { /** * The type of token received from the authorization server. * */ tokenType: string; /** * The access token received from the authorization server. * */ accessToken: string; /** * When the access token expires, in seconds. * */ expiresIn: number; /** * The refresh token received from the authorization server. * Only present if offline_access scope is requested. * */ refreshToken?: string; /** * The ID token received from the authorization server. * Only present if openid scope is requested. * */ idToken?: string; /** * The scope of the access token, as a space-separated list of scopes. * */ scope?: string; /** * The type of token issued, used in scenarios like OAuth 2.0 Token Exchange. * */ issuedTokenType?: string; } /** * The request object for logout. * */ export interface LogoutOptions { /** * The unique identifier for the client application making the request. * */ clientId: string; /** * The ID token hint to validate the logout request. * */ idTokenHint: string; /** * The URL to redirect the user after logout. * */ postLogoutRedirectUri: string; /** * The state parameter to maintain state between the request and callback. * */ state?: string; /** * The session ID to identify the user's session. * This is optional and may be used by the identity provider to track the session. * */ sessionId?: string; /** * The reason for logout, if applicable. * This is optional and may be used by the identity provider to track the reason for logout. * */ reason?: string; } /** * The user info response from the identity provider. * */ export interface UserInfoResponse { /** * The claims about the user. * */ [claim: string]: string | number | boolean | null; } /** * The discovery document from the identity provider. * This document contains metadata about the identity provider's endpoints and supported features. * */ export interface OpenIdConfiguration { /** * The URL of the identity provider's issuer. * */ issuer: string; /** * The URL of the identity provider's end session endpoint. * */ jwksUri: string; } /** * The JSON Web Key (JWK) used for signing and verifying tokens. * */ export interface JsonWebKey { /** * The key type (e.g., "RSA", "EC"). * */ kty: string; /** * The key use (e.g., "sig" for signature, "enc" for encryption). * */ use: string; /** * The key ID (kid) used to identify the key. * */ kid: string; /** * The algorithm used for the key (e.g., "RS256", "ES256"). * */ alg: string; /** * The modulus of the RSA key. * */ n: string; /** * The exponent of the RSA key. * */ e: string; } /** * The JSON Web Key Set (JWKS) containing multiple JWKs. * */ export interface JsonWebKeySet { /** * The keys in the set. * */ keys: JsonWebKey[]; }