npm - @dereekb/dbx-firebase - Versions diffs - 13.11.3 → 13.11.5 - Mend

@dereekb/dbx-firebase 13.11.3 → 13.11.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/fesm2022/dereekb-dbx-firebase-oidc.mjs +685 -222
package/fesm2022/dereekb-dbx-firebase-oidc.mjs.map +1 -1
package/fesm2022/dereekb-dbx-firebase.mjs +36 -1
package/fesm2022/dereekb-dbx-firebase.mjs.map +1 -1
package/package.json +11 -11
package/types/dereekb-dbx-firebase-oidc.d.ts +425 -171
package/types/dereekb-dbx-firebase.d.ts +36 -1

package/types/dereekb-dbx-firebase-oidc.d.ts CHANGED Viewed

@@ -1,26 +1,32 @@
-import * as _angular_core from '@angular/core';
-import { OnDestroy, Signal, Type, EnvironmentProviders } from '@angular/core';
+import * as i0 from '@angular/core';
+import { Signal, OnDestroy, Type, OnInit, EnvironmentProviders } from '@angular/core';
 import * as _dereekb_util from '@dereekb/util';
 import { Maybe, ErrorInput } from '@dereekb/util';
 import * as _dereekb_dbx_core from '@dereekb/dbx-core';
 import { DbxInjectionComponentConfig, SegueRefOrSegueRefRouterLink } from '@dereekb/dbx-core';
+import { WorkUsingContext } from '@dereekb/rxjs';
 import * as _dereekb_firebase from '@dereekb/firebase';
-import { OAuthInteractionLoginDetails, OidcScope, OidcInteractionUid, OidcTokenEndpointAuthMethod, OidcRedirectUri, OidcScopeDetails, CreateOidcClientParams, UpdateOidcClientFieldParams, OidcEntry, OidcEntryDocument, OidcModelFunctions, CreateOidcClientResult, RotateOidcClientSecretResult, OidcModelFirestoreCollections, OAuthInteractionLoginResponse, OAuthInteractionConsentResponse } from '@dereekb/firebase';
+import { OidcScope, OAuthInteractionLoginDetails, OAuthInteractionConsentResponse, OidcInteractionUid, OidcTokenEndpointAuthMethod, OidcRedirectUri, OidcScopeDetails, CreateOidcClientParams, UpdateOidcClientFieldParams, OidcEntry, OidcEntryDocument, OidcModelFunctions, CreateOidcClientResult, RotateOidcClientSecretResult, FirestoreQueryConstraint, OidcModelFirestoreCollections, OAuthInteractionLoginResponse, OAuthInteractionConsentRequest } from '@dereekb/firebase';
+import { FormConfig, ContainerField, RegisteredFieldTypes } from '@ng-forge/dynamic-forms';
+import { AbstractDbxSelectionListWrapperDirective, AbstractDbxValueListViewItemComponent, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, DbxActionConfirmConfig, DbxValueAsListItem } from '@dereekb/dbx-web';
 import * as _dereekb_dbx_form from '@dereekb/dbx-form';
 import { AbstractConfigAsyncForgeFormDirective } from '@dereekb/dbx-form';
-import * as _ng_forge_dynamic_forms_material from '@ng-forge/dynamic-forms-material';
-import { ContainerField, FormConfig, RegisteredFieldTypes } from '@ng-forge/dynamic-forms';
 import * as rxjs from 'rxjs';
 import { Observable } from 'rxjs';
-import { AbstractDbxSelectionListWrapperDirective, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, DbxValueAsListItem, AbstractDbxValueListViewItemComponent, DbxActionConfirmConfig } from '@dereekb/dbx-web';
-import { WorkUsingContext } from '@dereekb/rxjs';
+import * as _ng_forge_dynamic_forms_material from '@ng-forge/dynamic-forms-material';
 import * as _dereekb_dbx_firebase from '@dereekb/dbx-firebase';
-import { AbstractDbxFirebaseDocumentStore, AbstractDbxFirebaseCollectionStore, DbxFirebaseCollectionStoreDirective, DbxFirebaseDocumentStoreDirective } from '@dereekb/dbx-firebase';
+import { AbstractDbxFirebaseDocumentStore, AbstractDbxFirebaseCollectionStore, DbxFirebaseCollectionStoreDirective, DbxFirebaseAuthService, DbxFirebaseDocumentStoreDirective } from '@dereekb/dbx-firebase';
 /**
  * State cases for the OIDC login interaction flow.
+ *
+ * - `'unknown'` — Firebase auth state has not yet resolved. Render nothing/spinner to avoid flashing.
+ * - `'no_user'` — Auth resolved and there is no signed-in user. Project the login UI via ng-content.
+ * - `'user'` — Auth resolved and a user is signed in.
+ * - `'submitting'` — Submitting the ID token to the OIDC interaction endpoint.
+ * - `'error'` — Submission failed; allow retry.
  */
-type OidcLoginStateCase = 'no_user' | 'user' | 'submitting' | 'error';
+type OidcLoginStateCase = 'unknown' | 'no_user' | 'user' | 'submitting' | 'error';
 /**
  * Presentational component for the OIDC OAuth login interaction.
  *
@@ -36,69 +42,163 @@ type OidcLoginStateCase = 'no_user' | 'user' | 'submitting' | 'error';
  * ```
  */
 declare class DbxFirebaseOAuthLoginViewComponent {
-    readonly loginStateCase: _angular_core.InputSignal<OidcLoginStateCase>;
-    readonly error: _angular_core.InputSignal<Maybe<string | ErrorInput>>;
-    readonly resolvedError: _angular_core.Signal<Maybe<ErrorInput>>;
-    readonly retryClick: _angular_core.OutputEmitterRef<void>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOAuthLoginViewComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOAuthLoginViewComponent, "dbx-firebase-oauth-login-view", never, { "loginStateCase": { "alias": "loginStateCase"; "required": true; "isSignal": true; }; "error": { "alias": "error"; "required": false; "isSignal": true; }; }, { "retryClick": "retryClick"; }, never, ["*"], true, never>;
+    readonly loginStateCase: i0.InputSignal<OidcLoginStateCase>;
+    readonly error: i0.InputSignal<Maybe<string | ErrorInput>>;
+    readonly resolvedError: i0.Signal<Maybe<ErrorInput>>;
+    readonly retryClick: i0.OutputEmitterRef<void>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthLoginViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthLoginViewComponent, "dbx-firebase-oauth-login-view", never, { "loginStateCase": { "alias": "loginStateCase"; "required": true; "isSignal": true; }; "error": { "alias": "error"; "required": false; "isSignal": true; }; }, { "retryClick": "retryClick"; }, never, ["*"], true, never>;
+}
+interface OAuthConsentScope<T extends OidcScope = OidcScope> {
+    readonly name: T;
+    readonly description: string;
 }
+/**
+ * Validator key emitted when the user has not selected any optional scope.
+ * Surfaces alongside the form's invalid state so the action button stays disabled.
+ */
+declare const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND = "mustSelectAtLeastOneScope";
+/**
+ * Default message shown when the user has cleared every optional scope.
+ */
+declare const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE = "Select at least one scope to grant.";
+/**
+ * Form value emitted by the consent scopes form.
+ *
+ * Uses the same key as the `OAuthInteractionConsentRequest.grantedOIDCScopes`
+ * payload field so the consent action handler can pass the form value through
+ * directly.
+ */
+interface OAuthConsentScopesFormValue {
+    readonly grantedOIDCScopes: OidcScope[];
+}
+/**
+ * Configuration for the consent scopes form.
+ *
+ * Required scopes are filtered out by the caller before being passed in —
+ * required scopes are surfaced separately as a static "Always granted" line
+ * because they are not user-selectable.
+ */
+interface OAuthConsentScopesFormFieldsConfig {
+    /**
+     * Optional scopes the user can choose to grant.
+     */
+    readonly optionalScopes: readonly OAuthConsentScope[];
+    /**
+     * Initial selection set. Defaults to every optional scope being selected.
+     */
+    readonly initiallySelected?: readonly OidcScope[];
+}
+/**
+ * Builds a complete `FormConfig` ready to feed into a forge form component.
+ *
+ * The resulting form has a single `grantedOIDCScopes` field — a
+ * `dbxForgeListSelectionField` rendered through
+ * `DbxFirebaseOAuthConsentScopeListComponent` (a `dbx-list` selection wrapper).
+ * The list renders bare (no Material form-field wrapper) and without the
+ * default 300px height cap so it grows to fit the scope list.
+ *
+ * @param config - The consent scopes form fields configuration.
+ * @returns A `FormConfig` whose single field selects an `OidcScope[]` of granted scopes.
+ */
+declare function oauthConsentScopesFormConfig(config: OAuthConsentScopesFormFieldsConfig): FormConfig;
+/**
+ * State cases for the OIDC consent interaction flow.
+ *
+ * - `'unknown'` — Firebase auth state has not yet resolved. Render a spinner
+ *   to avoid flashing between states.
+ * - `'no_user'` — Auth resolved and there is no signed-in user. Project the
+ *   login UI via ng-content.
+ * - `'user'` — Auth resolved and a user is signed in. Render the consent
+ *   form. Submission progress and errors are managed by the inner
+ *   `dbxAction` contexts and surfaced via `dbxActionSnackbarError`.
+ */
+type OidcConsentStateCase = 'unknown' | 'no_user' | 'user';
 /**
  * Presentational component for the OIDC OAuth consent screen.
  *
- * Accepts an `OAuthInteractionLoginDetails` input that contains all client and scope
- * information. Renders the client name, logo, client URL, scopes (via `<dbx-injection>`),
- * error/loading states, and approve/deny action buttons.
+ * Wires up two `dbxAction` contexts — an outer one for Approve (which hosts
+ * the scope-selection forge form via `dbxActionForm`) and a nested one for
+ * Deny (which carries no value). Buttons are bound by Angular DI's
+ * nearest-ancestor lookup: the Approve button picks up the outer action, the
+ * Deny button (wrapped in its own `<ng-container dbxAction>`) picks up the
+ * inner.
+ *
+ * Supports ng-content projection — anything provided is rendered for the
+ * `'no_user'` state (so apps can project a login view, mirroring
+ * `DbxFirebaseOAuthLoginViewComponent`).
  *
  * @example
  * ```html
  * <dbx-firebase-oauth-consent-view
  *   [details]="loginDetails"
- *   [loading]="false"
+ *   [consentStateCase]="'user'"
  *   [scopeInjectionConfig]="scopeConfig"
- *   (approveClick)="onApprove()"
- *   (denyClick)="onDeny()">
+ *   [approveHandler]="handleApprove"
+ *   [denyHandler]="handleDeny">
  * </dbx-firebase-oauth-consent-view>
  * ```
  */
 declare class DbxFirebaseOAuthConsentViewComponent {
-    readonly details: _angular_core.InputSignal<Maybe<OAuthInteractionLoginDetails<string>>>;
-    readonly loading: _angular_core.InputSignal<boolean>;
-    readonly error: _angular_core.InputSignal<Maybe<string | ErrorInput>>;
-    readonly scopeInjectionConfig: _angular_core.InputSignal<DbxInjectionComponentConfig<unknown>>;
-    readonly clientName: _angular_core.Signal<string>;
-    readonly clientUri: _angular_core.Signal<Maybe<string>>;
-    readonly logoUri: _angular_core.Signal<Maybe<string>>;
-    readonly scopes: _angular_core.Signal<string[]>;
-    readonly resolvedError: _angular_core.Signal<Maybe<ErrorInput>>;
-    readonly approveClick: _angular_core.OutputEmitterRef<void>;
-    readonly denyClick: _angular_core.OutputEmitterRef<void>;
-    readonly resolvedScopeInjectionConfig: _angular_core.Signal<DbxInjectionComponentConfig<unknown>>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentViewComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentViewComponent, "dbx-firebase-oauth-consent-view", never, { "details": { "alias": "details"; "required": false; "isSignal": true; }; "loading": { "alias": "loading"; "required": false; "isSignal": true; }; "error": { "alias": "error"; "required": false; "isSignal": true; }; "scopeInjectionConfig": { "alias": "scopeInjectionConfig"; "required": true; "isSignal": true; }; }, { "approveClick": "approveClick"; "denyClick": "denyClick"; }, never, never, true, never>;
-}
-interface OAuthConsentScope<T extends OidcScope = OidcScope> {
-    readonly name: T;
-    readonly description: string;
+    readonly details: i0.InputSignal<Maybe<OAuthInteractionLoginDetails<string>>>;
+    readonly consentStateCase: i0.InputSignal<OidcConsentStateCase>;
+    readonly scopeInjectionConfig: i0.InputSignal<DbxInjectionComponentConfig<unknown>>;
+    /**
+     * Scopes that cannot be deselected by the user. Forwarded to the scope
+     * view so it can render an "Always granted" hint. Defaults to `['openid']`.
+     */
+    readonly requiredScopes: i0.InputSignal<readonly string[]>;
+    /**
+     * Approve handler — called with the form value when the Approve button
+     * triggers the outer action. Receives a `WorkUsingContext` to drive the
+     * action's loading/success/error pipeline.
+     */
+    readonly approveHandler: i0.InputSignal<WorkUsingContext<OAuthConsentScopesFormValue, OAuthInteractionConsentResponse>>;
+    /**
+     * Deny handler — called when the Deny button triggers the inner action.
+     * No value is passed (`dbxActionValue` provides an empty payload).
+     */
+    readonly denyHandler: i0.InputSignal<WorkUsingContext<void, OAuthInteractionConsentResponse>>;
+    readonly clientName: Signal<string>;
+    readonly clientUri: Signal<Maybe<string>>;
+    readonly logoUri: Signal<Maybe<string>>;
+    readonly scopes: Signal<OidcScope[]>;
+    readonly resolvedScopeInjectionConfig: Signal<DbxInjectionComponentConfig<unknown>>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentViewComponent, "dbx-firebase-oauth-consent-view", never, { "details": { "alias": "details"; "required": false; "isSignal": true; }; "consentStateCase": { "alias": "consentStateCase"; "required": true; "isSignal": true; }; "scopeInjectionConfig": { "alias": "scopeInjectionConfig"; "required": true; "isSignal": true; }; "requiredScopes": { "alias": "requiredScopes"; "required": false; "isSignal": true; }; "approveHandler": { "alias": "approveHandler"; "required": true; "isSignal": true; }; "denyHandler": { "alias": "denyHandler"; "required": true; "isSignal": true; }; }, {}, never, ["*"], true, never>;
 }
 /**
- * Data provided to consent scope view components via the `DBX_INJECTION_COMPONENT_DATA` token.
+ * Data provided to consent scope view components via the
+ * `DBX_INJECTION_COMPONENT_DATA` token.
  *
- * Contains the scopes being requested and contextual information about the consent interaction.
+ * Carries the requested scopes plus surrounding interaction context. The
+ * form value (current granted scopes) is no longer carried here — the
+ * scope view's form is wired up via `dbxActionForm` to the parent's
+ * `dbxAction`, so the value pipeline runs through the action store at
+ * trigger time.
  */
 interface DbxFirebaseOAuthConsentScopesViewData {
     readonly details?: Maybe<OAuthInteractionLoginDetails>;
     readonly scopes: OidcScope[];
     readonly clientName: string;
+    /**
+     * Scopes that must always be granted. Surfaced separately so the scope
+     * view can render them as a static "Always granted" hint instead of
+     * making them user-selectable.
+     */
+    readonly requiredScopes?: readonly OidcScope[];
 }
 /**
  * Abstract base class for consent scope view components.
  *
- * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData` injected
- * via `DBX_INJECTION_COMPONENT_DATA`. Subclasses only need to define a template.
+ * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData`
+ * injected via `DBX_INJECTION_COMPONENT_DATA`. Subclasses define the
+ * template that renders the requested scopes and (optionally) hosts a
+ * forge form decorated with `dbxActionForm`.
  *
  * @example
  * ```typescript
@@ -108,39 +208,111 @@ interface DbxFirebaseOAuthConsentScopesViewData {
  */
 declare abstract class AbstractDbxFirebaseOAuthConsentScopeViewComponent {
     private readonly data;
-    readonly details: _angular_core.Signal<Maybe<OAuthInteractionLoginDetails<string>>>;
-    readonly scopes: _angular_core.Signal<string[]>;
-    readonly clientName: _angular_core.Signal<string>;
-    readonly clientUri: _angular_core.Signal<Maybe<string>>;
-    readonly logoUri: _angular_core.Signal<Maybe<string>>;
+    readonly details: i0.Signal<Maybe<OAuthInteractionLoginDetails<string>>>;
+    readonly scopes: i0.Signal<string[]>;
+    readonly clientName: i0.Signal<string>;
+    readonly clientUri: i0.Signal<Maybe<string>>;
+    readonly logoUri: i0.Signal<Maybe<string>>;
+    readonly requiredScopes: i0.Signal<readonly string[]>;
+    isScopeRequired(scope: OidcScope): boolean;
 }
 /**
- * Standalone presentational component that renders a list of OAuth consent scopes.
+ * Selection-list wrapper used as the `listComponentClass` for the OIDC
+ * consent scope `dbxForgeListSelectionField`.
+ *
+ * Reuses the workspace's `dbx-list` selection infrastructure so the existing
+ * scope-row visual treatment (name + description) remains intact while the
+ * selection state participates in the surrounding `dbxAction`/`dbxActionForm`
+ * pipeline.
  *
  * @example
- * ```html
- * <dbx-firebase-oauth-consent-scope-list [scopes]="mappedScopes"></dbx-firebase-oauth-consent-scope-list>
+ * ```ts
+ * dbxForgeListSelectionField<OAuthConsentScope, DbxFirebaseOAuthConsentScopeListComponent, OidcScope>({
+ *   key: 'grantedOIDCScopes',
+ *   props: {
+ *     listComponentClass: of(DbxFirebaseOAuthConsentScopeListComponent),
+ *     readKey: (scope) => scope.name,
+ *     state$: of(successResult(optionalScopes)),
+ *     wrapped: false,
+ *     maxHeight: 'none'
+ *   }
+ * });
  * ```
  */
-declare class DbxFirebaseOAuthConsentScopeListComponent {
-    readonly scopes: _angular_core.InputSignal<OAuthConsentScope<string>[]>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListComponent, "dbx-firebase-oauth-consent-scope-list", never, { "scopes": { "alias": "scopes"; "required": false; "isSignal": true; }; }, {}, never, never, true, never>;
+declare class DbxFirebaseOAuthConsentScopeListComponent extends AbstractDbxSelectionListWrapperDirective<OAuthConsentScope> {
+    constructor();
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListComponent, "dbx-firebase-oauth-consent-scope-list", never, {}, {}, never, ["[top]", "[bottom]", "[empty]", "[emptyLoading]", "[end]"], true, never>;
+}
+/**
+ * Selection list view that pairs with `DbxFirebaseOAuthConsentScopeListComponent`.
+ * Maps each `OAuthConsentScope` to a `DbxValueListItem` keyed by the scope name
+ * and renders it through `DbxFirebaseOAuthConsentScopeListItemComponent`.
+ */
+declare class DbxFirebaseOAuthConsentScopeListViewComponent extends AbstractDbxSelectionListViewDirective<OAuthConsentScope> {
+    readonly config: DbxSelectionValueListViewConfig<OAuthConsentScope>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListViewComponent, "dbx-firebase-oauth-consent-scope-list-view", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Item row inside the OIDC consent scope selection list. Shown as the visual
+ * row for both selected and unselected scopes — the selection chrome (the
+ * leading checkbox/highlight) is provided by the wrapping
+ * `dbx-selection-list-view`.
+ */
+declare class DbxFirebaseOAuthConsentScopeListItemComponent extends AbstractDbxValueListViewItemComponent<OAuthConsentScope> {
+    get name(): string;
+    get description(): string;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListItemComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListItemComponent, "ng-component", never, {}, {}, never, never, true, never>;
 }
 /**
- * Default consent scope view component that maps scope names to descriptions
- * using the `OidcScopeDetails` from the app-level OIDC configuration.
+ * Reusable forge form component that renders one checkbox per OIDC scope
+ * defined in {@link OAuthConsentScopesFormFieldsConfig}. Required scopes are
+ * rendered as checked-and-disabled.
  *
- * Apps can override this by providing a custom `consentScopeListViewClass`
- * in `DbxFirebaseOidcConfig` or `DbxOAuthConsentComponentConfig`.
+ * Pair with `<dbx-firebase-oauth-consent-scope-default-view>` for the default
+ * consent flow, or embed directly in custom consent UIs that supply their
+ * own scope/required configuration.
  */
-declare class DbxFirebaseOAuthConsentScopeDefaultViewComponent extends AbstractDbxFirebaseOAuthConsentScopeViewComponent {
-    private readonly oidcConfigService;
-    readonly mappedScopes: _angular_core.Signal<OAuthConsentScope<string>[]>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, "dbx-firebase-oauth-consent-scope-default-view", never, {}, {}, never, never, true, never>;
+declare class DbxFirebaseOAuthConsentScopeFormComponent extends AbstractConfigAsyncForgeFormDirective<OAuthConsentScopesFormValue, OAuthConsentScopesFormFieldsConfig> {
+    readonly formConfig$: Observable<Maybe<FormConfig>>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeFormComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeFormComponent, "dbx-firebase-oauth-consent-scope-form", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Default consent scope view component.
+ *
+ * Reads the requested scopes (and required scopes) from the
+ * `DBX_INJECTION_COMPONENT_DATA` provided by the parent consent view,
+ * resolves human-readable descriptions from the app-level
+ * `DbxFirebaseOidcConfigService`, then renders a
+ * `DbxFirebaseOAuthConsentScopeFormComponent` with `dbxActionForm` so the
+ * form's value participates in the surrounding `dbxAction` (the consent
+ * view's outer Approve action).
+ *
+ * Required scopes are not user-selectable. They are surfaced as an "Always
+ * granted" hint above the form because the server enforces them regardless
+ * of payload — including them in the selection list would just add noise.
+ *
+ * Apps can override this default via
+ * `DbxFirebaseOidcConfig.consentScopeListViewClass` or
+ * `DbxOAuthConsentComponentConfig.consentScopeListViewClass`. Custom views
+ * should similarly apply `dbxActionForm` to a forge form whose value matches
+ * `OAuthConsentScopesFormValue`.
+ */
+declare class DbxFirebaseOAuthConsentScopeDefaultViewComponent {
+    private readonly _oidcConfigService;
+    private readonly _data;
+    readonly mappedScopes: i0.Signal<OAuthConsentScope<string>[]>;
+    readonly optionalScopes: i0.Signal<OAuthConsentScope<string>[]>;
+    readonly alwaysGrantedLabel: i0.Signal<string | null>;
+    readonly formFieldsConfig: i0.Signal<OAuthConsentScopesFormFieldsConfig>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, "dbx-firebase-oauth-consent-scope-default-view", never, {}, {}, never, never, true, never>;
 }
 /**
@@ -162,16 +334,16 @@ declare class DbxFirebaseOAuthLoginComponent implements OnDestroy {
     private readonly interactionService;
     readonly uidParamReader: _dereekb_dbx_core.DbxRouteParamReaderInstance<string>;
     readonly interactionUid: Signal<Maybe<OidcInteractionUid>>;
-    readonly isLoggedIn: Signal<boolean>;
-    readonly submitting: _angular_core.WritableSignal<boolean>;
-    readonly errorMessage: _angular_core.WritableSignal<string | null>;
+    readonly isLoggedIn: Signal<Maybe<boolean>>;
+    readonly submitting: i0.WritableSignal<boolean>;
+    readonly errorMessage: i0.WritableSignal<string | null>;
     readonly loginStateCase: Signal<OidcLoginStateCase>;
     constructor();
     ngOnDestroy(): void;
     retry(): void;
     private _submitIdToken;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOAuthLoginComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOAuthLoginComponent, "dbx-firebase-oauth-login", never, {}, {}, never, ["*"], true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthLoginComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthLoginComponent, "dbx-firebase-oauth-login", never, {}, {}, never, ["*"], true, never>;
 }
 /**
@@ -189,17 +361,23 @@ interface DbxOAuthConsentComponentConfig {
 /**
  * Container component for the OIDC OAuth consent screen.
  *
- * Manages all state: route param reading, consent submission, and error handling.
- * Delegates visual rendering to `DbxFirebaseOAuthConsentViewComponent`.
- *
  * Reads interaction UID and client details from route params (populated by
- * the server redirect), then assembles them into `OAuthInteractionLoginDetails`.
+ * the server redirect), assembles them into `OAuthInteractionLoginDetails`,
+ * and exposes Approve / Deny handlers that drive the view's nested
+ * `dbxAction` contexts.
+ *
+ * Submission progress and error states are owned by the action stores; this
+ * container is just routing-glue + handler factories.
+ *
+ * Supports ng-content projection — any content provided is passed through to
+ * the view component for the `'no_user'` state (e.g. an app's login view).
  */
 declare class DbxOAuthConsentComponent implements OnDestroy {
     private readonly dbxRouterService;
+    private readonly dbxFirebaseAuthService;
     private readonly interactionService;
     private readonly oidcConfigService;
-    readonly config: _angular_core.InputSignal<Maybe<DbxOAuthConsentComponentConfig>>;
+    readonly config: i0.InputSignal<Maybe<DbxOAuthConsentComponentConfig>>;
     readonly interactionUidParamReader: _dereekb_dbx_core.DbxRouteParamReaderInstance<string>;
     readonly clientIdParamReader: _dereekb_dbx_core.DbxRouteParamReaderInstance<string>;
     readonly clientNameParamReader: _dereekb_dbx_core.DbxRouteParamReaderInstance<string>;
@@ -212,17 +390,31 @@ declare class DbxOAuthConsentComponent implements OnDestroy {
     private readonly routeClientUri;
     private readonly routeLogoUri;
     private readonly routeScopes;
-    readonly resolvedInteractionUid: _angular_core.Signal<Maybe<string>>;
-    readonly resolvedDetails: _angular_core.Signal<Maybe<OAuthInteractionLoginDetails<string>>>;
-    readonly scopeInjectionConfig: _angular_core.Signal<DbxInjectionComponentConfig<unknown>>;
-    readonly loading: _angular_core.WritableSignal<boolean>;
-    readonly error: _angular_core.WritableSignal<string | null>;
+    readonly isLoggedIn: Signal<Maybe<boolean>>;
+    readonly resolvedInteractionUid: Signal<Maybe<string>>;
+    readonly resolvedDetails: Signal<Maybe<OAuthInteractionLoginDetails<string>>>;
+    readonly scopeInjectionConfig: Signal<DbxInjectionComponentConfig<unknown>>;
+    /**
+     * Scopes the user cannot deselect. Forwarded to the view, which shows
+     * them as a static "Always granted" hint above the selection list.
+     */
+    readonly requiredScopes: readonly OidcScope[];
+    readonly consentStateCase: Signal<OidcConsentStateCase>;
     ngOnDestroy(): void;
-    approve(): void;
-    deny(): void;
-    private _submitConsent;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxOAuthConsentComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxOAuthConsentComponent, "dbx-firebase-oauth-consent", never, { "config": { "alias": "config"; "required": false; "isSignal": true; }; }, {}, never, never, true, never>;
+    /**
+     * Handles the Approve action. Pulls the form's selected scope array
+     * straight off the form value (it already matches the API field name
+     * `grantedOIDCScopes`) and forwards it through `submitConsent`. On a
+     * successful response, hard-navigates to the OIDC server's redirect URL.
+     */
+    readonly handleApprove: WorkUsingContext<OAuthConsentScopesFormValue, OAuthInteractionConsentResponse>;
+    /**
+     * Handles the Deny action. No payload is sent — the server returns
+     * `access_denied` to the OAuth client.
+     */
+    readonly handleDeny: WorkUsingContext<void, OAuthInteractionConsentResponse>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxOAuthConsentComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxOAuthConsentComponent, "dbx-firebase-oauth-consent", never, { "config": { "alias": "config"; "required": false; "isSignal": true; }; }, {}, never, ["*"], true, never>;
 }
 interface OidcEntryClientFormFieldsConfig {
@@ -345,8 +537,8 @@ type DbxFirebaseOidcEntryClientFormComponentConfig = Omit<OidcEntryClientFormFie
 declare class DbxFirebaseOidcEntryClientForgeFormComponent extends AbstractConfigAsyncForgeFormDirective<DbxFirebaseOidcModelClientFormValue, DbxFirebaseOidcEntryClientFormComponentConfig> {
     private readonly _oidcConfigService;
     readonly formConfig$: Observable<Maybe<FormConfig>>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientForgeFormComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientForgeFormComponent, "dbx-firebase-oidc-client-forge-form", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientForgeFormComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientForgeFormComponent, "dbx-firebase-oidc-client-forge-form", never, {}, {}, never, never, true, never>;
 }
 interface DbxFirebaseOidcModelClientTestFormValue {
@@ -362,59 +554,133 @@ type DbxFirebaseOidcEntryClientTestFormComponentConfig = OidcEntryClientTestForm
  */
 declare class DbxFirebaseOidcEntryClientTestForgeFormComponent extends AbstractConfigAsyncForgeFormDirective<DbxFirebaseOidcModelClientTestFormValue, DbxFirebaseOidcEntryClientTestFormComponentConfig> {
     readonly formConfig$: Observable<Maybe<FormConfig>>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientTestForgeFormComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientTestForgeFormComponent, "dbx-firebase-oidc-client-test-forge-form", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientTestForgeFormComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientTestForgeFormComponent, "dbx-firebase-oidc-client-test-forge-form", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Document store for a single {@link OidcEntry}.
+ */
+declare class OidcEntryDocumentStore extends AbstractDbxFirebaseDocumentStore<OidcEntry, OidcEntryDocument> {
+    readonly oidcModelFunctions: OidcModelFunctions;
+    private readonly _latestClientSecret$;
+    /**
+     * The client secret from the most recent create operation.
+     *
+     * Only available immediately after creation — the server does not return it again.
+     */
+    readonly latestClientSecret$: rxjs.Observable<Maybe<string>>;
+    get latestClientSecret(): Maybe<string>;
+    constructor();
+    readonly createClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreCreateFunction<_dereekb_firebase.CreateOidcClientParams, CreateOidcClientResult>;
+    readonly updateClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.UpdateOidcClientParams, void>;
+    readonly rotateClientSecret: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.TargetModelParams, RotateOidcClientSecretResult>;
+    readonly deleteClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.TargetModelParams, void>;
+    readonly deleteToken: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.TargetModelParams, void>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<OidcEntryDocumentStore, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<OidcEntryDocumentStore>;
+}
+/**
+ * Wrapper list of {@link OidcEntry} Grant rows belonging to the current user.
+ *
+ * Renders one row per Grant — i.e. one row per "app with access to my account" —
+ * with an inline Revoke button that cascades through every grantable token.
+ */
+declare class DbxFirebaseOidcEntryGrantListComponent extends AbstractDbxSelectionListWrapperDirective<OidcEntry> {
+    constructor();
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryGrantListComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryGrantListComponent, "dbx-firebase-oidc-grant-list", never, {}, {}, never, ["[top]", "[bottom]", "[empty]", "[emptyLoading]", "[end]"], true, never>;
+}
+declare class DbxFirebaseOidcEntryGrantListViewComponent extends AbstractDbxSelectionListViewDirective<OidcEntry> {
+    readonly config: DbxSelectionValueListViewConfig<OidcEntry & {
+        key: string;
+        itemValue: OidcEntry;
+    }>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryGrantListViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryGrantListViewComponent, "dbx-firebase-oidc-grant-list-view", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Per-row view for a Grant entry. Inline "Revoke" button uses a per-component
+ * {@link OidcEntryDocumentStore} keyed to this entry's id so calling
+ * `deleteToken` invokes the {@link DeleteOidcTokenParams} callModel against
+ * the right document.
+ */
+declare class DbxFirebaseOidcEntryGrantListViewItemComponent extends AbstractDbxValueListViewItemComponent<OidcEntry> {
+    readonly oidcEntryDocumentStore: OidcEntryDocumentStore;
+    readonly clientIdSignal: i0.Signal<string>;
+    readonly scopeSignal: i0.Signal<string | null>;
+    readonly expiresAtSignal: i0.Signal<Date | null>;
+    readonly revokeConfirmConfig: DbxActionConfirmConfig;
+    readonly handleRevoke: WorkUsingContext;
+    constructor();
+    private _payload;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryGrantListViewItemComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryGrantListViewItemComponent, "dbx-firebase-oidc-grant-list-view-item", never, {}, {}, never, never, true, never>;
 }
 type OidcEntryWithSelection = DbxValueAsListItem<OidcEntry>;
 declare class DbxFirebaseOidcEntryClientListComponent extends AbstractDbxSelectionListWrapperDirective<OidcEntry> {
     constructor();
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListComponent, "dbx-firebase-oidc-client-list", never, {}, {}, never, ["[top]", "[bottom]", "[empty]", "[emptyLoading]", "[end]"], true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListComponent, "dbx-firebase-oidc-client-list", never, {}, {}, never, ["[top]", "[bottom]", "[empty]", "[emptyLoading]", "[end]"], true, never>;
 }
 declare class DbxFirebaseOidcEntryClientListViewComponent extends AbstractDbxSelectionListViewDirective<OidcEntry> {
     readonly config: DbxSelectionValueListViewConfig<OidcEntryWithSelection>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewComponent, "dbx-firebase-oidc-client-list-view", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewComponent, "dbx-firebase-oidc-client-list-view", never, {}, {}, never, never, true, never>;
 }
 declare class DbxFirebaseOidcEntryClientListViewItemClientComponent {
-    readonly entry: _angular_core.InputSignal<OidcEntry>;
+    readonly entry: i0.InputSignal<OidcEntry>;
     get name(): string;
     get clientId(): string;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemClientComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemClientComponent, "dbx-firebase-oidc-client-list-view-item-client", never, { "entry": { "alias": "entry"; "required": true; "isSignal": true; }; }, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemClientComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemClientComponent, "dbx-firebase-oidc-client-list-view-item-client", never, { "entry": { "alias": "entry"; "required": true; "isSignal": true; }; }, {}, never, never, true, never>;
 }
 declare class DbxFirebaseOidcEntryClientListViewItemDefaultComponent {
-    readonly entry: _angular_core.InputSignal<OidcEntry>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemDefaultComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemDefaultComponent, "dbx-firebase-oidc-client-list-view-item-default", never, { "entry": { "alias": "entry"; "required": true; "isSignal": true; }; }, {}, never, never, true, never>;
+    readonly entry: i0.InputSignal<OidcEntry>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemDefaultComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemDefaultComponent, "dbx-firebase-oidc-client-list-view-item-default", never, { "entry": { "alias": "entry"; "required": true; "isSignal": true; }; }, {}, never, never, true, never>;
 }
 declare class DbxFirebaseOidcEntryClientListViewItemComponent extends AbstractDbxValueListViewItemComponent<OidcEntry> {
     readonly clientType: _dereekb_firebase.OidcEntryType;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemComponent, "ng-component", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientListViewItemComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientListViewItemComponent, "ng-component", never, {}, {}, never, never, true, never>;
 }
 /**
- * Document store for a single {@link OidcEntry}.
+ * Collection store for querying {@link OidcEntry} documents.
  */
-declare class OidcEntryDocumentStore extends AbstractDbxFirebaseDocumentStore<OidcEntry, OidcEntryDocument> {
-    readonly oidcModelFunctions: OidcModelFunctions;
-    private readonly _latestClientSecret$;
-    /**
-     * The client secret from the most recent create operation.
-     *
-     * Only available immediately after creation — the server does not return it again.
-     */
-    readonly latestClientSecret$: rxjs.Observable<Maybe<string>>;
-    get latestClientSecret(): Maybe<string>;
+declare class OidcEntryCollectionStore extends AbstractDbxFirebaseCollectionStore<OidcEntry, OidcEntryDocument> {
     constructor();
-    readonly createClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreCreateFunction<_dereekb_firebase.CreateOidcClientParams, CreateOidcClientResult>;
-    readonly updateClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.UpdateOidcClientParams, void>;
-    readonly rotateClientSecret: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.TargetModelParams, RotateOidcClientSecretResult>;
-    readonly deleteClient: _dereekb_dbx_firebase.DbxFirebaseDocumentStoreFunction<_dereekb_firebase.TargetModelParams, void>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<OidcEntryDocumentStore, never>;
-    static ɵprov: _angular_core.ɵɵInjectableDeclaration<OidcEntryDocumentStore>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<OidcEntryCollectionStore, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<OidcEntryCollectionStore>;
+}
+/**
+ * Directive providing a {@link OidcEntryCollectionStore} for querying {@link OidcEntry} documents.
+ */
+declare class OidcEntryCollectionStoreDirective extends DbxFirebaseCollectionStoreDirective<OidcEntry, OidcEntryDocument, OidcEntryCollectionStore> {
+    constructor();
+    static ɵfac: i0.ɵɵFactoryDeclaration<OidcEntryCollectionStoreDirective, never>;
+    static ɵdir: i0.ɵɵDirectiveDeclaration<OidcEntryCollectionStoreDirective, "[dbxOidcEntryCollection]", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Drop-in container for the "apps with access to my account" management UI.
+ *
+ * Wires a {@link OidcEntryCollectionStoreDirective} to query Grant entries
+ * for the signed-in user, then renders {@link DbxFirebaseOidcEntryGrantListComponent}
+ * with inline Revoke buttons. No inputs — the container resolves the current
+ * user via {@link DbxFirebaseAuthService}.
+ */
+declare class DbxFirebaseOidcEntryGrantListContainerComponent implements OnInit {
+    readonly dbxFirebaseAuthService: DbxFirebaseAuthService;
+    readonly oidcEntryCollectionStoreDirective: i0.Signal<OidcEntryCollectionStoreDirective | undefined>;
+    readonly grantConstraintsSignal: i0.Signal<FirestoreQueryConstraint<unknown>[] | undefined>;
+    ngOnInit(): void;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryGrantListContainerComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryGrantListContainerComponent, "dbx-firebase-oidc-grant-list-container", never, {}, {}, never, never, true, never>;
 }
 /**
@@ -426,11 +692,11 @@ declare class OidcEntryDocumentStore extends AbstractDbxFirebaseDocumentStore<Oi
 declare class DbxFirebaseOidcEntryClientCreateComponent {
     readonly oidcEntryDocumentStore: OidcEntryDocumentStore;
     readonly formConfig: DbxFirebaseOidcEntryClientFormComponentConfig;
-    readonly createClientOwnerTarget: _angular_core.InputSignal<Maybe<string>>;
-    readonly clientCreated: _angular_core.OutputEmitterRef<CreateOidcClientResult>;
+    readonly createClientOwnerTarget: i0.InputSignal<Maybe<string>>;
+    readonly clientCreated: i0.OutputEmitterRef<CreateOidcClientResult>;
     readonly handleCreateClient: WorkUsingContext<DbxFirebaseOidcModelClientFormValue>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientCreateComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientCreateComponent, "dbx-firebase-oidc-entry-client-create", never, { "createClientOwnerTarget": { "alias": "createClientOwnerTarget"; "required": false; "isSignal": true; }; }, { "clientCreated": "clientCreated"; }, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientCreateComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientCreateComponent, "dbx-firebase-oidc-entry-client-create", never, { "createClientOwnerTarget": { "alias": "createClientOwnerTarget"; "required": false; "isSignal": true; }; }, { "clientCreated": "clientCreated"; }, never, never, true, never>;
 }
 /**
@@ -445,33 +711,33 @@ declare class DbxFirebaseOidcEntryClientTestComponent {
     /**
      * Scopes the user can pick from. Overrides the service default when provided.
      */
-    readonly availableScopes: _angular_core.InputSignal<Maybe<OidcScopeDetails[]>>;
+    readonly availableScopes: i0.InputSignal<Maybe<OidcScopeDetails[]>>;
     /**
      * Path to the authorization endpoint. Overrides the service default when provided.
      */
-    readonly oidcAuthorizationEndpointApiPath: _angular_core.InputSignal<Maybe<string>>;
-    readonly resolvedAvailableScopes: _angular_core.Signal<OidcScopeDetails[]>;
-    readonly resolvedAuthorizationEndpointPath: _angular_core.Signal<string>;
-    readonly redirectUrisSignal: _angular_core.Signal<string[] | undefined>;
-    readonly clientIdSignal: _angular_core.Signal<string | undefined>;
-    readonly formConfig: _angular_core.Signal<OidcEntryClientTestFormFieldsConfig>;
+    readonly oidcAuthorizationEndpointApiPath: i0.InputSignal<Maybe<string>>;
+    readonly resolvedAvailableScopes: i0.Signal<OidcScopeDetails[]>;
+    readonly resolvedAuthorizationEndpointPath: i0.Signal<string>;
+    readonly redirectUrisSignal: i0.Signal<string[] | undefined>;
+    readonly clientIdSignal: i0.Signal<string | undefined>;
+    readonly formConfig: i0.Signal<OidcEntryClientTestFormFieldsConfig>;
     readonly formTemplate$: rxjs.Observable<DbxFirebaseOidcModelClientTestFormValue>;
-    readonly codeVerifier: _angular_core.WritableSignal<string>;
-    readonly codeChallenge: _angular_core.WritableSignal<string>;
-    readonly state: _angular_core.WritableSignal<string>;
-    readonly nonce: _angular_core.WritableSignal<string>;
+    readonly codeVerifier: i0.WritableSignal<string>;
+    readonly codeChallenge: i0.WritableSignal<string>;
+    readonly state: i0.WritableSignal<string>;
+    readonly nonce: i0.WritableSignal<string>;
     /**
      * The current form value, updated by the form via dbxFormValueChange.
      */
-    readonly formValue: _angular_core.WritableSignal<Maybe<DbxFirebaseOidcModelClientTestFormValue>>;
-    readonly authorizationUrlSignal: _angular_core.Signal<string | undefined>;
+    readonly formValue: i0.WritableSignal<Maybe<DbxFirebaseOidcModelClientTestFormValue>>;
+    readonly authorizationUrlSignal: i0.Signal<string | undefined>;
     constructor();
     onFormValueChange(value: Maybe<DbxFirebaseOidcModelClientTestFormValue>): void;
     openAuthorizationUrl(): void;
     regeneratePkce(): void;
     private _updateCodeChallenge;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientTestComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientTestComponent, "dbx-firebase-oidc-entry-client-test", never, { "availableScopes": { "alias": "availableScopes"; "required": false; "isSignal": true; }; "oidcAuthorizationEndpointApiPath": { "alias": "oidcAuthorizationEndpointApiPath"; "required": false; "isSignal": true; }; }, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientTestComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientTestComponent, "dbx-firebase-oidc-entry-client-test", never, { "availableScopes": { "alias": "availableScopes"; "required": false; "isSignal": true; }; "oidcAuthorizationEndpointApiPath": { "alias": "oidcAuthorizationEndpointApiPath"; "required": false; "isSignal": true; }; }, {}, never, never, true, never>;
 }
 /**
@@ -484,8 +750,8 @@ declare class DbxFirebaseOidcEntryClientUpdateComponent {
     readonly formConfig: DbxFirebaseOidcEntryClientFormComponentConfig;
     readonly formTemplate$: rxjs.Observable<_dereekb_firebase.UpdateOidcClientFieldParams>;
     readonly handleUpdateClient: WorkUsingContext<DbxFirebaseOidcModelClientUpdateFormValue>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientUpdateComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientUpdateComponent, "dbx-firebase-oidc-entry-client-update", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientUpdateComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientUpdateComponent, "dbx-firebase-oidc-entry-client-update", never, {}, {}, never, never, true, never>;
 }
 /**
@@ -496,30 +762,12 @@ declare class DbxFirebaseOidcEntryClientUpdateComponent {
  */
 declare class DbxFirebaseOidcEntryClientViewComponent {
     readonly oidcEntryDocumentStore: OidcEntryDocumentStore;
-    readonly clientIdSignal: _angular_core.Signal<string | undefined>;
-    readonly latestClientSecretSignal: _angular_core.Signal<_dereekb_util.Maybe<string>>;
+    readonly clientIdSignal: i0.Signal<string | undefined>;
+    readonly latestClientSecretSignal: i0.Signal<_dereekb_util.Maybe<string>>;
     readonly rotateSecretConfirmConfig: DbxActionConfirmConfig;
     readonly handleRotateClientSecret: WorkUsingContext;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientViewComponent, never>;
-    static ɵcmp: _angular_core.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientViewComponent, "dbx-firebase-oidc-entry-client-view", never, {}, {}, never, never, true, never>;
-}
-/**
- * Collection store for querying {@link OidcEntry} documents.
- */
-declare class OidcEntryCollectionStore extends AbstractDbxFirebaseCollectionStore<OidcEntry, OidcEntryDocument> {
-    constructor();
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<OidcEntryCollectionStore, never>;
-    static ɵprov: _angular_core.ɵɵInjectableDeclaration<OidcEntryCollectionStore>;
-}
-/**
- * Directive providing a {@link OidcEntryCollectionStore} for querying {@link OidcEntry} documents.
- */
-declare class OidcEntryCollectionStoreDirective extends DbxFirebaseCollectionStoreDirective<OidcEntry, OidcEntryDocument, OidcEntryCollectionStore> {
-    constructor();
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<OidcEntryCollectionStoreDirective, never>;
-    static ɵdir: _angular_core.ɵɵDirectiveDeclaration<OidcEntryCollectionStoreDirective, "[dbxOidcEntryCollection]", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcEntryClientViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOidcEntryClientViewComponent, "dbx-firebase-oidc-entry-client-view", never, {}, {}, never, never, true, never>;
 }
 /**
@@ -527,8 +775,8 @@ declare class OidcEntryCollectionStoreDirective extends DbxFirebaseCollectionSto
  */
 declare class OidcEntryDocumentStoreDirective extends DbxFirebaseDocumentStoreDirective<OidcEntry, OidcEntryDocument, OidcEntryDocumentStore> {
     constructor();
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<OidcEntryDocumentStoreDirective, never>;
-    static ɵdir: _angular_core.ɵɵDirectiveDeclaration<OidcEntryDocumentStoreDirective, "[dbxOidcEntryDocument]", never, {}, {}, never, never, true, never>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<OidcEntryDocumentStoreDirective, never>;
+    static ɵdir: i0.ɵɵDirectiveDeclaration<OidcEntryDocumentStoreDirective, "[dbxOidcEntryDocument]", never, {}, {}, never, never, true, never>;
 }
 declare const DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH = "/oidc/auth";
@@ -597,8 +845,8 @@ declare class DbxFirebaseOidcConfigService {
     get tokenEndpointAuthMethods(): OidcTokenEndpointAuthMethod[];
     get oauthInteractionRoute(): Maybe<SegueRefOrSegueRefRouterLink>;
     get consentScopeListViewClass(): Maybe<Type<AbstractDbxFirebaseOAuthConsentScopeViewComponent>>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcConfigService, never>;
-    static ɵprov: _angular_core.ɵɵInjectableDeclaration<DbxFirebaseOidcConfigService>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcConfigService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<DbxFirebaseOidcConfigService>;
 }
 /**
@@ -674,16 +922,22 @@ declare class DbxFirebaseOidcInteractionService {
     /**
      * Submit consent decision to complete the consent interaction.
      *
-     * Automatically attaches the current user's Firebase ID token.
+     * Automatically attaches the current user's Firebase ID token. When `approved`
+     * is true, optional `grants` may be passed to grant only a subset of the
+     * requested scopes/claims/resource scopes; the server validates that any
+     * subset is contained in the corresponding `missing*` set on the prompt.
+     *
+     * When `approved` is false, `grants` is ignored (not sent).
      *
      * @param uid - The OIDC interaction UID identifying the current consent interaction.
      * @param approved - Whether the user approved or denied the consent request.
+     * @param grants - Optional subset of OIDC scopes / OIDC claims / resource scopes to grant.
      * @returns Observable that emits the redirect URL from the server response.
      */
-    submitConsent(uid: OidcInteractionUid, approved: boolean): Observable<OAuthInteractionConsentResponse>;
-    static ɵfac: _angular_core.ɵɵFactoryDeclaration<DbxFirebaseOidcInteractionService, never>;
-    static ɵprov: _angular_core.ɵɵInjectableDeclaration<DbxFirebaseOidcInteractionService>;
+    submitConsent(uid: OidcInteractionUid, approved: boolean, grants?: Pick<OAuthInteractionConsentRequest, 'grantedOIDCScopes' | 'grantedOIDCClaims' | 'grantedResourceScopes'>): Observable<OAuthInteractionConsentResponse>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcInteractionService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<DbxFirebaseOidcInteractionService>;
 }
-export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
-export type { DbxFirebaseOAuthConsentScopesViewData, DbxFirebaseOidcEntryClientFormComponentConfig, DbxFirebaseOidcEntryClientTestFormComponentConfig, DbxFirebaseOidcModelClientFormValue, DbxFirebaseOidcModelClientTestFormValue, DbxFirebaseOidcModelClientUpdateFormValue, DbxOAuthConsentComponentConfig, OAuthConsentScope, OidcEntryClientFormFieldsConfig, OidcEntryClientTestFormFieldsConfig, OidcEntryWithSelection, OidcLoginStateCase, ProvideDbxFirebaseOidcConfig };
+export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeFormComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentScopeListItemComponent, DbxFirebaseOAuthConsentScopeListViewComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcEntryGrantListComponent, DbxFirebaseOidcEntryGrantListContainerComponent, DbxFirebaseOidcEntryGrantListViewComponent, DbxFirebaseOidcEntryGrantListViewItemComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oauthConsentScopesFormConfig, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
+export type { DbxFirebaseOAuthConsentScopesViewData, DbxFirebaseOidcEntryClientFormComponentConfig, DbxFirebaseOidcEntryClientTestFormComponentConfig, DbxFirebaseOidcModelClientFormValue, DbxFirebaseOidcModelClientTestFormValue, DbxFirebaseOidcModelClientUpdateFormValue, DbxOAuthConsentComponentConfig, OAuthConsentScope, OAuthConsentScopesFormFieldsConfig, OAuthConsentScopesFormValue, OidcConsentStateCase, OidcEntryClientFormFieldsConfig, OidcEntryClientTestFormFieldsConfig, OidcEntryWithSelection, OidcLoginStateCase, ProvideDbxFirebaseOidcConfig };