@dereekb/firebase-server 13.2.2 → 13.3.0

package/oidc/src/lib/oidc.config.d.ts

@@ -0,0 +1,175 @@
+import type { Configuration } from 'oidc-provider';
+import { type WebsitePath, type SlashPath } from '@dereekb/util';
+import { type OidcScope, type OidcTokenEndpointAuthMethod } from '@dereekb/firebase';
+import { type JwksServiceConfig } from './service/oidc.jwks.service';
+import { type JwksKeyConverterConfig } from './model';
+/**
+ * Custom error rendering function for the oidc-provider.
+ *
+ * Matches the `renderError` option from the oidc-provider `Configuration` type.
+ */
+export type OidcRenderErrorFunction = Configuration['renderError'];
+/**
+ * OIDC provider-level configuration for scopes, grant types, response types,
+ * and claim mappings. These values drive both the oidc-provider instance and the
+ * discovery metadata endpoint.
+ *
+ * Generic on `S` so that claim keys are validated against the app's scope union.
+ *
+ * @example
+ * ```typescript
+ * type MyScopes = 'openid' | 'profile' | 'email';
+ *
+ * const providerConfig: OidcProviderConfig<MyScopes> = {
+ *   claims: {
+ *     openid: ['sub'],
+ *     profile: ['name', 'picture'],
+ *     email: ['email', 'email_verified']
+ *   },
+ *   responseTypes: ['code'],
+ *   grantTypes: ['authorization_code', 'refresh_token']
+ * };
+ * ```
+ */
+export interface OidcProviderConfig<S extends OidcScope = OidcScope> {
+    /**
+     * Maps OIDC scope names to the claims they grant access to.
+     *
+     * The keys also determine `scopes_supported` in the discovery document.
+     */
+    readonly claims: Record<S, string[]>;
+    /**
+     * Supported OAuth 2.0 response types (e.g., `['code']`).
+     */
+    readonly responseTypes: string[];
+    /**
+     * Supported OAuth 2.0 grant types (e.g., `['authorization_code', 'refresh_token']`).
+     */
+    readonly grantTypes: string[];
+}
+/**
+ * Configures the lifetime (in seconds) for each token type issued by the OIDC provider.
+ */
+export interface OidcTokenLifetimes {
+    /**
+     * Access token lifetime in seconds. Defaults to 900 (15 min).
+     */
+    readonly accessToken: number;
+    /**
+     * ID token lifetime in seconds. Defaults to 3600 (1 hour).
+     */
+    readonly idToken: number;
+    /**
+     * Refresh token lifetime in seconds (absolute). Defaults to 2592000 (30 days).
+     */
+    readonly refreshToken: number;
+    /**
+     * Authorization code lifetime in seconds. Defaults to 60.
+     */
+    readonly authorizationCode: number;
+}
+/**
+ * Default token lifetimes: 15 min access tokens, 30-day refresh tokens, 60 s auth codes.
+ */
+export declare const DEFAULT_OIDC_TOKEN_LIFETIMES: OidcTokenLifetimes;
+/**
+ * Configuration for the OIDC module.
+ *
+ * Used as an abstract class so it can serve as both a type and a NestJS DI token.
+ */
+export declare abstract class OidcModuleConfig {
+    /**
+     * The OIDC issuer URL (e.g., 'https://accounts.example.com').
+     * Must be the canonical URL where the OIDC provider is accessible.
+     */
+    readonly issuer: string;
+    /**
+     * The path prefix used for OIDC interaction endpoints (login/consent).
+     *
+     * Appended to the base appUrl this is the base frontend interaction path.
+     *
+     * Defaults to '/oauth'.
+     */
+    readonly appOAuthInteractionPath: WebsitePath;
+    /**
+     * Frontend URL for the login interaction page.
+     * The interaction uid will be appended as a query parameter.
+     *
+     * Defaults to `<appOAuthInteractionPath>/login`.
+     */
+    readonly appOAuthLoginUrlPart: WebsitePath;
+    /**
+     * Frontend URL for the consent interaction page.
+     *
+     * Defaults to `<appOAuthInteractionPath>/consent`.
+     */
+    readonly appOAuthConsentUrlPart: WebsitePath;
+    /**
+     * Token lifetime configuration.
+     */
+    readonly tokenLifetimes: OidcTokenLifetimes;
+    /**
+     * JWKS service configuration (encryption secret, rotated key max age).
+     */
+    readonly jwksServiceConfig: JwksServiceConfig;
+    /**
+     * JWKS key converter configuration (encryption secret for Firestore field encryption).
+     */
+    readonly jwksKeyConverterConfig: JwksKeyConverterConfig;
+    /**
+     * Custom error rendering function for the oidc-provider.
+     *
+     * When not provided, defaults to a JSON error response with `error` and `error_description` fields.
+     * Set this to customize how OIDC errors are presented (e.g. redirect to an error page).
+     *
+     * The function signature matches oidc-provider's `renderError` configuration option.
+     */
+    readonly renderError?: OidcRenderErrorFunction;
+    /**
+     * Whether to suppress the oidc-provider "already parsed request body" warning.
+     *
+     * Enable this when running behind a platform (e.g. Firebase Cloud Functions) that
+     * parses request bodies before they reach the OIDC provider. The provider handles
+     * this correctly by falling back to `req.body`, but emits a one-time warning.
+     *
+     * Defaults to `false`.
+     */
+    readonly suppressBodyParserWarning?: boolean;
+    /**
+     * Path prefixes that require OAuth bearer token verification.
+     *
+     * Only requests matching one of these prefixes will be checked by the
+     * {@link OidcAuthBearerTokenMiddleware}. When non-empty, the middleware
+     * module is automatically registered by {@link oidcModuleMetadata}.
+     *
+     * Paths under the global API route prefix should not be included
+     * since those are typically protected by AppCheck.
+     */
+    readonly protectedPaths?: SlashPath[];
+    /**
+     * Supported token endpoint authentication methods.
+     *
+     * Overrides the default methods (`client_secret_post`, `client_secret_basic`)
+     * in the discovery metadata document.
+     *
+     * @see DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS
+     */
+    readonly tokenEndpointAuthMethods?: OidcTokenEndpointAuthMethod[];
+    /**
+     * Whether to enable the OIDC dynamic client registration endpoint (`/reg`).
+     *
+     * When enabled, clients can self-register via the registration endpoint
+     * and manage their registrations via the registration management feature.
+     *
+     * Defaults to `false`.
+     */
+    readonly registrationEnabled?: boolean;
+    /**
+     * Validates that all required fields are present on the config.
+     *
+     * Called by {@link oidcModuleConfigFactory} after building the config from environment variables.
+     *
+     * @throws {Error} When any required field (`issuer`, `appInteractionPath`, `appLoginUrlPart`, `appConsentUrlPart`, `jwksServiceConfig`, `jwksKeyConverterConfig`) is missing.
+     */
+    static assertValidConfig(config: OidcModuleConfig): void;
+}

package/oidc/src/lib/oidc.module.d.ts

@@ -0,0 +1,100 @@
+import { type ModuleMetadata } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { OidcModuleConfig } from './oidc.config';
+import { type FirestoreContext } from '@dereekb/firebase';
+import { FirebaseServerEnvService } from '@dereekb/firebase-server';
+import { OidcServerFirestoreCollections } from './model/model';
+/**
+ * Environment variable name for the JWKS encryption secret (hex-encoded AES-256 key).
+ *
+ * Used for encrypting private keys at rest in Firestore.
+ */
+export declare const OIDC_JWKS_ENCRYPTION_SECRET_ENV_KEY = "OIDC_JWKS_ENCRYPTION_SECRET";
+/**
+ * Default path appended to `appUrl` to form the OIDC issuer URL.
+ *
+ * The issuer is the canonical identity of the OIDC provider (e.g., `https://example.com/oidc`).
+ * It appears in the `.well-known/openid-configuration` discovery document and is passed
+ * to `new Provider(issuer, ...)`. All provider endpoints (auth, token, userinfo, etc.)
+ * are served under this path via the {@link OidcProviderController}.
+ *
+ * This path is also used as the proxy target on the frontend (e.g., `/oidc/**` → backend),
+ * so frontend interaction routes must NOT live under this prefix.
+ */
+export declare const DEFAULT_OIDC_ISSUER_PATH = "/oidc";
+/**
+ * Default frontend base path for OAuth interaction pages (login, consent).
+ *
+ * This is the path prefix on the **frontend app** where the OAuth interaction UI lives.
+ * The backend `OidcInteractionController` GET handler redirects the browser here after
+ * reading the oidc-provider interaction session.
+ *
+ * Uses `/oauth/interaction` instead of `/oidc/...` to avoid colliding with the
+ * `/oidc/**` proxy rule that forwards requests to the backend OIDC provider.
+ *
+ * Apps typically override this (e.g., `/demo/oauth`) via {@link ProvideAppOidcModuleMetadataConfig.config}.
+ */
+export declare const DEFAULT_APP_OAUTH_INTERACTION_PATH = "/oauth/interaction";
+/**
+ * Default path part appended to `appOAuthInteractionPath` for the frontend login page.
+ *
+ * Combined with `appOAuthInteractionPath` to form the full login redirect URL
+ * (e.g., `/oauth/interaction/login?uid=...`).
+ */
+export declare const DEFAULT_APP_OAUTH_LOGIN_PATH_PART = "/login";
+/**
+ * Default path part appended to `appOAuthInteractionPath` for the frontend consent page.
+ *
+ * Combined with `appOAuthInteractionPath` to form the full consent redirect URL
+ * (e.g., `/oauth/interaction/consent?uid=...`).
+ */
+export declare const DEFAULT_APP_OAUTH_CONSENT_PATH_PART = "/consent";
+/**
+ * Route patterns for OIDC controllers that should be excluded from a global API route prefix.
+ *
+ * Typically fox dbx-components we set all the routes in the NestJS app to have a global prefix (e.g., '/api').
+ * For `firebase-server/oidc` we exclude the routes here so that the global prefix doesn't affect the OIDC routes.
+ *
+ * Use with `globalApiRoutePrefix.exclude` in {@link NestServerInstanceConfig}.
+ */
+export declare const FIREBASE_SERVER_OIDC_ROUTES_FOR_GLOBAL_ROUTE_EXCLUDE: string[];
+/**
+ * Factory that builds {@link OidcModuleConfig} from environment variables and the app's {@link FirebaseServerEnvService}.
+ *
+ * Derives the issuer URL from `appUrl` + the optional `OIDC_ISSUER_PATH` env var (defaults to `/oidc`).
+ * Reads the JWKS encryption secret from `OIDC_JWKS_ENCRYPTION_SECRET`; in test environments,
+ * a deterministic fallback is used.
+ *
+ * @throws {Error} When `appUrl` is missing, lacks an HTTP prefix, or the encryption secret is invalid.
+ */
+export declare function oidcModuleConfigFactory(configService: ConfigService, envService: FirebaseServerEnvService): OidcModuleConfig;
+/**
+ * Factory that creates {@link OidcServerFirestoreCollections} using the provided Firestore context
+ * and JWKS encryption config from {@link OidcModuleConfig}.
+ */
+export declare function oidcFirestoreCollectionsFactory(firestoreContext: FirestoreContext, oidcModuleConfig: OidcModuleConfig): OidcServerFirestoreCollections;
+export interface ProvideAppOidcModuleMetadataConfig extends Pick<ModuleMetadata, 'imports' | 'exports' | 'providers'> {
+    /**
+     * Module that exports the required dependencies for this module.
+     * When provided, this module is automatically included in the generated `imports` array.
+     */
+    readonly dependencyModule: Required<ModuleMetadata>['imports']['0'];
+    /**
+     * Optional overrides to merge into the {@link OidcModuleConfig} produced by the factory.
+     */
+    readonly config?: Partial<Pick<OidcModuleConfig, 'suppressBodyParserWarning' | 'renderError' | 'protectedPaths' | 'appOAuthInteractionPath' | 'appOAuthLoginUrlPart' | 'appOAuthConsentUrlPart' | 'tokenEndpointAuthMethods' | 'registrationEnabled'>>;
+}
+/**
+ * Convenience function used to generate ModuleMetadata for an app's OidcModule.
+ *
+ * The OidcModule requires the following dependencies in order to initialize properly:
+ * - FIREBASE_FIRESTORE_CONTEXT_TOKEN
+ * - OidcAccountService (provided via factory)
+ *
+ * Additionally, the following may be optionally provided:
+ * - JwksServiceStorageConfig
+ *
+ * @param metadataConfig
+ * @returns
+ */
+export declare function oidcModuleMetadata(metadataConfig: ProvideAppOidcModuleMetadataConfig): ModuleMetadata;

package/oidc/src/lib/service/index.d.ts

@@ -0,0 +1,10 @@
+export * from './oidc.account';
+export * from './oidc.account.service';
+export * from './oidc.auth';
+export * from './oidc.adapter.service';
+export * from './oidc.service';
+export * from './oidc.encryption.service';
+export * from './oidc.jwks.service';
+export * from './oidc.config.service';
+export * from './oidc.client.service';
+export * from './oidc.interaction.service';

package/oidc/src/lib/service/oidc.account.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Account representation returned by the `findAccount` callback in oidc-provider.
+ *
+ * The provider calls {@link OidcAccount.claims} during token issuance and userinfo
+ * responses to resolve the claims for the authenticated subject.
+ *
+ * @see {@link FindAccountFunction}
+ * @see {@link OidcAccountServiceUserContext.findAccount}
+ */
+export interface OidcAccount {
+    readonly accountId: string;
+    claims(use: string, scope: string, claims?: Record<string, unknown>, rejected?: string[]): Promise<OidcAccountClaims>;
+}
+/**
+ * Claims returned by the OIDC userinfo and ID token endpoints.
+ *
+ * Standard OIDC claims (`sub`, `email`, `name`, etc.) plus arbitrary custom claims
+ * via the index signature.
+ */
+export interface OidcAccountClaims {
+    sub: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+    [key: string]: unknown;
+}
+/**
+ * Signature of the `findAccount` callback passed to the oidc-provider `Configuration`.
+ *
+ * The provider calls this during token and userinfo requests to resolve the
+ * {@link OidcAccount} for a given subject identifier.
+ *
+ * @see {@link OidcService}
+ */
+export type FindAccountFunction = (ctx: unknown, id: string, token?: unknown) => Promise<OidcAccount | undefined>;

package/oidc/src/lib/service/oidc.account.service.d.ts

@@ -0,0 +1,104 @@
+import { type FirebaseServerAuthService, type FirebaseServerAuthUserContext } from '@dereekb/firebase-server';
+import type { OidcAccount, OidcAccountClaims } from './oidc.account';
+import type { OidcProviderConfig } from '../oidc.config';
+import { type OidcScope } from '@dereekb/firebase';
+/**
+ * Delegate interface that allows customizing how OIDC claims are built from a user context.
+ *
+ * Generic on `S` to type-check scope names at compile time, and on `U` to allow
+ * custom Firebase Auth user context types.
+ *
+ * The delegate also carries the {@link OidcProviderConfig} so that provider-level
+ * settings (claims mapping, response types, grant types) are defined alongside
+ * the claim-building logic they correspond to.
+ *
+ * @example
+ * ```typescript
+ * type MyScopes = 'openid' | 'profile' | 'email';
+ *
+ * const delegate: OidcAccountServiceDelegate<MyScopes> = {
+ *   providerConfig: {
+ *     claims: {
+ *       openid: ['sub'],
+ *       profile: ['name', 'picture'],
+ *       email: ['email', 'email_verified']
+ *     },
+ *     responseTypes: ['code'],
+ *     grantTypes: ['authorization_code', 'refresh_token']
+ *   },
+ *   async buildClaimsForUser(userContext, scopes) {
+ *     const user = await userContext.loadRecord();
+ *     const claims: OidcAccountClaims = { sub: user.uid };
+ *
+ *     if (scopes.has('profile')) {
+ *       claims.name = user.displayName;
+ *     }
+ *
+ *     if (scopes.has('email')) {
+ *       claims.email = user.email;
+ *       claims.email_verified = user.emailVerified ?? false;
+ *     }
+ *
+ *     return claims;
+ *   }
+ * };
+ * ```
+ */
+export declare abstract class OidcAccountServiceDelegate<S extends OidcScope = OidcScope, U extends FirebaseServerAuthUserContext = FirebaseServerAuthUserContext> {
+    /**
+     * Provider-level OIDC configuration (scopes/claims mapping, response types, grant types).
+     *
+     * The keys of `claims` define the supported scopes and must align with the
+     * scope checks performed in {@link buildClaimsForUser}.
+     */
+    abstract readonly providerConfig: OidcProviderConfig<S>;
+    /**
+     * Builds claims for the given user context based on the requested scopes.
+     *
+     * @param userContext - The Firebase Auth user context.
+     * @param scopes - The set of requested OIDC scopes, typed to the `S` union.
+     * @returns The claims to return for this user.
+     */
+    abstract buildClaimsForUser(userContext: U, scopes: Set<S>): Promise<OidcAccountClaims> | OidcAccountClaims;
+}
+/**
+ * Per-user context for OIDC account operations.
+ *
+ * Created by {@link OidcAccountService.userContext} for a specific user ID.
+ */
+export declare class OidcAccountServiceUserContext<S extends OidcScope = OidcScope, U extends FirebaseServerAuthUserContext = FirebaseServerAuthUserContext> {
+    private readonly _service;
+    private readonly _uid;
+    readonly authUserContext: U;
+    constructor(_service: OidcAccountService<S, U>, _uid: string);
+    get uid(): string;
+    get service(): OidcAccountService<S, U>;
+    /**
+     * Finds this user's OIDC account representation.
+     *
+     * Returns an {@link OidcAccount} compatible with oidc-provider's `findAccount` interface,
+     * or `undefined` if the user does not exist in Firebase Auth.
+     */
+    findAccount(): Promise<OidcAccount | undefined>;
+}
+/**
+ * Service that provides OIDC account lookup backed by Firebase Auth.
+ *
+ * Uses an {@link OidcAccountServiceDelegate} to customize claim building
+ * and to carry the provider-level OIDC configuration.
+ *
+ * Register it as a provider using the `OidcAccountService` class as the injection token.
+ */
+export declare class OidcAccountService<S extends OidcScope = OidcScope, U extends FirebaseServerAuthUserContext = FirebaseServerAuthUserContext> {
+    readonly authService: FirebaseServerAuthService<U>;
+    readonly delegate: OidcAccountServiceDelegate<S, U>;
+    constructor(authService: FirebaseServerAuthService<U>, delegate: OidcAccountServiceDelegate<S, U>);
+    /**
+     * The provider config from the delegate.
+     */
+    get providerConfig(): OidcProviderConfig<S>;
+    /**
+     * Creates a user context for the given user ID.
+     */
+    userContext(uid: string): OidcAccountServiceUserContext<S, U>;
+}

package/oidc/src/lib/service/oidc.adapter.service.d.ts

@@ -0,0 +1,20 @@
+import type { AdapterConstructor } from 'oidc-provider';
+import { type OidcServerFirestoreCollections } from '../model';
+import { type OidcEncryptionService } from './oidc.encryption.service';
+/**
+ * Creates an oidc-provider adapter constructor backed by Firestore via {@link OidcServerFirestoreCollections}.
+ *
+ * All model types are stored in a single collection, discriminated by the `type` field.
+ * Sensitive payload fields (`client_secret`, `registration_access_token`) are selectively
+ * encrypted via the {@link OidcEncryptionService}.
+ *
+ * @example
+ * ```ts
+ * const adapter = createAdapterFactory(collections, encryptionService);
+ * new Provider('issuer', { adapter });
+ * ```
+ *
+ * @param collections - Firestore collection access for adapter entries.
+ * @param encryptionService - Encryption service for sensitive payload fields.
+ */
+export declare function createAdapterFactory(collections: OidcServerFirestoreCollections, encryptionService: OidcEncryptionService): AdapterConstructor;

package/oidc/src/lib/service/oidc.auth.d.ts

@@ -0,0 +1,26 @@
+import { type OidcEntryClientId } from '@dereekb/firebase';
+import { type FirebaseServerAuthData, type FirebaseServerAuthenticatedRequest } from '@dereekb/firebase-server';
+/**
+ * Auth data attached to the request after successful OIDC bearer token verification.
+ *
+ * Extends {@link FirebaseServerAuthData} so it is compatible with the server auth pipeline.
+ * The `accessToken` field carries OIDC-specific claims from the verified access token.
+ */
+export interface OidcAuthData extends FirebaseServerAuthData {
+    /**
+     * Claims from the verified OIDC access token.
+     */
+    readonly oidcValidatedToken: {
+        readonly sub: string;
+        readonly scope?: string;
+        readonly client_id?: OidcEntryClientId;
+        [key: string]: unknown;
+    };
+}
+/**
+ * Extends {@link FirebaseServerAuthenticatedRequest} with OIDC auth data.
+ *
+ * The `auth` field is populated by {@link OidcAuthBearerTokenMiddleware} after
+ * successful bearer token verification.
+ */
+export type OidcAuthenticatedRequest = FirebaseServerAuthenticatedRequest<OidcAuthData>;

package/oidc/src/lib/service/oidc.client.service.d.ts

@@ -0,0 +1,57 @@
+import { type CreateOidcClientParams, type CreateOidcClientResult, type UpdateOidcClientParams, type RotateOidcClientSecretResult, type OidcEntryClientId } from '@dereekb/firebase';
+import type { ClientMetadata } from 'oidc-provider';
+import { type OidcService } from './oidc.service';
+/**
+ * Service for managing OIDC client registrations through the oidc-provider.
+ *
+ * Mirrors the oidc-provider `registration.js` flow to ensure all provider
+ * validation and lifecycle hooks run.
+ */
+export declare class OidcClientService {
+    private readonly oidcService;
+    constructor(oidcService: OidcService);
+    /**
+     * Creates a new OIDC client through the oidc-provider.
+     *
+     * Generates `client_id` and `client_secret` using the same defaults as oidc-provider's
+     * registration flow, validates via `Client.validate`, and persists through the adapter.
+     *
+     * @param params - Client registration parameters.
+     * @param validatedMetadata - Optional pre-validated metadata to merge into the client properties.
+     *   Use this for server-side fields (e.g., inline `jwks`) that have already been validated
+     *   and should not be exposed through the API params.
+     * @returns The generated client ID and secret (plaintext, returned only once).
+     */
+    createClient(params: CreateOidcClientParams, validatedMetadata?: Partial<Pick<ClientMetadata, 'jwks'>>): Promise<CreateOidcClientResult>;
+    /**
+     * Updates an existing OIDC client through the oidc-provider.
+     *
+     * Loads the existing client payload via the adapter, merges the updated fields,
+     * re-validates through `provider.Client`, and persists.
+     *
+     * `token_endpoint_auth_method` is immutable and cannot be changed.
+     *
+     * @param clientId - The client's document/adapter entry ID.
+     * @param params - The fields to update.
+     * @throws When the client is not found.
+     */
+    updateClient(clientId: OidcEntryClientId, params: Omit<UpdateOidcClientParams, 'key'>): Promise<void>;
+    /**
+     * Rotates the client secret for an existing OIDC client.
+     *
+     * Generates a new `client_secret`, re-validates via `Client.validate()`, and persists.
+     * The new secret is returned in plaintext — this is the only time it is available.
+     *
+     * @param clientId - The client's document/adapter entry ID.
+     * @returns The client ID and new secret (plaintext, returned only once).
+     * @throws When the client is not found.
+     */
+    rotateClientSecret(clientId: OidcEntryClientId): Promise<RotateOidcClientSecretResult>;
+    /**
+     * Deletes an OIDC client through the oidc-provider adapter.
+     *
+     * @param clientId - The client's document/adapter entry ID.
+     * @throws When the client is not found.
+     */
+    deleteClient(clientId: OidcEntryClientId): Promise<void>;
+}

package/oidc/src/lib/service/oidc.config.service.d.ts

@@ -0,0 +1,100 @@
+import { OidcModuleConfig, type OidcProviderConfig } from '../oidc.config';
+import { OidcAccountService } from './oidc.account.service';
+import { type WebsiteUrl } from '@dereekb/util';
+import { type OidcScope, type OidcTokenEndpointAuthMethod } from '@dereekb/firebase';
+import { FirebaseServerEnvService } from '@dereekb/firebase-server';
+/**
+ * Default oidc-provider route paths.
+ *
+ * These match the oidc-provider defaults and are used to build
+ * both the provider configuration and the discovery document.
+ *
+ * @see https://github.com/panva/node-oidc-provider/blob/main/docs/README.md
+ */
+export declare const DEFAULT_OIDC_ROUTES: {
+    readonly authorization: "/auth";
+    readonly token: "/token";
+    readonly userinfo: "/me";
+    readonly jwks: "/jwks";
+    readonly registration: "/reg";
+    readonly end_session: "/session/end";
+    readonly code_verification: "/device";
+    readonly device_authorization: "/device/auth";
+    readonly introspection: "/token/introspection";
+    readonly revocation: "/token/revocation";
+    readonly pushed_authorization_request: "/request";
+};
+export type OidcRoutes = typeof DEFAULT_OIDC_ROUTES;
+export declare const DEFAULT_OIDC_SUBJECT_TYPES: readonly string[];
+export declare const DEFAULT_OIDC_TOKEN_ENDPOINT_AUTH_METHODS: readonly OidcTokenEndpointAuthMethod[];
+export declare const DEFAULT_OIDC_ID_TOKEN_SIGNING_ALG_VALUES: readonly string[];
+export declare const DEFAULT_OIDC_CODE_CHALLENGE_METHODS: readonly string[];
+/**
+ * OpenID Connect Discovery metadata (RFC 8414 / OpenID Connect Discovery 1.0).
+ */
+export interface OidcDiscoveryMetadata {
+    readonly issuer: WebsiteUrl;
+    readonly authorization_endpoint: WebsiteUrl;
+    readonly token_endpoint: WebsiteUrl;
+    readonly userinfo_endpoint: WebsiteUrl;
+    readonly jwks_uri: WebsiteUrl;
+    readonly registration_endpoint?: WebsiteUrl;
+    readonly scopes_supported: OidcScope[];
+    readonly response_types_supported: string[];
+    readonly response_modes_supported: string[];
+    readonly grant_types_supported: string[];
+    readonly subject_types_supported: string[];
+    readonly id_token_signing_alg_values_supported: string[];
+    readonly token_endpoint_auth_methods_supported: OidcTokenEndpointAuthMethod[];
+    readonly claims_supported: string[];
+    readonly code_challenge_methods_supported: string[];
+}
+/**
+ * Centralizes all derived OIDC provider configuration so that both the
+ * oidc-provider instance and the discovery endpoint use the same values.
+ *
+ * Reads provider-level settings (scopes, claims, grant types, response types) from
+ * the {@link OidcAccountServiceDelegate.providerConfig} via the injected account service.
+ *
+ * Injected into {@link OidcService} and {@link OidcWellKnownController}.
+ */
+export declare class OidcProviderConfigService {
+    private readonly config;
+    readonly routes: OidcRoutes;
+    /**
+     * If the OIDC registration route is enabled.
+     */
+    readonly oidcRegistrationRouteEnabled: boolean;
+    /**
+     * The url to the front-end login page.
+     */
+    readonly appLoginUrl: WebsiteUrl;
+    /**
+     * The url to the front-end consent page.
+     */
+    readonly appConsentUrl: WebsiteUrl;
+    /**
+     * The app-provided provider config from the delegate.
+     */
+    readonly providerConfig: OidcProviderConfig;
+    /**
+     * Scopes derived from the claims configuration keys.
+     */
+    readonly scopesSupported: string[];
+    /**
+     * Flat list of all unique claim names from the claims configuration.
+     */
+    readonly claimsSupported: string[];
+    /**
+     * Token endpoint authentication methods from config or defaults.
+     */
+    readonly tokenEndpointAuthMethodsSupported: OidcTokenEndpointAuthMethod[];
+    constructor(config: OidcModuleConfig, accountService: OidcAccountService, envService: FirebaseServerEnvService);
+    /**
+     * Builds the OpenID Connect Discovery metadata document.
+     *
+     * @param jwksUri - Optional override for the JWKS URI (e.g., from cloud storage).
+     *   Falls back to `{issuer}{routes.jwks}`.
+     */
+    buildDiscoveryMetadata(jwksUri?: string): OidcDiscoveryMetadata;
+}