npm - @boxyhq/saml-jackson - Versions diffs - 1.33.1-beta.1 → 1.34.0 - Mend

@boxyhq/saml-jackson 1.33.1-beta.1 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (278) hide show

package/dist/typings.d.ts +1 -1
package/package.json +1 -1
package/dist/controller/oauth/oidc-issuer.d.ts +0 -2
package/dist/controller/oauth/oidc-issuer.js +0 -25
package/dist/controller/oauth/oidc-issuer.js.map +0 -1
package/dist/src/controller/admin.d.ts +0 -27
package/dist/src/controller/admin.js +0 -60
package/dist/src/controller/admin.js.map +0 -1
package/dist/src/controller/analytics.d.ts +0 -16
package/dist/src/controller/analytics.js +0 -79
package/dist/src/controller/analytics.js.map +0 -1
package/dist/src/controller/api.d.ts +0 -557
package/dist/src/controller/api.js +0 -806
package/dist/src/controller/api.js.map +0 -1
package/dist/src/controller/connection/oidc.d.ts +0 -7
package/dist/src/controller/connection/oidc.js +0 -181
package/dist/src/controller/connection/oidc.js.map +0 -1
package/dist/src/controller/connection/saml.d.ts +0 -7
package/dist/src/controller/connection/saml.js +0 -250
package/dist/src/controller/connection/saml.js.map +0 -1
package/dist/src/controller/error.d.ts +0 -10
package/dist/src/controller/error.js +0 -13
package/dist/src/controller/error.js.map +0 -1
package/dist/src/controller/health-check.d.ts +0 -11
package/dist/src/controller/health-check.js +0 -51
package/dist/src/controller/health-check.js.map +0 -1
package/dist/src/controller/logout.d.ts +0 -18
package/dist/src/controller/logout.js +0 -132
package/dist/src/controller/logout.js.map +0 -1
package/dist/src/controller/oauth/allowed.d.ts +0 -1
package/dist/src/controller/oauth/allowed.js +0 -30
package/dist/src/controller/oauth/allowed.js.map +0 -1
package/dist/src/controller/oauth/code-verifier.d.ts +0 -1
package/dist/src/controller/oauth/code-verifier.js +0 -8
package/dist/src/controller/oauth/code-verifier.js.map +0 -1
package/dist/src/controller/oauth/oidc-client.d.ts +0 -12
package/dist/src/controller/oauth/oidc-client.js +0 -89
package/dist/src/controller/oauth/oidc-client.js.map +0 -1
package/dist/src/controller/oauth/redirect.d.ts +0 -1
package/dist/src/controller/oauth/redirect.js +0 -13
package/dist/src/controller/oauth/redirect.js.map +0 -1
package/dist/src/controller/oauth.d.ts +0 -142
package/dist/src/controller/oauth.js +0 -1112
package/dist/src/controller/oauth.js.map +0 -1
package/dist/src/controller/oidc-discovery.d.ts +0 -22
package/dist/src/controller/oidc-discovery.js +0 -47
package/dist/src/controller/oidc-discovery.js.map +0 -1
package/dist/src/controller/setup-link.d.ts +0 -307
package/dist/src/controller/setup-link.js +0 -462
package/dist/src/controller/setup-link.js.map +0 -1
package/dist/src/controller/sp-config.d.ts +0 -22
package/dist/src/controller/sp-config.js +0 -89
package/dist/src/controller/sp-config.js.map +0 -1
package/dist/src/controller/sso-handler.d.ts +0 -66
package/dist/src/controller/sso-handler.js +0 -306
package/dist/src/controller/sso-handler.js.map +0 -1
package/dist/src/controller/utils.d.ts +0 -84
package/dist/src/controller/utils.js +0 -328
package/dist/src/controller/utils.js.map +0 -1
package/dist/src/cron/lock.d.ts +0 -18
package/dist/src/cron/lock.js +0 -98
package/dist/src/cron/lock.js.map +0 -1
package/dist/src/db/db.d.ts +0 -5
package/dist/src/db/db.js +0 -178
package/dist/src/db/db.js.map +0 -1
package/dist/src/db/defaultDb.d.ts +0 -2
package/dist/src/db/defaultDb.js +0 -18
package/dist/src/db/defaultDb.js.map +0 -1
package/dist/src/db/dynamoDb.d.ts +0 -19
package/dist/src/db/dynamoDb.js +0 -320
package/dist/src/db/dynamoDb.js.map +0 -1
package/dist/src/db/encrypter.d.ts +0 -3
package/dist/src/db/encrypter.js +0 -22
package/dist/src/db/encrypter.js.map +0 -1
package/dist/src/db/mem.d.ts +0 -23
package/dist/src/db/mem.js +0 -186
package/dist/src/db/mem.js.map +0 -1
package/dist/src/db/mongo.d.ts +0 -22
package/dist/src/db/mongo.js +0 -177
package/dist/src/db/mongo.js.map +0 -1
package/dist/src/db/planetscale/entity/JacksonIndex.d.ts +0 -5
package/dist/src/db/planetscale/entity/JacksonIndex.js +0 -32
package/dist/src/db/planetscale/entity/JacksonIndex.js.map +0 -1
package/dist/src/db/planetscale/entity/JacksonStore.d.ts +0 -9
package/dist/src/db/planetscale/entity/JacksonStore.js +0 -63
package/dist/src/db/planetscale/entity/JacksonStore.js.map +0 -1
package/dist/src/db/planetscale/entity/JacksonTTL.d.ts +0 -4
package/dist/src/db/planetscale/entity/JacksonTTL.js +0 -27
package/dist/src/db/planetscale/entity/JacksonTTL.js.map +0 -1
package/dist/src/db/redis.d.ts +0 -18
package/dist/src/db/redis.js +0 -214
package/dist/src/db/redis.js.map +0 -1
package/dist/src/db/sql/entity/JacksonIndex.d.ts +0 -7
package/dist/src/db/sql/entity/JacksonIndex.js +0 -39
package/dist/src/db/sql/entity/JacksonIndex.js.map +0 -1
package/dist/src/db/sql/entity/JacksonStore.d.ts +0 -9
package/dist/src/db/sql/entity/JacksonStore.js +0 -61
package/dist/src/db/sql/entity/JacksonStore.js.map +0 -1
package/dist/src/db/sql/entity/JacksonTTL.d.ts +0 -4
package/dist/src/db/sql/entity/JacksonTTL.js +0 -27
package/dist/src/db/sql/entity/JacksonTTL.js.map +0 -1
package/dist/src/db/sql/mariadb/entity/JacksonIndex.d.ts +0 -7
package/dist/src/db/sql/mariadb/entity/JacksonIndex.js +0 -39
package/dist/src/db/sql/mariadb/entity/JacksonIndex.js.map +0 -1
package/dist/src/db/sql/mariadb/entity/JacksonStore.d.ts +0 -9
package/dist/src/db/sql/mariadb/entity/JacksonStore.js +0 -63
package/dist/src/db/sql/mariadb/entity/JacksonStore.js.map +0 -1
package/dist/src/db/sql/mariadb/entity/JacksonTTL.d.ts +0 -4
package/dist/src/db/sql/mariadb/entity/JacksonTTL.js +0 -27
package/dist/src/db/sql/mariadb/entity/JacksonTTL.js.map +0 -1
package/dist/src/db/sql/mssql/entity/JacksonIndex.d.ts +0 -7
package/dist/src/db/sql/mssql/entity/JacksonIndex.js +0 -39
package/dist/src/db/sql/mssql/entity/JacksonIndex.js.map +0 -1
package/dist/src/db/sql/mssql/entity/JacksonStore.d.ts +0 -9
package/dist/src/db/sql/mssql/entity/JacksonStore.js +0 -61
package/dist/src/db/sql/mssql/entity/JacksonStore.js.map +0 -1
package/dist/src/db/sql/mssql/entity/JacksonTTL.d.ts +0 -4
package/dist/src/db/sql/mssql/entity/JacksonTTL.js +0 -27
package/dist/src/db/sql/mssql/entity/JacksonTTL.js.map +0 -1
package/dist/src/db/sql/mssql.d.ts +0 -1
package/dist/src/db/sql/mssql.js +0 -44
package/dist/src/db/sql/mssql.js.map +0 -1
package/dist/src/db/sql/sql.d.ts +0 -32
package/dist/src/db/sql/sql.js +0 -318
package/dist/src/db/sql/sql.js.map +0 -1
package/dist/src/db/sql/sqlite/entity/JacksonIndex.d.ts +0 -7
package/dist/src/db/sql/sqlite/entity/JacksonIndex.js +0 -39
package/dist/src/db/sql/sqlite/entity/JacksonIndex.js.map +0 -1
package/dist/src/db/sql/sqlite/entity/JacksonStore.d.ts +0 -9
package/dist/src/db/sql/sqlite/entity/JacksonStore.js +0 -61
package/dist/src/db/sql/sqlite/entity/JacksonStore.js.map +0 -1
package/dist/src/db/sql/sqlite/entity/JacksonTTL.d.ts +0 -4
package/dist/src/db/sql/sqlite/entity/JacksonTTL.js +0 -27
package/dist/src/db/sql/sqlite/entity/JacksonTTL.js.map +0 -1
package/dist/src/db/store.d.ts +0 -5
package/dist/src/db/store.js +0 -65
package/dist/src/db/store.js.map +0 -1
package/dist/src/db/utils.d.ts +0 -16
package/dist/src/db/utils.js +0 -28
package/dist/src/db/utils.js.map +0 -1
package/dist/src/directory-sync/batch-events/queue.d.ts +0 -40
package/dist/src/directory-sync/batch-events/queue.js +0 -225
package/dist/src/directory-sync/batch-events/queue.js.map +0 -1
package/dist/src/directory-sync/index.d.ts +0 -27
package/dist/src/directory-sync/index.js +0 -97
package/dist/src/directory-sync/index.js.map +0 -1
package/dist/src/directory-sync/non-scim/google/api.d.ts +0 -36
package/dist/src/directory-sync/non-scim/google/api.js +0 -143
package/dist/src/directory-sync/non-scim/google/api.js.map +0 -1
package/dist/src/directory-sync/non-scim/google/index.d.ts +0 -12
package/dist/src/directory-sync/non-scim/google/index.js +0 -10
package/dist/src/directory-sync/non-scim/google/index.js.map +0 -1
package/dist/src/directory-sync/non-scim/google/oauth.d.ts +0 -27
package/dist/src/directory-sync/non-scim/google/oauth.js +0 -105
package/dist/src/directory-sync/non-scim/google/oauth.js.map +0 -1
package/dist/src/directory-sync/non-scim/index.d.ts +0 -24
package/dist/src/directory-sync/non-scim/index.js +0 -85
package/dist/src/directory-sync/non-scim/index.js.map +0 -1
package/dist/src/directory-sync/non-scim/syncGroupMembers.d.ts +0 -23
package/dist/src/directory-sync/non-scim/syncGroupMembers.js +0 -105
package/dist/src/directory-sync/non-scim/syncGroupMembers.js.map +0 -1
package/dist/src/directory-sync/non-scim/syncGroups.d.ts +0 -24
package/dist/src/directory-sync/non-scim/syncGroups.js +0 -120
package/dist/src/directory-sync/non-scim/syncGroups.js.map +0 -1
package/dist/src/directory-sync/non-scim/syncUsers.d.ts +0 -24
package/dist/src/directory-sync/non-scim/syncUsers.js +0 -120
package/dist/src/directory-sync/non-scim/syncUsers.js.map +0 -1
package/dist/src/directory-sync/non-scim/utils.d.ts +0 -36
package/dist/src/directory-sync/non-scim/utils.js +0 -109
package/dist/src/directory-sync/non-scim/utils.js.map +0 -1
package/dist/src/directory-sync/request.d.ts +0 -14
package/dist/src/directory-sync/request.js +0 -29
package/dist/src/directory-sync/request.js.map +0 -1
package/dist/src/directory-sync/scim/Base.d.ts +0 -12
package/dist/src/directory-sync/scim/Base.js +0 -23
package/dist/src/directory-sync/scim/Base.js.map +0 -1
package/dist/src/directory-sync/scim/DirectoryConfig.d.ts +0 -343
package/dist/src/directory-sync/scim/DirectoryConfig.js +0 -580
package/dist/src/directory-sync/scim/DirectoryConfig.js.map +0 -1
package/dist/src/directory-sync/scim/DirectoryGroups.d.ts +0 -28
package/dist/src/directory-sync/scim/DirectoryGroups.js +0 -252
package/dist/src/directory-sync/scim/DirectoryGroups.js.map +0 -1
package/dist/src/directory-sync/scim/DirectoryUsers.d.ts +0 -25
package/dist/src/directory-sync/scim/DirectoryUsers.js +0 -193
package/dist/src/directory-sync/scim/DirectoryUsers.js.map +0 -1
package/dist/src/directory-sync/scim/Groups.d.ts +0 -166
package/dist/src/directory-sync/scim/Groups.js +0 -348
package/dist/src/directory-sync/scim/Groups.js.map +0 -1
package/dist/src/directory-sync/scim/Users.d.ts +0 -99
package/dist/src/directory-sync/scim/Users.js +0 -215
package/dist/src/directory-sync/scim/Users.js.map +0 -1
package/dist/src/directory-sync/scim/WebhookEventsLogger.d.ts +0 -101
package/dist/src/directory-sync/scim/WebhookEventsLogger.js +0 -165
package/dist/src/directory-sync/scim/WebhookEventsLogger.js.map +0 -1
package/dist/src/directory-sync/scim/transform.d.ts +0 -6
package/dist/src/directory-sync/scim/transform.js +0 -37
package/dist/src/directory-sync/scim/transform.js.map +0 -1
package/dist/src/directory-sync/scim/utils.d.ts +0 -33
package/dist/src/directory-sync/scim/utils.js +0 -129
package/dist/src/directory-sync/scim/utils.js.map +0 -1
package/dist/src/directory-sync/types.d.ts +0 -195
package/dist/src/directory-sync/types.js +0 -10
package/dist/src/directory-sync/types.js.map +0 -1
package/dist/src/directory-sync/utils.d.ts +0 -19
package/dist/src/directory-sync/utils.js +0 -56
package/dist/src/directory-sync/utils.js.map +0 -1
package/dist/src/ee/branding/index.d.ts +0 -17
package/dist/src/ee/branding/index.js +0 -49
package/dist/src/ee/branding/index.js.map +0 -1
package/dist/src/ee/common/checkLicense.d.ts +0 -3
package/dist/src/ee/common/checkLicense.js +0 -23
package/dist/src/ee/common/checkLicense.js.map +0 -1
package/dist/src/ee/identity-federation/app.d.ts +0 -328
package/dist/src/ee/identity-federation/app.js +0 -532
package/dist/src/ee/identity-federation/app.js.map +0 -1
package/dist/src/ee/identity-federation/idp-login.d.ts +0 -18
package/dist/src/ee/identity-federation/idp-login.js +0 -98
package/dist/src/ee/identity-federation/idp-login.js.map +0 -1
package/dist/src/ee/identity-federation/index.d.ts +0 -15
package/dist/src/ee/identity-federation/index.js +0 -43
package/dist/src/ee/identity-federation/index.js.map +0 -1
package/dist/src/ee/identity-federation/sso.d.ts +0 -24
package/dist/src/ee/identity-federation/sso.js +0 -124
package/dist/src/ee/identity-federation/sso.js.map +0 -1
package/dist/src/ee/identity-federation/types.d.ts +0 -38
package/dist/src/ee/identity-federation/types.js +0 -2
package/dist/src/ee/identity-federation/types.js.map +0 -1
package/dist/src/ee/ory/ory.d.ts +0 -18
package/dist/src/ee/ory/ory.js +0 -195
package/dist/src/ee/ory/ory.js.map +0 -1
package/dist/src/ee/product/index.d.ts +0 -14
package/dist/src/ee/product/index.js +0 -45
package/dist/src/ee/product/index.js.map +0 -1
package/dist/src/event/axios.d.ts +0 -2
package/dist/src/event/axios.js +0 -27
package/dist/src/event/axios.js.map +0 -1
package/dist/src/event/index.d.ts +0 -11
package/dist/src/event/index.js +0 -53
package/dist/src/event/index.js.map +0 -1
package/dist/src/event/types.d.ts +0 -21
package/dist/src/event/types.js +0 -2
package/dist/src/event/types.js.map +0 -1
package/dist/src/event/utils.d.ts +0 -4
package/dist/src/event/utils.js +0 -33
package/dist/src/event/utils.js.map +0 -1
package/dist/src/event/webhook.d.ts +0 -3
package/dist/src/event/webhook.js +0 -34
package/dist/src/event/webhook.js.map +0 -1
package/dist/src/index.d.ts +0 -35
package/dist/src/index.js +0 -161
package/dist/src/index.js.map +0 -1
package/dist/src/loadConnection.d.ts +0 -4
package/dist/src/loadConnection.js +0 -38
package/dist/src/loadConnection.js.map +0 -1
package/dist/src/opentelemetry/metrics.d.ts +0 -14
package/dist/src/opentelemetry/metrics.js +0 -64
package/dist/src/opentelemetry/metrics.js.map +0 -1
package/dist/src/saml/claims.d.ts +0 -12
package/dist/src/saml/claims.js +0 -57
package/dist/src/saml/claims.js.map +0 -1
package/dist/src/saml/lib.d.ts +0 -8
package/dist/src/saml/lib.js +0 -29
package/dist/src/saml/lib.js.map +0 -1
package/dist/src/saml/x509.d.ts +0 -9
package/dist/src/saml/x509.js +0 -93
package/dist/src/saml/x509.js.map +0 -1
package/dist/src/sso-traces/index.d.ts +0 -114
package/dist/src/sso-traces/index.js +0 -229
package/dist/src/sso-traces/index.js.map +0 -1
package/dist/src/sso-traces/types.d.ts +0 -44
package/dist/src/sso-traces/types.js +0 -2
package/dist/src/sso-traces/types.js.map +0 -1
package/dist/src/typings.d.ts +0 -540
package/dist/src/typings.js +0 -5
package/dist/src/typings.js.map +0 -1
package/dist/typeorm.d.ts +0 -3
package/dist/typeorm.js +0 -58
package/dist/typeorm.js.map +0 -1

package/dist/src/controller/oauth.js DELETED Viewed

@@ -1,1112 +0,0 @@
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __rest = (this && this.__rest) || function (s, e) {
-    var t = {};
-    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
-        t[p] = s[p];
-    if (s != null && typeof Object.getOwnPropertySymbols === "function")
-        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
-            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
-                t[p[i]] = s[p[i]];
-        }
-    return t;
-};
-import crypto from 'crypto';
-import * as jose from 'jose';
-import { promisify } from 'util';
-import { deflateRaw } from 'zlib';
-import saml from '@boxyhq/saml20';
-import { clientIDFederatedPrefix, clientIDOIDCPrefix, relayStatePrefix, IndexNames, OAuthErrorResponse, getErrorMessage, loadJWSPrivateKey, computeKid, isJWSKeyPairLoaded, extractOIDCUserProfile, getScopeValues, getEncodedTenantProduct, isConnectionActive, } from './utils';
-import * as metrics from '../opentelemetry/metrics';
-import { JacksonError } from './error';
-import * as allowed from './oauth/allowed';
-import * as codeVerifier from './oauth/code-verifier';
-import * as redirect from './oauth/redirect';
-import { getDefaultCertificate } from '../saml/x509';
-import { SSOHandler } from './sso-handler';
-import { extractSAMLResponseAttributes } from '../saml/lib';
-import { oidcClientConfig } from './oauth/oidc-client';
-const deflateRawAsync = promisify(deflateRaw);
-export class OAuthController {
-    constructor({ connectionStore, sessionStore, codeStore, tokenStore, ssoTraces, opts, idFedApp }) {
-        this.connectionStore = connectionStore;
-        this.sessionStore = sessionStore;
-        this.codeStore = codeStore;
-        this.tokenStore = tokenStore;
-        this.ssoTraces = ssoTraces;
-        this.opts = opts;
-        this.idFedApp = idFedApp;
-        this.ssoHandler = new SSOHandler({
-            connection: connectionStore,
-            session: sessionStore,
-            opts,
-        });
-    }
-    authorize(body) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c;
-            const { tenant, product, access_type, resource, response_type = 'code', client_id, redirect_uri, state, scope, nonce, code_challenge, code_challenge_method = '', idp_hint, forceAuthn = 'false', login_hint } = body, oidcParams = __rest(body, ["tenant", "product", "access_type", "resource", "response_type", "client_id", "redirect_uri", "state", "scope", "nonce", "code_challenge", "code_challenge_method", "idp_hint", "forceAuthn", "login_hint"]) // Rest of the params will be assumed as OIDC params and will be forwarded to the IdP
-            ;
-            let requestedTenant;
-            let requestedProduct;
-            let requestedScopes;
-            let requestedOIDCFlow;
-            let isOIDCFederated;
-            let connection;
-            let fedApp;
-            try {
-                requestedTenant = tenant;
-                requestedProduct = product;
-                metrics.increment('oauthAuthorize');
-                if (!redirect_uri) {
-                    throw new JacksonError('Please specify a redirect URL.', 400);
-                }
-                requestedScopes = getScopeValues(scope);
-                requestedOIDCFlow = requestedScopes.includes('openid');
-                if (tenant && product) {
-                    const response = yield this.ssoHandler.resolveConnection({
-                        tenant,
-                        product,
-                        idp_hint,
-                        authFlow: 'oauth',
-                        originalParams: Object.assign({}, body),
-                    });
-                    if ('redirectUrl' in response) {
-                        return {
-                            redirect_url: response.redirectUrl,
-                        };
-                    }
-                    if ('connection' in response) {
-                        connection = response.connection;
-                    }
-                }
-                else if (client_id && client_id !== '' && client_id !== 'undefined' && client_id !== 'null') {
-                    // if tenant and product are encoded in the client_id then we parse it and check for the relevant connection(s)
-                    let sp = getEncodedTenantProduct(client_id);
-                    if (!sp && access_type) {
-                        sp = getEncodedTenantProduct(access_type);
-                    }
-                    if (!sp && resource) {
-                        sp = getEncodedTenantProduct(resource);
-                        if (sp === null) {
-                            oidcParams.resource = resource;
-                        }
-                    }
-                    if (!sp && requestedScopes) {
-                        const encodedParams = requestedScopes.find((scope) => scope.includes('=') && scope.includes('&')); // for now assume only one encoded param i.e. for tenant/product
-                        if (encodedParams) {
-                            sp = getEncodedTenantProduct(encodedParams);
-                        }
-                    }
-                    if (sp && sp.tenant && sp.product) {
-                        const { tenant, product } = sp;
-                        requestedTenant = tenant;
-                        requestedProduct = product;
-                        const response = yield this.ssoHandler.resolveConnection({
-                            tenant,
-                            product,
-                            idp_hint,
-                            authFlow: 'oauth',
-                            originalParams: Object.assign({}, body),
-                        });
-                        if ('redirectUrl' in response) {
-                            return {
-                                redirect_url: response.redirectUrl,
-                            };
-                        }
-                        if ('connection' in response) {
-                            connection = response.connection;
-                        }
-                    }
-                    else {
-                        // client_id is not encoded, so we look for the connection using the client_id
-                        // First we check if it's a federated connection
-                        if (client_id.startsWith(`${clientIDFederatedPrefix}${clientIDOIDCPrefix}`)) {
-                            isOIDCFederated = true;
-                            fedApp = yield this.idFedApp.get({
-                                id: client_id.replace(clientIDFederatedPrefix, ''),
-                            });
-                            const response = yield this.ssoHandler.resolveConnection({
-                                tenant: fedApp.tenant,
-                                product: fedApp.product,
-                                idp_hint,
-                                authFlow: 'oauth',
-                                originalParams: Object.assign({}, body),
-                                tenants: fedApp.tenants,
-                                idFedAppId: fedApp.id,
-                                fedType: fedApp.type,
-                            });
-                            if ('redirectUrl' in response) {
-                                return {
-                                    redirect_url: response.redirectUrl,
-                                };
-                            }
-                            if ('connection' in response) {
-                                connection = response.connection;
-                                requestedTenant = fedApp.tenant;
-                                requestedProduct = fedApp.product;
-                            }
-                        }
-                        else {
-                            // If it's not a federated connection, we look for the connection using the client_id
-                            connection = yield this.connectionStore.get(client_id);
-                            if (connection) {
-                                requestedTenant = connection.tenant;
-                                requestedProduct = connection.product;
-                            }
-                        }
-                    }
-                }
-                else {
-                    throw new JacksonError('You need to specify client_id or tenant & product', 403);
-                }
-                if (!connection) {
-                    throw new JacksonError('IdP connection not found.', 403);
-                }
-                if (!allowed.redirect(redirect_uri, connection.redirectUrl)) {
-                    if (fedApp) {
-                        if (!allowed.redirect(redirect_uri, fedApp.redirectUrl)) {
-                            throw new JacksonError('Redirect URL is not allowed.', 403);
-                        }
-                    }
-                    else {
-                        throw new JacksonError('Redirect URL is not allowed.', 403);
-                    }
-                }
-                if (!isConnectionActive(connection)) {
-                    throw new JacksonError('SSO connection is deactivated. Please contact your administrator.', 403);
-                }
-            }
-            catch (err) {
-                const error_description = getErrorMessage(err);
-                // Save the error trace
-                yield this.ssoTraces.saveTrace({
-                    error: error_description,
-                    context: {
-                        tenant: requestedTenant || '',
-                        product: requestedProduct || '',
-                        clientID: (connection === null || connection === void 0 ? void 0 : connection.clientID) || '',
-                        requestedOIDCFlow,
-                        isOIDCFederated,
-                        redirectUri: redirect_uri,
-                    },
-                });
-                throw err;
-            }
-            const isMissingJWTKeysForOIDCFlow = requestedOIDCFlow &&
-                (!((_a = this.opts.openid) === null || _a === void 0 ? void 0 : _a.jwtSigningKeys) || !isJWSKeyPairLoaded(this.opts.openid.jwtSigningKeys));
-            const oAuthClientReqError = !state || response_type !== 'code';
-            const connectionIsSAML = 'idpMetadata' in connection && connection.idpMetadata !== undefined;
-            const connectionIsOIDC = 'oidcProvider' in connection && connection.oidcProvider !== undefined;
-            if (isMissingJWTKeysForOIDCFlow || oAuthClientReqError || (!connectionIsSAML && !connectionIsOIDC)) {
-                let error, error_description;
-                if (isMissingJWTKeysForOIDCFlow) {
-                    error = 'server_error';
-                    error_description =
-                        'OAuth server not configured correctly for openid flow, check if JWT signing keys are loaded';
-                }
-                if (!state) {
-                    error = 'invalid_request';
-                    error_description = 'Please specify a state to safeguard against XSRF attacks';
-                }
-                if (response_type !== 'code') {
-                    error = 'unsupported_response_type';
-                    error_description = 'Only Authorization Code grant is supported';
-                }
-                if (!connectionIsSAML && !connectionIsOIDC) {
-                    error = 'server_error';
-                    error_description = 'Connection appears to be misconfigured';
-                }
-                // Save the error trace
-                const traceId = yield this.ssoTraces.saveTrace({
-                    error: error_description,
-                    context: {
-                        tenant: requestedTenant,
-                        product: requestedProduct,
-                        clientID: connection.clientID,
-                        requestedOIDCFlow,
-                        isOIDCFederated,
-                        redirectUri: redirect_uri,
-                    },
-                });
-                return {
-                    redirect_url: OAuthErrorResponse({
-                        error,
-                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                        redirect_uri,
-                        state,
-                    }),
-                };
-            }
-            // Connection retrieved: Handover to IdP starts here
-            let ssoUrl;
-            let post = false;
-            // Init sessionId
-            const sessionId = crypto.randomBytes(16).toString('hex');
-            const relayState = relayStatePrefix + sessionId;
-            // SAML connection: SAML request will be constructed here
-            let samlReq;
-            if (connectionIsSAML) {
-                try {
-                    const { sso } = connection.idpMetadata;
-                    if ('redirectUrl' in sso) {
-                        // HTTP Redirect binding
-                        ssoUrl = sso.redirectUrl;
-                    }
-                    else if ('postUrl' in sso) {
-                        // HTTP-POST binding
-                        ssoUrl = sso.postUrl;
-                        post = true;
-                    }
-                    else {
-                        // This code here is kept for backward compatibility. We now have validation while adding the SSO connection to ensure binding is present.
-                        const error_description = 'SAML binding could not be retrieved';
-                        // Save the error trace
-                        const traceId = yield this.ssoTraces.saveTrace({
-                            error: error_description,
-                            context: {
-                                tenant: requestedTenant,
-                                product: requestedProduct,
-                                clientID: connection.clientID,
-                                requestedOIDCFlow,
-                                isOIDCFederated,
-                                redirectUri: redirect_uri,
-                            },
-                        });
-                        return {
-                            redirect_url: OAuthErrorResponse({
-                                error: 'invalid_request',
-                                error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                                redirect_uri,
-                                state,
-                            }),
-                        };
-                    }
-                    const cert = yield getDefaultCertificate();
-                    samlReq = saml.request({
-                        ssoUrl,
-                        entityID: this.opts.samlAudience,
-                        callbackUrl: this.opts.externalUrl + this.opts.samlPath,
-                        signingKey: cert.privateKey,
-                        publicKey: cert.publicKey,
-                        forceAuthn: forceAuthn === 'true' ? true : !!connection.forceAuthn,
-                        identifierFormat: connection.identifierFormat
-                            ? connection.identifierFormat
-                            : 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-                    });
-                }
-                catch (err) {
-                    const error_description = getErrorMessage(err);
-                    // Save the error trace
-                    const traceId = yield this.ssoTraces.saveTrace({
-                        error: error_description,
-                        context: {
-                            tenant: requestedTenant,
-                            product: requestedProduct,
-                            clientID: connection.clientID,
-                            requestedOIDCFlow,
-                            isOIDCFederated,
-                            redirectUri: redirect_uri,
-                        },
-                    });
-                    return {
-                        redirect_url: OAuthErrorResponse({
-                            error: 'server_error',
-                            error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                            redirect_uri,
-                            state,
-                        }),
-                    };
-                }
-            }
-            // OIDC Connection: Issuer discovery, openid-client init and extraction of authorization endpoint happens here
-            let oidcCodeVerifier;
-            let oidcNonce;
-            if (connectionIsOIDC) {
-                const { discoveryUrl, metadata, clientId, clientSecret } = connection.oidcProvider;
-                const { ssoTraces } = this;
-                try {
-                    if (!this.opts.oidcPath) {
-                        throw new JacksonError('OpenID response handler path (oidcPath) is not set');
-                    }
-                    const client = yield import('openid-client');
-                    const oidcConfig = yield oidcClientConfig({
-                        discoveryUrl,
-                        metadata,
-                        clientId,
-                        clientSecret,
-                        ssoTraces: {
-                            instance: ssoTraces,
-                            context: {
-                                tenant: requestedTenant,
-                                product: requestedProduct,
-                                clientID: connection.clientID,
-                                requestedOIDCFlow,
-                                isOIDCFederated,
-                                redirectUri: redirect_uri,
-                            },
-                        },
-                    });
-                    oidcCodeVerifier = client.randomPKCECodeVerifier();
-                    const code_challenge = yield client.calculatePKCECodeChallenge(oidcCodeVerifier);
-                    oidcNonce = client.randomNonce();
-                    const standardScopes = ((_b = this.opts.openid) === null || _b === void 0 ? void 0 : _b.requestProfileScope)
-                        ? ['openid', 'email', 'profile']
-                        : ['openid', 'email'];
-                    const paramsToForward = ((_c = this.opts.openid) === null || _c === void 0 ? void 0 : _c.forwardOIDCParams) ? oidcParams : {};
-                    if (login_hint) {
-                        paramsToForward.login_hint = login_hint;
-                    }
-                    ssoUrl = client.buildAuthorizationUrl(oidcConfig, Object.assign({ scope: [...requestedScopes, ...standardScopes]
-                            .filter((value, index, self) => self.indexOf(value) === index) // filter out duplicates
-                            .join(' '), code_challenge, code_challenge_method: 'S256', state: relayState, nonce: oidcNonce, redirect_uri: this.opts.externalUrl + this.opts.oidcPath }, paramsToForward)).href;
-                }
-                catch (err) {
-                    const error_description = getErrorMessage(err);
-                    // Save the error trace
-                    const traceId = yield this.ssoTraces.saveTrace({
-                        error: error_description,
-                        context: {
-                            tenant: requestedTenant,
-                            product: requestedProduct,
-                            clientID: connection.clientID,
-                            requestedOIDCFlow,
-                            isOIDCFederated,
-                            redirectUri: redirect_uri,
-                        },
-                    });
-                    if (err) {
-                        return {
-                            redirect_url: OAuthErrorResponse({
-                                error: 'server_error',
-                                error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                                redirect_uri,
-                                state,
-                            }),
-                        };
-                    }
-                }
-            }
-            // Session persistence happens here
-            try {
-                const requested = { client_id, state, redirect_uri };
-                if (requestedTenant) {
-                    requested.tenant = requestedTenant;
-                }
-                if (requestedProduct) {
-                    requested.product = requestedProduct;
-                }
-                if (idp_hint) {
-                    requested.idp_hint = idp_hint;
-                }
-                else {
-                    if (fedApp) {
-                        requested.idp_hint = connection.clientID;
-                    }
-                }
-                if (requestedOIDCFlow) {
-                    requested.oidc = true;
-                    if (nonce) {
-                        requested.nonce = nonce;
-                    }
-                }
-                if (requestedScopes) {
-                    requested.scope = requestedScopes;
-                }
-                const sessionObj = {
-                    redirect_uri,
-                    response_type,
-                    state,
-                    code_challenge,
-                    code_challenge_method,
-                    requested,
-                    oidcFederated: fedApp
-                        ? {
-                            redirectUrl: fedApp.redirectUrl,
-                            id: fedApp.id,
-                            clientID: fedApp.clientID,
-                            clientSecret: fedApp.clientSecret,
-                        }
-                        : undefined,
-                };
-                yield this.sessionStore.put(sessionId, connectionIsSAML
-                    ? Object.assign(Object.assign({}, sessionObj), { id: samlReq === null || samlReq === void 0 ? void 0 : samlReq.id }) : Object.assign(Object.assign({}, sessionObj), { id: connection.clientID, oidcCodeVerifier, oidcNonce }));
-                // Redirect to IdP
-                if (connectionIsSAML) {
-                    let redirectUrl;
-                    let authorizeForm;
-                    if (!post) {
-                        // HTTP Redirect binding
-                        redirectUrl = redirect.success(ssoUrl, {
-                            RelayState: relayState,
-                            SAMLRequest: Buffer.from(yield deflateRawAsync(samlReq.request)).toString('base64'),
-                        });
-                    }
-                    else {
-                        // HTTP POST binding
-                        authorizeForm = saml.createPostForm(ssoUrl, [
-                            {
-                                name: 'RelayState',
-                                value: relayState,
-                            },
-                            {
-                                name: 'SAMLRequest',
-                                value: Buffer.from(samlReq.request).toString('base64'),
-                            },
-                        ]);
-                    }
-                    return {
-                        redirect_url: redirectUrl,
-                        authorize_form: authorizeForm,
-                    };
-                }
-                if (connectionIsOIDC) {
-                    return { redirect_url: ssoUrl };
-                }
-                throw 'Connection appears to be misconfigured';
-            }
-            catch (err) {
-                const error_description = getErrorMessage(err);
-                // Save the error trace
-                const traceId = yield this.ssoTraces.saveTrace({
-                    error: error_description,
-                    context: {
-                        tenant: requestedTenant,
-                        product: requestedProduct,
-                        clientID: connection.clientID,
-                        requestedOIDCFlow,
-                        isOIDCFederated,
-                        redirectUri: redirect_uri,
-                        samlRequest: (samlReq === null || samlReq === void 0 ? void 0 : samlReq.request) || '',
-                    },
-                });
-                return {
-                    redirect_url: OAuthErrorResponse({
-                        error: 'server_error',
-                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                        redirect_uri,
-                        state,
-                    }),
-                };
-            }
-        });
-    }
-    samlResponse(body) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o;
-            let connection;
-            let rawResponse;
-            let sessionId;
-            let session;
-            let issuer;
-            let isIdPFlow;
-            let isSAMLFederated;
-            let isOIDCFederated;
-            let validateOpts;
-            let redirect_uri;
-            const { SAMLResponse, idp_hint, RelayState = '' } = body;
-            try {
-                isIdPFlow = !RelayState.startsWith(relayStatePrefix);
-                rawResponse = Buffer.from(SAMLResponse, 'base64').toString();
-                issuer = saml.parseIssuer(rawResponse);
-                if (!this.opts.idpEnabled && isIdPFlow) {
-                    // IdP login is disabled so block the request
-                    throw new JacksonError('IdP (Identity Provider) flow has been disabled. Please head to your Service Provider to login.', 403);
-                }
-                sessionId = RelayState.replace(relayStatePrefix, '');
-                if (!issuer) {
-                    throw new JacksonError('Issuer not found.', 403);
-                }
-                const connections = (yield this.connectionStore.getByIndex({
-                    name: IndexNames.EntityID,
-                    value: issuer,
-                })).data;
-                if (!connections || connections.length === 0) {
-                    throw new JacksonError('SAML connection not found.', 403);
-                }
-                session = sessionId ? yield this.sessionStore.get(sessionId) : null;
-                if (!isIdPFlow && !session) {
-                    throw new JacksonError('Unable to validate state from the origin request.', 403);
-                }
-                isSAMLFederated = session && 'samlFederated' in session;
-                isOIDCFederated = session && 'oidcFederated' in session;
-                const isSPFlow = !isIdPFlow && !isSAMLFederated;
-                // IdP initiated SSO flow
-                if (isIdPFlow) {
-                    const response = yield this.ssoHandler.resolveConnection({
-                        idp_hint,
-                        authFlow: 'idp-initiated',
-                        entityId: issuer,
-                        originalParams: {
-                            SAMLResponse,
-                        },
-                    });
-                    // Redirect to the product selection page
-                    if ('postForm' in response) {
-                        return {
-                            app_select_form: response.postForm,
-                        };
-                    }
-                    // Found a connection
-                    if ('connection' in response) {
-                        connection = response.connection;
-                        if (!isConnectionActive(connection)) {
-                            throw new JacksonError('SSO connection is deactivated. Please contact your administrator.', 403);
-                        }
-                    }
-                }
-                // SP initiated SSO flow
-                // Resolve if there are multiple matches for SP login
-                if (isSPFlow || isSAMLFederated || isOIDCFederated) {
-                    connection = connections.filter((c) => {
-                        return (c.clientID === session.requested.client_id ||
-                            c.clientID === session.requested.idp_hint ||
-                            (c.tenant === session.requested.tenant && c.product === session.requested.product));
-                    })[0];
-                }
-                if (!connection) {
-                    throw new JacksonError('SAML connection not found.', 403);
-                }
-                if (session &&
-                    session.redirect_uri &&
-                    !allowed.redirect(session.redirect_uri, connection.redirectUrl)) {
-                    if (isOIDCFederated) {
-                        if (!allowed.redirect(session.redirect_uri, (_a = session.oidcFederated) === null || _a === void 0 ? void 0 : _a.redirectUrl)) {
-                            throw new JacksonError('Redirect URL is not allowed.', 403);
-                        }
-                    }
-                    else {
-                        throw new JacksonError('Redirect URL is not allowed.', 403);
-                    }
-                }
-                const { privateKey } = yield getDefaultCertificate();
-                validateOpts = {
-                    audience: `${this.opts.samlAudience}`,
-                    privateKey,
-                };
-                if (connection.idpMetadata.publicKey) {
-                    validateOpts.publicKey = connection.idpMetadata.publicKey;
-                }
-                else if (connection.idpMetadata.thumbprint) {
-                    validateOpts.thumbprint = connection.idpMetadata.thumbprint;
-                }
-                if (session && session.id) {
-                    validateOpts['inResponseTo'] = session.id;
-                }
-                redirect_uri = (session && session.redirect_uri) || connection.defaultRedirectUrl;
-            }
-            catch (err) {
-                // Save the error trace
-                yield this.ssoTraces.saveTrace({
-                    error: getErrorMessage(err),
-                    context: {
-                        samlResponse: rawResponse,
-                        tenant: ((_b = session === null || session === void 0 ? void 0 : session.requested) === null || _b === void 0 ? void 0 : _b.tenant) || (connection === null || connection === void 0 ? void 0 : connection.tenant),
-                        product: ((_c = session === null || session === void 0 ? void 0 : session.requested) === null || _c === void 0 ? void 0 : _c.product) || (connection === null || connection === void 0 ? void 0 : connection.product),
-                        clientID: ((_d = session === null || session === void 0 ? void 0 : session.requested) === null || _d === void 0 ? void 0 : _d.client_id) || (connection === null || connection === void 0 ? void 0 : connection.clientID),
-                        providerName: (_e = connection === null || connection === void 0 ? void 0 : connection.idpMetadata) === null || _e === void 0 ? void 0 : _e.provider,
-                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
-                        issuer,
-                        isSAMLFederated,
-                        isOIDCFederated,
-                        isIdPFlow,
-                        requestedOIDCFlow: !!((_f = session === null || session === void 0 ? void 0 : session.requested) === null || _f === void 0 ? void 0 : _f.oidc),
-                        acsUrl: (_g = session === null || session === void 0 ? void 0 : session.requested) === null || _g === void 0 ? void 0 : _g.acsUrl,
-                        entityId: (_h = session === null || session === void 0 ? void 0 : session.requested) === null || _h === void 0 ? void 0 : _h.entityId,
-                        relayState: RelayState,
-                    },
-                });
-                throw err; // Rethrow the error
-            }
-            let profile;
-            try {
-                profile = yield extractSAMLResponseAttributes(rawResponse, validateOpts);
-                // This is a federated SAML flow, let's create a new SAMLResponse and POST it to the SP
-                if (isSAMLFederated) {
-                    const { responseForm } = yield this.ssoHandler.createSAMLResponse({ profile, session });
-                    yield this.sessionStore.delete(sessionId);
-                    return { response_form: responseForm };
-                }
-                const code = yield this._buildAuthorizationCode(connection, profile, session, isIdPFlow);
-                const params = {
-                    code,
-                };
-                if (session && session.state) {
-                    params['state'] = session.state;
-                }
-                yield this.sessionStore.delete(sessionId);
-                return { redirect_url: redirect.success(redirect_uri, params) };
-            }
-            catch (err) {
-                const error_description = getErrorMessage(err);
-                // Trace the error
-                const traceId = yield this.ssoTraces.saveTrace({
-                    error: error_description,
-                    context: {
-                        samlResponse: rawResponse,
-                        tenant: connection.tenant,
-                        product: connection.product,
-                        clientID: connection.clientID,
-                        providerName: (_j = connection === null || connection === void 0 ? void 0 : connection.idpMetadata) === null || _j === void 0 ? void 0 : _j.provider,
-                        redirectUri: isIdPFlow ? connection === null || connection === void 0 ? void 0 : connection.defaultRedirectUrl : session === null || session === void 0 ? void 0 : session.redirect_uri,
-                        isSAMLFederated,
-                        isOIDCFederated,
-                        isIdPFlow,
-                        acsUrl: (_k = session === null || session === void 0 ? void 0 : session.requested) === null || _k === void 0 ? void 0 : _k.acsUrl,
-                        entityId: (_l = session === null || session === void 0 ? void 0 : session.requested) === null || _l === void 0 ? void 0 : _l.entityId,
-                        requestedOIDCFlow: !!((_m = session === null || session === void 0 ? void 0 : session.requested) === null || _m === void 0 ? void 0 : _m.oidc),
-                        relayState: RelayState,
-                        issuer,
-                        profile,
-                    },
-                });
-                if (isSAMLFederated) {
-                    throw err;
-                }
-                return {
-                    redirect_url: OAuthErrorResponse({
-                        error: 'access_denied',
-                        error_description: traceId ? `${traceId}: ${error_description}` : error_description,
-                        redirect_uri,
-                        state: (_o = session === null || session === void 0 ? void 0 : session.requested) === null || _o === void 0 ? void 0 : _o.state,
-                    }),
-                };
-            }
-        });
-    }
-    oidcAuthzResponse(body) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
-            let oidcConnection;
-            let session;
-            let isSAMLFederated;
-            let isOIDCFederated;
-            let redirect_uri;
-            let profile;
-            const callbackParams = body;
-            let RelayState = callbackParams.state || '';
-            try {
-                if (!RelayState) {
-                    throw new JacksonError('State from original request is missing.', 403);
-                }
-                RelayState = RelayState.replace(relayStatePrefix, '');
-                session = yield this.sessionStore.get(RelayState);
-                if (!session) {
-                    throw new JacksonError('Unable to validate state from the original request.', 403);
-                }
-                isSAMLFederated = session && 'samlFederated' in session;
-                isOIDCFederated = session && 'oidcFederated' in session;
-                oidcConnection = yield this.connectionStore.get(session.id);
-                if (!oidcConnection) {
-                    throw new JacksonError('OIDC connection not found.', 403);
-                }
-                if (!isSAMLFederated) {
-                    redirect_uri = session && session.redirect_uri;
-                    if (!redirect_uri) {
-                        throw new JacksonError('Redirect URL from the authorization request could not be retrieved', 403);
-                    }
-                    if (redirect_uri && !allowed.redirect(redirect_uri, oidcConnection.redirectUrl)) {
-                        if (isOIDCFederated) {
-                            if (!allowed.redirect(redirect_uri, (_a = session.oidcFederated) === null || _a === void 0 ? void 0 : _a.redirectUrl)) {
-                                throw new JacksonError('Redirect URL is not allowed.', 403);
-                            }
-                        }
-                        else {
-                            throw new JacksonError('Redirect URL is not allowed.', 403);
-                        }
-                    }
-                }
-            }
-            catch (err) {
-                yield this.ssoTraces.saveTrace({
-                    error: getErrorMessage(err),
-                    context: {
-                        tenant: ((_b = session === null || session === void 0 ? void 0 : session.requested) === null || _b === void 0 ? void 0 : _b.tenant) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.tenant),
-                        product: ((_c = session === null || session === void 0 ? void 0 : session.requested) === null || _c === void 0 ? void 0 : _c.product) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.product),
-                        clientID: ((_d = session === null || session === void 0 ? void 0 : session.requested) === null || _d === void 0 ? void 0 : _d.client_id) || (oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.clientID),
-                        providerName: (_e = oidcConnection === null || oidcConnection === void 0 ? void 0 : oidcConnection.oidcProvider) === null || _e === void 0 ? void 0 : _e.provider,
-                        acsUrl: (_f = session === null || session === void 0 ? void 0 : session.requested) === null || _f === void 0 ? void 0 : _f.acsUrl,
-                        entityId: (_g = session === null || session === void 0 ? void 0 : session.requested) === null || _g === void 0 ? void 0 : _g.entityId,
-                        redirectUri: redirect_uri,
-                        relayState: RelayState,
-                        isSAMLFederated,
-                        isOIDCFederated,
-                        requestedOIDCFlow: !!((_h = session === null || session === void 0 ? void 0 : session.requested) === null || _h === void 0 ? void 0 : _h.oidc),
-                        oidcIdPRequest: (_j = session === null || session === void 0 ? void 0 : session.requested) === null || _j === void 0 ? void 0 : _j.oidcIdPRequest,
-                    },
-                });
-                // Rethrow err and redirect to Jackson error page
-                throw err;
-            }
-            // Reconstruct the oidcClient, code exchange for token and user profile happens here
-            const { discoveryUrl, metadata, clientId, clientSecret } = oidcConnection.oidcProvider;
-            const { ssoTraces } = this;
-            let tokens = undefined;
-            try {
-                const client = yield import('openid-client');
-                const oidcConfig = yield oidcClientConfig({
-                    discoveryUrl,
-                    metadata,
-                    clientId,
-                    clientSecret,
-                    ssoTraces: {
-                        instance: ssoTraces,
-                        context: {
-                            tenant: oidcConnection.tenant,
-                            product: oidcConnection.product,
-                            clientID: oidcConnection.clientID,
-                            providerName: oidcConnection.oidcProvider.provider,
-                            redirectUri: redirect_uri,
-                            relayState: RelayState,
-                            isSAMLFederated,
-                            isOIDCFederated,
-                            acsUrl: session.requested.acsUrl,
-                            entityId: session.requested.entityId,
-                            requestedOIDCFlow: !!session.requested.oidc,
-                            oidcIdPRequest: (_k = session === null || session === void 0 ? void 0 : session.requested) === null || _k === void 0 ? void 0 : _k.oidcIdPRequest,
-                        },
-                    },
-                });
-                const currentUrl = new URL(this.opts.externalUrl + this.opts.oidcPath + '?' + new URLSearchParams(callbackParams));
-                tokens = yield client.authorizationCodeGrant(oidcConfig, currentUrl, {
-                    pkceCodeVerifier: session.oidcCodeVerifier,
-                    expectedNonce: session.oidcNonce,
-                    expectedState: callbackParams.state,
-                    idTokenExpected: true,
-                });
-                profile = yield extractOIDCUserProfile(tokens, oidcConfig);
-                if (isSAMLFederated) {
-                    const { responseForm } = yield this.ssoHandler.createSAMLResponse({ profile, session });
-                    yield this.sessionStore.delete(RelayState);
-                    return { response_form: responseForm };
-                }
-                const code = yield this._buildAuthorizationCode(oidcConnection, profile, session, false);
-                const params = {
-                    code,
-                };
-                if (session && session.state) {
-                    params['state'] = session.state;
-                }
-                yield this.sessionStore.delete(RelayState);
-                return { redirect_url: redirect.success(redirect_uri, params) };
-            }
-            catch (err) {
-                const { error, error_description, error_uri, session_state, scope, stack } = err;
-                const error_message = error_description || getErrorMessage(err);
-                const traceId = yield this.ssoTraces.saveTrace({
-                    error: error_message,
-                    context: {
-                        tenant: oidcConnection.tenant,
-                        product: oidcConnection.product,
-                        clientID: oidcConnection.clientID,
-                        providerName: oidcConnection.oidcProvider.provider,
-                        redirectUri: redirect_uri,
-                        relayState: RelayState,
-                        isSAMLFederated,
-                        isOIDCFederated,
-                        acsUrl: session.requested.acsUrl,
-                        entityId: session.requested.entityId,
-                        requestedOIDCFlow: !!session.requested.oidc,
-                        oidcIdPRequest: (_l = session === null || session === void 0 ? void 0 : session.requested) === null || _l === void 0 ? void 0 : _l.oidcIdPRequest,
-                        profile,
-                        error,
-                        error_description,
-                        error_uri,
-                        session_state_from_op_error: session_state,
-                        scope_from_op_error: scope,
-                        stack,
-                        oidcTokenSet: { id_token: tokens === null || tokens === void 0 ? void 0 : tokens.id_token, access_token: tokens === null || tokens === void 0 ? void 0 : tokens.access_token },
-                    },
-                });
-                if (isSAMLFederated) {
-                    throw err;
-                }
-                return {
-                    redirect_url: OAuthErrorResponse({
-                        error: error || 'server_error',
-                        error_description: traceId ? `${traceId}: ${error_message}` : error_message,
-                        redirect_uri: redirect_uri,
-                        state: session.state,
-                    }),
-                };
-            }
-        });
-    }
-    // Build the authorization code for the session
-    _buildAuthorizationCode(connection, profile, session, isIdPFlow) {
-        return __awaiter(this, void 0, void 0, function* () {
-            // Store details against a code
-            const code = crypto.randomBytes(20).toString('hex');
-            const requested = isIdPFlow
-                ? { isIdPFlow: true, tenant: connection.tenant, product: connection.product }
-                : session
-                    ? session.requested
-                    : null;
-            const codeVal = {
-                profile,
-                clientID: connection.clientID,
-                clientSecret: connection.clientSecret,
-                requested,
-                isIdPFlow,
-            };
-            if (session) {
-                codeVal['session'] = session;
-            }
-            yield this.codeStore.put(code, codeVal);
-            return code;
-        });
-    }
-    /**
-     * @swagger
-     *
-     * /oauth/token:
-     *   post:
-     *     summary: Code exchange
-     *     operationId: oauth-code-exchange
-     *     tags:
-     *       - OAuth
-     *     consumes:
-     *       - application/x-www-form-urlencoded
-     *     parameters:
-     *       - name: grant_type
-     *         in: formData
-     *         type: string
-     *         description: Grant type should be 'authorization_code'
-     *         default: authorization_code
-     *         required: true
-     *       - name: client_id
-     *         in: formData
-     *         type: string
-     *         description: Use the client_id returned by the SAML connection API
-     *         required: true
-     *       - name: client_secret
-     *         in: formData
-     *         type: string
-     *         description: Use the client_secret returned by the SAML connection API
-     *         required: true
-     *       - name: code_verifier
-     *         in: formData
-     *         type: string
-     *         description: code_verifier against the code_challenge in the authz request (relevant to PKCE flow)
-     *       - name: redirect_uri
-     *         in: formData
-     *         type: string
-     *         description: Redirect URI
-     *         required: true
-     *       - name: code
-     *         in: formData
-     *         type: string
-     *         description: Code
-     *         required: true
-     *     responses:
-     *       '200':
-     *         description: Success
-     *         schema:
-     *           type: object
-     *           properties:
-     *             access_token:
-     *               type: string
-     *             token_type:
-     *               type: string
-     *             expires_in:
-     *               type: string
-     *           example:
-     *             access_token: 8958e13053832b5af58fdf2ee83f35f5d013dc74
-     *             token_type: bearer
-     *             expires_in: 300
-     */
-    token(body, authHeader) {
-        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
-            let basic_client_id;
-            let basic_client_secret;
-            try {
-                if (authHeader) {
-                    // Authorization: Basic {Base64(<client_id>:<client_secret>)}
-                    const base64Credentials = authHeader.split(' ')[1];
-                    const credentials = Buffer.from(base64Credentials, 'base64').toString('ascii');
-                    [basic_client_id, basic_client_secret] = credentials.split(':');
-                }
-                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-            }
-            catch (err) {
-                // no-op
-            }
-            const { code, grant_type = 'authorization_code', redirect_uri } = body;
-            const client_id = 'client_id' in body ? body.client_id : basic_client_id;
-            const client_secret = 'client_secret' in body ? body.client_secret : basic_client_secret;
-            const code_verifier = 'code_verifier' in body ? body.code_verifier : undefined;
-            metrics.increment('oauthToken');
-            if (grant_type !== 'authorization_code') {
-                throw new JacksonError('Unsupported grant_type', 400);
-            }
-            if (!code) {
-                throw new JacksonError('Please specify code', 400);
-            }
-            const codeVal = yield this.codeStore.get(code);
-            if (!codeVal || !codeVal.profile) {
-                throw new JacksonError('Invalid code', 403);
-            }
-            if ((_a = codeVal.requested) === null || _a === void 0 ? void 0 : _a.redirect_uri) {
-                if (redirect_uri !== codeVal.requested.redirect_uri) {
-                    throw new JacksonError(`Invalid request: ${!redirect_uri ? 'redirect_uri missing' : 'redirect_uri mismatch'}`, 400);
-                }
-            }
-            if (code_verifier) {
-                // PKCE flow
-                let cv = code_verifier;
-                if (((_b = codeVal.session.code_challenge_method) === null || _b === void 0 ? void 0 : _b.toLowerCase()) === 's256') {
-                    cv = codeVerifier.encode(code_verifier);
-                }
-                if (codeVal.session.code_challenge !== cv) {
-                    throw new JacksonError('Invalid code_verifier', 401);
-                }
-                // For Federation flow, we need to verify the client_secret
-                if (client_id === null || client_id === void 0 ? void 0 : client_id.startsWith(`${clientIDFederatedPrefix}${clientIDOIDCPrefix}`)) {
-                    if (client_id !== ((_d = (_c = codeVal.session) === null || _c === void 0 ? void 0 : _c.oidcFederated) === null || _d === void 0 ? void 0 : _d.clientID) ||
-                        client_secret !== ((_f = (_e = codeVal.session) === null || _e === void 0 ? void 0 : _e.oidcFederated) === null || _f === void 0 ? void 0 : _f.clientSecret)) {
-                        throw new JacksonError('Invalid client_id or client_secret', 401);
-                    }
-                }
-            }
-            else if (client_id && client_secret) {
-                // check if we have an encoded client_id
-                if (client_id !== 'dummy') {
-                    const sp = getEncodedTenantProduct(client_id);
-                    if (!sp) {
-                        // OAuth flow
-                        if (client_id !== codeVal.clientID || client_secret !== codeVal.clientSecret) {
-                            throw new JacksonError('Invalid client_id or client_secret', 401);
-                        }
-                    }
-                    else {
-                        if (!codeVal.isIdPFlow &&
-                            (sp.tenant !== ((_g = codeVal.requested) === null || _g === void 0 ? void 0 : _g.tenant) || sp.product !== ((_h = codeVal.requested) === null || _h === void 0 ? void 0 : _h.product))) {
-                            throw new JacksonError('Invalid tenant or product', 401);
-                        }
-                        // encoded client_id, verify client_secret
-                        if (client_secret !== this.opts.clientSecretVerifier) {
-                            throw new JacksonError('Invalid client_secret', 401);
-                        }
-                    }
-                }
-                else {
-                    if (client_secret !== this.opts.clientSecretVerifier && client_secret !== codeVal.clientSecret) {
-                        throw new JacksonError('Invalid client_secret', 401);
-                    }
-                }
-            }
-            else if (codeVal && codeVal.session) {
-                throw new JacksonError('Please specify client_secret or code_verifier', 401);
-            }
-            // store details against a token
-            const token = crypto.randomBytes(20).toString('hex');
-            const tokenVal = Object.assign(Object.assign({}, codeVal.profile), { requested: codeVal.requested });
-            const requestedOIDCFlow = !!((_j = codeVal.requested) === null || _j === void 0 ? void 0 : _j.oidc);
-            const requestHasNonce = !!((_k = codeVal.requested) === null || _k === void 0 ? void 0 : _k.nonce);
-            if (requestedOIDCFlow) {
-                const { jwtSigningKeys, jwsAlg } = (_l = this.opts.openid) !== null && _l !== void 0 ? _l : {};
-                if (!jwtSigningKeys || !isJWSKeyPairLoaded(jwtSigningKeys)) {
-                    throw new JacksonError('JWT signing keys are not loaded', 500);
-                }
-                let claims = requestHasNonce ? { nonce: codeVal.requested.nonce } : {};
-                claims = Object.assign(Object.assign({}, claims), { id: codeVal.profile.claims.id, email: codeVal.profile.claims.email, firstName: codeVal.profile.claims.firstName, lastName: codeVal.profile.claims.lastName, roles: codeVal.profile.claims.roles, groups: codeVal.profile.claims.groups });
-                const signingKey = yield loadJWSPrivateKey(jwtSigningKeys.private, jwsAlg);
-                const kid = yield computeKid(jwtSigningKeys.public, jwsAlg);
-                const id_token = yield new jose.SignJWT(claims)
-                    .setProtectedHeader({ alg: jwsAlg, kid })
-                    .setIssuedAt()
-                    .setIssuer(this.opts.externalUrl)
-                    .setSubject(codeVal.profile.claims.id)
-                    .setAudience(tokenVal.requested.client_id)
-                    .setExpirationTime(`${this.opts.db.ttl}s`) //  identity token only really needs to be valid long enough for it to be verified by the client application.
-                    .sign(signingKey);
-                tokenVal.id_token = id_token;
-                tokenVal.claims.sub = codeVal.profile.claims.id;
-            }
-            yield this.tokenStore.put(token, tokenVal);
-            // delete the code
-            try {
-                yield this.codeStore.delete(code);
-                // eslint-disable-next-line @typescript-eslint/no-unused-vars
-            }
-            catch (_err) {
-                // ignore error
-            }
-            const tokenResponse = {
-                access_token: token,
-                token_type: 'bearer',
-                expires_in: this.opts.db.ttl,
-            };
-            if (requestedOIDCFlow) {
-                tokenResponse.id_token = tokenVal.id_token;
-            }
-            return tokenResponse;
-        });
-    }
-    /**
-     * @swagger
-     *
-     * /oauth/userinfo:
-     *   get:
-     *     summary: Get profile
-     *     operationId: oauth-get-profile
-     *     tags:
-     *       - OAuth
-     *     responses:
-     *       '200':
-     *         description: Success
-     *         schema:
-     *           type: object
-     *           properties:
-     *             id:
-     *               type: string
-     *             email:
-     *               type: string
-     *             firstName:
-     *               type: string
-     *             lastName:
-     *               type: string
-     *             roles:
-     *               type: array
-     *               items:
-     *                 type: string
-     *             groups:
-     *               type: array
-     *               items:
-     *                 type: string
-     *             raw:
-     *               type: object
-     *             requested:
-     *               type: object
-     *           example:
-     *             id: 32b5af58fdf
-     *             email: jackson@coolstartup.com
-     *             firstName: SAML
-     *             lastName: Jackson
-     *             raw: {
-     *
-     *             }
-     *             requested: {
-     *
-     *             }
-     */
-    userInfo(token) {
-        return __awaiter(this, void 0, void 0, function* () {
-            const rsp = yield this.tokenStore.get(token);
-            metrics.increment('oauthUserInfo');
-            if (!rsp || !rsp.claims) {
-                throw new JacksonError('Invalid token', 403);
-            }
-            return Object.assign(Object.assign({}, rsp.claims), { requested: rsp.requested });
-        });
-    }
-}
-//# sourceMappingURL=oauth.js.map