/**
 * Node's parsed X.509 certificate type (from the `crypto` module), re-exported
 * so callers can type the parsed client certificate (see SecurityContextConfig.clientCertificate).
 */
export type X509Certificate = import("crypto").X509Certificate;
/**
 * Credentials common to all supported services (typically taken from the service binding).
 * Authentication is either mTLS (`certificate` + `key`) or `clientsecret`; one of the two must be present.
 */
export type ServiceCredentials = {
/**
 * OAuth client id of the bound service instance
 */
clientid?: string;
/**
 * base URL of the service
 */
url?: string;
/**
 * PEM-encoded client certificate
 */
certificate?: string;
/**
 * PEM-encoded client key. This is private key material: it must only come from the service
 * binding and must not be logged or persisted elsewhere.
 */
key?: string;
/**
 * to be used as alternative authentication method to mTLS-based authentication. Must be defined when `certificate` is NOT defined.
 * Secret material: same handling rules as `key`.
 */
clientsecret?: string;
};
/**
 * Identity-service specific credentials, used in addition to ServiceCredentials.
 */
export type IdentityServiceCredentials = {
/**
 * tenant (the application tenant id the service instance is bound to; may be overridden per token fetch via IdentityServiceTokenFetchOptions.app_tid)
 */
app_tid?: string;
};
/**
 * XSUAA specific credentials, used in addition to ServiceCredentials.
 */
export type XsuaaServiceCredentials = {
/**
 * name of the application registered with XSUAA
 */
xsappname?: string;
/**
 * domain of service
 */
uaadomain?: string;
/**
 * URL to fetch tokens based on mTLS. Must be defined when `certificate` is defined.
 */
certurl?: string;
};
/**
 * XSA specific credentials, used in addition to ServiceCredentials.
 */
export type XsaServiceCredentials = {
/**
 * name of the application registered with the UAA
 */
xsappname?: string;
/**
 * URL to fetch tokens based on mTLS. Must be defined when `certificate` is defined.
 */
certurl?: string;
};
/**
 * UAA specific credentials, used in addition to ServiceCredentials.
 */
export type UaaServiceCredentials = {
/**
 * domain of service
 */
uaadomain?: string;
};
/**
 * Per-Service configuration (validation, token fetching and outgoing request defaults).
 */
export type ServiceConfig = {
/**
 * key/value object whose entries override default endpoints of service.
 * Overridden endpoints decide where tokens are fetched from and where keys are loaded from,
 * so they must originate from trusted configuration, never from request data.
 */
endpoints?: object;
/**
 * configures different kinds of validation
 */
validation?: {
/**
 * master switch for the validation configured here. Which individual checks it governs is
 * not visible from this declaration — confirm against the implementation before relying on it.
 */
enabled?: boolean;
/**
 * JWKS (signing key) cache and refresh behaviour
 */
jwks?: JwksConfig;
/**
 * cache for signature verification results
 */
signatureCache?: CacheConfig;
};
/**
 * configures token fetch behaviour.
 */
tokenfetch?: TokenFetchConfig;
/**
 * default configuration for requests against this Service
 */
requests?: {
/**
 * request timeout in ms
 */
timeout?: number;
/**
 * `true` for default retry behaviour, or an explicit exponential backoff configuration
 */
retry?: boolean | ExponentialBackoffRetryConfig;
};
};
/**
 * Configuration of token fetching for a Service.
 */
export type TokenFetchConfig = {
/**
 * configures the token fetch response cache used by the cached token getter methods (getClientCredentialsToken, getJwtBearerToken, getPasswordToken). Enabled by default with a built-in LRU cache of size 100. Set cache.enabled=false to disable.
 * Note that this cache holds access tokens; a custom `impl` (see CacheConfig) therefore receives sensitive data.
 */
cache?: CacheConfig;
};
/**
 * Configuration of the JWKS (signing key set) cache.
 * `refreshPeriod` should be smaller than `expirationTime`: a stale key is refreshed in the background
 * while still being used, an expired key blocks validation until it has been re-fetched.
 */
export type JwksConfig = {
/**
 * if true, shares the JWKS cache with the first instance of the same Service type that was created with this flag set to true, otherwise creates a new JWKS cache for each instance
 */
shared?: boolean;
/**
 * time in *ms* since last refresh until a JWK counts as expired which requires a synchronous refresh on the next validation using this JWK.
 * Larger values keep a cached key in use for longer after the issuer has rotated or removed it.
 */
expirationTime?: number;
/**
 * time in *ms* since last refresh until a JWK counts as stale which triggers an asynchronous refresh in the background on the next validation using this JWK
 */
refreshPeriod?: number;
};
/**
 * Generic cache configuration shared by the token, id token, signature and legacy extension caches.
 */
export type CacheConfig = {
/**
 * - enables the cache
 */
enabled?: boolean;
/**
 * - Size of the cache, defaults to 100
 */
size?: number;
/**
 * - A custom cache instance that is used instead of the default LRUCache.
 * Depending on where the config is used the cache stores tokens or validation results,
 * so an implementation backed by external or persistent storage extends the exposure of that data.
 */
impl?: import("../util/Types").Cache;
};
/**
 * Retry strategy for outgoing requests. The delay grows by `factor` per attempt,
 * starting at `initialDelay` and capped at `maxDelay`.
 */
export type RetryConfig = {
/**
 * name of the retry configuration strategy
 */
name?: string;
/**
 * maximum number of retries
 */
retries?: number;
/**
 * initial delay in ms between retries
 */
initialDelay?: number;
/**
 * factor to exponentially increase the delay between retries
 */
factor?: number;
/**
 * maximum delay in ms between retries
 */
maxDelay?: number;
};
/**
 * Alias of RetryConfig; the only retry strategy currently declared (see ServiceConfig.requests.retry).
 */
export type ExponentialBackoffRetryConfig = RetryConfig;
/**
 * Identity-service specific configuration, used in addition to ServiceConfig.
 */
export type IdentityServiceConfig = {
/**
 * configures different kinds of validation
 */
validation?: {
/**
 * x5t (certificate thumbprint) validation. Presumably checks that the token is bound to the
 * presented client certificate — confirm against the implementation. Disabling it weakens the
 * token-to-client binding.
 */
x5t?: {
enabled?: boolean;
};
/**
 * proof token validation (details not visible from this declaration — confirm against the implementation)
 */
proofToken?: {
enabled?: boolean;
};
};
/**
 * configures id token cache (enabled with size 100 by default)
 */
idTokenCache?: CacheConfig;
/**
 * configuration for SecurityContexts created by this service
 */
context?: object;
/**
 * activation flag or custom configuration options for XSUAA legacy extension
 */
xsuaaLegacyExtension?: boolean | XsuaaLegacyExtensionConfig;
/**
 * a list of explicitly created SecurityContext extensions
 */
extensions?: ContextExtension<import("../context/IdentityServiceSecurityContext")>[];
};
/**
 * Options for the XSUAA legacy extension of the identity service (see IdentityServiceConfig.xsuaaLegacyExtension).
 */
export type XsuaaLegacyExtensionConfig = {
/**
 * Which context type should be returned after token validation.
 */
primaryContextType?: string;
/**
 * Optional cache configuration. Defaults to an in-memory LRU with max size 100.
 */
cache?: CacheConfig;
};
/**
 * Hook that extends a SecurityContext after it has been created.
 * @template SC the SecurityContext subtype this extension operates on
 */
export type ContextExtension<SC> = {
/**
 * a function that extends or patches properties of the SecurityContext, e.g. by fetching additional tokens to add a secondary SecurityContext.
 * Resolves to nothing or to a further SecurityContext (its type parameters are untyped here).
 */
extendSecurityContext: (arg0: SC) => Promise<void | import("../context/SecurityContext")<any, any>>;
};
/**
 * Input for creating a SecurityContext. The token comes from `token`, `jwt` or `req` (in that order of directness);
 * the client certificate from `clientCertificate`, `clientCertificatePem` or `req`.
 */
export type SecurityContextConfig = {
/**
 * all Service instances passed to createSecurityContext global function
 */
services?: object[];
/**
 * jwt token used to build the context if no Token instance is provided
 */
jwt?: string;
/**
 * an already decoded Token instance used to build the context without decoding the jwt again
 */
token?: import("../token/Token");
/**
 * client certificate in PEM format
 */
clientCertificatePem?: string;
/**
 * parsed client certificate which will be automatically created from clientCertificatePem
 */
clientCertificate?: X509Certificate;
/**
 * correlation id that will be sent along with external requests
 */
correlationId?: string;
/**
 * request object from which the jwt and additional information, such as a correlation id and the forwarded client certificate, will be extracted if not provided directly.
 * Everything read from `headers` is caller-controlled. In particular, a forwarded client certificate header is only
 * trustworthy when the platform router in front of the application sets or strips it — confirm for your deployment.
 */
req?: {
headers?: object;
};
/**
 * if true, the SecurityContext is created without validating the token. Caution! This flag MUST NOT BE ENABLED, except for testing or when the token has already been validated before, e.g. in DwC contexts.
 */
skipValidation?: boolean;
};
/**
 * A cache object that can be used to store and retrieve values via set and get methods.
 * Used as the `impl` of CacheConfig. Both members are declared as the untyped `Function`,
 * so argument and return types are not checked at the call sites — presumably `set(key, value)`
 * and `get(key)`; confirm against the default LRUCache usage.
 */
export type Cache = {
/**
 * Sets the value of the given key in the cache.
 */
set: Function;
/**
 * Retrieves the value of the given key from the cache.
 */
get: Function;
};
/**
 * Options common to all token fetch methods.
 */
export type TokenFetchOptions = {
/**
 * correlationId to correlate log entries with the request
 */
correlationId?: string;
/**
 * request timeout in ms
 */
timeout?: number;
/**
 * "jwt" or "opaque" (Default: "jwt")
 */
token_format?: "jwt" | "opaque";
};
/**
 * Identity-service specific token fetch options, used in addition to TokenFetchOptions.
 */
export type IdentityServiceTokenFetchOptions = {
/**
 * can be used to override the app_tid from credentials for this token fetch
 */
app_tid?: string;
/**
 * name (or array of names) of API dependency to another application that shall be consumed with this token in the format urn:sap:identity:application:provider:name:<dependencyName>
 */
resource?: string | string[];
/**
 * expiration of refresh token. If set to 0, no refresh_token will be contained in the response.
 * Requesting a refresh token only where it is needed keeps long-lived credentials out of responses that do not use them.
 */
refresh_expiry?: number;
};
/**
 * XSUAA specific token fetch options, used in addition to TokenFetchOptions.
 */
export type XsuaaTokenFetchOptions = {
/**
 * requested scope of token
 */
scope?: string[];
/**
 * (aka subdomain) the subdomain of a tenant on the same subaccount from which to fetch a token. Note that this parameter does NOT accept a tenant ID. To pass a zone ID, use the zid parameter instead.
 */
tenant?: string;
/**
 * the zone id from which to fetch a token
 */
zid?: string;
/**
 * additional authorities that can be freely chosen during token fetch that will be put into the token under az_attr claim (see https://github.com/cloudfoundry/uaa/blob/24c0c23fa36d7c604e365e1be4df658d55dcb211/docs/UAA-APIs.rst#support-for-additional-authorization-attributes)
 * Because the values are chosen by the fetching client, a token consumer should not derive authorization decisions
 * from az_attr unless it trusts every client able to fetch tokens for it.
 */
authorities?: object;
};
/**
 * OAuth grant types supported by the token fetch methods.
 */
export type GrantType = "client_credentials" | "password" | "urn:ietf:params:oauth:grant-type:jwt-bearer";
/**
 * Base shape of a token endpoint response.
 */
export type TokenFetchResponse = {
/**
 * access token as JWT
 */
access_token: string;
/**
 * number of seconds until the access token expires (relative to the time of the response, not an absolute timestamp)
 */
expires_in: number;
/**
 * token type as returned by the token endpoint
 */
token_type: string;
};
/**
 * Mixin for responses that additionally carry an ID token.
 */
export type IdTokenFetchResponse = {
/**
 * - ID token as JWT
 */
id_token: string;
};
/**
 * Mixin for responses that additionally carry a refresh token.
 */
export type RefreshableTokenFetchResponse = {
/**
 * refresh token. Longer-lived than the access token (see IdentityServiceTokenFetchOptions.refresh_expiry);
 * store it with the same care as a credential.
 */
refresh_token: string;
};
/**
 * Response of a password grant token fetch against the identity service: access, ID and refresh token.
 */
export type IdentityServicePasswordTokenFetchResponse = TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse;
/**
 * Response of a JWT bearer grant token fetch against the identity service: access, ID and refresh token.
 */
export type IdentityServiceJwtBearerTokenFetchResponse = TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse;
/**
 * Decoded JWT header. Both fields are read before the signature is verified and are therefore
 * untrusted input: `kid` is only a lookup hint for the JWKS and `alg` must be checked against the
 * algorithms the validator accepts rather than taken as-is.
 */
export type JwtHeader = {
/**
 * Key ID
 */
kid?: string;
/**
 * Algorithm
 */
alg?: string;
};
/**
 * Standard claims https://datatracker.ietf.org/doc/html/rfc7519#section-4.1,
 * followed by additional claims known to this library. All claims are optional in the
 * declaration; validation decides which ones are required.
 */
export type JwtPayload = {
/**
 * Issuer
 */
iss?: string;
/**
 * Subject
 */
sub?: string;
/**
 * Audience
 */
aud?: string | string[];
/**
 * Expiration time
 */
exp?: number;
/**
 * Not before
 */
nbf?: number;
/**
 * Issued at
 */
iat?: number;
/**
 * JWT ID
 */
jti?: string;
/**
 * Authorized party
 */
azp?: string;
/**
 * Email
 */
email?: string;
/**
 * Family name.
 * NOTE(review): the claim is spelled `familiy_name` here, whereas the standard OIDC claim is `family_name`;
 * confirm which spelling the issued tokens and the library's accessors actually use.
 */
familiy_name?: string;
/**
 * First name
 */
given_name?: string;
/**
 * Grant type
 */
grant_type?: string;
/**
 * User name
 */
user_name?: string;
/**
 * User UUID
 */
user_uuid?: string;
};
/**
 * Claims specific to tokens issued by the SAP Cloud Identity Service, in addition to JwtPayload.
 */
export type IdentityServiceJwtPayload = {
/**
 * The ID of the caller's tenant within the SAP Cloud Identity Service application for which the token was fetched.
 */
app_tid?: string;
/**
 * SAP Cloud Identity Service APIs consumed by the caller
 */
ias_apis?: string[];
/**
 * SCIM ID
 */
scim_id?: string;
/**
 * Deprecated claim for app_tid. Prefer `app_tid`; only fall back to this claim for tokens that lack it.
 */
zone_uuid?: string;
};
/**
 * Claims specific to tokens issued by XSUAA, in addition to JwtPayload.
 * `cid` and `client_id` are both declared as "Client ID"; which one a given token carries is not
 * visible here — confirm before relying on either.
 */
export type XsuaaJwtPayload = {
/**
 * Client ID
 */
cid?: string;
/**
 * Client ID
 */
client_id?: string;
/**
 * Origin
 */
origin?: string;
/**
 * Scopes
 */
scope?: string[];
/**
 * User ID
 */
user_id?: string;
/**
 * Zone ID
 */
zid?: string;
};
//# sourceMappingURL=Types.d.ts.map