UNPKG

@primerouting/zitadel-node

Version:

Library for API access to ZITADEL. Provides compiled gRPC service clients and helpers for applications and service accounts. Support http2 self-hosted instances

130 lines (129 loc) 5.01 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
type ServiceAccountJson = { userId: string; keyId: string; key: string; }; /** * Options for the authentication of a service account. * Define specific access options like ZITADEL API access or additional scopes * that should be attached to the returned access token. */ export type AuthenticationOptions = { /** * Whether the requested access token from ZITADEL will include the "ZITADEL API" project * in its audience. The returned token will be able to access the API on the service accounts * behalf. Essentially, this attaches the [apiAccessScope] to the token. */ apiAccess?: boolean; /** * A list of required roles to add to the fetched token. * Translates to the role scope (`urn:zitadel:iam:org:project:role:{Role}`). */ roles?: string[]; /** * List of audiences that should be attached to the token. * Translates to the additional audience scope * (`urn:zitadel:iam:org:project:id:{ProjectId}:aud`). */ projectAudiences?: string[]; /** * List of arbitrary additional scopes that are concatenated into the scope. */ additionalScopes?: string[]; }; /** * A service account for [ZITADEL](https://zitadel.ch/). The service * account can be loaded from a valid JSON string or from a file containing the JSON string. * The account is used to communicate with the ZITADEL API and may serve as access token * provider for a gRPC service client. * * The service account can be used with the provided access rights in ZITADEL. If you * want to use the ZITADEL API itself (for example to manage organizations), * you need to authenticate with [AuthenticationOptions.apiAccess] set to `true`. * * To create a service account json, head over to your ZITADEL console * and execute the following steps: * - create a `Service User` in your organization * - Give the service user the relevant authorization (e.g. ORG_OWNER or access to a specific project) * - Create a "key" in the account detail page of the service user and download it */ export declare class ServiceAccount { readonly userId: string; readonly keyId: string; readonly key: string; /** * The type of the object. */ static readonly type = "serviceaccount"; /** * Create a new service account * * @param userId The user ID of the service account. * @param keyId The ID of the RSA key. * @param key The private RSA key of the service account. Used to sign the JWT. * * @throws {Error} If the userId is not defined. * @throws {Error} If the keyId is not defined. * @throws {Error} If the key is not defined. */ constructor(userId: string, keyId: string, key: string); /** * Create an service account from a JSON object. * * @param json The JSON object. * @returns A service account. * * @throws {Error} If the constructor throws an error. * @throws {Error} If the passed JSON cannot be properly destructed. */ static fromJson({ userId, key, keyId }: ServiceAccountJson): ServiceAccount; /** * Create an service account from a JSON string. * The string is parsed using `JSON.parse`. * * @param jsonString The JSON string. * @returns A service account. * * @throws {Error} If the constructor throws an error. * @throws {Error} If the passed JSON cannot be properly parsed. * @throws {Error} If the passed JSON cannot be properly destructed. */ static fromJsonString(jsonString: string): ServiceAccount; /** * Create a JSON object from the application. * * @returns A JSON object. */ toJson(): ServiceAccountJson & { type: typeof ServiceAccount.type; }; /** * Authenticates the service account against the provided audience (or issuer) to * fetch an access token. To authenticate with special options, use the * options parameter. * * The function returns an access token that can be sent * to authenticate any request as the given service account. The access token * is valid for 60 minutes. * * @param audience The audience to authenticate against. * @param options The options to use for authentication. * * @returns An access token that is valid for 60 minutes. * * @example Just authenticate the service account against ZITADEL * ```typescript * const sa = ServiceAccount.fromJson(serviceAccountJson); * const token = await sa.authenticate('https://issuer.zitadel.ch'); * ``` * * @example Authenticate the service account against ZITADEL with ZITADEL API access * ```typescript * const sa = ServiceAccount.fromJson(serviceAccountJson); * const token = await sa.authenticate('https://issuer.zitadel.ch', { apiAccess: true }); * ``` */ authenticate(audience: string, options?: AuthenticationOptions): Promise<string>; private getSignedJwt; } export {};