signalk-server
Version:
An implementation of a [Signal K](http://signalk.org) server for boats.
59 lines • 2.82 kB
TypeScript
import { Request, Response, IRouter } from 'express';
import { OIDCConfig, OIDCUserInfo, OIDCCryptoService, ExternalUserService, ExternalUser } from './types';
/**
* Validate and merge userinfo claims into ID token claims.
*
* Security considerations:
* - Validates that userinfo sub matches ID token sub (OIDC Core spec requirement)
* - Only merges safe claims (email, name, preferred_username, groups)
* - Does NOT allow userinfo to overwrite security-critical claims (sub, iss, aud, nonce)
*
* @param idTokenClaims The validated claims from the ID token
* @param userinfoClaims The claims from the userinfo endpoint
* @param groupsAttribute The attribute name for groups (default: 'groups')
* @throws OIDCError if userinfo sub doesn't match ID token sub
*/
export declare function validateAndMergeUserinfoClaims(idTokenClaims: Record<string, unknown>, userinfoClaims: Record<string, unknown>, groupsAttribute?: string): void;
/**
* Dependencies injected by tokensecurity.
* This interface defines the contract between tokensecurity and OIDC authentication.
*/
export interface OIDCAuthDependencies {
/** Get parsed OIDC configuration */
getOIDCConfig: () => OIDCConfig;
/** Set session cookies after successful authentication */
setSessionCookie: (res: Response, req: Request, token: string, username: string, options?: {
rememberMe?: boolean;
}) => void;
/** Clear session cookies on logout */
clearSessionCookie: (res: Response) => void;
/** Generate a JWT for a user */
generateJWT: (userId: string, expiration?: string) => string;
/**
* Crypto service for OIDC state encryption.
* Provides a derived secret - OIDC handles its own encryption.
*/
cryptoService: OIDCCryptoService;
/**
* User service for external authentication providers.
* Abstracts user storage so OIDC doesn't need to know about
* the underlying storage mechanism.
*/
userService: ExternalUserService;
}
/**
* Find or create a user from OIDC authentication.
* This function looks up existing users by OIDC subject+issuer, or creates
* a new user if auto-creation is enabled.
*
* For existing users, permissions are recalculated on each login based on
* current group memberships. This allows permission changes to take effect
* when group assignments change in the identity provider.
*/
export declare function findOrCreateOIDCUser(userInfo: OIDCUserInfo, oidcConfig: OIDCConfig, deps: Pick<OIDCAuthDependencies, 'userService'>): Promise<ExternalUser | null>;
/**
* Register OIDC authentication routes.
* This function adds the OIDC login, callback, and status endpoints to the Express app.
*/
export declare function registerOIDCRoutes(app: IRouter, deps: OIDCAuthDependencies): void;
//# sourceMappingURL=oidc-auth.d.ts.map