@deque/axe-auth 1.1.0-next.fb07beab → 1.1.0-next.fea0aa8a

package/dist/oauth/authorize.d.ts

@@ -0,0 +1,53 @@
+import type { TokenSet } from "./tokenResponse";
+import { type TokenStore } from "./tokenStore";
+/** Options for `authorize`. */
+export interface AuthorizeOptions {
+    /** Issuer URL the OIDC discovery document advertises (e.g. `${serverURL}/realms/${realm}` for Keycloak). */
+    issuerURL: string;
+    /** OAuth client ID registered with the authorization server. */
+    clientId: string;
+    /** Persisted alongside the tokens so future verbs can re-discover `/api/sso-config` without flags. */
+    walnutURL: string;
+    /** OAuth scopes to request. Keycloak callers typically pass `["offline_access"]` for a refresh token. */
+    scopes: readonly string[];
+    /** Max time to wait for the loopback callback, in milliseconds. */
+    timeoutMs?: number;
+    /** Aborts the in-flight discovery, callback wait, and token exchange. */
+    signal?: AbortSignal;
+    /** Override for the token persistence layer. */
+    tokenStore?: TokenStore;
+    /** Override for the system browser launcher. Injected for tests. */
+    openBrowser?: (url: string) => void;
+    /** Called with the authorization URL just before the browser launch. Default prints to stderr only when stderr is a TTY. */
+    onAuthorizationUrl?: (url: string) => void;
+    /**
+     * Called for soft warnings (e.g. requested `offline_access` but the
+     * server returned no refresh token, or the browser failed to
+     * launch). Default prints to stderr only when stderr is a TTY.
+     * Non-TTY callers who want warning visibility should pass an
+     * explicit handler — dropped warnings have no symptom at the time
+     * they fire; users discover the consequence later.
+     */
+    onWarning?: (message: string) => void;
+    /** Forwarded to discovery; permits non-loopback http issuers + endpoints. */
+    allowInsecureIssuer?: boolean;
+}
+/**
+ * Runs the full OAuth 2.0 Authorization Code + PKCE flow (RFC 6749 +
+ * RFC 7636): discovery, PKCE + state generation, loopback callback
+ * server, browser launch, code → token exchange, and keychain
+ * persistence.
+ *
+ * Note on identity: this library uses the OIDC discovery well-known
+ * path as a convention (most OAuth 2.0 providers expose it) but does
+ * *not* perform OIDC-strength identity validation — no id_token
+ * parsing, nonce checks, or JWKS signature verification. Callers
+ * needing authenticated identity claims should layer that on top.
+ *
+ * @returns The `TokenSet` on success. Also persisted via `tokenStore`.
+ *   `refreshToken` will be absent if the requested scopes did not
+ *   include `offline_access` (or the provider's equivalent).
+ * @throws {OAuthFlowError} For discovery, token-exchange, or keychain failures.
+ * @throws {OAuthCallbackError} For loopback/callback-server failures.
+ */
+export declare function authorize(options: AuthorizeOptions): Promise<TokenSet>;

package/dist/oauth/authorize.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authorize = authorize;
+const callbackServer_1 = require("./callbackServer");
+const discoverOIDC_1 = require("./discoverOIDC");
+const pkce_1 = require("./pkce");
+const authorizationURL_1 = require("./authorizationURL");
+const openBrowser_1 = require("./openBrowser");
+const tokenExchange_1 = require("./tokenExchange");
+const tokenStore_1 = require("./tokenStore");
+const errors_1 = require("./errors");
+function defaultOnAuthorizationUrl(url) {
+    if (process.stderr.isTTY) {
+        console.error(`Authorization URL: ${url}`);
+    }
+}
+function defaultOnWarning(message) {
+    if (process.stderr.isTTY) {
+        console.error(`axe-auth: ${message}`);
+    }
+}
+/**
+ * Runs the full OAuth 2.0 Authorization Code + PKCE flow (RFC 6749 +
+ * RFC 7636): discovery, PKCE + state generation, loopback callback
+ * server, browser launch, code → token exchange, and keychain
+ * persistence.
+ *
+ * Note on identity: this library uses the OIDC discovery well-known
+ * path as a convention (most OAuth 2.0 providers expose it) but does
+ * *not* perform OIDC-strength identity validation — no id_token
+ * parsing, nonce checks, or JWKS signature verification. Callers
+ * needing authenticated identity claims should layer that on top.
+ *
+ * @returns The `TokenSet` on success. Also persisted via `tokenStore`.
+ *   `refreshToken` will be absent if the requested scopes did not
+ *   include `offline_access` (or the provider's equivalent).
+ * @throws {OAuthFlowError} For discovery, token-exchange, or keychain failures.
+ * @throws {OAuthCallbackError} For loopback/callback-server failures.
+ */
+async function authorize(options) {
+    const { issuerURL, clientId, walnutURL, scopes, timeoutMs, signal, tokenStore = new tokenStore_1.KeyringTokenStore(), openBrowser = openBrowser_1.openBrowser, onAuthorizationUrl = defaultOnAuthorizationUrl, onWarning = defaultOnWarning, allowInsecureIssuer, } = options;
+    // Discovery before browser-launch so a bad URL surfaces as a
+    // throw rather than a wrong/unreachable browser tab.
+    const config = await (0, discoverOIDC_1.discoverOIDC)(issuerURL, {
+        signal,
+        allowInsecureIssuer,
+    });
+    const codeVerifier = (0, pkce_1.generateCodeVerifier)();
+    const codeChallenge = (0, pkce_1.deriveCodeChallenge)(codeVerifier);
+    const state = (0, pkce_1.generateState)();
+    const callback = await (0, callbackServer_1.startCallbackServer)({
+        expectedState: state,
+        timeoutMs,
+        signal,
+    });
+    try {
+        const authURL = (0, authorizationURL_1.buildAuthorizationURL)({
+            authorizationEndpoint: config.authorizationEndpoint,
+            clientId,
+            redirectUri: callback.redirectUri,
+            codeChallenge,
+            state,
+            scopes,
+        });
+        // Surface before launch so the URL is always visible even if the
+        // browser spawn fails (or never does anything useful, e.g. on a
+        // headless box).
+        onAuthorizationUrl(authURL);
+        try {
+            openBrowser(authURL);
+        }
+        catch (err) {
+            // Only swallow the "could not launch browser" case: the URL was
+            // already surfaced via onAuthorizationUrl so the user can
+            // complete the flow manually. Any other error (a bug in an
+            // injected openBrowser, an unexpected throw) must propagate so
+            // callers and tests can see it.
+            if (err instanceof errors_1.OAuthFlowError &&
+                err.code === "BROWSER_LAUNCH_FAILED") {
+                onWarning(err.message);
+            }
+            else {
+                throw err;
+            }
+        }
+        const { code } = await callback.result;
+        const tokens = await (0, tokenExchange_1.exchangeCodeForTokens)({
+            tokenEndpoint: config.tokenEndpoint,
+            clientId,
+            code,
+            codeVerifier,
+            redirectUri: callback.redirectUri,
+            signal,
+        });
+        // If the caller requested offline_access but no refresh_token
+        // came back, warn. Prefer the server's reported `grantedScope`
+        // when present (RFC 6749 §5.1) since the provider's consent
+        // screen may have dropped the scope.
+        if (scopes.includes("offline_access") && !tokens.refreshToken) {
+            const grantedSuffix = tokens.grantedScope
+                ? ` (server granted: ${tokens.grantedScope})`
+                : "";
+            onWarning(`'offline_access' was requested but no refresh_token was returned${grantedSuffix}. Cross-session refresh will not be available.`);
+        }
+        await tokenStore.save({
+            tokens,
+            issuerURL,
+            clientId,
+            allowInsecureIssuer: allowInsecureIssuer ?? false,
+            walnutURL,
+        });
+        return tokens;
+    }
+    finally {
+        await callback.close();
+    }
+}

package/dist/oauth/discoverOIDC.d.ts

@@ -0,0 +1,33 @@
+/** Subset of the OIDC discovery document that this package consumes. */
+export interface OIDCConfiguration {
+    /** Issuer identifier. Same value the authorization server will claim in tokens. */
+    issuer: string;
+    /** Endpoint the browser is redirected to for authorization. */
+    authorizationEndpoint: string;
+    /** Endpoint for code → token exchange and refresh-token grants. */
+    tokenEndpoint: string;
+    /** Present on most providers (Keycloak, Auth0); OIDC spec does not require it. */
+    revocationEndpoint?: string;
+    /** Present on providers that implement RP-initiated logout (OIDC session management). */
+    endSessionEndpoint?: string;
+}
+/** Options for `discoverOIDC`. */
+export interface DiscoverOIDCOptions {
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+    /** Permit non-HTTPS issuer URLs whose host is not a loopback literal. Default `false`. */
+    allowInsecureIssuer?: boolean;
+}
+/**
+ * Fetches and parses the OIDC discovery document. Fails fast (no
+ * retry) so the caller does not open a browser against an unreachable
+ * authorization server. Verifies the server's claimed `issuer` matches
+ * the input URL per OIDC Discovery §3 — without this, a hostile
+ * discovery response could redirect the authorization and token
+ * endpoints to attacker hosts.
+ *
+ * Uses the OIDC well-known path as a convention; does not perform
+ * OIDC-strength identity validation (no id_token / nonce / signature
+ * checks). Callers needing identity assurance should layer that on top.
+ */
+export declare function discoverOIDC(issuerURL: string, options?: DiscoverOIDCOptions): Promise<OIDCConfiguration>;

package/dist/oauth/discoverOIDC.js

@@ -0,0 +1,144 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOIDC = discoverOIDC;
+const errors_1 = require("./errors");
+const issuerURL_1 = require("./issuerURL");
+const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
+function optionalString(v) {
+    return (0, predicates_1.isNonEmptyString)(v) ? v : undefined;
+}
+/** Throws `DISCOVERY_FAILED` if `url` is not safe to transmit OAuth secrets over. */
+function assertSecureURL(url, label, allowInsecurePermitted) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `${label} is not a valid URL: ${url}`);
+    }
+    if (parsed.protocol === "https:")
+        return;
+    if (parsed.protocol === "http:") {
+        const host = parsed.host.toLowerCase();
+        // Keycloak on localhost:8080 → host === "localhost:8080"; strip
+        // the port for the loopback check.
+        const hostname = host.replace(/:\d+$/, "");
+        if (LOOPBACK_HOSTS.has(hostname))
+            return;
+        if (allowInsecurePermitted)
+            return;
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Refusing to use ${label} over http:// against non-loopback host ${parsed.host}. Use https:// or pass allowInsecureIssuer: true to override (only do this on trusted networks).`);
+    }
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported ${label} scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
+}
+function buildDiscoveryURL(issuerURL) {
+    // URL parsing (rather than concat) so the path lands on `pathname`
+    // even if the input has a query string or fragment. `normalizeIssuerURL`
+    // strips those, but defense in depth.
+    const normalized = new URL((0, issuerURL_1.normalizeIssuerURL)(issuerURL));
+    normalized.search = "";
+    normalized.hash = "";
+    normalized.pathname = `${normalized.pathname.replace(/\/$/, "")}/.well-known/openid-configuration`;
+    return normalized.toString();
+}
+function parseConfiguration(body, url) {
+    const missing = [];
+    if (!(0, predicates_1.isNonEmptyString)(body.issuer))
+        missing.push("issuer");
+    if (!(0, predicates_1.isNonEmptyString)(body.authorization_endpoint)) {
+        missing.push("authorization_endpoint");
+    }
+    if (!(0, predicates_1.isNonEmptyString)(body.token_endpoint))
+        missing.push("token_endpoint");
+    if (missing.length > 0) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} is missing required field(s): ${missing.join(", ")}`);
+    }
+    return {
+        issuer: body.issuer,
+        authorizationEndpoint: body.authorization_endpoint,
+        tokenEndpoint: body.token_endpoint,
+        revocationEndpoint: optionalString(body.revocation_endpoint),
+        endSessionEndpoint: optionalString(body.end_session_endpoint),
+    };
+}
+/**
+ * `code_challenge_methods_supported` is OPTIONAL in OIDC discovery —
+ * absence is fine (older providers don't advertise). But when the
+ * list is present and excludes `S256` (the only method this CLI
+ * uses, per RFC 7636), fail fast with an actionable message.
+ */
+function assertPKCESupport(body, url) {
+    const methods = body.code_challenge_methods_supported;
+    if (!Array.isArray(methods))
+        return;
+    if (methods.includes("S256"))
+        return;
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} advertises code_challenge_methods_supported = ${JSON.stringify(methods)}, but axe-auth requires S256 (PKCE per RFC 7636). The OAuth client used by axe-auth needs PKCE enabled, or you may be on an axe server version that predates OAuth-based MCP authentication.`);
+}
+/**
+ * Fetches and parses the OIDC discovery document. Fails fast (no
+ * retry) so the caller does not open a browser against an unreachable
+ * authorization server. Verifies the server's claimed `issuer` matches
+ * the input URL per OIDC Discovery §3 — without this, a hostile
+ * discovery response could redirect the authorization and token
+ * endpoints to attacker hosts.
+ *
+ * Uses the OIDC well-known path as a convention; does not perform
+ * OIDC-strength identity validation (no id_token / nonce / signature
+ * checks). Callers needing identity assurance should layer that on top.
+ */
+async function discoverOIDC(issuerURL, options = {}) {
+    const allowInsecure = options.allowInsecureIssuer ?? false;
+    assertSecureURL(issuerURL, "issuer URL", allowInsecure);
+    const url = buildDiscoveryURL(issuerURL);
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the authentication server at ${url}. Check the URL and your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Authentication server at ${url} responded with HTTP ${response.status}. Check the issuer URL.`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Authentication server at ${url} did not return a valid JSON OpenID configuration`, { cause });
+    }
+    if (body === null || typeof body !== "object") {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `OpenID configuration at ${url} was not a JSON object`);
+    }
+    const config = parseConfiguration(body, url);
+    // OIDC Discovery §3: the `issuer` value returned MUST equal the URL
+    // the client used for discovery. Without this check (and without
+    // id_token signature validation, which this library does not do),
+    // a hostile discovery response could redirect the authorization and
+    // token endpoints to attacker hosts while still appearing to come
+    // from the legitimate origin.
+    if ((0, issuerURL_1.normalizeIssuerURL)(config.issuer) !== (0, issuerURL_1.normalizeIssuerURL)(issuerURL)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Issuer mismatch: requested ${issuerURL} but discovery document claims ${config.issuer}`);
+    }
+    // Enforce scheme on the endpoints the flow actually hits. A tampered
+    // discovery response could claim the legitimate issuer while
+    // returning http://... for authorization_endpoint or token_endpoint,
+    // which would leak the auth code + PKCE verifier to a cleartext
+    // path. Same loopback / allowInsecureIssuer policy as the input.
+    assertSecureURL(config.authorizationEndpoint, "authorization_endpoint", allowInsecure);
+    assertSecureURL(config.tokenEndpoint, "token_endpoint", allowInsecure);
+    if (config.revocationEndpoint) {
+        assertSecureURL(config.revocationEndpoint, "revocation_endpoint", allowInsecure);
+    }
+    if (config.endSessionEndpoint) {
+        assertSecureURL(config.endSessionEndpoint, "end_session_endpoint", allowInsecure);
+    }
+    assertPKCESupport(body, url);
+    return config;
+}

package/dist/oauth/discoverSSOConfig.d.ts

@@ -0,0 +1,37 @@
+/** Subset of `/api/sso-config` this package consumes. */
+export interface SSOConfig {
+    /** Keycloak base URL, e.g. `https://auth.example.com`. */
+    url: string;
+    /** Keycloak realm name. */
+    realm: string;
+    /** OAuth client ID for the axe-auth CLI. */
+    mcpClientId: string;
+}
+/** Options for `discoverSSOConfig`. */
+export interface DiscoverSSOConfigOptions {
+    /** Aborts the underlying fetch when fired. */
+    signal?: AbortSignal;
+    /** Permit non-HTTPS axe server URLs whose host is not a loopback literal. Default `false`. */
+    allowInsecure?: boolean;
+}
+/**
+ * Fetches and parses the axe server's `/api/sso-config` discovery
+ * endpoint. Used by `axe-auth login` to derive the OAuth issuer URL,
+ * realm, and CLI-specific client ID from the axe server URL the user
+ * supplied (or the SaaS prod default), so users no longer have to know
+ * the underlying Keycloak coordinates.
+ *
+ * Distinguishes three failure shapes for the operator-relevant cases:
+ *
+ * - `mcpClientId` field absent: the axe server deployment predates the
+ *   field entirely. Surfaces as "needs upgrading".
+ * - `mcpClientId` is `null`: the axe server version supports the field
+ *   but the operator has not configured `KEYCLOAK_MCP_PUBLIC_CLIENT_ID`.
+ *   Surfaces as "ask the operator to configure".
+ * - any non-empty string: returned as-is.
+ *
+ * Other failure modes (unreachable, non-2xx, malformed JSON, missing
+ * `url` / `realm`) all map to `DISCOVERY_FAILED` with a descriptive
+ * message. The caller is expected to surface these errors verbatim.
+ */
+export declare function discoverSSOConfig(serverURL: string, options?: DiscoverSSOConfigOptions): Promise<SSOConfig>;

package/dist/oauth/discoverSSOConfig.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverSSOConfig = discoverSSOConfig;
+const errors_1 = require("./errors");
+const predicates_1 = require("./predicates");
+const userAgent_1 = require("../userAgent");
+const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
+function assertSecureServerURL(serverURL, allowInsecure) {
+    let parsed;
+    try {
+        parsed = new URL(serverURL);
+    }
+    catch {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server URL is not a valid URL: ${serverURL}`);
+    }
+    if (parsed.protocol === "https:")
+        return parsed;
+    if (parsed.protocol === "http:") {
+        const hostname = parsed.host.toLowerCase().replace(/:\d+$/, "");
+        if (LOOPBACK_HOSTS.has(hostname))
+            return parsed;
+        if (allowInsecure)
+            return parsed;
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Refusing to use axe server URL over http:// against non-loopback host ${parsed.host}. Use https:// or pass --allow-insecure-issuer to override (only do this on trusted networks).`);
+    }
+    throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Unsupported axe server URL scheme '${parsed.protocol}'; expected https: or http: (loopback only).`);
+}
+function buildSSOConfigURL(parsed) {
+    const copy = new URL(parsed.toString());
+    copy.search = "";
+    copy.hash = "";
+    copy.pathname = `${copy.pathname.replace(/\/+$/, "")}/api/sso-config`;
+    return copy.toString();
+}
+/**
+ * Fetches and parses the axe server's `/api/sso-config` discovery
+ * endpoint. Used by `axe-auth login` to derive the OAuth issuer URL,
+ * realm, and CLI-specific client ID from the axe server URL the user
+ * supplied (or the SaaS prod default), so users no longer have to know
+ * the underlying Keycloak coordinates.
+ *
+ * Distinguishes three failure shapes for the operator-relevant cases:
+ *
+ * - `mcpClientId` field absent: the axe server deployment predates the
+ *   field entirely. Surfaces as "needs upgrading".
+ * - `mcpClientId` is `null`: the axe server version supports the field
+ *   but the operator has not configured `KEYCLOAK_MCP_PUBLIC_CLIENT_ID`.
+ *   Surfaces as "ask the operator to configure".
+ * - any non-empty string: returned as-is.
+ *
+ * Other failure modes (unreachable, non-2xx, malformed JSON, missing
+ * `url` / `realm`) all map to `DISCOVERY_FAILED` with a descriptive
+ * message. The caller is expected to surface these errors verbatim.
+ */
+async function discoverSSOConfig(serverURL, options = {}) {
+    const allowInsecure = options.allowInsecure ?? false;
+    const parsed = assertSecureServerURL(serverURL, allowInsecure);
+    const url = buildSSOConfigURL(parsed);
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: { "User-Agent": userAgent_1.USER_AGENT },
+            signal: options.signal,
+        });
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `Could not reach the axe server at ${url}. Check the --server URL and your network connection.`, { cause });
+    }
+    if (!response.ok) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} responded with HTTP ${response.status}. Check the --server URL.`);
+    }
+    let body;
+    try {
+        body = await response.json();
+    }
+    catch (cause) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} did not return valid JSON.`, { cause });
+    }
+    if (body === null || typeof body !== "object" || Array.isArray(body)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${url} returned a non-object response body.`);
+    }
+    const raw = body;
+    const missing = [];
+    if (!(0, predicates_1.isNonEmptyString)(raw.url))
+        missing.push("url");
+    if (!(0, predicates_1.isNonEmptyString)(raw.realm))
+        missing.push("realm");
+    if (missing.length > 0) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `${url} is missing required field(s): ${missing.join(", ")}`);
+    }
+    if (!("mcpClientId" in raw)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} does not advertise OAuth-based MCP authentication. The deployment may need to be upgraded to a version that supports the axe-auth CLI.`);
+    }
+    if (raw.mcpClientId === null) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} has not been configured for OAuth-based MCP authentication. Ask your operator to set the KEYCLOAK_MCP_PUBLIC_CLIENT_ID environment variable on the axe server.`);
+    }
+    if (!(0, predicates_1.isNonEmptyString)(raw.mcpClientId)) {
+        throw new errors_1.OAuthFlowError("DISCOVERY_FAILED", `axe server at ${serverURL} returned a malformed mcpClientId (expected a non-empty string).`);
+    }
+    return {
+        url: raw.url,
+        realm: raw.realm,
+        mcpClientId: raw.mcpClientId,
+    };
+}

package/dist/oauth/errors.d.ts

@@ -1,3 +1,4 @@
+/** Error codes raised by the loopback callback server. */
 export type OAuthCallbackErrorCode = 
 /** No callback arrived within `timeoutMs`; a retry is reasonable. */
 "TIMEOUT"
@@ -11,12 +12,66 @@ export type OAuthCallbackErrorCode =
  | "BIND_FAILED"
 /** Caller's `AbortSignal` fired. Expected; no user-facing message. */
  | "ABORTED";
-export type OAuthCallbackErrorOptions = {
+/** Options for `OAuthCallbackError`. */
+export interface OAuthCallbackErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
     details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
     cause?: unknown;
-};
+}
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
 export declare class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
     readonly code: OAuthCallbackErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
     readonly details?: Record<string, string>;
     constructor(code: OAuthCallbackErrorCode, message: string, options?: OAuthCallbackErrorOptions);
 }
+/** Error codes raised by the OAuth flow orchestrator and its helpers. */
+export type OAuthFlowErrorCode = 
+/** OIDC discovery could not reach or parse the authorization server. No browser was opened. */
+"DISCOVERY_FAILED"
+/** Could not launch the system browser. User should be told to open the URL manually. */
+ | "BROWSER_LAUNCH_FAILED"
+/** Authorization code → token exchange was rejected by the authorization server. */
+ | "TOKEN_EXCHANGE_FAILED"
+/** System keychain is unavailable (e.g. no D-Bus secret service on Linux). */
+ | "KEYRING_UNAVAILABLE"
+/** OAuth blob is too large for the OS keystore (Windows Credential Manager: 2560 UTF-16 chars per entry, MAX_CHUNKS chunks max). The keystore itself is healthy; the IDP is issuing tokens with too many claims. */
+ | "TOKEN_TOO_LARGE"
+/** Authorization endpoint returned by discovery cannot be used (e.g. already carries an OAuth-required param). Server misconfiguration. */
+ | "INVALID_AUTHORIZATION_ENDPOINT"
+/** No usable stored credentials; the user needs to run `login` to re-authenticate. Covers empty / corrupt / version-mismatched store and refresh tokens the authorization server has revoked. */
+ | "NOT_AUTHENTICATED";
+/** Options for `OAuthFlowError`. */
+export interface OAuthFlowErrorOptions {
+    /** Structured metadata for callers that want to surface specific fields. */
+    details?: Record<string, string>;
+    /** Underlying error that triggered this failure. */
+    cause?: unknown;
+}
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+export declare class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    readonly code: OAuthFlowErrorCode;
+    /** Structured metadata carried alongside the error, if any. */
+    readonly details?: Record<string, string>;
+    constructor(code: OAuthFlowErrorCode, message: string, options?: OAuthFlowErrorOptions);
+}

package/dist/oauth/errors.js

@@ -1,8 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.OAuthCallbackError = void 0;
+exports.OAuthFlowError = exports.OAuthCallbackError = void 0;
+/**
+ * Error raised by the loopback callback server when the authorization
+ * response cannot be consumed (timeout, state mismatch, provider error,
+ * malformed response, bind failure, or caller abort).
+ */
 class OAuthCallbackError extends Error {
+    /** Discriminator for programmatic handling. */
     code;
+    /** Structured metadata carried alongside the error, if any. */
     details;
     constructor(code, message, options = {}) {
         super(message, { cause: options.cause });
@@ -12,3 +19,30 @@ class OAuthCallbackError extends Error {
     }
 }
 exports.OAuthCallbackError = OAuthCallbackError;
+/**
+ * Error raised by anything in the OAuth flow outside the callback
+ * server itself: OIDC discovery, browser launch, token exchange, or
+ * keychain access.
+ *
+ * **Logging note.** For code `TOKEN_EXCHANGE_FAILED`, `message` may
+ * include the authorization server's `error_description`, which is
+ * free-form text the server controls and could plausibly contain
+ * user-identifying or otherwise sensitive information. Prefer
+ * structured logging via the discriminated `code` and the explicit
+ * `details` fields; avoid echoing the raw `message` (or the result
+ * of `console.error(err)`, which includes it) into shared log sinks
+ * without a redaction step.
+ */
+class OAuthFlowError extends Error {
+    /** Discriminator for programmatic handling. */
+    code;
+    /** Structured metadata carried alongside the error, if any. */
+    details;
+    constructor(code, message, options = {}) {
+        super(message, { cause: options.cause });
+        this.name = "OAuthFlowError";
+        this.code = code;
+        this.details = options.details;
+    }
+}
+exports.OAuthFlowError = OAuthFlowError;

package/dist/oauth/getValidAccessToken.d.ts

@@ -0,0 +1,54 @@
+import { type LoadResult, type TokenStore } from "./tokenStore";
+/** Options for `getValidAccessToken`. */
+export interface GetValidAccessTokenOptions {
+    /** OIDC issuer URL. Must match the stored entry's `issuerURL`; mismatch throws NOT_AUTHENTICATED. */
+    issuerURL: string;
+    /** OAuth client identifier. Must match the stored entry's `clientId`; same mismatch behavior as `issuerURL`. */
+    clientId: string;
+    /**
+     * How close to expiry preemptive refresh kicks in, in ms. Default
+     * 60_000. Buffer covers clock skew vs. the server. Assumes
+     * access-token TTL ≫ this; otherwise every call refreshes.
+     */
+    expiryBufferMs?: number;
+    /** Override for the token store. */
+    tokenStore?: TokenStore;
+    /** Pre-loaded `tokenStore.load()` result so the dispatcher's keychain read isn't repeated. */
+    loadedEntry?: LoadResult;
+    /** Aborts discovery + the refresh POST when fired. */
+    signal?: AbortSignal;
+    /** Forwarded to discovery; permits non-loopback http. */
+    allowInsecureIssuer?: boolean;
+    /** Called for soft warnings (e.g. rotated tokens couldn't be persisted — see HAZARD note in the body). Default prints to stderr only when stderr is a TTY. */
+    onWarning?: (message: string) => void;
+    /** Source of `now`. Defaults to `Date.now`. Injected for test determinism. */
+    now?: () => number;
+}
+/**
+ * Returns a currently-valid access token string for the given issuer,
+ * refreshing via the stored refresh token if the cached access token
+ * is within `expiryBufferMs` of expiring (or already expired).
+ *
+ * Throws `OAuthFlowError("NOT_AUTHENTICATED", ...)` when the user
+ * must re-run `axe-auth login` — covers an empty / corrupt /
+ * version-mismatched store, an expired access token with no refresh
+ * token to rotate with, and a refresh attempt rejected with
+ * `invalid_grant` (which also clears the stored tokens).
+ *
+ * Throws `OAuthFlowError("TOKEN_EXCHANGE_FAILED", ...)` for transient
+ * failures during refresh (network errors, 5xx, malformed responses)
+ * and leaves the stored tokens intact so a retry is possible.
+ *
+ * Throws `OAuthFlowError("DISCOVERY_FAILED", ...)` when the issuer
+ * URL cannot be reached or parsed at refresh time.
+ *
+ * **Concurrency note.** Not safe against parallel invocations for
+ * the same issuer. Keycloak rotates refresh tokens by default; if
+ * two parallel calls both land on the refresh path, only one
+ * winner's rotated refresh token will be persisted and the loser's
+ * rotated token is stranded. The intended consumer is the
+ * `axe-auth token` CLI (a one-shot), so this is fine in context;
+ * per-request callers should wrap in an in-flight-Promise singleton
+ * keyed by issuer.
+ */
+export declare function getValidAccessToken(options: GetValidAccessTokenOptions): Promise<string>;