@dereekb/dbx-firebase 13.11.4 → 13.11.6

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@dereekb/dbx-firebase",
-  "version": "13.11.4",
+  "version": "13.11.6",
   "peerDependencies": {
     "@angular/common": "21.2.11",
     "@angular/core": "21.2.11",
     "@angular/material": "^21.2.9",
-    "@dereekb/date": "13.11.4",
-    "@dereekb/dbx-analytics": "13.11.4",
-    "@dereekb/dbx-core": "13.11.4",
-    "@dereekb/dbx-form": "13.11.4",
-    "@dereekb/dbx-web": "13.11.4",
-    "@dereekb/firebase": "13.11.4",
-    "@dereekb/model": "13.11.4",
-    "@dereekb/rxjs": "13.11.4",
-    "@dereekb/util": "13.11.4",
-    "@dereekb/vitest": "13.11.4",
+    "@dereekb/date": "13.11.6",
+    "@dereekb/dbx-analytics": "13.11.6",
+    "@dereekb/dbx-core": "13.11.6",
+    "@dereekb/dbx-form": "13.11.6",
+    "@dereekb/dbx-web": "13.11.6",
+    "@dereekb/firebase": "13.11.6",
+    "@dereekb/model": "13.11.6",
+    "@dereekb/rxjs": "13.11.6",
+    "@dereekb/util": "13.11.6",
+    "@dereekb/vitest": "13.11.6",
     "@ng-forge/dynamic-forms": "0.9.0-next.6",
     "@ngrx/component-store": "^21.1.0",
     "@ngx-formly/core": "git+https://git@github.com/dereekb/ngx-formly#996d1041c8d2afbe429985a5ad394e59327bfa1d",

package/types/dereekb-dbx-firebase-oidc.d.ts

@@ -1,19 +1,19 @@
 import * as i0 from '@angular/core';
-import { OnDestroy, Signal, Type, OnInit, EnvironmentProviders } from '@angular/core';
+import { Signal, OnDestroy, Type, OnInit, EnvironmentProviders } from '@angular/core';
 import * as _dereekb_util from '@dereekb/util';
 import { Maybe, ErrorInput } from '@dereekb/util';
 import * as _dereekb_dbx_core from '@dereekb/dbx-core';
 import { DbxInjectionComponentConfig, SegueRefOrSegueRefRouterLink } from '@dereekb/dbx-core';
+import { WorkUsingContext } from '@dereekb/rxjs';
 import * as _dereekb_firebase from '@dereekb/firebase';
-import { OAuthInteractionLoginDetails, OidcScope, OidcInteractionUid, OidcTokenEndpointAuthMethod, OidcRedirectUri, OidcScopeDetails, CreateOidcClientParams, UpdateOidcClientFieldParams, OidcEntry, OidcEntryDocument, OidcModelFunctions, CreateOidcClientResult, RotateOidcClientSecretResult, FirestoreQueryConstraint, OidcModelFirestoreCollections, OAuthInteractionLoginResponse, OAuthInteractionConsentResponse } from '@dereekb/firebase';
+import { OidcScope, OAuthInteractionLoginDetails, OAuthInteractionConsentResponse, OidcInteractionUid, OidcTokenEndpointAuthMethod, OidcRedirectUri, OidcScopeDetails, CreateOidcClientParams, UpdateOidcClientFieldParams, OidcEntry, OidcEntryDocument, OidcModelFunctions, CreateOidcClientResult, RotateOidcClientSecretResult, FirestoreQueryConstraint, OidcModelFirestoreCollections, OAuthInteractionLoginResponse, OAuthInteractionConsentRequest } from '@dereekb/firebase';
+import { FormConfig, ContainerField, RegisteredFieldTypes } from '@ng-forge/dynamic-forms';
+import { AbstractDbxSelectionListWrapperDirective, AbstractDbxValueListViewItemComponent, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, DbxActionConfirmConfig, DbxValueAsListItem } from '@dereekb/dbx-web';
 import * as _dereekb_dbx_form from '@dereekb/dbx-form';
 import { AbstractConfigAsyncForgeFormDirective } from '@dereekb/dbx-form';
-import * as _ng_forge_dynamic_forms_material from '@ng-forge/dynamic-forms-material';
-import { ContainerField, FormConfig, RegisteredFieldTypes } from '@ng-forge/dynamic-forms';
 import * as rxjs from 'rxjs';
 import { Observable } from 'rxjs';
-import { AbstractDbxSelectionListWrapperDirective, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, AbstractDbxValueListViewItemComponent, DbxActionConfirmConfig, DbxValueAsListItem } from '@dereekb/dbx-web';
-import { WorkUsingContext } from '@dereekb/rxjs';
+import * as _ng_forge_dynamic_forms_material from '@ng-forge/dynamic-forms-material';
 import * as _dereekb_dbx_firebase from '@dereekb/dbx-firebase';
 import { AbstractDbxFirebaseDocumentStore, AbstractDbxFirebaseCollectionStore, DbxFirebaseCollectionStoreDirective, DbxFirebaseAuthService, DbxFirebaseDocumentStoreDirective } from '@dereekb/dbx-firebase';
 
@@ -50,25 +50,86 @@ declare class DbxFirebaseOAuthLoginViewComponent {
     static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthLoginViewComponent, "dbx-firebase-oauth-login-view", never, { "loginStateCase": { "alias": "loginStateCase"; "required": true; "isSignal": true; }; "error": { "alias": "error"; "required": false; "isSignal": true; }; }, { "retryClick": "retryClick"; }, never, ["*"], true, never>;
 }
 
+interface OAuthConsentScope<T extends OidcScope = OidcScope> {
+    readonly name: T;
+    readonly description: string;
+}
+
+/**
+ * Validator key emitted when the user has not selected any optional scope.
+ * Surfaces alongside the form's invalid state so the action button stays disabled.
+ */
+declare const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND = "mustSelectAtLeastOneScope";
+/**
+ * Default message shown when the user has cleared every optional scope.
+ */
+declare const OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE = "Select at least one scope to grant.";
+/**
+ * Form value emitted by the consent scopes form.
+ *
+ * Uses the same key as the `OAuthInteractionConsentRequest.grantedOIDCScopes`
+ * payload field so the consent action handler can pass the form value through
+ * directly.
+ */
+interface OAuthConsentScopesFormValue {
+    readonly grantedOIDCScopes: OidcScope[];
+}
+/**
+ * Configuration for the consent scopes form.
+ *
+ * Required scopes are filtered out by the caller before being passed in —
+ * required scopes are surfaced separately as a static "Always granted" line
+ * because they are not user-selectable.
+ */
+interface OAuthConsentScopesFormFieldsConfig {
+    /**
+     * Optional scopes the user can choose to grant.
+     */
+    readonly optionalScopes: readonly OAuthConsentScope[];
+    /**
+     * Initial selection set. Defaults to every optional scope being selected.
+     */
+    readonly initiallySelected?: readonly OidcScope[];
+}
+/**
+ * Builds a complete `FormConfig` ready to feed into a forge form component.
+ *
+ * The resulting form has a single `grantedOIDCScopes` field — a
+ * `dbxForgeListSelectionField` rendered through
+ * `DbxFirebaseOAuthConsentScopeListComponent` (a `dbx-list` selection wrapper).
+ * The list renders bare (no Material form-field wrapper) and without the
+ * default 300px height cap so it grows to fit the scope list.
+ *
+ * @param config - The consent scopes form fields configuration.
+ * @returns A `FormConfig` whose single field selects an `OidcScope[]` of granted scopes.
+ */
+declare function oauthConsentScopesFormConfig(config: OAuthConsentScopesFormFieldsConfig): FormConfig;
+
 /**
  * State cases for the OIDC consent interaction flow.
  *
- * - `'unknown'` — Firebase auth state has not yet resolved. Render nothing/spinner to avoid flashing.
- * - `'no_user'` — Auth resolved and there is no signed-in user. Project the login UI via ng-content.
- * - `'user'` — Auth resolved and a user is signed in. Render the consent form.
- * - `'submitting'` — Submitting the consent decision to the OIDC interaction endpoint.
- * - `'error'` — Submission failed; allow retry.
+ * - `'unknown'` — Firebase auth state has not yet resolved. Render a spinner
+ *   to avoid flashing between states.
+ * - `'no_user'` — Auth resolved and there is no signed-in user. Project the
+ *   login UI via ng-content.
+ * - `'user'` — Auth resolved and a user is signed in. Render the consent
+ *   form. Submission progress and errors are managed by the inner
+ *   `dbxAction` contexts and surfaced via `dbxActionSnackbarError`.
  */
-type OidcConsentStateCase = 'unknown' | 'no_user' | 'user' | 'submitting' | 'error';
+type OidcConsentStateCase = 'unknown' | 'no_user' | 'user';
 /**
  * Presentational component for the OIDC OAuth consent screen.
  *
- * Accepts an `OAuthInteractionLoginDetails` input that contains all client and scope
- * information. Renders the client name, logo, client URL, scopes (via `<dbx-injection>`),
- * error/loading states, and approve/deny action buttons.
+ * Wires up two `dbxAction` contexts — an outer one for Approve (which hosts
+ * the scope-selection forge form via `dbxActionForm`) and a nested one for
+ * Deny (which carries no value). Buttons are bound by Angular DI's
+ * nearest-ancestor lookup: the Approve button picks up the outer action, the
+ * Deny button (wrapped in its own `<ng-container dbxAction>`) picks up the
+ * inner.
  *
- * Supports ng-content projection — content provided is rendered for the `'no_user'` state
- * (so apps can project a login view, mirroring `DbxFirebaseOAuthLoginViewComponent`).
+ * Supports ng-content projection — anything provided is rendered for the
+ * `'no_user'` state (so apps can project a login view, mirroring
+ * `DbxFirebaseOAuthLoginViewComponent`).
  *
  * @example
  * ```html
@@ -76,49 +137,68 @@ type OidcConsentStateCase = 'unknown' | 'no_user' | 'user' | 'submitting' | 'err
  *   [details]="loginDetails"
  *   [consentStateCase]="'user'"
  *   [scopeInjectionConfig]="scopeConfig"
- *   (approveClick)="onApprove()"
- *   (denyClick)="onDeny()">
+ *   [approveHandler]="handleApprove"
+ *   [denyHandler]="handleDeny">
  * </dbx-firebase-oauth-consent-view>
  * ```
  */
 declare class DbxFirebaseOAuthConsentViewComponent {
     readonly details: i0.InputSignal<Maybe<OAuthInteractionLoginDetails<string>>>;
     readonly consentStateCase: i0.InputSignal<OidcConsentStateCase>;
-    readonly error: i0.InputSignal<Maybe<string | ErrorInput>>;
     readonly scopeInjectionConfig: i0.InputSignal<DbxInjectionComponentConfig<unknown>>;
-    readonly clientName: i0.Signal<string>;
-    readonly clientUri: i0.Signal<Maybe<string>>;
-    readonly logoUri: i0.Signal<Maybe<string>>;
-    readonly scopes: i0.Signal<string[]>;
-    readonly resolvedError: i0.Signal<Maybe<ErrorInput>>;
-    readonly approveClick: i0.OutputEmitterRef<void>;
-    readonly denyClick: i0.OutputEmitterRef<void>;
-    readonly retryClick: i0.OutputEmitterRef<void>;
-    readonly resolvedScopeInjectionConfig: i0.Signal<DbxInjectionComponentConfig<unknown>>;
+    /**
+     * Scopes that cannot be deselected by the user. Forwarded to the scope
+     * view so it can render an "Always granted" hint. Defaults to `['openid']`.
+     */
+    readonly requiredScopes: i0.InputSignal<readonly string[]>;
+    /**
+     * Approve handler — called with the form value when the Approve button
+     * triggers the outer action. Receives a `WorkUsingContext` to drive the
+     * action's loading/success/error pipeline.
+     */
+    readonly approveHandler: i0.InputSignal<WorkUsingContext<OAuthConsentScopesFormValue, OAuthInteractionConsentResponse>>;
+    /**
+     * Deny handler — called when the Deny button triggers the inner action.
+     * No value is passed (`dbxActionValue` provides an empty payload).
+     */
+    readonly denyHandler: i0.InputSignal<WorkUsingContext<void, OAuthInteractionConsentResponse>>;
+    readonly clientName: Signal<string>;
+    readonly clientUri: Signal<Maybe<string>>;
+    readonly logoUri: Signal<Maybe<string>>;
+    readonly scopes: Signal<OidcScope[]>;
+    readonly resolvedScopeInjectionConfig: Signal<DbxInjectionComponentConfig<unknown>>;
     static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentViewComponent, never>;
-    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentViewComponent, "dbx-firebase-oauth-consent-view", never, { "details": { "alias": "details"; "required": false; "isSignal": true; }; "consentStateCase": { "alias": "consentStateCase"; "required": true; "isSignal": true; }; "error": { "alias": "error"; "required": false; "isSignal": true; }; "scopeInjectionConfig": { "alias": "scopeInjectionConfig"; "required": true; "isSignal": true; }; }, { "approveClick": "approveClick"; "denyClick": "denyClick"; "retryClick": "retryClick"; }, never, ["*"], true, never>;
-}
-
-interface OAuthConsentScope<T extends OidcScope = OidcScope> {
-    readonly name: T;
-    readonly description: string;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentViewComponent, "dbx-firebase-oauth-consent-view", never, { "details": { "alias": "details"; "required": false; "isSignal": true; }; "consentStateCase": { "alias": "consentStateCase"; "required": true; "isSignal": true; }; "scopeInjectionConfig": { "alias": "scopeInjectionConfig"; "required": true; "isSignal": true; }; "requiredScopes": { "alias": "requiredScopes"; "required": false; "isSignal": true; }; "approveHandler": { "alias": "approveHandler"; "required": true; "isSignal": true; }; "denyHandler": { "alias": "denyHandler"; "required": true; "isSignal": true; }; }, {}, never, ["*"], true, never>;
 }
 
 /**
- * Data provided to consent scope view components via the `DBX_INJECTION_COMPONENT_DATA` token.
+ * Data provided to consent scope view components via the
+ * `DBX_INJECTION_COMPONENT_DATA` token.
  *
- * Contains the scopes being requested and contextual information about the consent interaction.
+ * Carries the requested scopes plus surrounding interaction context. The
+ * form value (current granted scopes) is no longer carried here — the
+ * scope view's form is wired up via `dbxActionForm` to the parent's
+ * `dbxAction`, so the value pipeline runs through the action store at
+ * trigger time.
  */
 interface DbxFirebaseOAuthConsentScopesViewData {
     readonly details?: Maybe<OAuthInteractionLoginDetails>;
     readonly scopes: OidcScope[];
     readonly clientName: string;
+    /**
+     * Scopes that must always be granted. Surfaced separately so the scope
+     * view can render them as a static "Always granted" hint instead of
+     * making them user-selectable.
+     */
+    readonly requiredScopes?: readonly OidcScope[];
 }
 /**
  * Abstract base class for consent scope view components.
  *
- * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData` injected
- * via `DBX_INJECTION_COMPONENT_DATA`. Subclasses only need to define a template.
+ * Provides typed access to the `DbxFirebaseOAuthConsentScopesViewData`
+ * injected via `DBX_INJECTION_COMPONENT_DATA`. Subclasses define the
+ * template that renders the requested scopes and (optionally) hosts a
+ * forge form decorated with `dbxActionForm`.
  *
  * @example
  * ```typescript
@@ -133,32 +213,104 @@ declare abstract class AbstractDbxFirebaseOAuthConsentScopeViewComponent {
     readonly clientName: i0.Signal<string>;
     readonly clientUri: i0.Signal<Maybe<string>>;
     readonly logoUri: i0.Signal<Maybe<string>>;
+    readonly requiredScopes: i0.Signal<readonly string[]>;
+    isScopeRequired(scope: OidcScope): boolean;
 }
 
 /**
- * Standalone presentational component that renders a list of OAuth consent scopes.
+ * Selection-list wrapper used as the `listComponentClass` for the OIDC
+ * consent scope `dbxForgeListSelectionField`.
+ *
+ * Reuses the workspace's `dbx-list` selection infrastructure so the existing
+ * scope-row visual treatment (name + description) remains intact while the
+ * selection state participates in the surrounding `dbxAction`/`dbxActionForm`
+ * pipeline.
  *
  * @example
- * ```html
- * <dbx-firebase-oauth-consent-scope-list [scopes]="mappedScopes"></dbx-firebase-oauth-consent-scope-list>
+ * ```ts
+ * dbxForgeListSelectionField<OAuthConsentScope, DbxFirebaseOAuthConsentScopeListComponent, OidcScope>({
+ *   key: 'grantedOIDCScopes',
+ *   props: {
+ *     listComponentClass: of(DbxFirebaseOAuthConsentScopeListComponent),
+ *     readKey: (scope) => scope.name,
+ *     state$: of(successResult(optionalScopes)),
+ *     wrapped: false,
+ *     maxHeight: 'none'
+ *   }
+ * });
  * ```
  */
-declare class DbxFirebaseOAuthConsentScopeListComponent {
-    readonly scopes: i0.InputSignal<OAuthConsentScope<string>[]>;
+declare class DbxFirebaseOAuthConsentScopeListComponent extends AbstractDbxSelectionListWrapperDirective<OAuthConsentScope> {
+    constructor();
     static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListComponent, never>;
-    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListComponent, "dbx-firebase-oauth-consent-scope-list", never, { "scopes": { "alias": "scopes"; "required": false; "isSignal": true; }; }, {}, never, never, true, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListComponent, "dbx-firebase-oauth-consent-scope-list", never, {}, {}, never, ["[top]", "[bottom]", "[empty]", "[emptyLoading]", "[end]"], true, never>;
+}
+/**
+ * Selection list view that pairs with `DbxFirebaseOAuthConsentScopeListComponent`.
+ * Maps each `OAuthConsentScope` to a `DbxValueListItem` keyed by the scope name
+ * and renders it through `DbxFirebaseOAuthConsentScopeListItemComponent`.
+ */
+declare class DbxFirebaseOAuthConsentScopeListViewComponent extends AbstractDbxSelectionListViewDirective<OAuthConsentScope> {
+    readonly config: DbxSelectionValueListViewConfig<OAuthConsentScope>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListViewComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListViewComponent, "dbx-firebase-oauth-consent-scope-list-view", never, {}, {}, never, never, true, never>;
+}
+/**
+ * Item row inside the OIDC consent scope selection list. Shown as the visual
+ * row for both selected and unselected scopes — the selection chrome (the
+ * leading checkbox/highlight) is provided by the wrapping
+ * `dbx-selection-list-view`.
+ */
+declare class DbxFirebaseOAuthConsentScopeListItemComponent extends AbstractDbxValueListViewItemComponent<OAuthConsentScope> {
+    get name(): string;
+    get description(): string;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeListItemComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeListItemComponent, "ng-component", never, {}, {}, never, never, true, never>;
 }
 
 /**
- * Default consent scope view component that maps scope names to descriptions
- * using the `OidcScopeDetails` from the app-level OIDC configuration.
+ * Reusable forge form component that renders one checkbox per OIDC scope
+ * defined in {@link OAuthConsentScopesFormFieldsConfig}. Required scopes are
+ * rendered as checked-and-disabled.
  *
- * Apps can override this by providing a custom `consentScopeListViewClass`
- * in `DbxFirebaseOidcConfig` or `DbxOAuthConsentComponentConfig`.
+ * Pair with `<dbx-firebase-oauth-consent-scope-default-view>` for the default
+ * consent flow, or embed directly in custom consent UIs that supply their
+ * own scope/required configuration.
  */
-declare class DbxFirebaseOAuthConsentScopeDefaultViewComponent extends AbstractDbxFirebaseOAuthConsentScopeViewComponent {
-    private readonly oidcConfigService;
+declare class DbxFirebaseOAuthConsentScopeFormComponent extends AbstractConfigAsyncForgeFormDirective<OAuthConsentScopesFormValue, OAuthConsentScopesFormFieldsConfig> {
+    readonly formConfig$: Observable<Maybe<FormConfig>>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeFormComponent, never>;
+    static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeFormComponent, "dbx-firebase-oauth-consent-scope-form", never, {}, {}, never, never, true, never>;
+}
+
+/**
+ * Default consent scope view component.
+ *
+ * Reads the requested scopes (and required scopes) from the
+ * `DBX_INJECTION_COMPONENT_DATA` provided by the parent consent view,
+ * resolves human-readable descriptions from the app-level
+ * `DbxFirebaseOidcConfigService`, then renders a
+ * `DbxFirebaseOAuthConsentScopeFormComponent` with `dbxActionForm` so the
+ * form's value participates in the surrounding `dbxAction` (the consent
+ * view's outer Approve action).
+ *
+ * Required scopes are not user-selectable. They are surfaced as an "Always
+ * granted" hint above the form because the server enforces them regardless
+ * of payload — including them in the selection list would just add noise.
+ *
+ * Apps can override this default via
+ * `DbxFirebaseOidcConfig.consentScopeListViewClass` or
+ * `DbxOAuthConsentComponentConfig.consentScopeListViewClass`. Custom views
+ * should similarly apply `dbxActionForm` to a forge form whose value matches
+ * `OAuthConsentScopesFormValue`.
+ */
+declare class DbxFirebaseOAuthConsentScopeDefaultViewComponent {
+    private readonly _oidcConfigService;
+    private readonly _data;
     readonly mappedScopes: i0.Signal<OAuthConsentScope<string>[]>;
+    readonly optionalScopes: i0.Signal<OAuthConsentScope<string>[]>;
+    readonly alwaysGrantedLabel: i0.Signal<string | null>;
+    readonly formFieldsConfig: i0.Signal<OAuthConsentScopesFormFieldsConfig>;
     static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, never>;
     static ɵcmp: i0.ɵɵComponentDeclaration<DbxFirebaseOAuthConsentScopeDefaultViewComponent, "dbx-firebase-oauth-consent-scope-default-view", never, {}, {}, never, never, true, never>;
 }
@@ -209,11 +361,13 @@ interface DbxOAuthConsentComponentConfig {
 /**
  * Container component for the OIDC OAuth consent screen.
  *
- * Manages all state: route param reading, Firebase Auth observation, consent submission,
- * and error handling. Delegates visual rendering to `DbxFirebaseOAuthConsentViewComponent`.
- *
  * Reads interaction UID and client details from route params (populated by
- * the server redirect), then assembles them into `OAuthInteractionLoginDetails`.
+ * the server redirect), assembles them into `OAuthInteractionLoginDetails`,
+ * and exposes Approve / Deny handlers that drive the view's nested
+ * `dbxAction` contexts.
+ *
+ * Submission progress and error states are owned by the action stores; this
+ * container is just routing-glue + handler factories.
  *
  * Supports ng-content projection — any content provided is passed through to
  * the view component for the `'no_user'` state (e.g. an app's login view).
@@ -240,14 +394,25 @@ declare class DbxOAuthConsentComponent implements OnDestroy {
     readonly resolvedInteractionUid: Signal<Maybe<string>>;
     readonly resolvedDetails: Signal<Maybe<OAuthInteractionLoginDetails<string>>>;
     readonly scopeInjectionConfig: Signal<DbxInjectionComponentConfig<unknown>>;
-    readonly submitting: i0.WritableSignal<boolean>;
-    readonly errorMessage: i0.WritableSignal<string | null>;
+    /**
+     * Scopes the user cannot deselect. Forwarded to the view, which shows
+     * them as a static "Always granted" hint above the selection list.
+     */
+    readonly requiredScopes: readonly OidcScope[];
     readonly consentStateCase: Signal<OidcConsentStateCase>;
     ngOnDestroy(): void;
-    approve(): void;
-    deny(): void;
-    retry(): void;
-    private _submitConsent;
+    /**
+     * Handles the Approve action. Pulls the form's selected scope array
+     * straight off the form value (it already matches the API field name
+     * `grantedOIDCScopes`) and forwards it through `submitConsent`. On a
+     * successful response, hard-navigates to the OIDC server's redirect URL.
+     */
+    readonly handleApprove: WorkUsingContext<OAuthConsentScopesFormValue, OAuthInteractionConsentResponse>;
+    /**
+     * Handles the Deny action. No payload is sent — the server returns
+     * `access_denied` to the OAuth client.
+     */
+    readonly handleDeny: WorkUsingContext<void, OAuthInteractionConsentResponse>;
     static ɵfac: i0.ɵɵFactoryDeclaration<DbxOAuthConsentComponent, never>;
     static ɵcmp: i0.ɵɵComponentDeclaration<DbxOAuthConsentComponent, "dbx-firebase-oauth-consent", never, { "config": { "alias": "config"; "required": false; "isSignal": true; }; }, {}, never, ["*"], true, never>;
 }
@@ -757,16 +922,22 @@ declare class DbxFirebaseOidcInteractionService {
     /**
      * Submit consent decision to complete the consent interaction.
      *
-     * Automatically attaches the current user's Firebase ID token.
+     * Automatically attaches the current user's Firebase ID token. When `approved`
+     * is true, optional `grants` may be passed to grant only a subset of the
+     * requested scopes/claims/resource scopes; the server validates that any
+     * subset is contained in the corresponding `missing*` set on the prompt.
+     *
+     * When `approved` is false, `grants` is ignored (not sent).
      *
      * @param uid - The OIDC interaction UID identifying the current consent interaction.
      * @param approved - Whether the user approved or denied the consent request.
+     * @param grants - Optional subset of OIDC scopes / OIDC claims / resource scopes to grant.
      * @returns Observable that emits the redirect URL from the server response.
      */
-    submitConsent(uid: OidcInteractionUid, approved: boolean): Observable<OAuthInteractionConsentResponse>;
+    submitConsent(uid: OidcInteractionUid, approved: boolean, grants?: Pick<OAuthInteractionConsentRequest, 'grantedOIDCScopes' | 'grantedOIDCClaims' | 'grantedResourceScopes'>): Observable<OAuthInteractionConsentResponse>;
     static ɵfac: i0.ɵɵFactoryDeclaration<DbxFirebaseOidcInteractionService, never>;
     static ɵprov: i0.ɵɵInjectableDeclaration<DbxFirebaseOidcInteractionService>;
 }
 
-export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcEntryGrantListComponent, DbxFirebaseOidcEntryGrantListContainerComponent, DbxFirebaseOidcEntryGrantListViewComponent, DbxFirebaseOidcEntryGrantListViewItemComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
-export type { DbxFirebaseOAuthConsentScopesViewData, DbxFirebaseOidcEntryClientFormComponentConfig, DbxFirebaseOidcEntryClientTestFormComponentConfig, DbxFirebaseOidcModelClientFormValue, DbxFirebaseOidcModelClientTestFormValue, DbxFirebaseOidcModelClientUpdateFormValue, DbxOAuthConsentComponentConfig, OAuthConsentScope, OidcConsentStateCase, OidcEntryClientFormFieldsConfig, OidcEntryClientTestFormFieldsConfig, OidcEntryWithSelection, OidcLoginStateCase, ProvideDbxFirebaseOidcConfig };
+export { AbstractDbxFirebaseOAuthConsentScopeViewComponent, DEFAULT_OIDC_AUTHORIZATION_ENDPOINT_PATH, DEFAULT_OIDC_CLIENT_ID_PARAM_KEY, DEFAULT_OIDC_CLIENT_NAME_PARAM_KEY, DEFAULT_OIDC_CLIENT_URI_PARAM_KEY, DEFAULT_OIDC_INTERACTION_ENDPOINT_PATH, DEFAULT_OIDC_INTERACTION_UID_PARAM_KEY, DEFAULT_OIDC_LOGO_URI_PARAM_KEY, DEFAULT_OIDC_SCOPES_PARAM_KEY, DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS, DbxFirebaseOAuthConsentScopeDefaultViewComponent, DbxFirebaseOAuthConsentScopeFormComponent, DbxFirebaseOAuthConsentScopeListComponent, DbxFirebaseOAuthConsentScopeListItemComponent, DbxFirebaseOAuthConsentScopeListViewComponent, DbxFirebaseOAuthConsentViewComponent, DbxFirebaseOAuthLoginComponent, DbxFirebaseOAuthLoginViewComponent, DbxFirebaseOidcConfig, DbxFirebaseOidcConfigService, DbxFirebaseOidcEntryClientCreateComponent, DbxFirebaseOidcEntryClientForgeFormComponent, DbxFirebaseOidcEntryClientListComponent, DbxFirebaseOidcEntryClientListViewComponent, DbxFirebaseOidcEntryClientListViewItemClientComponent, DbxFirebaseOidcEntryClientListViewItemComponent, DbxFirebaseOidcEntryClientListViewItemDefaultComponent, DbxFirebaseOidcEntryClientTestComponent, DbxFirebaseOidcEntryClientTestForgeFormComponent, DbxFirebaseOidcEntryClientUpdateComponent, DbxFirebaseOidcEntryClientViewComponent, DbxFirebaseOidcEntryGrantListComponent, DbxFirebaseOidcEntryGrantListContainerComponent, DbxFirebaseOidcEntryGrantListViewComponent, DbxFirebaseOidcEntryGrantListViewItemComponent, DbxFirebaseOidcInteractionService, DbxOAuthConsentComponent, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_DEFAULT_MESSAGE, OAUTH_CONSENT_SCOPES_REQUIRED_VALIDATOR_KIND, OidcEntryCollectionStore, OidcEntryCollectionStoreDirective, OidcEntryDocumentStore, OidcEntryDocumentStoreDirective, oauthConsentScopesFormConfig, oidcClientHomepageUriForgeField, oidcClientJwksUriForgeField, oidcClientLogoUriForgeField, oidcClientNameForgeField, oidcClientRedirectUrisForgeField, oidcClientTestClientIdForgeField, oidcClientTestRedirectUriForgeField, oidcClientTestScopesForgeField, oidcClientTokenEndpointAuthMethodForgeField, oidcEntryClientForgeFormFields, oidcEntryClientTestForgeFormFields, oidcEntryClientUpdateForgeFormFields, provideDbxFirebaseOidc, provideOidcModelFirestoreCollections };
+export type { DbxFirebaseOAuthConsentScopesViewData, DbxFirebaseOidcEntryClientFormComponentConfig, DbxFirebaseOidcEntryClientTestFormComponentConfig, DbxFirebaseOidcModelClientFormValue, DbxFirebaseOidcModelClientTestFormValue, DbxFirebaseOidcModelClientUpdateFormValue, DbxOAuthConsentComponentConfig, OAuthConsentScope, OAuthConsentScopesFormFieldsConfig, OAuthConsentScopesFormValue, OidcConsentStateCase, OidcEntryClientFormFieldsConfig, OidcEntryClientTestFormFieldsConfig, OidcEntryWithSelection, OidcLoginStateCase, ProvideDbxFirebaseOidcConfig };

package/types/dereekb-dbx-firebase.d.ts

@@ -18,7 +18,7 @@ import * as _dereekb_rxjs from '@dereekb/rxjs';
 import { WorkUsingContext, WorkUsingObservable, ObservableOrValue, IsModifiedFunction, PageListLoadingState, ItemAccumulatorNextPageUntilResultsCountResult, SubscriptionObject, ObservableDecisionFunction, ListLoadingState, LoadingState, MaybeObservableOrValue, SwitchMapToDefaultFilterFunction, MaybeObservableOrValueGetter } from '@dereekb/rxjs';
 import * as dist_packages_dbx_form_types_dereekb_dbx_form from 'dist/packages/dbx-form/types/dereekb-dbx-form';
 import * as i1 from '@dereekb/dbx-web';
-import { DbxThemeColor, DbxActionConfirmConfig, DbxWidgetEntry, DbxPopupService, DbxWidgetService, DbxWidgetType, TwoColumnsContextStore, AbstractPopupDirective, DbxPopupKey, AbstractDbxSelectionListWrapperDirective, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, DbxValueAsListItem, AbstractDbxValueListViewItemComponent, DbxModelTypesService, DbxModelTypeInfo, DbxModelTypesMap, DbxModelTrackerService, AnchorForValueFunction, AbstractPopoverDirective, DbxPopoverService, DbxPopoverKey, AbstractPopoverRefDirective, DbxPopoverConfigSizing, DbxButtonStyle, DownloadTextContent, DbxModelObjectStateService, DbxListViewWrapper, DbxWidgetViewComponentConfig, AbstractDbxWidgetComponent, DbxWebFilePreviewService, DbxActionDialogFunction, FileAcceptFilterTypeString, DbxFileUploadComponent, DbxActionModule, DbxLoadingComponent, DbxActionSnackbarErrorDirective, DbxActionLoadingContextDirective, DbxFileUploadActionSyncDirective } from '@dereekb/dbx-web';
+import { DbxColorInput, DbxActionConfirmConfig, DbxWidgetEntry, DbxPopupService, DbxWidgetService, DbxWidgetType, TwoColumnsContextStore, AbstractPopupDirective, DbxPopupKey, AbstractDbxSelectionListWrapperDirective, AbstractDbxSelectionListViewDirective, DbxSelectionValueListViewConfig, DbxValueAsListItem, AbstractDbxValueListViewItemComponent, DbxModelTypesService, DbxModelTypeInfo, DbxModelTypesMap, DbxModelTrackerService, AnchorForValueFunction, AbstractPopoverDirective, DbxPopoverService, DbxPopoverKey, AbstractPopoverRefDirective, DbxPopoverConfigSizing, DbxButtonStyle, DownloadTextContent, DbxModelObjectStateService, DbxListViewWrapper, DbxWidgetViewComponentConfig, AbstractDbxWidgetComponent, DbxWebFilePreviewService, DbxActionDialogFunction, FileAcceptFilterTypeString, DbxFileUploadComponent, DbxActionModule, DbxLoadingComponent, DbxActionSnackbarErrorDirective, DbxActionLoadingContextDirective, DbxFileUploadActionSyncDirective } from '@dereekb/dbx-web';
 import { FormConfig } from '@ng-forge/dynamic-forms';
 import { MatSnackBar } from '@angular/material/snack-bar';
 import { NgPopoverRef } from 'ng-overlay-container';
@@ -611,9 +611,9 @@ interface DbxFirebaseLoginButtonConfig {
     buttonColor?: string;
     buttonTextColor?: string;
     /**
-     * Material theme color to apply (e.g., 'warn', 'primary').
+     * Material theme color or {@link DbxColorConfig} to apply to the underlying button (e.g., 'warn', 'primary').
      */
-    color?: DbxThemeColor;
+    color?: DbxColorInput;
     /**
      * Optional confirmation dialog config. When set, the action will prompt the user before executing.
      */
@@ -633,7 +633,7 @@ declare class DbxFirebaseLoginButtonComponent {
     readonly textSignal: i0.Signal<string>;
     readonly buttonColorSignal: i0.Signal<string | undefined>;
     readonly buttonTextColorSignal: i0.Signal<string | undefined>;
-    readonly colorSignal: i0.Signal<DbxThemeColor | undefined>;
+    readonly colorSignal: i0.Signal<DbxColorInput | undefined>;
     readonly confirmConfigSignal: i0.Signal<DbxActionConfirmConfig<unknown> | undefined>;
     setConfig(config: Maybe<DbxFirebaseLoginButtonConfig>): void;
     readonly handleAction: WorkUsingContext;