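import { UserInfo } from '@dbg-riskit/common';

/**
 * Token material handed to the client after an authentication round trip.
 *
 * This type describes shape only. Nothing about it implies that any token
 * has been signature-checked or that its claims (`iss`, `aud`, `exp`,
 * `nonce`) have been validated; that is the consumer's job before the
 * values are trusted. The token fields are nullable because the server
 * may omit them (e.g. when no refresh token is issued).
 */
export interface AuthResponse {
  /**
   * OpenID Connect ID Token (a JWT). Its decoded payload is presumably the
   * `TokenData` shape below — confirm against the consumer.
   */
  id_token?: string | null;
  /** OAuth 2.0 access token. Treat as a credential. */
  access_token?: string | null;
  /**
   * OAuth 2.0 refresh token, when one was issued. Typically longer-lived
   * than the access token; treat as a credential. Where it is persisted is
   * a caller concern that this type says nothing about.
   */
  refresh_token?: string | null;
  /**
   * NOTE(review): presumably the nonce that was sent in the Authentication
   * Request, carried here so it can be compared with `TokenData.nonce` —
   * confirm against the caller.
   */
  nonce?: string;
  /** OAuth 2.0 token type, e.g. `Bearer`. */
  token_type?: string;
}

/**
 * Decoded claims of an ID Token, as defined by OpenID Connect Core §2,
 * extended with the application's `UserInfo` fields.
 *
 * This is a shape, not a proof: an object of this type may have come from
 * an unverified JWT. Validate signature, `iss`, `aud`, `exp` and (when a
 * nonce was sent) `nonce` before relying on any claim.
 *
 * The `REQUIRED` / `OPTIONAL` wording below is the spec's; where the
 * declared type disagrees with it, a review note says so.
 */
export interface TokenData extends UserInfo {
  /**
   * REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive
   * URL using the https scheme that contains scheme, host, and optionally, port number and path
   * components and no query or fragment components.
   */
  iss: string;

  /**
   * REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the
   * Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or
   * AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length.
   * The sub value is a case sensitive string.
   *
   * NOTE(review): the spec text says REQUIRED but the field is declared optional. Left as-is so
   * existing callers keep compiling; consumers must check for its presence rather than assume it.
   */
  sub?: string;

  /**
   * REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0
   * client_id of the Relying Party as an audience value. It MAY also contain identifiers for
   * other audiences. In the general case, the aud value is an array of case sensitive strings.
   * In the common special case when there is one audience, the aud value MAY be a single case
   * sensitive string.
   *
   * Because both forms are legal, an audience check has to handle `string` and `string[]`
   * (e.g. normalise with `Array.isArray` before looking for the client_id).
   */
  aud: string | string[];

  /**
   * REQUIRED. Expiration time on or after which the ID Token MUST NOT be accepted for processing.
   * The processing of this parameter requires that the current date/time MUST be before the
   * expiration date/time listed in the value. Implementers MAY provide for some small leeway,
   * usually no more than a few minutes, to account for clock skew. Its value is a JSON number
   * representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the
   * date/time. See RFC 3339 [RFC3339] for details regarding date/times in general and UTC in
   * particular.
   *
   * Seconds, not milliseconds: compare against `Math.floor(Date.now() / 1000)`, not `Date.now()`.
   */
  exp: number;

  /**
   * REQUIRED. Time at which the JWT was issued. Its value is a JSON number representing the number
   * of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
   *
   * Same unit caveat as `exp`: seconds since the epoch.
   */
  iat: number;

  /**
   * Time when the End-User authentication occurred. Its value is a JSON number representing the
   * number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a
   * max_age request is made or when auth_time is requested as an Essential Claim, then this
   * Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. (The auth_time Claim semantically
   * corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] auth_time response parameter.)
   */
  auth_time?: number;

  /**
   * String value used to associate a Client session with an ID Token, and to mitigate replay
   * attacks. The value is passed through unmodified from the Authentication Request to the ID
   * Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal
   * to the value of the nonce parameter sent in the Authentication Request. If present in the
   * Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token
   * with the Claim Value being the nonce value sent in the Authentication Request. Authorization
   * Servers SHOULD perform no other processing on nonce values used. The nonce value is a case
   * sensitive string.
   */
  nonce?: string;

  /**
   * OPTIONAL. Authentication Context Class Reference. String specifying an Authentication
   * Context Class Reference value that identifies the Authentication Context Class that the
   * authentication performed satisfied. The value "0" indicates the End-User authentication
   * did not meet the requirements of ISO/IEC 29115 [ISO29115] level 1. Authentication using
   * a long-lived browser cookie, for instance, is one example where the use of "level 0" is
   * appropriate. Authentications with level 0 SHOULD NOT be used to authorize access to any
   * resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE]
   * nist_auth_level 0.) An absolute URI or an RFC 6711 [RFC6711] registered name SHOULD be
   * used as the acr value; registered names MUST NOT be used with a different meaning than
   * that which is registered. Parties using this claim will need to agree upon the meanings
   * of the values used, which may be context-specific. The acr value is a case
   * sensitive string.
   */
  acr?: string;

  /**
   * OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for
   * authentication methods used in the authentication. For instance, values might indicate
   * that both password and OTP authentication methods were used. The definition of particular
   * values to be used in the amr Claim is beyond the scope of this specification. Parties using
   * this claim will need to agree upon the meanings of the values used, which may be
   * context-specific. The amr value is an array of case sensitive strings.
   */
  amr?: string[];

  /**
   * OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it
   * MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the
   * ID Token has a single audience value and that audience is different than the authorized
   * party. It MAY be included even when the authorized party is the same as the sole audience.
   * The azp value is a case sensitive string containing a StringOrURI value.
   */
  azp?: string;
}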