@dereekb/dbx-firebase 13.11.3 → 13.11.5

package/fesm2022/dereekb-dbx-firebase-oidc.mjs

@@ -1,17 +1,18 @@
 import * as i0 from '@angular/core';
-import { input, computed, output, ChangeDetectionStrategy, Component, inject, Injectable, signal, effect, Directive, provideAppInitializer, makeEnvironmentProviders } from '@angular/core';
-import * as i1$1 from '@dereekb/dbx-web';
-import { DbxBasicLoadingComponent, DbxErrorComponent, DbxButtonComponent, DbxAvatarComponent, DbxLoadingComponent, DbxButtonSpacerDirective, AbstractDbxSelectionListWrapperDirective, DbxListWrapperComponentImportsModule, provideDbxListViewWrapper, DEFAULT_LIST_WRAPPER_COMPONENT_CONFIGURATION_TEMPLATE, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewComponentImportsModule, provideDbxListView, DEFAULT_DBX_SELECTION_VALUE_LIST_COMPONENT_CONFIGURATION_TEMPLATE, AbstractDbxValueListViewItemComponent, DbxActionSnackbarErrorDirective, DbxContentPitDirective, DbxDetailBlockComponent, DbxClickToCopyTextComponent, DbxActionConfirmDirective } from '@dereekb/dbx-web';
+import { input, computed, output, ChangeDetectionStrategy, Component, inject, Injectable, signal, effect, Directive, viewChild, provideAppInitializer, makeEnvironmentProviders } from '@angular/core';
+import * as i1 from '@dereekb/dbx-web';
+import { DbxBasicLoadingComponent, DbxErrorComponent, DbxButtonComponent, DbxAvatarComponent, DbxButtonSpacerDirective, DbxActionSnackbarErrorDirective, AbstractDbxSelectionListWrapperDirective, DbxListWrapperComponentImportsModule, DEFAULT_LIST_WRAPPER_COMPONENT_CONFIGURATION_TEMPLATE, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewComponentImportsModule, provideDbxListView, DEFAULT_DBX_SELECTION_VALUE_LIST_COMPONENT_CONFIGURATION_TEMPLATE, AbstractDbxValueListViewItemComponent, provideDbxListViewWrapper, DbxSpacerDirective, DbxActionConfirmDirective, DbxContentPitDirective, DbxDetailBlockComponent, DbxClickToCopyTextComponent } from '@dereekb/dbx-web';
 import { readableError, SPACE_STRING_SPLIT_JOIN, separateValues, generatePkceCodeVerifier, generatePkceCodeChallenge } from '@dereekb/util';
-import { DbxInjectionComponent, DBX_INJECTION_COMPONENT_DATA, DbxRouterService, dbxRouteParamReaderInstance, completeOnDestroy, DbxActionDirective, DbxActionEnforceModifiedDirective, DbxActionHandlerDirective, DbxActionButtonDirective, DbxAppAuthRouterService } from '@dereekb/dbx-core';
+import { DbxInjectionComponent, DbxActionDirective, DbxActionHandlerDirective, DbxActionValueDirective, DbxActionButtonDirective, DBX_INJECTION_COMPONENT_DATA, DbxRouterService, dbxRouteParamReaderInstance, completeOnDestroy, DbxActionEnforceModifiedDirective, DbxAppAuthRouterService } from '@dereekb/dbx-core';
+import { of, map, first, switchMap, tap, BehaviorSubject } from 'rxjs';
+import * as i1$1 from '@dereekb/dbx-form';
+import { dbxForgeListSelectionField, AbstractConfigAsyncForgeFormDirective, DbxForgeFormComponentImportsModule, dbxForgeFormComponentProviders, DBX_FORGE_FORM_COMPONENT_TEMPLATE, DbxActionFormDirective, dbxForgeValueSelectionField, dbxForgeTextField, dbxForgeSearchableStringChipField, isWebsiteUrlValidator, dbxForgeContainer, dbxForgePickableChipField, pickableValueFieldValuesConfigForStaticLabeledValues, DbxFormSourceDirective, DbxFormValueChangeDirective } from '@dereekb/dbx-form';
+import { successResult } from '@dereekb/rxjs';
 import { toSignal } from '@angular/core/rxjs-interop';
-import { DbxFirebaseAuthService, AbstractDbxFirebaseDocumentStore, firebaseDocumentStoreCreateFunction, firebaseDocumentStoreUpdateFunction, firebaseDocumentStoreDeleteFunction, AbstractDbxFirebaseCollectionStore, DbxFirebaseCollectionStoreDirective, provideDbxFirebaseCollectionStoreDirective, DbxFirebaseDocumentStoreDirective, provideDbxFirebaseDocumentStoreDirective } from '@dereekb/dbx-firebase';
+import { DbxFirebaseAuthService, AbstractDbxFirebaseDocumentStore, firebaseDocumentStoreCreateFunction, firebaseDocumentStoreUpdateFunction, firebaseDocumentStoreDeleteFunction, AbstractDbxFirebaseCollectionStore, DbxFirebaseCollectionStoreDirective, provideDbxFirebaseCollectionStoreDirective, DbxFirebaseCollectionListDirective, DbxFirebaseCollectionChangeDirective, DbxFirebaseDocumentStoreDirective, provideDbxFirebaseDocumentStoreDirective } from '@dereekb/dbx-firebase';
 import { HttpClient } from '@angular/common/http';
-import { first, switchMap, of, map, BehaviorSubject, tap } from 'rxjs';
-import * as i1 from '@dereekb/dbx-form';
-import { dbxForgeValueSelectionField, dbxForgeTextField, dbxForgeSearchableStringChipField, isWebsiteUrlValidator, dbxForgeContainer, dbxForgePickableChipField, pickableValueFieldValuesConfigForStaticLabeledValues, AbstractConfigAsyncForgeFormDirective, DbxForgeFormComponentImportsModule, dbxForgeFormComponentProviders, DBX_FORGE_FORM_COMPONENT_TEMPLATE, DbxActionFormDirective, DbxFormSourceDirective, DbxFormValueChangeDirective } from '@dereekb/dbx-form';
-import { ALL_OIDC_TOKEN_ENDPOINT_AUTH_METHOD_OPTIONS, PRIVATE_KEY_JWT_TOKEN_ENDPOINT_AUTH_METHOD, OIDC_ENTRY_CLIENT_TYPE, OidcModelFunctions, OidcModelFirestoreCollections } from '@dereekb/firebase';
-import { CommonModule } from '@angular/common';
+import { ALL_OIDC_TOKEN_ENDPOINT_AUTH_METHOD_OPTIONS, PRIVATE_KEY_JWT_TOKEN_ENDPOINT_AUTH_METHOD, OidcModelFunctions, OidcModelFirestoreCollections, OIDC_ENTRY_CLIENT_TYPE, oidcGrantEntriesByUidQuery } from '@dereekb/firebase';
+import { DatePipe, CommonModule } from '@angular/common';
 
 /**
  * Presentational component for the OIDC OAuth login interaction.
@@ -39,6 +40,9 @@ class DbxFirebaseOAuthLoginViewComponent {
     static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthLoginViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-login-view", inputs: { loginStateCase: { classPropertyName: "loginStateCase", publicName: "loginStateCase", isSignal: true, isRequired: true, transformFunction: null }, error: { classPropertyName: "error", publicName: "error", isSignal: true, isRequired: false, transformFunction: null } }, outputs: { retryClick: "retryClick" }, host: { classAttribute: "d-block dbx-firebase-oauth-login-view" }, ngImport: i0, template: `
     <div class="dbx-firebase-oauth-login-view">
       @switch (loginStateCase()) {
+        @case ('unknown') {
+          <dbx-basic-loading [loading]="true"></dbx-basic-loading>
+        }
         @case ('no_user') {
           <ng-content></ng-content>
         }
@@ -65,6 +69,9 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                     template: `
     <div class="dbx-firebase-oauth-login-view">
       @switch (loginStateCase()) {
+        @case ('unknown') {
+          <dbx-basic-loading [loading]="true"></dbx-basic-loading>
+        }
         @case ('no_user') {
           <ng-content></ng-content>
         }
@@ -88,120 +95,174 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                 }]
         }], propDecorators: { loginStateCase: [{ type: i0.Input, args: [{ isSignal: true, alias: "loginStateCase", required: true }] }], error: [{ type: i0.Input, args: [{ isSignal: true, alias: "error", required: false }] }], retryClick: [{ type: i0.Output, args: ["retryClick"] }] } });
 
+/**
+ * Default required scopes — `openid` is mandatory for any OIDC flow, so the
+ * UI always treats it as not-deselectable.
+ */
+const DEFAULT_OAUTH_CONSENT_REQUIRED_SCOPES = ['openid'];
 /**
  * Presentational component for the OIDC OAuth consent screen.
  *
- * Accepts an `OAuthInteractionLoginDetails` input that contains all client and scope
- * information. Renders the client name, logo, client URL, scopes (via `<dbx-injection>`),
- * error/loading states, and approve/deny action buttons.
+ * Wires up two `dbxAction` contexts — an outer one for Approve (which hosts
+ * the scope-selection forge form via `dbxActionForm`) and a nested one for
+ * Deny (which carries no value). Buttons are bound by Angular DI's
+ * nearest-ancestor lookup: the Approve button picks up the outer action, the
+ * Deny button (wrapped in its own `<ng-container dbxAction>`) picks up the
+ * inner.
+ *
+ * Supports ng-content projection — anything provided is rendered for the
+ * `'no_user'` state (so apps can project a login view, mirroring
+ * `DbxFirebaseOAuthLoginViewComponent`).
  *
  * @example
  * ```html
  * <dbx-firebase-oauth-consent-view
  *   [details]="loginDetails"
- *   [loading]="false"
+ *   [consentStateCase]="'user'"
  *   [scopeInjectionConfig]="scopeConfig"
- *   (approveClick)="onApprove()"
- *   (denyClick)="onDeny()">
+ *   [approveHandler]="handleApprove"
+ *   [denyHandler]="handleDeny">
  * </dbx-firebase-oauth-consent-view>
  * ```
  */
 class DbxFirebaseOAuthConsentViewComponent {
     details = input(...(ngDevMode ? [undefined, { debugName: "details" }] : /* istanbul ignore next */ []));
-    loading = input(false, ...(ngDevMode ? [{ debugName: "loading" }] : /* istanbul ignore next */ []));
-    error = input(...(ngDevMode ? [undefined, { debugName: "error" }] : /* istanbul ignore next */ []));
+    consentStateCase = input.required(...(ngDevMode ? [{ debugName: "consentStateCase" }] : /* istanbul ignore next */ []));
     scopeInjectionConfig = input.required(...(ngDevMode ? [{ debugName: "scopeInjectionConfig" }] : /* istanbul ignore next */ []));
+    /**
+     * Scopes that cannot be deselected by the user. Forwarded to the scope
+     * view so it can render an "Always granted" hint. Defaults to `['openid']`.
+     */
+    requiredScopes = input(DEFAULT_OAUTH_CONSENT_REQUIRED_SCOPES, ...(ngDevMode ? [{ debugName: "requiredScopes" }] : /* istanbul ignore next */ []));
+    /**
+     * Approve handler — called with the form value when the Approve button
+     * triggers the outer action. Receives a `WorkUsingContext` to drive the
+     * action's loading/success/error pipeline.
+     */
+    approveHandler = input.required(...(ngDevMode ? [{ debugName: "approveHandler" }] : /* istanbul ignore next */ []));
+    /**
+     * Deny handler — called when the Deny button triggers the inner action.
+     * No value is passed (`dbxActionValue` provides an empty payload).
+     */
+    denyHandler = input.required(...(ngDevMode ? [{ debugName: "denyHandler" }] : /* istanbul ignore next */ []));
     clientName = computed(() => this.details()?.client_name ?? '', ...(ngDevMode ? [{ debugName: "clientName" }] : /* istanbul ignore next */ []));
     clientUri = computed(() => this.details()?.client_uri, ...(ngDevMode ? [{ debugName: "clientUri" }] : /* istanbul ignore next */ []));
     logoUri = computed(() => this.details()?.logo_uri, ...(ngDevMode ? [{ debugName: "logoUri" }] : /* istanbul ignore next */ []));
     scopes = computed(() => SPACE_STRING_SPLIT_JOIN.splitStrings(this.details()?.scopes ?? ''), ...(ngDevMode ? [{ debugName: "scopes" }] : /* istanbul ignore next */ []));
-    resolvedError = computed(() => {
-        const error = this.error();
-        return typeof error === 'string' ? readableError('ERROR', error) : error;
-    }, ...(ngDevMode ? [{ debugName: "resolvedError" }] : /* istanbul ignore next */ []));
-    approveClick = output();
-    denyClick = output();
     resolvedScopeInjectionConfig = computed(() => {
         const data = {
             details: this.details(),
             scopes: this.scopes(),
-            clientName: this.clientName()
+            clientName: this.clientName(),
+            requiredScopes: this.requiredScopes()
         };
         return { ...this.scopeInjectionConfig(), data };
     }, ...(ngDevMode ? [{ debugName: "resolvedScopeInjectionConfig" }] : /* istanbul ignore next */ []));
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentViewComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-view", inputs: { details: { classPropertyName: "details", publicName: "details", isSignal: true, isRequired: false, transformFunction: null }, loading: { classPropertyName: "loading", publicName: "loading", isSignal: true, isRequired: false, transformFunction: null }, error: { classPropertyName: "error", publicName: "error", isSignal: true, isRequired: false, transformFunction: null }, scopeInjectionConfig: { classPropertyName: "scopeInjectionConfig", publicName: "scopeInjectionConfig", isSignal: true, isRequired: true, transformFunction: null } }, outputs: { approveClick: "approveClick", denyClick: "denyClick" }, host: { classAttribute: "d-block dbx-firebase-oauth-consent-view" }, ngImport: i0, template: `
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-view", inputs: { details: { classPropertyName: "details", publicName: "details", isSignal: true, isRequired: false, transformFunction: null }, consentStateCase: { classPropertyName: "consentStateCase", publicName: "consentStateCase", isSignal: true, isRequired: true, transformFunction: null }, scopeInjectionConfig: { classPropertyName: "scopeInjectionConfig", publicName: "scopeInjectionConfig", isSignal: true, isRequired: true, transformFunction: null }, requiredScopes: { classPropertyName: "requiredScopes", publicName: "requiredScopes", isSignal: true, isRequired: false, transformFunction: null }, approveHandler: { classPropertyName: "approveHandler", publicName: "approveHandler", isSignal: true, isRequired: true, transformFunction: null }, denyHandler: { classPropertyName: "denyHandler", publicName: "denyHandler", isSignal: true, isRequired: true, transformFunction: null } }, host: { classAttribute: "d-block dbx-firebase-oauth-consent-view" }, ngImport: i0, template: `
     <div class="dbx-firebase-oauth-consent-view">
-      @if (loading()) {
-        <dbx-loading [loading]="true" text="Processing..."></dbx-loading>
-      } @else {
-        <div class="dbx-firebase-oauth-consent-header">
+      @switch (consentStateCase()) {
+        @case ('unknown') {
+          <dbx-basic-loading [loading]="true"></dbx-basic-loading>
+        }
+        @case ('no_user') {
+          <ng-content></ng-content>
+        }
+        @case ('user') {
+          <div class="dbx-firebase-oauth-consent-header">
+            @if (clientName()) {
+              <h2>You're signing in to {{ clientName() }}</h2>
+            }
+            <div class="dbx-firebase-oauth-consent-header-info dbx-flex">
+              <dbx-avatar [avatarUrl]="logoUri()" [avatarStyle]="'square'" avatarIcon="apps"></dbx-avatar>
+              <span>
+                @if (clientUri()) {
+                  <a class="dbx-firebase-oauth-consent-client-uri" [href]="clientUri()" target="_blank" rel="noopener noreferrer">{{ clientUri() }}</a>
+                }
+              </span>
+            </div>
+          </div>
           @if (clientName()) {
-            <h2>You're signing in to {{ clientName() }}</h2>
+            <p class="dbx-firebase-oauth-consent-prompt">
+              <strong>{{ clientName() }}</strong>
+              is requesting these permissions:
+            </p>
           }
-          <div class="dbx-firebase-oauth-consent-header-info dbx-flex">
-            <dbx-avatar [avatarUrl]="logoUri()" [avatarStyle]="'square'" avatarIcon="apps"></dbx-avatar>
-            <span>
-              @if (clientUri()) {
-                <a class="dbx-firebase-oauth-consent-client-uri" [href]="clientUri()" target="_blank" rel="noopener noreferrer">{{ clientUri() }}</a>
-              }
-            </span>
+
+          <div dbxAction dbxActionSnackbarError [dbxActionHandler]="approveHandler()">
+            <dbx-injection [config]="resolvedScopeInjectionConfig()"></dbx-injection>
+
+            <div class="dbx-pt3 dbx-pb3 dbx-firebase-oauth-consent-actions">
+              <dbx-button dbxActionButton text="Approve" [raised]="true" color="primary"></dbx-button>
+              <dbx-button-spacer></dbx-button-spacer>
+              <ng-container dbxAction dbxActionSnackbarError dbxActionValue [dbxActionHandler]="denyHandler()">
+                <dbx-button dbxActionButton text="Deny" [flat]="true" color="warn"></dbx-button>
+              </ng-container>
+            </div>
           </div>
-        </div>
-        <dbx-injection [config]="resolvedScopeInjectionConfig()"></dbx-injection>
-        <div class="dbx-pt3 dbx-pb3 dbx-firebase-oauth-consent-actions">
-          <dbx-button text="Approve" [raised]="true" color="primary" (buttonClick)="approveClick.emit()"></dbx-button>
-          <dbx-button-spacer></dbx-button-spacer>
-          <dbx-button text="Deny" [flat]="true" color="warn" (buttonClick)="denyClick.emit()"></dbx-button>
-        </div>
-        @if (resolvedError()) {
-          <dbx-error [error]="resolvedError()"></dbx-error>
         }
       }
     </div>
-  `, isInline: true, styles: [".dbx-firebase-oauth-consent-view .dbx-firebase-oauth-consent-header-info{align-items:center;gap:12px}\n"], dependencies: [{ kind: "component", type: DbxInjectionComponent, selector: "dbx-injection, [dbxInjection], [dbx-injection]", inputs: ["config", "template"] }, { kind: "component", type: DbxAvatarComponent, selector: "dbx-avatar", inputs: ["context", "avatarSelector", "avatarUid", "avatarUrl", "avatarKey", "avatarIcon", "avatarStyle", "avatarSize", "avatarHideOnError"] }, { kind: "component", type: DbxLoadingComponent, selector: "dbx-loading", inputs: ["padding", "show", "text", "mode", "color", "diameter", "linear", "loading", "error", "context"] }, { kind: "component", type: DbxErrorComponent, selector: "dbx-error", inputs: ["error", "iconOnly"], outputs: ["popoverOpened"] }, { kind: "component", type: DbxButtonComponent, selector: "dbx-button", inputs: ["bar", "type", "buttonStyle", "color", "spinnerColor", "customButtonColor", "customTextColor", "customSpinnerColor", "basic", "tonal", "raised", "stroked", "flat", "iconOnly", "fab", "customContent", "allowClickPropagation", "mode"] }, { kind: "directive", type: DbxButtonSpacerDirective, selector: "dbx-button-spacer,[dbxButtonSpacer]" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+  `, isInline: true, styles: [".dbx-firebase-oauth-consent-view .dbx-firebase-oauth-consent-header-info{align-items:center;gap:12px}\n"], dependencies: [{ kind: "component", type: DbxInjectionComponent, selector: "dbx-injection, [dbxInjection], [dbx-injection]", inputs: ["config", "template"] }, { kind: "component", type: DbxAvatarComponent, selector: "dbx-avatar", inputs: ["context", "avatarSelector", "avatarUid", "avatarUrl", "avatarKey", "avatarIcon", "avatarStyle", "avatarSize", "avatarHideOnError"] }, { kind: "component", type: DbxBasicLoadingComponent, selector: "dbx-basic-loading", inputs: ["diameter", "mode", "color", "text", "linear", "show", "loading", "error"] }, { kind: "component", type: DbxButtonComponent, selector: "dbx-button", inputs: ["bar", "type", "buttonStyle", "color", "spinnerColor", "customButtonColor", "customTextColor", "customSpinnerColor", "basic", "tonal", "raised", "stroked", "flat", "iconOnly", "fab", "customContent", "allowClickPropagation", "mode"] }, { kind: "directive", type: DbxButtonSpacerDirective, selector: "dbx-button-spacer,[dbxButtonSpacer]" }, { kind: "directive", type: DbxActionDirective, selector: "dbx-action,[dbxAction]", exportAs: ["action", "dbxAction"] }, { kind: "directive", type: DbxActionHandlerDirective, selector: "[dbxActionHandler]", inputs: ["dbxActionHandler"] }, { kind: "directive", type: DbxActionValueDirective, selector: "dbxActionValue,[dbxActionValue]", inputs: ["dbxActionValue"] }, { kind: "directive", type: DbxActionButtonDirective, selector: "[dbxActionButton]", inputs: ["dbxActionButtonEcho"] }, { kind: "directive", type: DbxActionSnackbarErrorDirective, selector: "[dbxActionSnackbarError]", inputs: ["dbxActionSnackbarError"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentViewComponent, decorators: [{
             type: Component,
-            args: [{ selector: 'dbx-firebase-oauth-consent-view', standalone: true, imports: [DbxInjectionComponent, DbxAvatarComponent, DbxLoadingComponent, DbxErrorComponent, DbxButtonComponent, DbxButtonSpacerDirective], template: `
+            args: [{ selector: 'dbx-firebase-oauth-consent-view', standalone: true, imports: [DbxInjectionComponent, DbxAvatarComponent, DbxBasicLoadingComponent, DbxButtonComponent, DbxButtonSpacerDirective, DbxActionDirective, DbxActionHandlerDirective, DbxActionValueDirective, DbxActionButtonDirective, DbxActionSnackbarErrorDirective], template: `
     <div class="dbx-firebase-oauth-consent-view">
-      @if (loading()) {
-        <dbx-loading [loading]="true" text="Processing..."></dbx-loading>
-      } @else {
-        <div class="dbx-firebase-oauth-consent-header">
+      @switch (consentStateCase()) {
+        @case ('unknown') {
+          <dbx-basic-loading [loading]="true"></dbx-basic-loading>
+        }
+        @case ('no_user') {
+          <ng-content></ng-content>
+        }
+        @case ('user') {
+          <div class="dbx-firebase-oauth-consent-header">
+            @if (clientName()) {
+              <h2>You're signing in to {{ clientName() }}</h2>
+            }
+            <div class="dbx-firebase-oauth-consent-header-info dbx-flex">
+              <dbx-avatar [avatarUrl]="logoUri()" [avatarStyle]="'square'" avatarIcon="apps"></dbx-avatar>
+              <span>
+                @if (clientUri()) {
+                  <a class="dbx-firebase-oauth-consent-client-uri" [href]="clientUri()" target="_blank" rel="noopener noreferrer">{{ clientUri() }}</a>
+                }
+              </span>
+            </div>
+          </div>
           @if (clientName()) {
-            <h2>You're signing in to {{ clientName() }}</h2>
+            <p class="dbx-firebase-oauth-consent-prompt">
+              <strong>{{ clientName() }}</strong>
+              is requesting these permissions:
+            </p>
           }
-          <div class="dbx-firebase-oauth-consent-header-info dbx-flex">
-            <dbx-avatar [avatarUrl]="logoUri()" [avatarStyle]="'square'" avatarIcon="apps"></dbx-avatar>
-            <span>
-              @if (clientUri()) {
-                <a class="dbx-firebase-oauth-consent-client-uri" [href]="clientUri()" target="_blank" rel="noopener noreferrer">{{ clientUri() }}</a>
-              }
-            </span>
+
+          <div dbxAction dbxActionSnackbarError [dbxActionHandler]="approveHandler()">
+            <dbx-injection [config]="resolvedScopeInjectionConfig()"></dbx-injection>
+
+            <div class="dbx-pt3 dbx-pb3 dbx-firebase-oauth-consent-actions">
+              <dbx-button dbxActionButton text="Approve" [raised]="true" color="primary"></dbx-button>
+              <dbx-button-spacer></dbx-button-spacer>
+              <ng-container dbxAction dbxActionSnackbarError dbxActionValue [dbxActionHandler]="denyHandler()">
+                <dbx-button dbxActionButton text="Deny" [flat]="true" color="warn"></dbx-button>
+              </ng-container>
+            </div>
           </div>
-        </div>
-        <dbx-injection [config]="resolvedScopeInjectionConfig()"></dbx-injection>
-        <div class="dbx-pt3 dbx-pb3 dbx-firebase-oauth-consent-actions">
-          <dbx-button text="Approve" [raised]="true" color="primary" (buttonClick)="approveClick.emit()"></dbx-button>
-          <dbx-button-spacer></dbx-button-spacer>
-          <dbx-button text="Deny" [flat]="true" color="warn" (buttonClick)="denyClick.emit()"></dbx-button>
-        </div>
-        @if (resolvedError()) {
-          <dbx-error [error]="resolvedError()"></dbx-error>
         }
       }
     </div>
   `, host: {
                         class: 'd-block dbx-firebase-oauth-consent-view'
                     }, changeDetection: ChangeDetectionStrategy.OnPush, styles: [".dbx-firebase-oauth-consent-view .dbx-firebase-oauth-consent-header-info{align-items:center;gap:12px}\n"] }]
-        }], propDecorators: { details: [{ type: i0.Input, args: [{ isSignal: true, alias: "details", required: false }] }], loading: [{ type: i0.Input, args: [{ isSignal: true, alias: "loading", required: false }] }], error: [{ type: i0.Input, args: [{ isSignal: true, alias: "error", required: false }] }], scopeInjectionConfig: [{ type: i0.Input, args: [{ isSignal: true, alias: "scopeInjectionConfig", required: true }] }], approveClick: [{ type: i0.Output, args: ["approveClick"] }], denyClick: [{ type: i0.Output, args: ["denyClick"] }] } });
+        }], propDecorators: { details: [{ type: i0.Input, args: [{ isSignal: true, alias: "details", required: false }] }], consentStateCase: [{ type: i0.Input, args: [{ isSignal: true, alias: "consentStateCase", required: true }] }], scopeInjectionConfig: [{ type: i0.Input, args: [{ isSignal: true, alias: "scopeInjectionConfig", required: true }] }], requiredScopes: [{ type: i0.Input, args: [{ isSignal: true, alias: "requiredScopes", required: false }] }], approveHandler: [{ type: i0.Input, args: [{ isSignal: true, alias: "approveHandler", required: true }] }], denyHandler: [{ type: i0.Input, args: [{ isSignal: true, alias: "denyHandler", required: true }] }] } });
 
 /**
  * Abstract base class for consent scope view components.
  *
- * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData` injected
- * via `DBX_INJECTION_COMPONENT_DATA`. Subclasses only need to define a template.
+ * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData`
+ * injected via `DBX_INJECTION_COMPONENT_DATA`. Subclasses define the
+ * template that renders the requested scopes and (optionally) hosts a
+ * forge form decorated with `dbxActionForm`.
  *
  * @example
  * ```typescript
@@ -216,43 +277,200 @@ class AbstractDbxFirebaseOAuthConsentScopeViewComponent {
     clientName = computed(() => this.data?.clientName ?? '', ...(ngDevMode ? [{ debugName: "clientName" }] : /* istanbul ignore next */ []));
     clientUri = computed(() => this.data?.details?.client_uri, ...(ngDevMode ? [{ debugName: "clientUri" }] : /* istanbul ignore next */ []));
     logoUri = computed(() => this.data?.details?.logo_uri, ...(ngDevMode ? [{ debugName: "logoUri" }] : /* istanbul ignore next */ []));
+    requiredScopes = computed(() => this.data?.requiredScopes ?? [], ...(ngDevMode ? [{ debugName: "requiredScopes" }] : /* istanbul ignore next */ []));
+    isScopeRequired(scope) {
+        return this.requiredScopes().includes(scope);
+    }
 }
 
 /**
- * Standalone presentational component that renders a list of OAuth consent scopes.
+ * Selection-list wrapper used as the `listComponentClass` for the OIDC
+ * consent scope `dbxForgeListSelectionField`.
+ *
+ * Reuses the workspace's `dbx-list` selection infrastructure so the existing
+ * scope-row visual treatment (name + description) remains intact while the
+ * selection state participates in the surrounding `dbxAction`/`dbxActionForm`
+ * pipeline.
  *
  * @example
- * ```html
- * <dbx-firebase-oauth-consent-scope-list [scopes]="mappedScopes"></dbx-firebase-oauth-consent-scope-list>
+ * ```ts
+ * dbxForgeListSelectionField<OAuthConsentScope, DbxFirebaseOAuthConsentScopeListComponent, OidcScope>({
+ *   key: 'grantedOIDCScopes',
+ *   props: {
+ *     listComponentClass: of(DbxFirebaseOAuthConsentScopeListComponent),
+ *     readKey: (scope) => scope.name,
+ *     state$: of(successResult(optionalScopes)),
+ *     wrapped: false,
+ *     maxHeight: 'none'
+ *   }
+ * });
  * ```
  */
-class DbxFirebaseOAuthConsentScopeListComponent {
-    scopes = input([], ...(ngDevMode ? [{ debugName: "scopes" }] : /* istanbul ignore next */ []));
+class DbxFirebaseOAuthConsentScopeListComponent extends AbstractDbxSelectionListWrapperDirective {
+    constructor() {
+        super({ componentClass: DbxFirebaseOAuthConsentScopeListViewComponent, defaultSelectionMode: 'select' });
+    }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeListComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-list", inputs: { scopes: { classPropertyName: "scopes", publicName: "scopes", isSignal: true, isRequired: false, transformFunction: null } }, ngImport: i0, template: `
-    @for (scope of scopes(); track scope.name) {
-      <div class="dbx-firebase-oauth-consent-scope-list-item dbx-mb2">
-        <span class="dbx-firebase-oauth-consent-scope-name dbx-pb2">{{ scope.name }}</span>
-        @if (scope.description) {
-          <span class="dbx-firebase-oauth-consent-scope-description">{{ scope.description }}</span>
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeListComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-list", host: { classAttribute: "dbx-list-no-hover-effects dbx-list-card-items-list" }, usesInheritance: true, ngImport: i0, template: "\n  <dbx-list [state]=\"currentState$\" [config]=\"configSignal()\" [hasMore]=\"hasMore()\" [disabled]=\"disabledSignal()\" [selectionMode]=\"selectionModeSignal()\">\n    <ng-content top select=\"[top]\"></ng-content>\n    <ng-content bottom select=\"[bottom]\"></ng-content>\n    <ng-content empty select=\"[empty]\"></ng-content>\n    <ng-content emptyLoading select=\"[emptyLoading]\"></ng-content>\n    <ng-content end select=\"[end]\"></ng-content>\n  </dbx-list>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxListWrapperComponentImportsModule }, { kind: "component", type: i1.DbxListComponent, selector: "dbx-list", inputs: ["padded", "state", "config", "disabled", "selectionMode", "hasMore"], outputs: ["contentScrolled"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oauth-consent-scope-list',
+                    template: DEFAULT_LIST_WRAPPER_COMPONENT_CONFIGURATION_TEMPLATE,
+                    host: {
+                        class: 'dbx-list-no-hover-effects dbx-list-card-items-list'
+                    },
+                    imports: [DbxListWrapperComponentImportsModule],
+                    changeDetection: ChangeDetectionStrategy.OnPush,
+                    standalone: true
+                }]
+        }], ctorParameters: () => [] });
+/**
+ * Selection list view that pairs with `DbxFirebaseOAuthConsentScopeListComponent`.
+ * Maps each `OAuthConsentScope` to a `DbxValueListItem` keyed by the scope name
+ * and renders it through `DbxFirebaseOAuthConsentScopeListItemComponent`.
+ */
+class DbxFirebaseOAuthConsentScopeListViewComponent extends AbstractDbxSelectionListViewDirective {
+    config = {
+        componentClass: DbxFirebaseOAuthConsentScopeListItemComponent,
+        mapValuesToItemValues: (values) => of(values.map((scope) => ({ ...scope, key: scope.name, itemValue: scope })))
+    };
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListViewComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeListViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-list-view", providers: provideDbxListView(DbxFirebaseOAuthConsentScopeListViewComponent), usesInheritance: true, ngImport: i0, template: "<dbx-selection-list-view [config]=\"config\"></dbx-selection-list-view>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxSelectionValueListViewComponentImportsModule }, { kind: "component", type: i1.DbxSelectionValueListViewComponent, selector: "dbx-selection-list-view" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListViewComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oauth-consent-scope-list-view',
+                    template: DEFAULT_DBX_SELECTION_VALUE_LIST_COMPONENT_CONFIGURATION_TEMPLATE,
+                    imports: [DbxSelectionValueListViewComponentImportsModule],
+                    providers: provideDbxListView(DbxFirebaseOAuthConsentScopeListViewComponent),
+                    changeDetection: ChangeDetectionStrategy.OnPush,
+                    standalone: true
+                }]
+        }] });
+/**
+ * Item row inside the OIDC consent scope selection list. Shown as the visual
+ * row for both selected and unselected scopes — the selection chrome (the
+ * leading checkbox/highlight) is provided by the wrapping
+ * `dbx-selection-list-view`.
+ */
+class DbxFirebaseOAuthConsentScopeListItemComponent extends AbstractDbxValueListViewItemComponent {
+    get name() {
+        return this.itemValue.name;
+    }
+    get description() {
+        return this.itemValue.description;
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListItemComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeListItemComponent, isStandalone: true, selector: "ng-component", usesInheritance: true, ngImport: i0, template: `
+    <div class="dbx-list-item-padded dbx-list-item-padded-thick dbx-list-two-line-item">
+      <div class="item-left">
+        <div class="mat-subtitle-2">{{ name }}</div>
+        @if (description) {
+          <div class="item-details">{{ description }}</div>
         }
       </div>
-    }
-  `, isInline: true, styles: [".dbx-firebase-oauth-consent-scope-list-item{display:flex;flex-direction:column;padding:8px 12px;border-left:3px solid var(--dbx-primary-color);background:color-mix(in srgb,var(--dbx-color-current) 10%,transparent)}.dbx-firebase-oauth-consent-scope-list-item .dbx-firebase-oauth-consent-scope-name{font-weight:500}.dbx-firebase-oauth-consent-scope-list-item .dbx-firebase-oauth-consent-scope-description{font-size:.85em;opacity:.7}\n"], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+    </div>
+  `, isInline: true, changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListComponent, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeListItemComponent, decorators: [{
             type: Component,
-            args: [{ selector: 'dbx-firebase-oauth-consent-scope-list', standalone: true, template: `
-    @for (scope of scopes(); track scope.name) {
-      <div class="dbx-firebase-oauth-consent-scope-list-item dbx-mb2">
-        <span class="dbx-firebase-oauth-consent-scope-name dbx-pb2">{{ scope.name }}</span>
-        @if (scope.description) {
-          <span class="dbx-firebase-oauth-consent-scope-description">{{ scope.description }}</span>
+            args: [{
+                    template: `
+    <div class="dbx-list-item-padded dbx-list-item-padded-thick dbx-list-two-line-item">
+      <div class="item-left">
+        <div class="mat-subtitle-2">{{ name }}</div>
+        @if (description) {
+          <div class="item-details">{{ description }}</div>
         }
       </div>
-    }
-  `, changeDetection: ChangeDetectionStrategy.OnPush, styles: [".dbx-firebase-oauth-consent-scope-list-item{display:flex;flex-direction:column;padding:8px 12px;border-left:3px solid var(--dbx-primary-color);background:color-mix(in srgb,var(--dbx-color-current) 10%,transparent)}.dbx-firebase-oauth-consent-scope-list-item .dbx-firebase-oauth-consent-scope-name{font-weight:500}.dbx-firebase-oauth-consent-scope-list-item .dbx-firebase-oauth-consent-scope-description{font-size:.85em;opacity:.7}\n"] }]
-        }], propDecorators: { scopes: [{ type: i0.Input, args: [{ isSignal: true, alias: "scopes", required: false }] }] } });
+    </div>
+  `,
+                    standalone: true,
+                    changeDetection: ChangeDetectionStrategy.OnPush
+                }]
+        }] });
+
+/**
+ * Validator key emitted when the user has not selected any optional scope.
+ * Surfaces alongside the form's invalid state so the action button stays disabled.
+ */
+const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND = 'mustSelectAtLeastOneScope';
+/**
+ * Default message shown when the user has cleared every optional scope.
+ */
+const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE = 'Select at least one scope to grant.';
+/**
+ * Builds a complete `FormConfig` ready to feed into a forge form component.
+ *
+ * The resulting form has a single `grantedOIDCScopes` field — a
+ * `dbxForgeListSelectionField` rendered through
+ * `DbxFirebaseOAuthConsentScopeListComponent` (a `dbx-list` selection wrapper).
+ * The list renders bare (no Material form-field wrapper) and without the
+ * default 300px height cap so it grows to fit the scope list.
+ *
+ * @param config - The consent scopes form fields configuration.
+ * @returns A `FormConfig` whose single field selects an `OidcScope[]` of granted scopes.
+ */
+function oauthConsentScopesFormConfig(config) {
+    const { optionalScopes, initiallySelected } = config;
+    const value = (initiallySelected ?? optionalScopes.map((scope) => scope.name)).slice();
+    const optionalScopesArray = optionalScopes.slice();
+    const validators = [
+        {
+            type: 'custom',
+            expression: 'fieldValue && fieldValue.length > 0',
+            kind: OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND
+        }
+    ];
+    return {
+        fields: [
+            dbxForgeListSelectionField({
+                key: 'grantedOIDCScopes',
+                value,
+                validators,
+                validationMessages: {
+                    [OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND]: OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE
+                },
+                props: {
+                    listComponentClass: of(DbxFirebaseOAuthConsentScopeListComponent),
+                    readKey: (scope) => scope.name,
+                    state$: of(successResult(optionalScopesArray)),
+                    wrapped: false,
+                    maxHeight: 'none'
+                }
+            })
+        ]
+    };
+}
+
+/**
+ * Reusable forge form component that renders one checkbox per OIDC scope
+ * defined in {@link OAuthConsentScopesFormFieldsConfig}. Required scopes are
+ * rendered as checked-and-disabled.
+ *
+ * Pair with `<dbx-firebase-oauth-consent-scope-default-view>` for the default
+ * consent flow, or embed directly in custom consent UIs that supply their
+ * own scope/required configuration.
+ */
+class DbxFirebaseOAuthConsentScopeFormComponent extends AbstractConfigAsyncForgeFormDirective {
+    formConfig$ = this.currentConfig$.pipe(map((config) => (config ? oauthConsentScopesFormConfig(config) : undefined)));
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeFormComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeFormComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-form", providers: dbxForgeFormComponentProviders(), usesInheritance: true, ngImport: i0, template: "<dbx-forge></dbx-forge>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxForgeFormComponentImportsModule }, { kind: "component", type: i1$1.DbxForgeFormComponent, selector: "dbx-forge" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeFormComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oauth-consent-scope-form',
+                    template: DBX_FORGE_FORM_COMPONENT_TEMPLATE,
+                    providers: dbxForgeFormComponentProviders(),
+                    imports: [DbxForgeFormComponentImportsModule],
+                    changeDetection: ChangeDetectionStrategy.OnPush,
+                    standalone: true
+                }]
+        }] });
 
 const DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH = '/oidc/auth';
 const DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH = '/interaction';
@@ -336,18 +554,33 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
         }] });
 
 /**
- * Default consent scope view component that maps scope names to descriptions
- * using the `OidcScopeDetails` from the app-level OIDC configuration.
+ * Default consent scope view component.
  *
- * Apps can override this by providing a custom `consentScopeListViewClass`
- * in `DbxFirebaseOidcConfig` or `DbxOAuthConsentComponentConfig`.
+ * Reads the requested scopes (and required scopes) from the
+ * `DBX_INJECTION_COMPONENT_DATA` provided by the parent consent view,
+ * resolves human-readable descriptions from the app-level
+ * `DbxFirebaseOidcConfigService`, then renders a
+ * `DbxFirebaseOAuthConsentScopeFormComponent` with `dbxActionForm` so the
+ * form's value participates in the surrounding `dbxAction` (the consent
+ * view's outer Approve action).
+ *
+ * Required scopes are not user-selectable. They are surfaced as an "Always
+ * granted" hint above the form because the server enforces them regardless
+ * of payload — including them in the selection list would just add noise.
+ *
+ * Apps can override this default via
+ * `DbxFirebaseOidcConfig.consentScopeListViewClass` or
+ * `DbxOAuthConsentComponentConfig.consentScopeListViewClass`. Custom views
+ * should similarly apply `dbxActionForm` to a forge form whose value matches
+ * `OAuthConsentScopesFormValue`.
  */
-class DbxFirebaseOAuthConsentScopeDefaultViewComponent extends AbstractDbxFirebaseOAuthConsentScopeViewComponent {
-    oidcConfigService = inject(DbxFirebaseOidcConfigService);
+class DbxFirebaseOAuthConsentScopeDefaultViewComponent {
+    _oidcConfigService = inject(DbxFirebaseOidcConfigService);
+    _data = inject(DBX_INJECTION_COMPONENT_DATA);
     mappedScopes = computed(() => {
-        const availableScopes = this.oidcConfigService.availableScopes;
+        const availableScopes = this._oidcConfigService.availableScopes;
         const availableScopeValues = new Set(availableScopes.map((s) => s.value));
-        const { included: knownScopes, excluded: unknownScopes } = separateValues(this.scopes(), (name) => availableScopeValues.has(name));
+        const { included: knownScopes, excluded: unknownScopes } = separateValues(this._data.scopes, (name) => availableScopeValues.has(name));
         return [
             ...knownScopes.map((name) => {
                 const details = availableScopes.find((s) => s.value === name);
@@ -356,29 +589,38 @@ class DbxFirebaseOAuthConsentScopeDefaultViewComponent extends AbstractDbxFireba
             ...unknownScopes.map((name) => ({ name, description: 'unknown' }))
         ];
     }, ...(ngDevMode ? [{ debugName: "mappedScopes" }] : /* istanbul ignore next */ []));
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeDefaultViewComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeDefaultViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-default-view", usesInheritance: true, ngImport: i0, template: `
-    <p>
-      <strong>{{ clientName() }}</strong>
-      is requesting these permissions:
-    </p>
-    <dbx-firebase-oauth-consent-scope-list [scopes]="mappedScopes()"></dbx-firebase-oauth-consent-scope-list>
-  `, isInline: true, dependencies: [{ kind: "component", type: DbxFirebaseOAuthConsentScopeListComponent, selector: "dbx-firebase-oauth-consent-scope-list", inputs: ["scopes"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+    optionalScopes = computed(() => {
+        const requiredSet = new Set(this._data.requiredScopes ?? []);
+        return this.mappedScopes().filter((scope) => !requiredSet.has(scope.name));
+    }, ...(ngDevMode ? [{ debugName: "optionalScopes" }] : /* istanbul ignore next */ []));
+    alwaysGrantedLabel = computed(() => {
+        const required = this._data.requiredScopes ?? [];
+        return required.length > 0 ? required.join(', ') : null;
+    }, ...(ngDevMode ? [{ debugName: "alwaysGrantedLabel" }] : /* istanbul ignore next */ []));
+    formFieldsConfig = computed(() => ({
+        optionalScopes: this.optionalScopes()
+    }), ...(ngDevMode ? [{ debugName: "formFieldsConfig" }] : /* istanbul ignore next */ []));
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeDefaultViewComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOAuthConsentScopeDefaultViewComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent-scope-default-view", ngImport: i0, template: `
+    @if (alwaysGrantedLabel(); as label) {
+      <p class="dbx-firebase-oauth-consent-always-granted dbx-hint">Always granted: {{ label }}</p>
+    }
+    <dbx-firebase-oauth-consent-scope-form dbxActionForm [config]="formFieldsConfig()"></dbx-firebase-oauth-consent-scope-form>
+  `, isInline: true, dependencies: [{ kind: "component", type: DbxFirebaseOAuthConsentScopeFormComponent, selector: "dbx-firebase-oauth-consent-scope-form" }, { kind: "directive", type: DbxActionFormDirective, selector: "[dbxActionForm]", inputs: ["dbxActionFormDisabledOnWorking", "dbxActionFormIsValid", "dbxActionFormIsEqual", "dbxActionFormIsModified", "dbxActionFormMapValue"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOAuthConsentScopeDefaultViewComponent, decorators: [{
             type: Component,
             args: [{
                     selector: 'dbx-firebase-oauth-consent-scope-default-view',
-                    standalone: true,
-                    imports: [DbxFirebaseOAuthConsentScopeListComponent],
                     template: `
-    <p>
-      <strong>{{ clientName() }}</strong>
-      is requesting these permissions:
-    </p>
-    <dbx-firebase-oauth-consent-scope-list [scopes]="mappedScopes()"></dbx-firebase-oauth-consent-scope-list>
+    @if (alwaysGrantedLabel(); as label) {
+      <p class="dbx-firebase-oauth-consent-always-granted dbx-hint">Always granted: {{ label }}</p>
+    }
+    <dbx-firebase-oauth-consent-scope-form dbxActionForm [config]="formFieldsConfig()"></dbx-firebase-oauth-consent-scope-form>
   `,
-                    changeDetection: ChangeDetectionStrategy.OnPush
+                    imports: [DbxFirebaseOAuthConsentScopeFormComponent, DbxActionFormDirective],
+                    changeDetection: ChangeDetectionStrategy.OnPush,
+                    standalone: true
                 }]
         }] });
 
@@ -418,14 +660,23 @@ class DbxFirebaseOidcInteractionService {
     /**
      * Submit consent decision to complete the consent interaction.
      *
-     * Automatically attaches the current user's Firebase ID token.
+     * Automatically attaches the current user's Firebase ID token. When `approved`
+     * is true, optional `grants` may be passed to grant only a subset of the
+     * requested scopes/claims/resource scopes; the server validates that any
+     * subset is contained in the corresponding `missing*` set on the prompt.
+     *
+     * When `approved` is false, `grants` is ignored (not sent).
      *
      * @param uid - The OIDC interaction UID identifying the current consent interaction.
      * @param approved - Whether the user approved or denied the consent request.
+     * @param grants - Optional subset of OIDC scopes / OIDC claims / resource scopes to grant.
      * @returns Observable that emits the redirect URL from the server response.
      */
-    submitConsent(uid, approved) {
-        return this._authService.idTokenString$.pipe(first(), switchMap((idToken) => this.http.post(`${this.baseUrl}/${uid}/consent`, { idToken, approved })));
+    submitConsent(uid, approved, grants) {
+        return this._authService.idTokenString$.pipe(first(), switchMap((idToken) => {
+            const body = approved && grants ? { idToken, approved, ...grants } : { idToken, approved };
+            return this.http.post(`${this.baseUrl}/${uid}/consent`, body);
+        }));
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcInteractionService, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
     static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcInteractionService, providedIn: 'root' });
@@ -454,7 +705,7 @@ class DbxFirebaseOAuthLoginComponent {
     interactionService = inject(DbxFirebaseOidcInteractionService);
     uidParamReader = dbxRouteParamReaderInstance(this.dbxRouterService, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY);
     interactionUid = toSignal(this.uidParamReader.value$);
-    isLoggedIn = toSignal(this.dbxFirebaseAuthService.isLoggedIn$, { initialValue: false });
+    isLoggedIn = toSignal(this.dbxFirebaseAuthService.isLoggedIn$);
     submitting = signal(false, ...(ngDevMode ? [{ debugName: "submitting" }] : /* istanbul ignore next */ []));
     errorMessage = signal(null, ...(ngDevMode ? [{ debugName: "errorMessage" }] : /* istanbul ignore next */ []));
     loginStateCase = computed(() => {
@@ -464,7 +715,11 @@ class DbxFirebaseOAuthLoginComponent {
         if (this.errorMessage()) {
             return 'error';
         }
-        if (!this.isLoggedIn()) {
+        const isLoggedIn = this.isLoggedIn();
+        if (isLoggedIn === undefined) {
+            return 'unknown';
+        }
+        if (!isLoggedIn) {
             return 'no_user';
         }
         return 'user';
@@ -530,17 +785,29 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                 }]
         }], ctorParameters: () => [] });
 
+/**
+ * OIDC scopes that cannot be deselected on the consent screen. `openid` is
+ * mandatory for any OIDC flow, so the UI shows it as always-granted and the
+ * server enforces it regardless of payload.
+ */
+const OAUTH_CONSENT_REQUIRED_SCOPES = ['openid'];
 /**
  * Container component for the OIDC OAuth consent screen.
  *
- * Manages all state: route param reading, consent submission, and error handling.
- * Delegates visual rendering to `DbxFirebaseOAuthConsentViewComponent`.
- *
  * Reads interaction UID and client details from route params (populated by
- * the server redirect), then assembles them into `OAuthInteractionLoginDetails`.
+ * the server redirect), assembles them into `OAuthInteractionLoginDetails`,
+ * and exposes Approve / Deny handlers that drive the view's nested
+ * `dbxAction` contexts.
+ *
+ * Submission progress and error states are owned by the action stores; this
+ * container is just routing-glue + handler factories.
+ *
+ * Supports ng-content projection — any content provided is passed through to
+ * the view component for the `'no_user'` state (e.g. an app's login view).
  */
 class DbxOAuthConsentComponent {
     dbxRouterService = inject(DbxRouterService);
+    dbxFirebaseAuthService = inject(DbxFirebaseAuthService);
     interactionService = inject(DbxFirebaseOidcInteractionService);
     oidcConfigService = inject(DbxFirebaseOidcConfigService);
     // Config input
@@ -559,6 +826,8 @@ class DbxOAuthConsentComponent {
     routeClientUri = toSignal(this.clientUriParamReader.value$);
     routeLogoUri = toSignal(this.logoUriParamReader.value$);
     routeScopes = toSignal(this.scopesParamReader.value$);
+    // Auth state — undefined until Firebase resolves to avoid a flash between 'unknown' → 'no_user'/'user'
+    isLoggedIn = toSignal(this.dbxFirebaseAuthService.isLoggedIn$);
     // Resolved values
     resolvedInteractionUid = computed(() => this.routeUid(), ...(ngDevMode ? [{ debugName: "resolvedInteractionUid" }] : /* istanbul ignore next */ []));
     resolvedDetails = computed(() => {
@@ -579,8 +848,21 @@ class DbxOAuthConsentComponent {
     scopeInjectionConfig = computed(() => ({
         componentClass: this.config()?.consentScopeListViewClass ?? this.oidcConfigService.consentScopeListViewClass ?? DbxFirebaseOAuthConsentScopeDefaultViewComponent
     }), ...(ngDevMode ? [{ debugName: "scopeInjectionConfig" }] : /* istanbul ignore next */ []));
-    loading = signal(false, ...(ngDevMode ? [{ debugName: "loading" }] : /* istanbul ignore next */ []));
-    error = signal(null, ...(ngDevMode ? [{ debugName: "error" }] : /* istanbul ignore next */ []));
+    /**
+     * Scopes the user cannot deselect. Forwarded to the view, which shows
+     * them as a static "Always granted" hint above the selection list.
+     */
+    requiredScopes = OAUTH_CONSENT_REQUIRED_SCOPES;
+    consentStateCase = computed(() => {
+        const isLoggedIn = this.isLoggedIn();
+        if (isLoggedIn === undefined) {
+            return 'unknown';
+        }
+        if (!isLoggedIn) {
+            return 'no_user';
+        }
+        return 'user';
+    }, ...(ngDevMode ? [{ debugName: "consentStateCase" }] : /* istanbul ignore next */ []));
     ngOnDestroy() {
         this.interactionUidParamReader.destroy();
         this.clientIdParamReader.destroy();
@@ -589,37 +871,47 @@ class DbxOAuthConsentComponent {
         this.logoUriParamReader.destroy();
         this.scopesParamReader.destroy();
     }
-    approve() {
-        this._submitConsent(true);
-    }
-    deny() {
-        this._submitConsent(false);
-    }
-    _submitConsent(approved) {
+    /**
+     * Handles the Approve action. Pulls the form's selected scope array
+     * straight off the form value (it already matches the API field name
+     * `grantedOIDCScopes`) and forwards it through `submitConsent`. On a
+     * successful response, hard-navigates to the OIDC server's redirect URL.
+     */
+    handleApprove = (formValue, context) => {
         const uid = this.resolvedInteractionUid();
         if (!uid) {
-            this.error.set('Missing interaction UID');
+            context.reject(new Error('Missing interaction UID'));
             return;
         }
-        this.loading.set(true);
-        this.error.set(null);
-        this.interactionService.submitConsent(uid, approved).subscribe({
-            next: (response) => {
-                this.loading.set(false);
-                if (response.redirectTo) {
-                    window.location.href = response.redirectTo;
-                }
-            },
-            error: () => {
-                this.loading.set(false);
-                this.error.set('Failed to process consent. Please try again.');
+        const grantedOIDCScopes = formValue.grantedOIDCScopes;
+        context.startWorkingWithObservable(this.interactionService.submitConsent(uid, true, { grantedOIDCScopes }).pipe(tap((response) => {
+            if (response.redirectTo) {
+                window.location.href = response.redirectTo;
             }
-        });
-    }
+        })));
+    };
+    /**
+     * Handles the Deny action. No payload is sent — the server returns
+     * `access_denied` to the OAuth client.
+     */
+    handleDeny = (_value, context) => {
+        const uid = this.resolvedInteractionUid();
+        if (!uid) {
+            context.reject(new Error('Missing interaction UID'));
+            return;
+        }
+        context.startWorkingWithObservable(this.interactionService.submitConsent(uid, false).pipe(tap((response) => {
+            if (response.redirectTo) {
+                window.location.href = response.redirectTo;
+            }
+        })));
+    };
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxOAuthConsentComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
     static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.1.0", version: "21.2.11", type: DbxOAuthConsentComponent, isStandalone: true, selector: "dbx-firebase-oauth-consent", inputs: { config: { classPropertyName: "config", publicName: "config", isSignal: true, isRequired: false, transformFunction: null } }, host: { classAttribute: "d-block dbx-firebase-oauth-consent" }, ngImport: i0, template: `
-    <dbx-firebase-oauth-consent-view [details]="resolvedDetails()" [loading]="loading()" [error]="error()" [scopeInjectionConfig]="scopeInjectionConfig()" (approveClick)="approve()" (denyClick)="deny()"></dbx-firebase-oauth-consent-view>
-  `, isInline: true, dependencies: [{ kind: "component", type: DbxFirebaseOAuthConsentViewComponent, selector: "dbx-firebase-oauth-consent-view", inputs: ["details", "loading", "error", "scopeInjectionConfig"], outputs: ["approveClick", "denyClick"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+    <dbx-firebase-oauth-consent-view [details]="resolvedDetails()" [consentStateCase]="consentStateCase()" [scopeInjectionConfig]="scopeInjectionConfig()" [requiredScopes]="requiredScopes" [approveHandler]="handleApprove" [denyHandler]="handleDeny">
+      <ng-content />
+    </dbx-firebase-oauth-consent-view>
+  `, isInline: true, dependencies: [{ kind: "component", type: DbxFirebaseOAuthConsentViewComponent, selector: "dbx-firebase-oauth-consent-view", inputs: ["details", "consentStateCase", "scopeInjectionConfig", "requiredScopes", "approveHandler", "denyHandler"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxOAuthConsentComponent, decorators: [{
             type: Component,
@@ -628,7 +920,9 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                     standalone: true,
                     imports: [DbxFirebaseOAuthConsentViewComponent],
                     template: `
-    <dbx-firebase-oauth-consent-view [details]="resolvedDetails()" [loading]="loading()" [error]="error()" [scopeInjectionConfig]="scopeInjectionConfig()" (approveClick)="approve()" (denyClick)="deny()"></dbx-firebase-oauth-consent-view>
+    <dbx-firebase-oauth-consent-view [details]="resolvedDetails()" [consentStateCase]="consentStateCase()" [scopeInjectionConfig]="scopeInjectionConfig()" [requiredScopes]="requiredScopes" [approveHandler]="handleApprove" [denyHandler]="handleDeny">
+      <ng-content />
+    </dbx-firebase-oauth-consent-view>
   `,
                     host: {
                         class: 'd-block dbx-firebase-oauth-consent'
@@ -856,7 +1150,7 @@ class DbxFirebaseOidcEntryClientForgeFormComponent extends AbstractConfigAsyncFo
         });
     }));
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientForgeFormComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientForgeFormComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-forge-form", providers: dbxForgeFormComponentProviders(), usesInheritance: true, ngImport: i0, template: "<dbx-forge></dbx-forge>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxForgeFormComponentImportsModule }, { kind: "component", type: i1.DbxForgeFormComponent, selector: "dbx-forge" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientForgeFormComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-forge-form", providers: dbxForgeFormComponentProviders(), usesInheritance: true, ngImport: i0, template: "<dbx-forge></dbx-forge>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxForgeFormComponentImportsModule }, { kind: "component", type: i1$1.DbxForgeFormComponent, selector: "dbx-forge" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientForgeFormComponent, decorators: [{
             type: Component,
@@ -878,7 +1172,7 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
 class DbxFirebaseOidcEntryClientTestForgeFormComponent extends AbstractConfigAsyncForgeFormDirective {
     formConfig$ = this.currentConfig$.pipe(map((config) => (config ? oidcEntryClientTestForgeFormFields(config) : undefined)));
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientTestForgeFormComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientTestForgeFormComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-test-forge-form", providers: dbxForgeFormComponentProviders(), usesInheritance: true, ngImport: i0, template: "<dbx-forge></dbx-forge>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxForgeFormComponentImportsModule }, { kind: "component", type: i1.DbxForgeFormComponent, selector: "dbx-forge" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientTestForgeFormComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-test-forge-form", providers: dbxForgeFormComponentProviders(), usesInheritance: true, ngImport: i0, template: "<dbx-forge></dbx-forge>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxForgeFormComponentImportsModule }, { kind: "component", type: i1$1.DbxForgeFormComponent, selector: "dbx-forge" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientTestForgeFormComponent, decorators: [{
             type: Component,
@@ -892,6 +1186,173 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                 }]
         }] });
 
+/**
+ * Document store for a single {@link OidcEntry}.
+ */
+class OidcEntryDocumentStore extends AbstractDbxFirebaseDocumentStore {
+    oidcModelFunctions = inject(OidcModelFunctions);
+    _latestClientSecret$ = completeOnDestroy(new BehaviorSubject(undefined));
+    /**
+     * The client secret from the most recent create operation.
+     *
+     * Only available immediately after creation — the server does not return it again.
+     */
+    latestClientSecret$ = this._latestClientSecret$.asObservable();
+    get latestClientSecret() {
+        return this._latestClientSecret$.value;
+    }
+    constructor() {
+        super({ firestoreCollection: inject(OidcModelFirestoreCollections).oidcEntryCollection });
+    }
+    createClient = firebaseDocumentStoreCreateFunction(this, this.oidcModelFunctions.oidcEntry.createOidcEntry.client, {
+        onResult: (_params, result) => {
+            this._latestClientSecret$.next(result.client_secret);
+        }
+    });
+    updateClient = firebaseDocumentStoreUpdateFunction(this, this.oidcModelFunctions.oidcEntry.updateOidcEntry.client);
+    rotateClientSecret = firebaseDocumentStoreUpdateFunction(this, this.oidcModelFunctions.oidcEntry.updateOidcEntry.rotateClientSecret, {
+        onResult: (_params, result) => {
+            this._latestClientSecret$.next(result.client_secret);
+        }
+    });
+    deleteClient = firebaseDocumentStoreDeleteFunction(this, this.oidcModelFunctions.oidcEntry.deleteOidcEntry.client);
+    deleteToken = firebaseDocumentStoreDeleteFunction(this, this.oidcModelFunctions.oidcEntry.deleteOidcEntry.token);
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore, decorators: [{
+            type: Injectable
+        }], ctorParameters: () => [] });
+
+/**
+ * Wrapper list of {@link OidcEntry} Grant rows belonging to the current user.
+ *
+ * Renders one row per Grant — i.e. one row per "app with access to my account" —
+ * with an inline Revoke button that cascades through every grantable token.
+ */
+class DbxFirebaseOidcEntryGrantListComponent extends AbstractDbxSelectionListWrapperDirective {
+    constructor() {
+        super({
+            componentClass: DbxFirebaseOidcEntryGrantListViewComponent,
+            defaultSelectionMode: 'view'
+        });
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryGrantListComponent, isStandalone: true, selector: "dbx-firebase-oidc-grant-list", host: { classAttribute: "dbx-list-no-hover-effects dbx-list-card-items-list" }, providers: provideDbxListViewWrapper(DbxFirebaseOidcEntryGrantListComponent), usesInheritance: true, ngImport: i0, template: "\n  <dbx-list [state]=\"currentState$\" [config]=\"configSignal()\" [hasMore]=\"hasMore()\" [disabled]=\"disabledSignal()\" [selectionMode]=\"selectionModeSignal()\">\n    <ng-content top select=\"[top]\"></ng-content>\n    <ng-content bottom select=\"[bottom]\"></ng-content>\n    <ng-content empty select=\"[empty]\"></ng-content>\n    <ng-content emptyLoading select=\"[emptyLoading]\"></ng-content>\n    <ng-content end select=\"[end]\"></ng-content>\n  </dbx-list>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxListWrapperComponentImportsModule }, { kind: "component", type: i1.DbxListComponent, selector: "dbx-list", inputs: ["padded", "state", "config", "disabled", "selectionMode", "hasMore"], outputs: ["contentScrolled"] }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oidc-grant-list',
+                    template: DEFAULT_LIST_WRAPPER_COMPONENT_CONFIGURATION_TEMPLATE,
+                    providers: provideDbxListViewWrapper(DbxFirebaseOidcEntryGrantListComponent),
+                    standalone: true,
+                    host: {
+                        class: 'dbx-list-no-hover-effects dbx-list-card-items-list'
+                    },
+                    imports: [DbxListWrapperComponentImportsModule],
+                    changeDetection: ChangeDetectionStrategy.OnPush
+                }]
+        }], ctorParameters: () => [] });
+class DbxFirebaseOidcEntryGrantListViewComponent extends AbstractDbxSelectionListViewDirective {
+    config = {
+        componentClass: DbxFirebaseOidcEntryGrantListViewItemComponent,
+        mapValuesToItemValues: (x) => of(x.map((y, i) => {
+            const id = y.id;
+            return { ...y, key: id ?? `grant_${i}`, itemValue: y };
+        }))
+    };
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListViewComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryGrantListViewComponent, isStandalone: true, selector: "dbx-firebase-oidc-grant-list-view", providers: provideDbxListView(DbxFirebaseOidcEntryGrantListViewComponent), usesInheritance: true, ngImport: i0, template: "<dbx-selection-list-view [config]=\"config\"></dbx-selection-list-view>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxSelectionValueListViewComponentImportsModule }, { kind: "component", type: i1.DbxSelectionValueListViewComponent, selector: "dbx-selection-list-view" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListViewComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oidc-grant-list-view',
+                    template: DEFAULT_DBX_SELECTION_VALUE_LIST_COMPONENT_CONFIGURATION_TEMPLATE,
+                    providers: provideDbxListView(DbxFirebaseOidcEntryGrantListViewComponent),
+                    standalone: true,
+                    imports: [DbxSelectionValueListViewComponentImportsModule],
+                    changeDetection: ChangeDetectionStrategy.OnPush
+                }]
+        }] });
+// MARK: Item
+/**
+ * Per-row view for a Grant entry. Inline "Revoke" button uses a per-component
+ * {@link OidcEntryDocumentStore} keyed to this entry's id so calling
+ * `deleteToken` invokes the {@link DeleteOidcTokenParams} callModel against
+ * the right document.
+ */
+class DbxFirebaseOidcEntryGrantListViewItemComponent extends AbstractDbxValueListViewItemComponent {
+    oidcEntryDocumentStore = inject(OidcEntryDocumentStore);
+    clientIdSignal = computed(() => this._payload().clientId ?? '', ...(ngDevMode ? [{ debugName: "clientIdSignal" }] : /* istanbul ignore next */ []));
+    scopeSignal = computed(() => this._payload().openid?.scope ?? null, ...(ngDevMode ? [{ debugName: "scopeSignal" }] : /* istanbul ignore next */ []));
+    expiresAtSignal = computed(() => this.itemValue.expiresAt ?? null, ...(ngDevMode ? [{ debugName: "expiresAtSignal" }] : /* istanbul ignore next */ []));
+    revokeConfirmConfig = {
+        title: 'Revoke access',
+        prompt: 'This app will lose access to your account immediately. Existing access and refresh tokens stop working.',
+        confirmText: 'Revoke'
+    };
+    handleRevoke = (_, context) => {
+        context.startWorkingWithLoadingStateObservable(this.oidcEntryDocumentStore.deleteToken({}));
+    };
+    constructor() {
+        super();
+        const id = this.itemValue.id;
+        if (id) {
+            this.oidcEntryDocumentStore.setId(id);
+        }
+    }
+    _payload() {
+        return this.itemValue.payload ?? {};
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListViewItemComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryGrantListViewItemComponent, isStandalone: true, selector: "dbx-firebase-oidc-grant-list-view-item", providers: [OidcEntryDocumentStore], usesInheritance: true, ngImport: i0, template: `
+    <div class="dbx-list-item-padded dbx-list-item-padded-thick dbx-list-two-line-item">
+      <div class="item-left">
+        <span class="item-title">{{ clientIdSignal() }}</span>
+        @if (scopeSignal()) {
+          <span class="item-details">{{ scopeSignal() }}</span>
+        }
+        @if (expiresAtSignal()) {
+          <span class="item-details-footnote">Expires {{ expiresAtSignal() | date: 'medium' }}</span>
+        }
+      </div>
+      <dbx-spacer></dbx-spacer>
+      <div class="item-right">
+        <dbx-button dbxAction [dbxActionHandler]="handleRevoke" [dbxActionConfirm]="revokeConfirmConfig" dbxActionButton text="Revoke" icon="block" color="warn" [raised]="true"></dbx-button>
+      </div>
+    </div>
+  `, isInline: true, dependencies: [{ kind: "directive", type: DbxSpacerDirective, selector: "dbx-spacer, [dbxSpacer]" }, { kind: "component", type: DbxButtonComponent, selector: "dbx-button", inputs: ["bar", "type", "buttonStyle", "color", "spinnerColor", "customButtonColor", "customTextColor", "customSpinnerColor", "basic", "tonal", "raised", "stroked", "flat", "iconOnly", "fab", "customContent", "allowClickPropagation", "mode"] }, { kind: "directive", type: DbxActionDirective, selector: "dbx-action,[dbxAction]", exportAs: ["action", "dbxAction"] }, { kind: "directive", type: DbxActionHandlerDirective, selector: "[dbxActionHandler]", inputs: ["dbxActionHandler"] }, { kind: "directive", type: DbxActionButtonDirective, selector: "[dbxActionButton]", inputs: ["dbxActionButtonEcho"] }, { kind: "directive", type: DbxActionConfirmDirective, selector: "[dbxActionConfirm]", inputs: ["dbxActionConfirm", "dbxActionConfirmSkip"] }, { kind: "pipe", type: DatePipe, name: "date" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListViewItemComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oidc-grant-list-view-item',
+                    template: `
+    <div class="dbx-list-item-padded dbx-list-item-padded-thick dbx-list-two-line-item">
+      <div class="item-left">
+        <span class="item-title">{{ clientIdSignal() }}</span>
+        @if (scopeSignal()) {
+          <span class="item-details">{{ scopeSignal() }}</span>
+        }
+        @if (expiresAtSignal()) {
+          <span class="item-details-footnote">Expires {{ expiresAtSignal() | date: 'medium' }}</span>
+        }
+      </div>
+      <dbx-spacer></dbx-spacer>
+      <div class="item-right">
+        <dbx-button dbxAction [dbxActionHandler]="handleRevoke" [dbxActionConfirm]="revokeConfirmConfig" dbxActionButton text="Revoke" icon="block" color="warn" [raised]="true"></dbx-button>
+      </div>
+    </div>
+  `,
+                    standalone: true,
+                    imports: [DatePipe, DbxSpacerDirective, DbxButtonComponent, DbxActionDirective, DbxActionHandlerDirective, DbxActionButtonDirective, DbxActionConfirmDirective],
+                    providers: [OidcEntryDocumentStore],
+                    changeDetection: ChangeDetectionStrategy.OnPush
+                }]
+        }], ctorParameters: () => [] });
+
 class DbxFirebaseOidcEntryClientListComponent extends AbstractDbxSelectionListWrapperDirective {
     constructor() {
         super({
@@ -900,7 +1361,7 @@ class DbxFirebaseOidcEntryClientListComponent extends AbstractDbxSelectionListWr
         });
     }
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientListComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientListComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-list", providers: provideDbxListViewWrapper(DbxFirebaseOidcEntryClientListComponent), usesInheritance: true, ngImport: i0, template: "\n  <dbx-list [state]=\"currentState$\" [config]=\"configSignal()\" [hasMore]=\"hasMore()\" [disabled]=\"disabledSignal()\" [selectionMode]=\"selectionModeSignal()\">\n    <ng-content top select=\"[top]\"></ng-content>\n    <ng-content bottom select=\"[bottom]\"></ng-content>\n    <ng-content empty select=\"[empty]\"></ng-content>\n    <ng-content emptyLoading select=\"[emptyLoading]\"></ng-content>\n    <ng-content end select=\"[end]\"></ng-content>\n  </dbx-list>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxListWrapperComponentImportsModule }, { kind: "component", type: i1$1.DbxListComponent, selector: "dbx-list", inputs: ["padded", "state", "config", "disabled", "selectionMode", "hasMore"], outputs: ["contentScrolled"] }] });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientListComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-list", providers: provideDbxListViewWrapper(DbxFirebaseOidcEntryClientListComponent), usesInheritance: true, ngImport: i0, template: "\n  <dbx-list [state]=\"currentState$\" [config]=\"configSignal()\" [hasMore]=\"hasMore()\" [disabled]=\"disabledSignal()\" [selectionMode]=\"selectionModeSignal()\">\n    <ng-content top select=\"[top]\"></ng-content>\n    <ng-content bottom select=\"[bottom]\"></ng-content>\n    <ng-content empty select=\"[empty]\"></ng-content>\n    <ng-content emptyLoading select=\"[emptyLoading]\"></ng-content>\n    <ng-content end select=\"[end]\"></ng-content>\n  </dbx-list>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxListWrapperComponentImportsModule }, { kind: "component", type: i1.DbxListComponent, selector: "dbx-list", inputs: ["padded", "state", "config", "disabled", "selectionMode", "hasMore"], outputs: ["contentScrolled"] }] });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientListComponent, decorators: [{
             type: Component,
@@ -918,7 +1379,7 @@ class DbxFirebaseOidcEntryClientListViewComponent extends AbstractDbxSelectionLi
         mapValuesToItemValues: (x) => of(x.map((y, i) => ({ ...y, key: `oidc_${i}`, itemValue: y })))
     };
     static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientListViewComponent, deps: null, target: i0.ɵɵFactoryTarget.Component });
-    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientListViewComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-list-view", providers: provideDbxListView(DbxFirebaseOidcEntryClientListViewComponent), usesInheritance: true, ngImport: i0, template: "<dbx-selection-list-view [config]=\"config\"></dbx-selection-list-view>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxSelectionValueListViewComponentImportsModule }, { kind: "component", type: i1$1.DbxSelectionValueListViewComponent, selector: "dbx-selection-list-view" }] });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "14.0.0", version: "21.2.11", type: DbxFirebaseOidcEntryClientListViewComponent, isStandalone: true, selector: "dbx-firebase-oidc-client-list-view", providers: provideDbxListView(DbxFirebaseOidcEntryClientListViewComponent), usesInheritance: true, ngImport: i0, template: "<dbx-selection-list-view [config]=\"config\"></dbx-selection-list-view>", isInline: true, dependencies: [{ kind: "ngmodule", type: DbxSelectionValueListViewComponentImportsModule }, { kind: "component", type: i1.DbxSelectionValueListViewComponent, selector: "dbx-selection-list-view" }] });
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryClientListViewComponent, decorators: [{
             type: Component,
@@ -1016,42 +1477,77 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
         }] });
 
 /**
- * Document store for a single {@link OidcEntry}.
+ * Collection store for querying {@link OidcEntry} documents.
  */
-class OidcEntryDocumentStore extends AbstractDbxFirebaseDocumentStore {
-    oidcModelFunctions = inject(OidcModelFunctions);
-    _latestClientSecret$ = completeOnDestroy(new BehaviorSubject(undefined));
-    /**
-     * The client secret from the most recent create operation.
-     *
-     * Only available immediately after creation — the server does not return it again.
-     */
-    latestClientSecret$ = this._latestClientSecret$.asObservable();
-    get latestClientSecret() {
-        return this._latestClientSecret$.value;
-    }
+class OidcEntryCollectionStore extends AbstractDbxFirebaseCollectionStore {
     constructor() {
         super({ firestoreCollection: inject(OidcModelFirestoreCollections).oidcEntryCollection });
     }
-    createClient = firebaseDocumentStoreCreateFunction(this, this.oidcModelFunctions.oidcEntry.createOidcEntry.client, {
-        onResult: (_params, result) => {
-            this._latestClientSecret$.next(result.client_secret);
-        }
-    });
-    updateClient = firebaseDocumentStoreUpdateFunction(this, this.oidcModelFunctions.oidcEntry.updateOidcEntry.client);
-    rotateClientSecret = firebaseDocumentStoreUpdateFunction(this, this.oidcModelFunctions.oidcEntry.updateOidcEntry.rotateClientSecret, {
-        onResult: (_params, result) => {
-            this._latestClientSecret$.next(result.client_secret);
-        }
-    });
-    deleteClient = firebaseDocumentStoreDeleteFunction(this, this.oidcModelFunctions.oidcEntry.deleteOidcEntry.client);
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore });
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
+    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore });
 }
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryDocumentStore, decorators: [{
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore, decorators: [{
             type: Injectable
         }], ctorParameters: () => [] });
 
+/**
+ * Directive providing a {@link OidcEntryCollectionStore} for querying {@link OidcEntry} documents.
+ */
+class OidcEntryCollectionStoreDirective extends DbxFirebaseCollectionStoreDirective {
+    constructor() {
+        super(inject(OidcEntryCollectionStore));
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStoreDirective, deps: [], target: i0.ɵɵFactoryTarget.Directive });
+    static ɵdir = i0.ɵɵngDeclareDirective({ minVersion: "14.0.0", version: "21.2.11", type: OidcEntryCollectionStoreDirective, isStandalone: true, selector: "[dbxOidcEntryCollection]", providers: provideDbxFirebaseCollectionStoreDirective(OidcEntryCollectionStoreDirective, OidcEntryCollectionStore), usesInheritance: true, ngImport: i0 });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStoreDirective, decorators: [{
+            type: Directive,
+            args: [{
+                    selector: '[dbxOidcEntryCollection]',
+                    providers: provideDbxFirebaseCollectionStoreDirective(OidcEntryCollectionStoreDirective, OidcEntryCollectionStore),
+                    standalone: true
+                }]
+        }], ctorParameters: () => [] });
+
+/**
+ * Drop-in container for the "apps with access to my account" management UI.
+ *
+ * Wires a {@link OidcEntryCollectionStoreDirective} to query Grant entries
+ * for the signed-in user, then renders {@link DbxFirebaseOidcEntryGrantListComponent}
+ * with inline Revoke buttons. No inputs — the container resolves the current
+ * user via {@link DbxFirebaseAuthService}.
+ */
+class DbxFirebaseOidcEntryGrantListContainerComponent {
+    dbxFirebaseAuthService = inject(DbxFirebaseAuthService);
+    oidcEntryCollectionStoreDirective = viewChild(OidcEntryCollectionStoreDirective, ...(ngDevMode ? [{ debugName: "oidcEntryCollectionStoreDirective" }] : /* istanbul ignore next */ []));
+    grantConstraintsSignal = toSignal(this.dbxFirebaseAuthService.currentAuthUser$.pipe(map((user) => (user?.uid ? oidcGrantEntriesByUidQuery(user.uid) : []))));
+    ngOnInit() {
+        const directive = this.oidcEntryCollectionStoreDirective();
+        directive?.setMaxPages(5);
+        directive?.setItemsPerPage(20);
+    }
+    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListContainerComponent, deps: [], target: i0.ɵɵFactoryTarget.Component });
+    static ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.2.0", version: "21.2.11", type: DbxFirebaseOidcEntryGrantListContainerComponent, isStandalone: true, selector: "dbx-firebase-oidc-grant-list-container", viewQueries: [{ propertyName: "oidcEntryCollectionStoreDirective", first: true, predicate: OidcEntryCollectionStoreDirective, descendants: true, isSignal: true }], ngImport: i0, template: `
+    <div dbxOidcEntryCollection dbxFirebaseCollectionChange="auto" [constraints]="grantConstraintsSignal()">
+      <dbx-firebase-oidc-grant-list dbxFirebaseCollectionList></dbx-firebase-oidc-grant-list>
+    </div>
+  `, isInline: true, dependencies: [{ kind: "directive", type: OidcEntryCollectionStoreDirective, selector: "[dbxOidcEntryCollection]" }, { kind: "directive", type: DbxFirebaseCollectionListDirective, selector: "[dbxFirebaseCollectionList]" }, { kind: "directive", type: DbxFirebaseCollectionChangeDirective, selector: "[dbxFirebaseCollectionChange]", inputs: ["dbxFirebaseCollectionChange"] }, { kind: "component", type: DbxFirebaseOidcEntryGrantListComponent, selector: "dbx-firebase-oidc-grant-list" }], changeDetection: i0.ChangeDetectionStrategy.OnPush });
+}
+i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: DbxFirebaseOidcEntryGrantListContainerComponent, decorators: [{
+            type: Component,
+            args: [{
+                    selector: 'dbx-firebase-oidc-grant-list-container',
+                    template: `
+    <div dbxOidcEntryCollection dbxFirebaseCollectionChange="auto" [constraints]="grantConstraintsSignal()">
+      <dbx-firebase-oidc-grant-list dbxFirebaseCollectionList></dbx-firebase-oidc-grant-list>
+    </div>
+  `,
+                    standalone: true,
+                    imports: [OidcEntryCollectionStoreDirective, DbxFirebaseCollectionListDirective, DbxFirebaseCollectionChangeDirective, DbxFirebaseOidcEntryGrantListComponent],
+                    changeDetection: ChangeDetectionStrategy.OnPush
+                }]
+        }], propDecorators: { oidcEntryCollectionStoreDirective: [{ type: i0.ViewChild, args: [i0.forwardRef(() => OidcEntryCollectionStoreDirective), { isSignal: true }] }] } });
+
 /**
  * Container component for creating a new OAuth client.
  *
@@ -1365,39 +1861,6 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImpo
                 }]
         }] });
 
-/**
- * Collection store for querying {@link OidcEntry} documents.
- */
-class OidcEntryCollectionStore extends AbstractDbxFirebaseCollectionStore {
-    constructor() {
-        super({ firestoreCollection: inject(OidcModelFirestoreCollections).oidcEntryCollection });
-    }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore, deps: [], target: i0.ɵɵFactoryTarget.Injectable });
-    static ɵprov = i0.ɵɵngDeclareInjectable({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore });
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStore, decorators: [{
-            type: Injectable
-        }], ctorParameters: () => [] });
-
-/**
- * Directive providing a {@link OidcEntryCollectionStore} for querying {@link OidcEntry} documents.
- */
-class OidcEntryCollectionStoreDirective extends DbxFirebaseCollectionStoreDirective {
-    constructor() {
-        super(inject(OidcEntryCollectionStore));
-    }
-    static ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStoreDirective, deps: [], target: i0.ɵɵFactoryTarget.Directive });
-    static ɵdir = i0.ɵɵngDeclareDirective({ minVersion: "14.0.0", version: "21.2.11", type: OidcEntryCollectionStoreDirective, isStandalone: true, selector: "[dbxOidcEntryCollection]", providers: provideDbxFirebaseCollectionStoreDirective(OidcEntryCollectionStoreDirective, OidcEntryCollectionStore), usesInheritance: true, ngImport: i0 });
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "21.2.11", ngImport: i0, type: OidcEntryCollectionStoreDirective, decorators: [{
-            type: Directive,
-            args: [{
-                    selector: '[dbxOidcEntryCollection]',
-                    providers: provideDbxFirebaseCollectionStoreDirective(OidcEntryCollectionStoreDirective, OidcEntryCollectionStore),
-                    standalone: true
-                }]
-        }], ctorParameters: () => [] });
-
 /**
  * Directive providing a {@link OidcEntryDocumentStore} for accessing a single {@link OidcEntry} document.
  */
@@ -1465,5 +1928,5 @@ function provideDbxFirebaseOidc(config) {
  * Generated bundle index. Do not edit.
  */
 
-export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
+export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeFormComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentScopeListItemComponent, DbxFirebaseOAuthConsentScopeListViewComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcEntryGrantListComponent, DbxFirebaseOidcEntryGrantListContainerComponent, DbxFirebaseOidcEntryGrantListViewComponent, DbxFirebaseOidcEntryGrantListViewItemComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oauthConsentScopesFormConfig, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
 //# sourceMappingURL=dereekb-dbx-firebase-oidc.mjs.map