@authrim/core 0.1.4 → 0.1.6

package/dist/index.d.ts

@@ -4012,205 +4012,6 @@ declare class FrontChannelLogoutUrlBuilder {
     validateRequest(url: string | URL, expected?: FrontChannelLogoutValidationOptions): FrontChannelLogoutValidationResult;
 }
 
-/**
- * JWT Utilities
- *
- * Note: This module only provides decoding (parsing) functionality.
- * JWT signature verification MUST be performed by the server.
- * Never trust decoded JWT claims without server-side verification.
- */
-
-/**
- * JWT Header
- */
-interface JwtHeader {
-    alg: string;
-    typ?: string;
-    kid?: string;
-    [key: string]: unknown;
-}
-/**
- * Decoded JWT structure
- */
-interface DecodedJwt<T = Record<string, unknown>> {
-    header: JwtHeader;
-    payload: T;
-    signature: string;
-}
-/**
- * Decode a JWT without verifying the signature
- *
- * WARNING: This function does NOT verify the JWT signature.
- * Use this only for reading claims after the token has been
- * validated by the authorization server.
- *
- * @param jwt - JWT string to decode
- * @returns Decoded JWT parts
- * @throws Error if the JWT format is invalid
- */
-declare function decodeJwt<T = Record<string, unknown>>(jwt: string): DecodedJwt<T>;
-/**
- * Decode an ID token and extract claims
- *
- * WARNING: This function does NOT verify the ID token.
- * The token MUST be verified by the authorization server before use.
- *
- * @param idToken - ID token string
- * @returns ID token claims
- */
-declare function decodeIdToken(idToken: string): IdTokenClaims;
-/**
- * Check if a JWT is expired
- *
- * @param jwt - Decoded JWT payload with exp claim
- * @param skewSeconds - Clock skew tolerance in seconds (default: 0)
- * @returns true if expired
- */
-declare function isJwtExpired(payload: {
-    exp?: number;
-}, skewSeconds?: number): boolean;
-/**
- * Get the nonce claim from an ID token
- *
- * @param idToken - ID token string
- * @returns nonce value or undefined
- */
-declare function getIdTokenNonce(idToken: string): string | undefined;
-
-/**
- * Back-Channel Logout Validator
- *
- * Implements OpenID Connect Back-Channel Logout 1.0
- * https://openid.net/specs/openid-connect-backchannel-1_0.html
- *
- * Back-channel logout allows the OP to notify RPs of logout events
- * via direct HTTP calls (server-to-server).
- *
- * NOTE: This validator performs claims validation only.
- * JWT signature verification MUST be performed separately using JWKS.
- */
-
-/**
- * Back-channel logout event URI
- */
-declare const BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
-/**
- * Back-channel logout validation error codes
- */
-type BackChannelLogoutErrorCode = 'invalid_format' | 'invalid_issuer' | 'invalid_audience' | 'invalid_events' | 'expired' | 'not_yet_valid' | 'missing_sub_and_sid' | 'sub_mismatch' | 'sid_mismatch' | 'missing_jti' | 'nonce_present';
-/**
- * Options for validating a logout token
- */
-interface BackChannelLogoutValidationOptions {
-    /** Expected issuer */
-    issuer: string;
-    /** Expected audience (client_id) */
-    audience: string;
-    /** Maximum age in seconds (default: 60) */
-    maxAge?: number;
-    /** Clock skew tolerance in seconds (default: 30) */
-    clockSkew?: number;
-    /** Expected session ID (optional) */
-    expectedSid?: string;
-    /** Expected subject (optional) */
-    expectedSub?: string;
-}
-/**
- * Result of back-channel logout token validation
- */
-interface BackChannelLogoutValidationResult {
-    /** Whether the token is valid */
-    valid: boolean;
-    /** Validated claims (if valid) */
-    claims?: LogoutTokenClaims;
-    /** JWT header (if valid) */
-    header?: JwtHeader;
-    /** Error message (if invalid) */
-    error?: string;
-    /** Error code (if invalid) */
-    errorCode?: BackChannelLogoutErrorCode;
-}
-/**
- * Back-Channel Logout Validator
- *
- * Validates logout_token JWTs per OIDC Back-Channel Logout 1.0.
- *
- * ## Security Notes
- *
- * 1. **JWT Signature Verification**: This class performs claims validation only.
- *    JWT signature verification MUST be performed separately using JWKS
- *    before calling validate().
- *
- * 2. **JTI Replay Protection**: This validator checks for jti presence only.
- *    The application MUST implement jti replay protection by:
- *    - Storing used jti values (at least until token expiry + clock skew)
- *    - Rejecting tokens with previously-used jti values
- *
- * Usage (Node.js server receiving back-channel logout request):
- * ```typescript
- * // 1. Receive logout_token from POST body
- * const logoutToken = req.body.logout_token;
- *
- * // 2. Verify JWT signature using JWKS (not shown - use jose or similar)
- * await verifyJwtSignature(logoutToken, jwks);
- *
- * // 3. Validate claims
- * const validator = new BackChannelLogoutValidator();
- * const result = validator.validate(logoutToken, {
- *   issuer: 'https://op.example.com',
- *   audience: 'my-client-id'
- * });
- *
- * if (!result.valid) {
- *   return res.status(400).send('Invalid logout token');
- * }
- *
- * // 4. Check for jti replay (application responsibility)
- * if (await jtiStore.has(result.claims.jti)) {
- *   return res.status(400).send('Token replay detected');
- * }
- * await jtiStore.set(result.claims.jti, true, maxAge + clockSkew);
- *
- * // 5. Perform logout for sub and/or sid
- * await logoutUser(result.claims.sub, result.claims.sid);
- * ```
- */
-declare class BackChannelLogoutValidator {
-    /**
-     * Validate a logout_token
-     *
-     * Per OIDC Back-Channel Logout 1.0, the logout_token MUST:
-     * - Be a valid JWT
-     * - Contain iss, aud, iat, jti claims
-     * - Contain events claim with back-channel logout event
-     * - Contain either sub or sid (or both)
-     * - NOT contain a nonce claim
-     *
-     * @param logoutToken - JWT logout token to validate
-     * @param options - Validation options
-     * @returns Validation result
-     */
-    validate(logoutToken: string, options: BackChannelLogoutValidationOptions): BackChannelLogoutValidationResult;
-    /**
-     * Extract claims from a logout token without validation
-     *
-     * Useful for inspecting the token before/during validation.
-     *
-     * @param logoutToken - JWT logout token
-     * @returns Claims or null if invalid format
-     */
-    extractClaims(logoutToken: string): LogoutTokenClaims | null;
-    /**
-     * Extract header from a logout token without validation
-     *
-     * Useful for getting kid to select the correct JWKS key.
-     *
-     * @param logoutToken - JWT logout token
-     * @returns Header or null if invalid format
-     */
-    extractHeader(logoutToken: string): JwtHeader | null;
-}
-
 /**
  * Debug Module Types
  *
@@ -4440,6 +4241,71 @@ declare function stringToBase64url(str: string): string;
  */
 declare function base64urlToString(base64url: string): string;
 
+/**
+ * JWT Utilities
+ *
+ * Note: This module only provides decoding (parsing) functionality.
+ * JWT signature verification MUST be performed by the server.
+ * Never trust decoded JWT claims without server-side verification.
+ */
+
+/**
+ * JWT Header
+ */
+interface JwtHeader {
+    alg: string;
+    typ?: string;
+    kid?: string;
+    [key: string]: unknown;
+}
+/**
+ * Decoded JWT structure
+ */
+interface DecodedJwt<T = Record<string, unknown>> {
+    header: JwtHeader;
+    payload: T;
+    signature: string;
+}
+/**
+ * Decode a JWT without verifying the signature
+ *
+ * WARNING: This function does NOT verify the JWT signature.
+ * Use this only for reading claims after the token has been
+ * validated by the authorization server.
+ *
+ * @param jwt - JWT string to decode
+ * @returns Decoded JWT parts
+ * @throws Error if the JWT format is invalid
+ */
+declare function decodeJwt<T = Record<string, unknown>>(jwt: string): DecodedJwt<T>;
+/**
+ * Decode an ID token and extract claims
+ *
+ * WARNING: This function does NOT verify the ID token.
+ * The token MUST be verified by the authorization server before use.
+ *
+ * @param idToken - ID token string
+ * @returns ID token claims
+ */
+declare function decodeIdToken(idToken: string): IdTokenClaims;
+/**
+ * Check if a JWT is expired
+ *
+ * @param jwt - Decoded JWT payload with exp claim
+ * @param skewSeconds - Clock skew tolerance in seconds (default: 0)
+ * @returns true if expired
+ */
+declare function isJwtExpired(payload: {
+    exp?: number;
+}, skewSeconds?: number): boolean;
+/**
+ * Get the nonce claim from an ID token
+ *
+ * @param idToken - ID token string
+ * @returns nonce value or undefined
+ */
+declare function getIdTokenNonce(idToken: string): string | undefined;
+
 /**
  * Hash Utilities
  *
@@ -4905,7 +4771,7 @@ interface PasskeyLoginStartResponse {
  */
 interface PasskeyLoginFinishRequest {
     challenge_id: string;
-    credential: AuthenticatorAssertionResponseJSON;
+    credential: AuthenticationResponseJSON;
     code_verifier: string;
 }
 /**
@@ -4942,7 +4808,7 @@ interface PasskeySignupStartResponse {
  */
 interface PasskeySignupFinishRequest {
     challenge_id: string;
-    credential: AuthenticatorAttestationResponseJSON;
+    credential: RegistrationResponseJSON;
     code_verifier: string;
 }
 /**
@@ -5079,13 +4945,51 @@ interface AuthenticatorAssertionResponseJSON {
     userHandle?: string;
 }
 /**
- * AuthenticatorAttestationResponse as JSON
+ * AuthenticatorAttestationResponse as JSON (inner response part)
  */
 interface AuthenticatorAttestationResponseJSON {
     clientDataJSON: string;
     attestationObject: string;
     transports?: AuthenticatorTransportType[];
 }
+/**
+ * Full RegistrationResponseJSON format (compatible with @simplewebauthn/server)
+ *
+ * This is the complete WebAuthn credential structure returned by navigator.credentials.create()
+ */
+interface RegistrationResponseJSON {
+    /** Credential ID (base64url) */
+    id: string;
+    /** Credential ID (base64url, same as id) */
+    rawId: string;
+    /** Attestation response */
+    response: AuthenticatorAttestationResponseJSON;
+    /** Always 'public-key' */
+    type: 'public-key';
+    /** Client extension results */
+    clientExtensionResults: Record<string, unknown>;
+    /** Authenticator attachment type */
+    authenticatorAttachment?: 'platform' | 'cross-platform' | null;
+}
+/**
+ * Full AuthenticationResponseJSON format (compatible with @simplewebauthn/server)
+ *
+ * This is the complete WebAuthn credential structure returned by navigator.credentials.get()
+ */
+interface AuthenticationResponseJSON {
+    /** Credential ID (base64url) */
+    id: string;
+    /** Credential ID (base64url, same as id) */
+    rawId: string;
+    /** Assertion response */
+    response: AuthenticatorAssertionResponseJSON;
+    /** Always 'public-key' */
+    type: 'public-key';
+    /** Client extension results */
+    clientExtensionResults: Record<string, unknown>;
+    /** Authenticator attachment type */
+    authenticatorAttachment?: 'platform' | 'cross-platform' | null;
+}
 /**
  * Direct Auth client configuration
  */
@@ -5157,4 +5061,4 @@ interface DirectAuthClient {
     session: SessionAuth;
 }
 
-export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackCompleteEvent, type AuthCallbackEvent, type AuthCallbackProcessingEvent, type AuthFallbackEvent, type AuthInitEvent, type AuthLoginCompleteEvent, type AuthLogoutCompleteEvent, type AuthPopupBlockedEvent, type AuthRedirectingEvent, type AuthRequiredEvent, type AuthResult, type AuthState, type AuthStateSnapshot, type AuthState$1 as AuthStateType, type AuthenticationExtensionsClientInputsType, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorRemediation, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type AutoRefreshOptions, AutoRefreshScheduler, BACKCHANNEL_LOGOUT_EVENT, type BackChannelLogoutErrorCode, type BackChannelLogoutValidationOptions, type BackChannelLogoutValidationResult, BackChannelLogoutValidator, type BaseEventPayload, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CheckSessionMessage, type CheckSessionResponse, type ClientAssertionClaims, type ClientAuthMethod, type ClientAuthResult, type ClientCredentials, ClientCredentialsClient, type ClientCredentialsClientOptions, type ClientCredentialsTokenOptions, type ClientSecretCredentials, type CodeChallengeMethod, type CoreEventName, type CryptoProvider, type DPoPCryptoProvider, type DPoPKeyPair, DPoPManager, type DPoPManagerConfig, type DPoPProofClaims, type DPoPProofHeader, type DPoPProofOptions, DebugContext, type DebugLogLevel, type DebugLogger, type DebugOptions, type DebugTimelineEvent, type DecodedJwt, type DeviceAuthorizationResponse, type DeviceFlowAccessDeniedResult, DeviceFlowClient, type DeviceFlowCompletedResult, type DeviceFlowExpiredResult, type DeviceFlowPendingResult, type DeviceFlowPollResult, type DeviceFlowSlowDownResult, type DeviceFlowStartOptions, type DeviceFlowState, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EmitClassifiedErrorOptions, type EndpointOverrides, type ErrorClassification, type ErrorEvent, type ErrorEventEmitter, type ErrorEventPayload, type ErrorFatalEvent, type ErrorRecoverableEvent, type ErrorSeverity, EventEmitter, EventTimeline, type ExchangeCodeOptions, type FrontChannelLogoutBuildParams, type FrontChannelLogoutParams, FrontChannelLogoutUrlBuilder, type FrontChannelLogoutUrlOptions, type FrontChannelLogoutUrlResult, type FrontChannelLogoutValidationOptions, type FrontChannelLogoutValidationResult, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, JARBuilder, type JARBuilderConfig, type JARMResponseClaims, type JARMValidationOptions, type JARMValidationResult, JARMValidator, type JARMValidatorConfig, type JARRequestObjectClaims, type JARRequestOptions, type JWK, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type LogoutTokenClaims, type MfaMethod, type NextAction, type NoClientCredentials, type OAuthErrorResponse, type OIDCDiscoveryDocument, PARClient, type PARClientOptions, type PARRequest, type PARResponse, type PARResult, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PrivateKeyJwtCredentials, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type RedactLevel, type ResidentKeyRequirementType, type ResolvedConfig, type RetryOptions, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionChangeEvent, type SessionChangedEvent, type SessionCheckResult, type SessionEndedEvent, type SessionLogoutBroadcastEvent, type SessionManagementConfig, SessionManager, type SessionManagerOptions, type SessionStartedEvent, type SessionState, SessionStateCalculator, type SessionStateCalculatorOptions, type SessionStateParams, type SessionStateResult, type SessionSyncEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, type StateChangeEvent, StateManager, TOKEN_TYPE_URIS, type TimelineEntry, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, type TokenExpiringEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshFailedEvent, type TokenRefreshedEvent, type TokenRefreshingEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, type WarningITPEvent, type WarningPrivateModeEvent, type WarningStorageFallbackEvent, type WebOnlyEventName, base64urlDecode, base64urlEncode, base64urlToString, buildClientAuthentication, calculateBackoffDelay, calculateDsHash, classifyError, createAuthrimClient, createCancellableOperation, createConsoleLogger, createDebugLogger, createRetryFunction, decodeIdToken, decodeJwt, emitClassifiedError, getErrorMeta, getIdTokenNonce, isCancellationError, isJarRequired, isJwtExpired, isRetryableError, noopLogger, normalizeIssuer, parseRetryAfterHeader, raceWithCancellation, resolveConfig, sleep, stringToBase64url, timingSafeEqual, withAbortSignal, withRetry };
+export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackCompleteEvent, type AuthCallbackEvent, type AuthCallbackProcessingEvent, type AuthFallbackEvent, type AuthInitEvent, type AuthLoginCompleteEvent, type AuthLogoutCompleteEvent, type AuthPopupBlockedEvent, type AuthRedirectingEvent, type AuthRequiredEvent, type AuthResult, type AuthState, type AuthStateSnapshot, type AuthState$1 as AuthStateType, type AuthenticationExtensionsClientInputsType, type AuthenticationResponseJSON, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorRemediation, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type AutoRefreshOptions, AutoRefreshScheduler, type BaseEventPayload, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CheckSessionMessage, type CheckSessionResponse, type ClientAssertionClaims, type ClientAuthMethod, type ClientAuthResult, type ClientCredentials, ClientCredentialsClient, type ClientCredentialsClientOptions, type ClientCredentialsTokenOptions, type ClientSecretCredentials, type CodeChallengeMethod, type CoreEventName, type CryptoProvider, type DPoPCryptoProvider, type DPoPKeyPair, DPoPManager, type DPoPManagerConfig, type DPoPProofClaims, type DPoPProofHeader, type DPoPProofOptions, DebugContext, type DebugLogLevel, type DebugLogger, type DebugOptions, type DebugTimelineEvent, type DecodedJwt, type DeviceAuthorizationResponse, type DeviceFlowAccessDeniedResult, DeviceFlowClient, type DeviceFlowCompletedResult, type DeviceFlowExpiredResult, type DeviceFlowPendingResult, type DeviceFlowPollResult, type DeviceFlowSlowDownResult, type DeviceFlowStartOptions, type DeviceFlowState, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EmitClassifiedErrorOptions, type EndpointOverrides, type ErrorClassification, type ErrorEvent, type ErrorEventEmitter, type ErrorEventPayload, type ErrorFatalEvent, type ErrorRecoverableEvent, type ErrorSeverity, EventEmitter, EventTimeline, type ExchangeCodeOptions, type FrontChannelLogoutBuildParams, type FrontChannelLogoutParams, FrontChannelLogoutUrlBuilder, type FrontChannelLogoutUrlOptions, type FrontChannelLogoutUrlResult, type FrontChannelLogoutValidationOptions, type FrontChannelLogoutValidationResult, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, JARBuilder, type JARBuilderConfig, type JARMResponseClaims, type JARMValidationOptions, type JARMValidationResult, JARMValidator, type JARMValidatorConfig, type JARRequestObjectClaims, type JARRequestOptions, type JWK, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type LogoutTokenClaims, type MfaMethod, type NextAction, type NoClientCredentials, type OAuthErrorResponse, type OIDCDiscoveryDocument, PARClient, type PARClientOptions, type PARRequest, type PARResponse, type PARResult, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PrivateKeyJwtCredentials, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type RedactLevel, type RegistrationResponseJSON, type ResidentKeyRequirementType, type ResolvedConfig, type RetryOptions, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionChangeEvent, type SessionChangedEvent, type SessionCheckResult, type SessionEndedEvent, type SessionLogoutBroadcastEvent, type SessionManagementConfig, SessionManager, type SessionManagerOptions, type SessionStartedEvent, type SessionState, SessionStateCalculator, type SessionStateCalculatorOptions, type SessionStateParams, type SessionStateResult, type SessionSyncEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, type StateChangeEvent, StateManager, TOKEN_TYPE_URIS, type TimelineEntry, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, type TokenExpiringEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshFailedEvent, type TokenRefreshedEvent, type TokenRefreshingEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, type WarningITPEvent, type WarningPrivateModeEvent, type WarningStorageFallbackEvent, type WebOnlyEventName, base64urlDecode, base64urlEncode, base64urlToString, buildClientAuthentication, calculateBackoffDelay, calculateDsHash, classifyError, createAuthrimClient, createCancellableOperation, createConsoleLogger, createDebugLogger, createRetryFunction, decodeIdToken, decodeJwt, emitClassifiedError, getErrorMeta, getIdTokenNonce, isCancellationError, isJarRequired, isJwtExpired, isRetryableError, noopLogger, normalizeIssuer, parseRetryAfterHeader, raceWithCancellation, resolveConfig, sleep, stringToBase64url, timingSafeEqual, withAbortSignal, withRetry };