signalk-server
Version:
An implementation of a [Signal K](http://signalk.org) server for boats.
72 lines • 2.08 kB
TypeScript
import { OIDCConfig, OIDCProviderMetadata } from './types';
/**
* JSON Web Key Set structure
*/
export interface JSONWebKeySet {
keys: Array<{
kty: string;
kid?: string;
use?: string;
alg?: string;
[key: string]: unknown;
}>;
}
/**
* ID Token claims after validation
*/
export interface ValidatedIdTokenClaims {
iss: string;
sub: string;
aud: string | string[];
exp: number;
iat: number;
nonce?: string;
email?: string;
name?: string;
preferred_username?: string;
groups?: string[];
[key: string]: unknown;
}
type FetchFn = typeof fetch;
/**
* Set the fetch function (for testing)
*/
export declare function setFetchFunction(fn: FetchFn): void;
/**
* Reset the fetch function to the default
*/
export declare function resetFetchFunction(): void;
/**
* Clear the JWKS cache
*/
export declare function clearJwksCache(): void;
/**
* Fetch JWKS from the provider
* @param metadata Provider metadata containing jwks_uri
* @returns The JWKS
*/
export declare function fetchJwks(metadata: OIDCProviderMetadata): Promise<JSONWebKeySet>;
/**
* Validate an ID token according to OIDC spec
*
* Validates:
* - Signature using provider's JWKS
* - Issuer matches expected issuer
* - Audience contains client_id
* - Token is not expired (with 5 min clock skew tolerance)
* - Nonce matches expected nonce
*
* If signature verification fails, the JWKS cache is cleared and validation
* is retried once. This handles the case where the OIDC provider has rotated
* keys since the JWKS was cached.
*
* @param idToken The ID token string
* @param config OIDC configuration
* @param metadata Provider metadata
* @param expectedNonce The nonce from the auth state
* @returns Validated claims from the ID token
* @throws OIDCError if validation fails
*/
export declare function validateIdToken(idToken: string, config: OIDCConfig, metadata: OIDCProviderMetadata, expectedNonce: string): Promise<ValidatedIdTokenClaims>;
export {};
//# sourceMappingURL=id-token-validation.d.ts.map