@boxyhq/saml-jackson 1.2.1 → 1.3.0

package/dist/controller/utils.d.ts

@@ -1,8 +1,9 @@
-import type { OAuthErrorHandlerParams } from '../typings';
+import type { ConnectionType, OAuthErrorHandlerParams, OIDCSSOConnection, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata } from '../typings';
 import * as jose from 'jose';
 export declare enum IndexNames {
     EntityID = "entityID",
-    TenantProduct = "tenantProduct"
+    TenantProduct = "tenantProduct",
+    OIDCProviderClientID = "OIDCProviderClientID"
 }
 export declare const storeNamespacePrefix: {
     dsync: {
@@ -29,3 +30,10 @@ export declare function isJWSKeyPairLoaded(jwsKeyPair: {
 export declare const importJWTPublicKey: (key: string, jwsAlg: string) => Promise<jose.KeyLike>;
 export declare const exportPublicKeyJWK: (key: jose.KeyLike) => Promise<jose.JWK>;
 export declare const generateJwkThumbprint: (jwk: jose.JWK) => Promise<string>;
+export declare const validateSSOConnection: (body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata | OIDCSSOConnection, strategy: ConnectionType) => void;
+export declare const validateRedirectUrl: ({ redirectUrlList, defaultRedirectUrl }: {
+    redirectUrlList: any;
+    defaultRedirectUrl: any;
+}) => void;
+export declare const extractRedirectUrls: (urls: string[] | string) => string[];
+export declare const extractHostName: (url: string) => string | null;

package/dist/controller/utils.js

@@ -35,7 +35,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.createRandomSecret = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.storeNamespacePrefix = exports.IndexNames = void 0;
+exports.extractHostName = exports.extractRedirectUrls = exports.validateRedirectUrl = exports.validateSSOConnection = exports.generateJwkThumbprint = exports.exportPublicKeyJWK = exports.importJWTPublicKey = exports.isJWSKeyPairLoaded = exports.loadJWSPrivateKey = exports.createRandomSecret = exports.getErrorMessage = exports.OAuthErrorResponse = exports.validateAbsoluteUrl = exports.relayStatePrefix = exports.storeNamespacePrefix = exports.IndexNames = void 0;
 const error_1 = require("./error");
 const redirect = __importStar(require("./oauth/redirect"));
 const crypto_1 = __importDefault(require("crypto"));
@@ -44,6 +44,7 @@ var IndexNames;
 (function (IndexNames) {
     IndexNames["EntityID"] = "entityID";
     IndexNames["TenantProduct"] = "tenantProduct";
+    IndexNames["OIDCProviderClientID"] = "OIDCProviderClientID";
 })(IndexNames = exports.IndexNames || (exports.IndexNames = {}));
 // The namespace prefix for the database store
 exports.storeNamespacePrefix = {
@@ -120,3 +121,89 @@ const generateJwkThumbprint = (jwk) => __awaiter(void 0, void 0, void 0, functio
     return thumbprint;
 });
 exports.generateJwkThumbprint = generateJwkThumbprint;
+const validateSSOConnection = (body, strategy) => {
+    const { defaultRedirectUrl, redirectUrl, tenant, product, description } = body;
+    const encodedRawMetadata = 'encodedRawMetadata' in body ? body.encodedRawMetadata : undefined;
+    const rawMetadata = 'rawMetadata' in body ? body.rawMetadata : undefined;
+    const oidcDiscoveryUrl = 'oidcDiscoveryUrl' in body ? body.oidcDiscoveryUrl : undefined;
+    const oidcClientId = 'oidcClientId' in body ? body.oidcClientId : undefined;
+    const oidcClientSecret = 'oidcClientSecret' in body ? body.oidcClientSecret : undefined;
+    if (strategy !== 'saml' && strategy !== 'oidc') {
+        throw new error_1.JacksonError(`Strategy: ${strategy} not supported`, 400);
+    }
+    if (strategy === 'saml') {
+        if (!rawMetadata && !encodedRawMetadata) {
+            throw new error_1.JacksonError('Please provide rawMetadata or encodedRawMetadata', 400);
+        }
+    }
+    if (strategy === 'oidc') {
+        if (!oidcClientId) {
+            throw new error_1.JacksonError('Please provide the clientId from OpenID Provider', 400);
+        }
+        if (!oidcClientSecret) {
+            throw new error_1.JacksonError('Please provide the clientSecret from OpenID Provider', 400);
+        }
+        if (!oidcDiscoveryUrl) {
+            throw new error_1.JacksonError('Please provide the discoveryUrl for the OpenID Provider', 400);
+        }
+    }
+    if (!defaultRedirectUrl) {
+        throw new error_1.JacksonError('Please provide a defaultRedirectUrl', 400);
+    }
+    if (!redirectUrl) {
+        throw new error_1.JacksonError('Please provide redirectUrl', 400);
+    }
+    if (!tenant) {
+        throw new error_1.JacksonError('Please provide tenant', 400);
+    }
+    if (!product) {
+        throw new error_1.JacksonError('Please provide product', 400);
+    }
+    if (description && description.length > 100) {
+        throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
+    }
+};
+exports.validateSSOConnection = validateSSOConnection;
+const validateRedirectUrl = ({ redirectUrlList, defaultRedirectUrl }) => {
+    if (redirectUrlList) {
+        if (redirectUrlList.length > 100) {
+            throw new error_1.JacksonError('Exceeded maximum number of allowed redirect urls', 400);
+        }
+        for (const url of redirectUrlList) {
+            (0, exports.validateAbsoluteUrl)(url, 'redirectUrl is invalid');
+        }
+    }
+    if (defaultRedirectUrl) {
+        (0, exports.validateAbsoluteUrl)(defaultRedirectUrl, 'defaultRedirectUrl is invalid');
+    }
+};
+exports.validateRedirectUrl = validateRedirectUrl;
+const extractRedirectUrls = (urls) => {
+    if (!urls) {
+        return [];
+    }
+    if (typeof urls === 'string') {
+        if (urls.startsWith('[')) {
+            // redirectUrl is a stringified array
+            return JSON.parse(urls);
+        }
+        // redirectUrl is a single URL
+        return [urls];
+    }
+    // redirectUrl is an array of URLs
+    return urls;
+};
+exports.extractRedirectUrls = extractRedirectUrls;
+const extractHostName = (url) => {
+    try {
+        const pUrl = new URL(url);
+        if (pUrl.hostname.startsWith('www.')) {
+            return pUrl.hostname.substring(4);
+        }
+        return pUrl.hostname;
+    }
+    catch (err) {
+        return null;
+    }
+};
+exports.extractHostName = extractHostName;

package/dist/directory-sync/DirectoryUsers.js

@@ -143,6 +143,10 @@ class DirectoryUsers {
             this.users.setTenantAndProduct(directory.tenant, directory.product);
             // Get the user
             const { data: user } = userId ? yield this.users.get(userId) : { data: null };
+            // Delete password if exists in the body
+            if (body && 'password' in body) {
+                delete body['password'];
+            }
             if (user) {
                 switch (method) {
                     case 'GET':

package/dist/index.d.ts

@@ -1,13 +1,14 @@
 import type { DirectorySync, JacksonOption } from './typings';
 import { AdminController } from './controller/admin';
-import { APIController } from './controller/api';
+import { ConnectionAPIController } from './controller/api';
 import { OAuthController } from './controller/oauth';
 import { HealthCheckController } from './controller/health-check';
 import { LogoutController } from './controller/logout';
 import { OidcDiscoveryController } from './controller/oidc-discovery';
 import { SPSAMLConfig } from './controller/sp-config';
 export declare const controllers: (opts: JacksonOption) => Promise<{
-    apiController: APIController;
+    apiController: ConnectionAPIController;
+    connectionAPIController: ConnectionAPIController;
     oauthController: OAuthController;
     adminController: AdminController;
     logoutController: LogoutController;

package/dist/index.js

@@ -29,7 +29,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.controllers = void 0;
 const db_1 = __importDefault(require("./db/db"));
 const defaultDb_1 = __importDefault(require("./db/defaultDb"));
-const read_config_1 = __importDefault(require("./read-config"));
+const loadConnection_1 = __importDefault(require("./loadConnection"));
 const admin_1 = require("./controller/admin");
 const api_1 = require("./controller/api");
 const oauth_1 = require("./controller/oauth");
@@ -47,8 +47,13 @@ const defaultOpts = (opts) => {
         throw new Error('samlPath is required');
     }
     newOpts.scimPath = newOpts.scimPath || '/api/scim/v2.0';
+    if (!newOpts.oidcPath) {
+        throw new Error('oidcPath is required');
+    }
     newOpts.samlAudience = newOpts.samlAudience || 'https://saml.boxyhq.com';
-    newOpts.preLoadedConfig = newOpts.preLoadedConfig || ''; // path to folder containing static SAML config that will be preloaded. This is useful for self-hosted deployments that only have to support a single tenant (or small number of known tenants).
+    // path to folder containing static IdP connections that will be preloaded. This is useful for self-hosted deployments that only have to support a single tenant (or small number of known tenants).
+    newOpts.preLoadedConnection = newOpts.preLoadedConnection || '';
+    newOpts.preLoadedConfig = newOpts.preLoadedConfig || ''; // for backwards compatibility
     newOpts.idpEnabled = newOpts.idpEnabled === true;
     (0, defaultDb_1.default)(newOpts);
     newOpts.clientSecretVerifier = newOpts.clientSecretVerifier || 'dummy';
@@ -60,43 +65,50 @@ const defaultOpts = (opts) => {
 const controllers = (opts) => __awaiter(void 0, void 0, void 0, function* () {
     opts = defaultOpts(opts);
     const db = yield db_1.default.new(opts.db);
-    const configStore = db.store('saml:config');
+    const connectionStore = db.store('saml:config');
     const sessionStore = db.store('oauth:session', opts.db.ttl);
     const codeStore = db.store('oauth:code', opts.db.ttl);
     const tokenStore = db.store('oauth:token', opts.db.ttl);
     const healthCheckStore = db.store('_health:check');
-    const apiController = new api_1.APIController({ configStore });
-    const adminController = new admin_1.AdminController({ configStore });
+    const connectionAPIController = new api_1.ConnectionAPIController({ connectionStore });
+    const adminController = new admin_1.AdminController({ connectionStore });
     const healthCheckController = new health_check_1.HealthCheckController({ healthCheckStore });
     yield healthCheckController.init();
     const oauthController = new oauth_1.OAuthController({
-        configStore,
+        connectionStore,
         sessionStore,
         codeStore,
         tokenStore,
         opts,
     });
     const logoutController = new logout_1.LogoutController({
-        configStore,
+        connectionStore,
         sessionStore,
         opts,
     });
     const directorySync = yield (0, directory_sync_1.default)({ db, opts });
     const oidcDiscoveryController = new oidc_discovery_1.OidcDiscoveryController({ opts });
     const spConfig = new sp_config_1.SPSAMLConfig(opts);
-    // write pre-loaded config if present
-    if (opts.preLoadedConfig && opts.preLoadedConfig.length > 0) {
-        const configs = yield (0, read_config_1.default)(opts.preLoadedConfig);
-        for (const config of configs) {
-            yield apiController.config(config);
-            console.log(`loaded config for tenant "${config.tenant}" and product "${config.product}"`);
+    // write pre-loaded connections if present
+    const preLoadedConnection = opts.preLoadedConnection || opts.preLoadedConfig;
+    if (preLoadedConnection && preLoadedConnection.length > 0) {
+        const connections = yield (0, loadConnection_1.default)(preLoadedConnection);
+        for (const connection of connections) {
+            if ('oidcDiscoveryUrl' in connection) {
+                yield connectionAPIController.createOIDCConnection(connection);
+            }
+            else {
+                yield connectionAPIController.createSAMLConnection(connection);
+            }
+            console.log(`loaded connection for tenant "${connection.tenant}" and product "${connection.product}"`);
         }
     }
     const type = opts.db.engine === 'sql' && opts.db.type ? ' Type: ' + opts.db.type : '';
     console.log(`Using engine: ${opts.db.engine}.${type}`);
     return {
         spConfig,
-        apiController,
+        apiController: connectionAPIController,
+        connectionAPIController,
         oauthController,
         adminController,
         logoutController,

package/dist/loadConnection.d.ts

@@ -0,0 +1,3 @@
+import { OIDCSSOConnection, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata } from './typings';
+declare const loadConnection: (preLoadedConnection: string) => Promise<(SAMLSSOConnectionWithEncodedMetadata | SAMLSSOConnectionWithRawMetadata | OIDCSSOConnection)[]>;
+export default loadConnection;

package/dist/{read-config.js → loadConnection.js}

@@ -34,22 +34,23 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", { value: true });
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-const readConfig = (preLoadedConfig) => __awaiter(void 0, void 0, void 0, function* () {
-    if (preLoadedConfig.startsWith('./')) {
-        preLoadedConfig = path.resolve(process.cwd(), preLoadedConfig);
+const loadConnection = (preLoadedConnection) => __awaiter(void 0, void 0, void 0, function* () {
+    if (preLoadedConnection.startsWith('./')) {
+        preLoadedConnection = path.resolve(process.cwd(), preLoadedConnection);
     }
-    const files = yield fs.promises.readdir(preLoadedConfig);
-    const configs = [];
+    const files = yield fs.promises.readdir(preLoadedConnection);
+    const connections = [];
     for (const idx in files) {
         const file = files[idx];
         if (file.endsWith('.js')) {
-            const { default: config } = yield Promise.resolve().then(() => __importStar(require(
-            /* webpackIgnore: true */ path.join(preLoadedConfig, file))));
-            const rawMetadata = yield fs.promises.readFile(path.join(preLoadedConfig, path.parse(file).name + '.xml'), 'utf8');
-            config.encodedRawMetadata = Buffer.from(rawMetadata, 'utf8').toString('base64');
-            configs.push(config);
+            const { default: connection, } = yield Promise.resolve().then(() => __importStar(require(/* webpackIgnore: true */ path.join(preLoadedConnection, file))));
+            if (!('oidcDiscoveryUrl' in connection)) {
+                const rawMetadata = yield fs.promises.readFile(path.join(preLoadedConnection, path.parse(file).name + '.xml'), 'utf8');
+                connection.encodedRawMetadata = Buffer.from(rawMetadata, 'utf8').toString('base64');
+            }
+            connections.push(connection);
         }
     }
-    return configs;
+    return connections;
 });
-exports.default = readConfig;
+exports.default = loadConnection;

package/dist/opentelemetry/metrics.js

@@ -3,29 +3,29 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.increment = void 0;
 const api_metrics_1 = require("@opentelemetry/api-metrics");
 const counters = {
-    createConfig: {
-        name: 'jackson.config.create',
-        description: 'Number of SAML config create requests',
+    createConnection: {
+        name: 'jackson.connection.create',
+        description: 'Number of IdP connection create requests',
     },
-    getConfig: {
-        name: 'jackson.config.get',
-        description: 'Number of SAML config get requests',
+    getConnections: {
+        name: 'jackson.connections.get',
+        description: 'Number of IdP connections get requests',
     },
-    deleteConfig: {
-        name: 'jackson.config.delete',
-        description: 'Number of SAML config delete requests',
+    deleteConnections: {
+        name: 'jackson.connections.delete',
+        description: 'Number of IdP connections delete requests',
     },
     oauthAuthorize: {
         name: 'jackson.oauth.authorize',
-        description: 'Number of SAML oauth authorize requests',
+        description: 'Number of oauth authorize requests',
     },
     oauthToken: {
         name: 'jackson.oauth.token',
-        description: 'Number of SAML oauth token requests',
+        description: 'Number of oauth token requests',
     },
     oauthUserInfo: {
         name: 'jackson.oauth.userinfo',
-        description: 'Number of SAML oauth user info requests',
+        description: 'Number of oauth user info requests',
     },
 };
 const createCounter = (action) => {

package/dist/saml/x509.d.ts

@@ -1,7 +1,7 @@
 declare const _default: {
-    generate: () => Promise<{
-        publicKey: string;
-        privateKey: string;
-    } | undefined>;
+    generate: () => {
+        publicKey: any;
+        privateKey: any;
+    };
 };
 export default _default;

package/dist/saml/x509.js

@@ -22,50 +22,46 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-const x509 = __importStar(require("@peculiar/x509"));
-const webcrypto_1 = require("@peculiar/webcrypto");
-const crypto = new webcrypto_1.Crypto();
-x509.cryptoProvider.set(crypto);
-const alg = {
-    name: 'RSASSA-PKCS1-v1_5',
-    hash: 'SHA-256',
-    publicExponent: new Uint8Array([1, 0, 1]),
-    modulusLength: 2048,
+const forge = __importStar(require("node-forge"));
+const pki = forge.pki;
+const generate = () => {
+    const today = new Date();
+    const keys = pki.rsa.generateKeyPair(2048);
+    const cert = pki.createCertificate();
+    cert.publicKey = keys.publicKey;
+    cert.serialNumber = '01';
+    cert.validity.notBefore = new Date();
+    cert.validity.notAfter = new Date(today.setFullYear(today.getFullYear() + 10));
+    const attrs = [
+        {
+            name: 'commonName',
+            value: 'BoxyHQ Jackson',
+        },
+    ];
+    cert.setSubject(attrs);
+    cert.setIssuer(attrs);
+    cert.setExtensions([
+        {
+            name: 'basicConstraints',
+            cA: false,
+        },
+        {
+            name: 'keyUsage',
+            keyCertSign: false,
+            digitalSignature: true,
+            nonRepudiation: false,
+            keyEncipherment: false,
+            dataEncipherment: false,
+        },
+    ]);
+    // self-sign certificate
+    cert.sign(keys.privateKey, forge.md.sha256.create());
+    return {
+        publicKey: pki.certificateToPem(cert),
+        privateKey: pki.privateKeyToPem(keys.privateKey),
+    };
 };
-const generate = () => __awaiter(void 0, void 0, void 0, function* () {
-    const keys = yield crypto.subtle.generateKey(alg, true, ['sign', 'verify']);
-    const extensions = [new x509.BasicConstraintsExtension(false, undefined, true)];
-    extensions.push(new x509.KeyUsagesExtension(x509.KeyUsageFlags.digitalSignature, true));
-    if (keys.publicKey) {
-        extensions.push(yield x509.SubjectKeyIdentifierExtension.create(keys.publicKey));
-    }
-    const cert = yield x509.X509CertificateGenerator.createSelfSigned({
-        serialNumber: '01',
-        name: 'CN=BoxyHQ Jackson',
-        notBefore: new Date(),
-        notAfter: new Date('3021/01/01'),
-        signingAlgorithm: alg,
-        keys: keys,
-        extensions,
-    });
-    if (keys.privateKey) {
-        const pkcs8 = yield crypto.subtle.exportKey('pkcs8', keys.privateKey);
-        return {
-            publicKey: cert.toString('pem'),
-            privateKey: x509.PemConverter.encode(pkcs8, 'private key'),
-        };
-    }
-});
 exports.default = {
     generate,
 };

package/dist/typings.d.ts

@@ -1,31 +1,68 @@
 import { type JWK } from 'jose';
-export declare type IdPConfig = {
+interface SSOConnection {
     defaultRedirectUrl: string;
     redirectUrl: string[] | string;
     tenant: string;
     product: string;
     name?: string;
     description?: string;
-    rawMetadata?: string;
-    encodedRawMetadata?: string;
+}
+export interface SAMLSSOConnection extends SSOConnection {
+    forceAuthn?: boolean | string;
+}
+export interface SAMLSSOConnectionWithRawMetadata extends SAMLSSOConnection {
+    rawMetadata: string;
+    encodedRawMetadata?: never;
+}
+export interface SAMLSSOConnectionWithEncodedMetadata extends SAMLSSOConnection {
+    rawMetadata?: never;
+    encodedRawMetadata: string;
+}
+export interface OIDCSSOConnection extends SSOConnection {
+    oidcDiscoveryUrl: string;
+    oidcClientId: string;
+    oidcClientSecret: string;
+}
+export declare type ConnectionType = 'saml' | 'oidc';
+declare type ClientIDQuery = {
+    clientID: string;
 };
-export interface IAPIController {
-    config(body: IdPConfig): Promise<any>;
-    updateConfig(body: any): Promise<any>;
-    getConfig(body: {
-        clientID?: string;
-        tenant?: string;
-        product?: string;
+declare type TenantQuery = {
+    tenant: string;
+    product: string;
+    strategy?: ConnectionType;
+};
+export declare type GetConnectionsQuery = ClientIDQuery | TenantQuery;
+export declare type DelConnectionsQuery = (ClientIDQuery & {
+    clientSecret: string;
+}) | TenantQuery;
+export declare type GetConfigQuery = ClientIDQuery | Omit<TenantQuery, 'strategy'>;
+export declare type DelConfigQuery = (ClientIDQuery & {
+    clientSecret: string;
+}) | Omit<TenantQuery, 'strategy'>;
+export interface IConnectionAPIController {
+    config(body: SAMLSSOConnection): Promise<any>;
+    createSAMLConnection(body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata): Promise<any>;
+    createOIDCConnection(body: OIDCSSOConnection): Promise<any>;
+    updateConfig(body: SAMLSSOConnection & {
+        clientID: string;
+        clientSecret: string;
+    }): Promise<any>;
+    updateSAMLConnection(body: (SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata) & {
+        clientID: string;
+        clientSecret: string;
+    }): Promise<any>;
+    updateOIDCConnection(body: OIDCSSOConnection & {
+        clientID: string;
+        clientSecret: string;
     }): Promise<any>;
-    deleteConfig(body: {
-        clientID?: string;
-        clientSecret?: string;
-        tenant?: string;
-        product?: string;
-    }): Promise<void>;
+    getConnections(body: GetConnectionsQuery): Promise<Array<any>>;
+    getConfig(body: GetConfigQuery): Promise<any>;
+    deleteConnections(body: DelConnectionsQuery): Promise<void>;
+    deleteConfig(body: DelConfigQuery): Promise<void>;
 }
 export interface IOAuthController {
-    authorize(body: OAuthReqBody): Promise<{
+    authorize(body: OAuthReq): Promise<{
         redirect_url?: string;
         authorize_form?: string;
     }>;
@@ -33,11 +70,14 @@ export interface IOAuthController {
         redirect_url?: string;
         app_select_form?: string;
     }>;
+    oidcAuthzResponse(body: OIDCAuthzResponsePayload): Promise<{
+        redirect_url?: string;
+    }>;
     token(body: OAuthTokenReq): Promise<OAuthTokenRes>;
     userInfo(token: string): Promise<Profile>;
 }
 export interface IAdminController {
-    getAllConfig(pageOffset?: number, pageLimit?: number): any;
+    getAllConnection(pageOffset?: number, pageLimit?: number): any;
 }
 export interface IHealthCheckController {
     status(): Promise<{
@@ -70,34 +110,67 @@ export interface IOidcDiscoveryController {
     }>;
 }
 export interface OAuthReqBody {
+    state: string;
     response_type: 'code';
-    client_id: string;
     redirect_uri: string;
-    state: string;
-    tenant?: string;
-    product?: string;
-    access_type?: string;
-    resource?: string;
-    scope?: string;
-    nonce?: string;
     code_challenge: string;
     code_challenge_method: 'plain' | 'S256' | '';
-    provider: 'saml';
+    scope?: string;
+    nonce?: string;
     idp_hint?: string;
+    prompt?: string;
+}
+export interface OAuthReqBodyWithClientId extends OAuthReqBody {
+    client_id: string;
+}
+export interface OAuthReqBodyWithTenantProduct extends OAuthReqBody {
+    client_id: 'dummy';
+    tenant: string;
+    product: string;
+}
+export interface OAuthReqBodyWithAccessType extends OAuthReqBody {
+    client_id: 'dummy';
+    access_type: string;
 }
+export interface OAuthReqBodyWithResource extends OAuthReqBody {
+    client_id: 'dummy';
+    resource: string;
+}
+export declare type OAuthReq = OAuthReqBodyWithClientId | OAuthReqBodyWithTenantProduct | OAuthReqBodyWithAccessType | OAuthReqBodyWithResource;
 export interface SAMLResponsePayload {
     SAMLResponse: string;
     RelayState: string;
     idp_hint?: string;
 }
-export interface OAuthTokenReq {
-    client_id: string;
-    client_secret: string;
-    code_verifier: string;
+interface OIDCAuthzResponseSuccess {
+    code: string;
+    state: string;
+    error?: never;
+    error_description?: never;
+}
+interface OIDCAuthzResponseError {
+    code?: never;
+    state: string;
+    error: OAuthErrorHandlerParams['error'] | OIDCErrorCodes;
+    error_description?: string;
+}
+export declare type OIDCAuthzResponsePayload = OIDCAuthzResponseSuccess | OIDCAuthzResponseError;
+interface OAuthTokenReqBody {
     code: string;
     grant_type: 'authorization_code';
-    redirect_uri?: string;
+    redirect_uri: string;
+}
+export interface OAuthTokenReqWithCodeVerifier extends OAuthTokenReqBody {
+    code_verifier: string;
+    client_id?: never;
+    client_secret?: never;
+}
+export interface OAuthTokenReqWithCredentials extends OAuthTokenReqBody {
+    code_verifier?: never;
+    client_id: string;
+    client_secret: string;
 }
+export declare type OAuthTokenReq = OAuthTokenReqWithCodeVerifier | OAuthTokenReqWithCredentials;
 export interface OAuthTokenRes {
     access_token: string;
     id_token?: string;
@@ -154,8 +227,10 @@ export interface DatabaseOption {
 export interface JacksonOption {
     externalUrl: string;
     samlPath: string;
+    oidcPath: string;
     samlAudience?: string;
     preLoadedConfig?: string;
+    preLoadedConnection?: string;
     idpEnabled?: boolean;
     db: DatabaseOption;
     clientSecretVerifier?: string;
@@ -189,7 +264,7 @@ interface Metadata {
     loginType: 'idp' | 'sp';
     provider: string;
 }
-export interface SAMLConfig {
+export interface SAMLConnection {
     idpMetadata: Metadata;
     certs: {
         privateKey: string;
@@ -198,11 +273,12 @@ export interface SAMLConfig {
     defaultRedirectUrl: string;
 }
 export interface OAuthErrorHandlerParams {
-    error: 'invalid_request' | 'access_denied' | 'unauthorized_client' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable';
+    error: 'invalid_request' | 'access_denied' | 'unauthorized_client' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | OIDCErrorCodes;
     error_description: string;
     redirect_uri: string;
     state?: string;
 }
+export declare type OIDCErrorCodes = 'interaction_required' | 'login_required' | 'account_selection_required' | 'consent_required' | 'invalid_request_uri' | 'invalid_request_object' | 'request_not_supported' | 'request_uri_not_supported' | 'registration_not_supported';
 export interface ISPSAMLConfig {
     get(): {
         acsUrl: string;