UNPKG

graphdb-workbench

Version:
149 lines (148 loc) 5.65 kB
import { Service } from '../../../providers/service/service'; import { OpenIdTokens } from '../../../models/security/authentication/openid-auth-flow-models'; /** * Service responsible for managing OpenID Connect authentication flows, token management, * and security operations within the GraphDB workbench. */ export declare class OpenIdService implements Service { private readonly logger; private readonly openIdRestService; private readonly openidStorageService; private readonly securityContextService; private readonly tokenUtils; private readonly authenticationStorageService; private readonly authFlowHandler; private readonly tokenRefreshManager; private readonly openIdUrlBuilder; /** * Retrieves the JSON Web Key Set (JWKS) from the OpenID provider. * The JWKS contains the public keys used to verify JWT tokens. * * @returns {Promise<{ keys: { kid: string }[] }>} resolving to an object containing an array of keys with their key IDs */ getJSONWebKeySet(): Promise<{ keys: { kid: string; }[]; }>; /** * Exchanges an authorization code for OpenID tokens. * Used after redirect from provider in code flow. * @param {string} redirectUrl - Redirect URI used in the flow * @param {string} code - Authorization code from provider * @param {string | null} [codeVerifier] - PKCE code verifier (optional) * @returns {Promise<OpenIdTokens>} Tokens object */ getTokens(redirectUrl: string, code: string, codeVerifier?: string | null): Promise<OpenIdTokens>; /** * Refreshes access tokens using a refresh token. * Saves new tokens and sets up next refresh. * Emits logout event on failure. * @param {string} refreshToken - Refresh token * @returns {Promise<void>} Promise that resolves when tokens are refreshed * @throws {OpenIdError} If no OpenID config */ refreshTokens(refreshToken: string): Promise<void>; /** * Initializes OpenID authentication system. * Loads JWKS, checks authentication, and handles pending flows. * @returns {Promise<boolean>} True if authenticated, else false */ initializeOpenId(): Promise<boolean>; /** * Loads JWKS from provider and updates security context. * @returns {Promise<void>} */ initializeJsonWebKeySet(): Promise<void>; /** * Starts authorization code flow with PKCE. * Stores state and redirects to provider login. * @param {string} state - CSRF protection state * @param {string} returnToUrl - Redirect URI after login */ setupCodeFlow(state: string, returnToUrl: string): void; /** * Starts authorization code flow without PKCE. * Clears PKCE verifier and redirects to login. * @param {string} state - CSRF protection state * @param {string} returnToUrl - Redirect URI after login */ setupCodeNoPkceFlow(state: string, returnToUrl: string): void; /** * Starts implicit flow for OpenID authentication. * Stores nonce and redirects to provider login. * @param {string} state - Nonce and CSRF protection state * @param {string} returnToUrl - Redirect URI after login */ setupImplicitFlow(state: string, returnToUrl: string): void; /** * Sets up automatic token refresh based on expiration. * @returns {Promise<void>} */ setupTokensRefresh(): Promise<void>; /** * Clears authentication data, tokens, and refresh timers. */ clearAuthentication(): void; /** * Initiates logout by clearing authentication. */ logout(logoutFromIDP?: boolean): void; /** * Gets OpenID security config from context. * @returns {OpenidSecurityConfig} OpenID config * @throws {OpenIdError} If no config */ private getOpenIdConfig; /** * Builds a key set mapping from key ID to key object. * @param {Array<{ kid: string }>} keys - JWKS keys * @returns {Record<string, JsonWebKey & { kid: string }>} Key set */ private buildKeySet; /** * Handles completion of authentication flow. * Processes query params and exchanges codes/tokens. * @returns {Promise<boolean>} True if authenticated */ private handleAuthenticationFlow; /** * Exchanges authorization code for tokens and saves them. * Used as callback in code flow. * @param {string} code - Authorization code * @param {string} redirectUrl - Redirect URI * @param {string | null} [codeVerifier] - PKCE code verifier (optional) * @returns {Promise<void>} * @throws {OpenIdError} If no config or token exchange fails */ private exchangeTokensForCode; /** * Clears authentication data. */ private softLogout; /** * Performs hard logout and redirects to provider's logout endpoint. * @param {string} redirectUrl - Redirect URI after logout */ private hardLogout; /** * Redirects browser to specified URL. * @param {string} url - Target URL */ private redirectToUrl; /** * Builds login URL for OpenID provider. * @param {string} state - CSRF protection state * @param {string} codeChallenge - PKCE code challenge * @param {string} redirectUrl - Redirect URI after login * @returns {string} Login URL * @throws {OpenIdError} If no config */ private getLoginUrl; /** * Builds logout URL for OpenID provider. * @param {string} redirectUrl - Redirect URI after logout * @returns {string} Logout URL */ private getLogoutUrl; }