@authrim/server 0.1.0

package/dist/index.d.cts

@@ -0,0 +1,791 @@
+import { A as AuthrimServer, a as AuthenticateRequest, b as AuthenticateResult, J as JwtHeader, P as ParsedJwt, S as StandardClaims, C as ClaimsValidationOptions, c as ClaimsValidationResult, T as TokenValidationOptions, d as TokenValidationResult, I as IntrospectionRequest, e as IntrospectionResponse, R as RevocationRequest, D as DPoPValidationOptions, f as DPoPValidationResult } from './types-CzpMdWFR.cjs';
+export { g as AccessTokenClaims, h as AuthenticateError, i as AuthenticateSuccess, j as ConfirmationClaim, k as DPoPProofHeader, l as DPoPProofPayload, m as IdTokenClaims, M as MiddlewareOptions, V as ValidatedToken, n as createAuthrimServer } from './types-CzpMdWFR.cjs';
+import { C as CachedJwk, H as HttpProvider, a as CryptoProvider, b as ClockProvider, c as CacheProvider } from './config-I0GIVJA_.cjs';
+export { A as AuthrimServerConfig, E as EcPublicJwk, J as JwkKeyType, d as JwkKeyUse, e as JwkSet, f as JwkSigningAlgorithm, M as MemoryCacheOptions, O as OkpPublicJwk, P as PublicJwk, R as ResolvedAuthrimServerConfig, g as RsaPublicJwk } from './config-I0GIVJA_.cjs';
+
+/**
+ * Authrim Server SDK Error Types
+ *
+ * These error codes are specific to server-side token validation and DPoP operations.
+ */
+/**
+ * Server SDK error codes
+ */
+type AuthrimServerErrorCode = 'invalid_token' | 'token_expired' | 'token_not_yet_valid' | 'token_malformed' | 'signature_invalid' | 'algorithm_mismatch' | 'invalid_issuer' | 'invalid_audience' | 'jwks_fetch_error' | 'jwks_key_not_found' | 'jwks_key_ambiguous' | 'jwks_key_import_error' | 'dpop_proof_missing' | 'dpop_proof_invalid' | 'dpop_proof_signature_invalid' | 'dpop_method_mismatch' | 'dpop_uri_mismatch' | 'dpop_ath_mismatch' | 'dpop_binding_mismatch' | 'dpop_iat_expired' | 'dpop_nonce_required' | 'introspection_error' | 'revocation_error' | 'configuration_error' | 'provider_error' | 'network_error' | 'timeout_error';
+/**
+ * Error metadata for recovery information
+ */
+interface AuthrimServerErrorMeta {
+    /** HTTP status code to return */
+    httpStatus: number;
+    /** Whether this is a transient error */
+    transient: boolean;
+    /** Whether automatic retry is possible */
+    retryable: boolean;
+    /** WWW-Authenticate error attribute */
+    wwwAuthenticateError?: string;
+}
+/**
+ * Options for creating an AuthrimServerError
+ */
+interface AuthrimServerErrorOptions {
+    details?: Record<string, unknown>;
+    cause?: Error;
+}
+/**
+ * Authrim Server SDK Error class
+ */
+declare class AuthrimServerError extends Error {
+    /** Error code for programmatic handling */
+    readonly code: AuthrimServerErrorCode;
+    /** Additional error details */
+    readonly details?: Record<string, unknown>;
+    /** Underlying cause */
+    readonly cause?: Error;
+    constructor(code: AuthrimServerErrorCode, message: string, options?: AuthrimServerErrorOptions);
+    /**
+     * Get error metadata for HTTP response
+     */
+    get meta(): AuthrimServerErrorMeta;
+}
+/**
+ * Get error metadata for a given error code
+ */
+declare function getServerErrorMeta(code: AuthrimServerErrorCode): AuthrimServerErrorMeta;
+
+/**
+ * Session Management Type Definitions
+ *
+ * OpenID Connect Back-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-backchannel-1_0.html
+ */
+/**
+ * Logout token claims (for back-channel logout)
+ *
+ * Per OIDC Back-Channel Logout 1.0 Section 2.4, the logout token MUST contain:
+ * - iss: Issuer Identifier
+ * - aud: Audience (one or more)
+ * - iat: Issued At
+ * - exp: Expiration Time
+ * - jti: JWT ID (unique identifier)
+ * - events: MUST contain "http://schemas.openid.net/event/backchannel-logout" key
+ * - sub and/or sid: At least one MUST be present
+ *
+ * The logout token MUST NOT contain:
+ * - nonce claim (to prevent confusion with ID tokens)
+ */
+interface LogoutTokenClaims {
+    /** Issuer */
+    iss: string;
+    /** Subject (optional, but either sub or sid must be present) */
+    sub?: string;
+    /** Audience (one or more client_ids) */
+    aud: string | string[];
+    /** Issued at time (Unix timestamp) */
+    iat: number;
+    /** Expiration time (Unix timestamp) - REQUIRED per Section 2.4 */
+    exp: number;
+    /** JWT ID (unique identifier for replay protection) */
+    jti: string;
+    /**
+     * Events claim
+     * MUST contain the back-channel logout event with an empty object value
+     */
+    events: {
+        'http://schemas.openid.net/event/backchannel-logout': Record<string, never>;
+    };
+    /** Session ID (optional, but either sub or sid must be present) */
+    sid?: string;
+}
+
+/**
+ * Core Authentication Function (Framework-Agnostic)
+ *
+ * This function is the ONLY authentication logic.
+ * Framework adapters are thin wrappers that:
+ * 1. Extract headers/method/url from framework-specific request
+ * 2. Call authenticateRequest()
+ * 3. Attach result to framework-specific context
+ *
+ * Header normalization:
+ * - All header names are normalized to lowercase internally
+ * - If multiple Authorization headers exist, only the first is used
+ * - DPoP header lookup is case-insensitive
+ */
+
+/**
+ * Authenticate a request
+ *
+ * @param server - AuthrimServer instance
+ * @param request - Framework-agnostic request
+ * @returns Authentication result
+ */
+declare function authenticateRequest(server: AuthrimServer, request: AuthenticateRequest): Promise<AuthenticateResult>;
+
+/**
+ * JWKS Key Selection Algorithm
+ *
+ * This algorithm MUST be implemented identically across all language SDKs.
+ *
+ * 1. If token header contains `kid`:
+ *    a. Find key where key.kid === header.kid AND key.use === 'sig' (or undefined)
+ *    b. If not found AND cache is stale, refresh JWKS and retry ONCE
+ *    c. If still not found, return error: jwks_key_not_found
+ *
+ * 2. If no `kid` in token header:
+ *    a. Filter keys by: key.alg === header.alg AND key.use === 'sig' (or undefined)
+ *    b. If exactly ONE key matches, use it
+ *    c. If ZERO or MORE THAN ONE keys match, return error: jwks_key_ambiguous
+ *
+ * 3. Algorithm mismatch:
+ *    - If key.alg is present AND key.alg !== header.alg, skip the key
+ *
+ * 4. Cache behavior:
+ *    - Default TTL: 1 hour
+ *    - Stale-while-revalidate: NOT implemented (fail-closed)
+ *    - Thundering herd: Use single-flight pattern (one concurrent fetch per issuer)
+ *
+ * 5. Cache-Control header:
+ *    - SHOULD be respected if present
+ *    - max-age takes precedence over default TTL
+ */
+
+/**
+ * Key selection result
+ */
+interface KeySelectionResult {
+    key: CachedJwk | null;
+    error: AuthrimServerError | null;
+    needsRefresh: boolean;
+}
+/**
+ * Select a key by kid (Key ID)
+ *
+ * @param keys - Available keys
+ * @param kid - Key ID from token header
+ * @param alg - Algorithm from token header
+ * @returns KeySelectionResult
+ */
+declare function selectKeyByKid(keys: CachedJwk[], kid: string, alg: string): KeySelectionResult;
+/**
+ * Select a key by algorithm (when no kid is present)
+ *
+ * @param keys - Available keys
+ * @param alg - Algorithm from token header
+ * @returns KeySelectionResult
+ */
+declare function selectKeyByAlgorithm(keys: CachedJwk[], alg: string): KeySelectionResult;
+/**
+ * Select a key from JWKS based on token header
+ *
+ * @param keys - Available keys
+ * @param header - JWT header
+ * @returns KeySelectionResult
+ */
+declare function selectKey(keys: CachedJwk[], header: JwtHeader): KeySelectionResult;
+
+/**
+ * JWKS Manager
+ *
+ * Handles JWKS fetching, caching, and key rotation.
+ */
+
+/**
+ * JWKS Manager configuration
+ */
+interface JwksManagerConfig {
+    /** JWKS endpoint URL */
+    jwksUri: string;
+    /** Cache TTL in milliseconds */
+    cacheTtlMs: number;
+    /** HTTP provider */
+    http: HttpProvider;
+    /** Crypto provider */
+    crypto: CryptoProvider;
+    /** Clock provider */
+    clock: ClockProvider;
+    /** Cache provider */
+    cache: CacheProvider<CachedJwk[]>;
+    /**
+     * Optional callback for key import warnings
+     * Called when a key fails to import (may be encryption key, unsupported algorithm, etc.)
+     */
+    onKeyImportWarning?: (warning: KeyImportWarning) => void;
+    /**
+     * Allow redirects to different hosts (default: false)
+     *
+     * SECURITY: By default, JWKS fetches will fail if redirected to a different host
+     * to prevent SSRF attacks. Only enable this if you explicitly trust the issuer
+     * to redirect to arbitrary hosts.
+     */
+    allowCrossOriginRedirect?: boolean;
+}
+/**
+ * Key import warning information
+ */
+interface KeyImportWarning {
+    /** Key ID (if present) */
+    kid?: string;
+    /** Key type */
+    kty: string;
+    /** Algorithm (if present) */
+    alg?: string;
+    /** Reason for failure */
+    reason: 'unsupported_algorithm' | 'import_failed' | 'unknown_key_type';
+    /** Error message */
+    message: string;
+}
+/**
+ * JWKS Manager
+ *
+ * Features:
+ * - Automatic JWKS fetching and caching
+ * - Key rotation handling (retry on kid not found)
+ * - Single-flight pattern (one concurrent fetch per issuer)
+ * - Cache-Control header support
+ */
+declare class JwksManager {
+    private readonly config;
+    private readonly cacheKey;
+    private inFlight;
+    constructor(config: JwksManagerConfig);
+    /**
+     * Get a key for verifying a JWT
+     *
+     * Implements the key selection algorithm with automatic refresh on key not found.
+     *
+     * @param header - JWT header
+     * @returns Selected key or error
+     */
+    getKey(header: JwtHeader): Promise<KeySelectionResult>;
+    /**
+     * Get cached keys or fetch if not available
+     */
+    private getKeys;
+    /**
+     * Fetch JWKS and cache keys
+     *
+     * Uses single-flight pattern to prevent thundering herd.
+     */
+    private fetchAndCacheKeys;
+    /**
+     * Actually fetch and cache keys
+     */
+    private doFetchAndCache;
+    /**
+     * Determine the algorithm for a JWK
+     */
+    private determineAlgorithm;
+    /**
+     * Maximum cache TTL (24 hours) to prevent overflow and unreasonable cache times
+     */
+    private static readonly MAX_CACHE_TTL_MS;
+    /**
+     * Parse Cache-Control header for max-age
+     *
+     * @param header - Cache-Control header value
+     * @returns TTL in milliseconds
+     */
+    private parseCacheControl;
+    /**
+     * Invalidate cached keys
+     */
+    invalidate(): void;
+}
+
+/**
+ * JWT Signature Verification
+ *
+ * RFC 7519 - JSON Web Token (JWT)
+ *
+ * This module handles ONLY cryptographic signature verification.
+ * Claims validation is handled separately in validate-claims.ts.
+ */
+
+/**
+ * Parse a JWT without verification
+ *
+ * @param token - JWT string
+ * @returns Parsed JWT structure
+ * @throws Error if JWT format is invalid
+ * @throws InsecureAlgorithmError if JWT uses alg: none
+ */
+declare function parseJwt<T = Record<string, unknown>>(token: string): ParsedJwt<T>;
+/**
+ * Verify JWT signature
+ *
+ * @param token - JWT string
+ * @param key - CryptoKey for verification
+ * @param crypto - Crypto provider
+ * @returns Parsed JWT if signature is valid, null otherwise
+ */
+declare function verifyJwtSignature<T = Record<string, unknown>>(token: string, key: CryptoKey, crypto: CryptoProvider): Promise<ParsedJwt<T> | null>;
+
+/**
+ * JWT Claims Validation
+ *
+ * RFC 7519 - JSON Web Token (JWT)
+ *
+ * This module handles claims validation (iss, aud, exp, nbf, iat).
+ * Signature verification is handled separately in verify-jwt.ts.
+ */
+
+/**
+ * Validate JWT claims
+ *
+ * Validates:
+ * - iss (issuer) - must match expected issuer
+ * - aud (audience) - must include expected audience
+ * - exp (expiration) - must not be expired (with tolerance)
+ * - nbf (not before) - must be past nbf (with tolerance)
+ * - iat (issued at) - must not be in the future (with tolerance)
+ *
+ * For ID Token validation (OIDC Core 1.0 Section 3.1.3.7), set:
+ * - requireExp: true
+ * - requireIat: true
+ *
+ * @param payload - JWT payload containing claims
+ * @param options - Validation options
+ * @returns Validation result
+ */
+declare function validateClaims(payload: StandardClaims, options: ClaimsValidationOptions): ClaimsValidationResult;
+/**
+ * Calculate time remaining until token expiration
+ *
+ * @param exp - Expiration timestamp (Unix seconds)
+ * @param now - Current timestamp (Unix seconds)
+ * @returns Seconds until expiration, or undefined if no exp claim
+ */
+declare function getExpiresIn(exp: number | undefined, now: number): number | undefined;
+
+/**
+ * Token Validator
+ *
+ * Orchestrates JWT signature verification and claims validation.
+ */
+
+/**
+ * Token Validator configuration
+ */
+interface TokenValidatorConfig {
+    /** JWKS Manager */
+    jwksManager: JwksManager;
+    /** Crypto provider */
+    crypto: CryptoProvider;
+    /** Clock provider */
+    clock: ClockProvider;
+    /** Validation options */
+    options: TokenValidationOptions;
+}
+/**
+ * Token Validator
+ *
+ * Combines JWKS key retrieval, signature verification, and claims validation.
+ */
+declare class TokenValidator {
+    private readonly config;
+    constructor(config: TokenValidatorConfig);
+    /**
+     * Validate a JWT access token
+     *
+     * Steps:
+     * 1. Parse JWT structure
+     * 2. Get signing key from JWKS
+     * 3. Verify signature
+     * 4. Validate claims (iss, aud, exp, nbf, iat)
+     *
+     * @param token - JWT string
+     * @returns Validation result
+     */
+    validate(token: string): Promise<TokenValidationResult>;
+    /**
+     * Validate required scopes
+     */
+    private validateScopes;
+}
+
+/**
+ * Token Introspection (RFC 7662)
+ *
+ * OAuth 2.0 Token Introspection
+ */
+
+/**
+ * Introspection client configuration
+ */
+interface IntrospectionClientConfig {
+    /** Introspection endpoint URL */
+    endpoint: string;
+    /** Client ID */
+    clientId: string;
+    /** Client secret */
+    clientSecret: string;
+    /** HTTP provider */
+    http: HttpProvider;
+}
+/**
+ * Token Introspection Client
+ *
+ * Calls the authorization server's introspection endpoint to check token validity.
+ */
+declare class IntrospectionClient {
+    private readonly config;
+    constructor(config: IntrospectionClientConfig);
+    /**
+     * Introspect a token
+     *
+     * @param request - Introspection request
+     * @returns Introspection response
+     */
+    introspect(request: IntrospectionRequest): Promise<IntrospectionResponse>;
+}
+
+/**
+ * Token Revocation (RFC 7009)
+ *
+ * OAuth 2.0 Token Revocation
+ */
+
+/**
+ * Revocation client configuration
+ */
+interface RevocationClientConfig {
+    /** Revocation endpoint URL */
+    endpoint: string;
+    /** Client ID */
+    clientId: string;
+    /** Client secret */
+    clientSecret: string;
+    /** HTTP provider */
+    http: HttpProvider;
+}
+/**
+ * Token Revocation Client
+ *
+ * Calls the authorization server's revocation endpoint to invalidate tokens.
+ */
+declare class RevocationClient {
+    private readonly config;
+    constructor(config: RevocationClientConfig);
+    /**
+     * Revoke a token
+     *
+     * Note: Per RFC 7009, a successful response (200) does not guarantee
+     * the token was revoked. The server may silently ignore invalid tokens.
+     *
+     * @param request - Revocation request
+     */
+    revoke(request: RevocationRequest): Promise<void>;
+}
+
+/**
+ * DPoP Proof Validator (RFC 9449)
+ *
+ * IMPORTANT: This SDK validates DPoP proofs STATELESSLY.
+ *
+ * What this SDK validates:
+ * - Proof signature (embedded JWK in header)
+ * - htm (HTTP method) matches request
+ * - htu (HTTP URI) matches request
+ * - ath (access token hash) if present
+ * - cnf.jkt binding (thumbprint matches)
+ * - iat is within acceptable window
+ *
+ * What this SDK does NOT validate:
+ * - jti uniqueness (replay detection)
+ *   → MUST be implemented by the resource server if required
+ *   → Recommended: Store jti with TTL = proof lifetime + clock tolerance
+ *
+ * Nonce handling:
+ * - If server returns use_dpop_nonce error, SDK returns dpop_nonce_required
+ * - Application is responsible for retry with nonce
+ */
+
+/**
+ * DPoP Proof Validator
+ */
+declare class DPoPValidator {
+    private readonly crypto;
+    private readonly clock;
+    constructor(crypto: CryptoProvider, clock: ClockProvider);
+    /**
+     * Validate a DPoP proof
+     *
+     * @param proof - DPoP proof JWT
+     * @param options - Validation options
+     * @returns Validation result
+     */
+    validate(proof: string, options: DPoPValidationOptions): Promise<DPoPValidationResult>;
+    /**
+     * Validate DPoP header
+     */
+    private validateHeader;
+    /**
+     * Validate DPoP payload structure
+     */
+    private validatePayloadStructure;
+    /**
+     * Verify DPoP proof signature
+     */
+    private verifySignature;
+    /**
+     * Validate access token hash (ath claim)
+     *
+     * Per RFC 9449 Section 4.2:
+     * When the DPoP proof is used with an access token, the ath claim MUST be present
+     * and contain the base64url-encoded SHA-256 hash of the access token.
+     */
+    private validateAccessTokenHash;
+}
+
+/**
+ * JWK Thumbprint (RFC 7638)
+ *
+ * Computes a hash of a JWK for use as a key identifier.
+ */
+
+/**
+ * Calculate JWK thumbprint
+ *
+ * Per RFC 7638, the thumbprint is computed as:
+ * 1. Construct a JSON object with only the required members, in lexicographic order
+ * 2. Compute SHA-256 hash of the UTF-8 encoding of the JSON
+ * 3. Base64url encode the hash
+ *
+ * @param jwk - JSON Web Key
+ * @param crypto - Crypto provider
+ * @returns Base64url-encoded thumbprint
+ */
+declare function calculateJwkThumbprint(jwk: JsonWebKey, crypto: CryptoProvider): Promise<string>;
+/**
+ * Verify that a JWK thumbprint matches the expected value
+ *
+ * @param jwk - JSON Web Key to verify
+ * @param expectedThumbprint - Expected thumbprint value
+ * @param crypto - Crypto provider
+ * @returns true if thumbprints match
+ */
+declare function verifyJwkThumbprint(jwk: JsonWebKey, expectedThumbprint: string, crypto: CryptoProvider): Promise<boolean>;
+
+/**
+ * Base64URL Encoding/Decoding Utilities
+ *
+ * RFC 4648 Section 5 - Base64 Encoding with URL and Filename Safe Alphabet
+ */
+/**
+ * Encode bytes to base64url string
+ *
+ * @param data - Bytes to encode
+ * @returns Base64url-encoded string (no padding)
+ */
+declare function base64UrlEncode(data: Uint8Array): string;
+/**
+ * Decode base64url string to bytes
+ *
+ * @param str - Base64url-encoded string
+ * @returns Decoded bytes
+ */
+declare function base64UrlDecode(str: string): Uint8Array;
+/**
+ * Encode string to base64url
+ *
+ * @param str - String to encode (UTF-8)
+ * @returns Base64url-encoded string
+ */
+declare function base64UrlEncodeString(str: string): string;
+/**
+ * Decode base64url to string
+ *
+ * @param str - Base64url-encoded string
+ * @returns Decoded string (UTF-8)
+ */
+declare function base64UrlDecodeString(str: string): string;
+
+/**
+ * HTTP Error Response Utilities
+ *
+ * Helpers for building OAuth 2.0 / RFC 6750 compliant error responses.
+ */
+
+/**
+ * OAuth 2.0 error response body
+ */
+interface ErrorResponseBody {
+    error: string;
+    error_description?: string;
+}
+/**
+ * Build an error response body from an AuthrimServerError
+ *
+ * @param error - The error to convert
+ * @returns Error response body
+ */
+declare function buildErrorResponse(error: AuthrimServerError): ErrorResponseBody;
+/**
+ * Build WWW-Authenticate header value (RFC 6750)
+ *
+ * @param error - The error
+ * @param realm - Optional realm value
+ * @param scheme - Authentication scheme ('Bearer' or 'DPoP')
+ * @returns WWW-Authenticate header value
+ */
+declare function buildWwwAuthenticateHeader(error: AuthrimServerError, realm?: string, scheme?: 'Bearer' | 'DPoP'): string;
+/**
+ * Build error headers for HTTP response
+ *
+ * @param error - The error
+ * @param options - Options for header building
+ * @returns Headers object
+ */
+declare function buildErrorHeaders(error: AuthrimServerError, options?: {
+    realm?: string;
+    scheme?: 'Bearer' | 'DPoP';
+    dpopNonce?: string;
+}): Record<string, string>;
+
+/**
+ * Back-Channel Logout Validator
+ *
+ * Implements OpenID Connect Back-Channel Logout 1.0
+ * https://openid.net/specs/openid-connect-backchannel-1_0.html
+ *
+ * Back-channel logout allows the OP to notify RPs of logout events
+ * via direct HTTP calls (server-to-server).
+ *
+ * NOTE: This validator performs claims validation only.
+ * JWT signature verification MUST be performed separately using JWKS.
+ */
+
+/**
+ * Back-channel logout event URI
+ */
+declare const BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
+/**
+ * Back-channel logout validation error codes
+ */
+type BackChannelLogoutErrorCode = 'invalid_format' | 'insecure_algorithm' | 'invalid_issuer' | 'invalid_audience' | 'invalid_events' | 'token_expired' | 'iat_too_old' | 'not_yet_valid' | 'missing_sub_and_sid' | 'sub_mismatch' | 'sid_mismatch' | 'missing_jti' | 'nonce_present';
+/**
+ * Options for validating a logout token
+ */
+interface BackChannelLogoutValidationOptions {
+    /** Expected issuer */
+    issuer: string;
+    /** Expected audience (client_id) */
+    audience: string;
+    /** Maximum age in seconds (default: 60) */
+    maxAge?: number;
+    /** Clock skew tolerance in seconds (default: 30) */
+    clockSkew?: number;
+    /** Expected session ID (optional) */
+    expectedSid?: string;
+    /** Expected subject (optional) */
+    expectedSub?: string;
+}
+/**
+ * Result of back-channel logout token validation
+ */
+interface BackChannelLogoutValidationResult {
+    /** Whether the token is valid */
+    valid: boolean;
+    /** Validated claims (if valid) */
+    claims?: LogoutTokenClaims;
+    /** JWT header (if valid) */
+    header?: JwtHeader;
+    /** Error message (if invalid) */
+    error?: string;
+    /** Error code (if invalid) */
+    errorCode?: BackChannelLogoutErrorCode;
+}
+/**
+ * Back-Channel Logout Validator
+ *
+ * Validates logout_token JWTs per OIDC Back-Channel Logout 1.0.
+ *
+ * ## Security Notes
+ *
+ * 1. **JWT Signature Verification**: This class performs claims validation only.
+ *    JWT signature verification MUST be performed separately using JWKS
+ *    before calling validate(). The caller MUST reject tokens with alg: none.
+ *
+ * 2. **Algorithm Validation**: Per Section 2.6, "alg with the value none MUST NOT
+ *    be used". This validator explicitly rejects alg: none tokens.
+ *
+ * 3. **JTI Replay Protection**: This validator checks for jti presence only.
+ *    The application MUST implement jti replay protection by:
+ *    - Storing used jti values (at least until token expiry + clock skew)
+ *    - Rejecting tokens with previously-used jti values
+ *
+ * 4. **Expiration Validation**: Per Section 2.4, exp is REQUIRED. This validator
+ *    checks that the token has not expired (with clock skew tolerance).
+ *
+ * Usage (Node.js server receiving back-channel logout request):
+ * ```typescript
+ * // 1. Receive logout_token from POST body
+ * const logoutToken = req.body.logout_token;
+ *
+ * // 2. Verify JWT signature using JWKS (MUST reject alg: none)
+ * const jwks = await jwksManager.getJwks();
+ * const verified = await verifyJwtSignature(logoutToken, key, crypto);
+ * if (!verified) {
+ *   return res.status(400).send('Invalid signature');
+ * }
+ *
+ * // 3. Validate claims (includes alg: none rejection)
+ * const validator = new BackChannelLogoutValidator();
+ * const result = validator.validate(logoutToken, {
+ *   issuer: 'https://op.example.com',
+ *   audience: 'my-client-id'
+ * });
+ *
+ * if (!result.valid) {
+ *   return res.status(400).send('Invalid logout token');
+ * }
+ *
+ * // 4. Check for jti replay (application responsibility)
+ * if (await jtiStore.has(result.claims.jti)) {
+ *   return res.status(400).send('Token replay detected');
+ * }
+ * await jtiStore.set(result.claims.jti, true, result.claims.exp + clockSkew);
+ *
+ * // 5. Perform logout for sub and/or sid
+ * await logoutUser(result.claims.sub, result.claims.sid);
+ * ```
+ */
+declare class BackChannelLogoutValidator {
+    /**
+     * Validate a logout_token
+     *
+     * Per OIDC Back-Channel Logout 1.0 Section 2.4 and 2.6, the logout_token MUST:
+     * - Be a valid JWT with alg != "none"
+     * - Contain iss, aud, iat, exp, jti claims
+     * - Contain events claim with back-channel logout event
+     * - Contain either sub or sid (or both)
+     * - NOT contain a nonce claim
+     * - NOT be expired (exp validation)
+     *
+     * @param logoutToken - JWT logout token to validate
+     * @param options - Validation options
+     * @returns Validation result
+     */
+    validate(logoutToken: string, options: BackChannelLogoutValidationOptions): BackChannelLogoutValidationResult;
+    /**
+     * Extract claims from a logout token without validation
+     *
+     * Useful for inspecting the token before/during validation.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Claims or null if invalid format
+     */
+    extractClaims(logoutToken: string): LogoutTokenClaims | null;
+    /**
+     * Extract header from a logout token without validation
+     *
+     * Useful for getting kid to select the correct JWKS key.
+     *
+     * @param logoutToken - JWT logout token
+     * @returns Header or null if invalid format
+     */
+    extractHeader(logoutToken: string): JwtHeader | null;
+}
+
+export { AuthenticateRequest, AuthenticateResult, AuthrimServer, AuthrimServerError, type AuthrimServerErrorCode, type AuthrimServerErrorMeta, type AuthrimServerErrorOptions, BACKCHANNEL_LOGOUT_EVENT, type BackChannelLogoutErrorCode, type BackChannelLogoutValidationOptions, type BackChannelLogoutValidationResult, BackChannelLogoutValidator, ClaimsValidationOptions, ClaimsValidationResult, DPoPValidationOptions, DPoPValidationResult, DPoPValidator, IntrospectionClient, type IntrospectionClientConfig, IntrospectionRequest, IntrospectionResponse, JwksManager, type JwksManagerConfig, JwtHeader, type KeyImportWarning, type LogoutTokenClaims, ParsedJwt, RevocationClient, type RevocationClientConfig, RevocationRequest, StandardClaims, TokenValidationOptions, TokenValidationResult, TokenValidator, type TokenValidatorConfig, authenticateRequest, base64UrlDecode, base64UrlDecodeString, base64UrlEncode, base64UrlEncodeString, buildErrorHeaders, buildErrorResponse, buildWwwAuthenticateHeader, calculateJwkThumbprint, getExpiresIn, getServerErrorMeta, parseJwt, selectKey, selectKeyByAlgorithm, selectKeyByKid, validateClaims, verifyJwkThumbprint, verifyJwtSignature };