@enterprisestandard/react 0.0.3-beta.3 → 0.0.5

package/dist/oidc-schema.d.ts

@@ -41,3 +41,46 @@ export interface OidcCallbackParams {
  * @returns A StandardSchemaV1 instance for OIDC callback parameters
  */
 export declare function oidcCallbackSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, OidcCallbackParams>;
+/**
+ * Token Response from IdP
+ */
+export interface TokenResponse {
+    access_token: string;
+    id_token: string;
+    refresh_token?: string;
+    token_type: string;
+    expires_in?: number;
+    scope?: string;
+    refresh_expires_in?: number;
+    session_state?: string;
+    expires?: string;
+}
+/**
+ * Creates a StandardSchemaV1 for validating OIDC Token Responses.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for Token Response validation
+ */
+export declare function tokenResponseSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, TokenResponse>;
+/**
+ * ID Token Claims
+ */
+export interface IdTokenClaims {
+    iss?: string;
+    aud?: string;
+    exp?: number;
+    iat?: number;
+    sub?: string;
+    sid?: string;
+    name?: string;
+    email?: string;
+    preferred_username?: string;
+    picture?: string;
+    [key: string]: unknown;
+}
+/**
+ * Creates a StandardSchemaV1 for validating ID Token Claims.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for ID Token Claims validation
+ */
+export declare function idTokenClaimsSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, IdTokenClaims>;
+//# sourceMappingURL=oidc-schema.d.ts.map

package/dist/oidc-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-schema.d.ts","sourceRoot":"","sources":["../src/oidc-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,kBAAkB,CAAC,CAoHhH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,CAAC,CAmJ5G;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,CAAC,CAsD5G"}

package/dist/scim-schema.d.ts

@@ -0,0 +1,356 @@
+import type { StandardSchemaV1 } from './standard-schema';
+/**
+ * SCIM 2.0 User Resource
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.1
+ */
+/**
+ * SCIM Name sub-attribute
+ */
+export interface Name {
+    /**
+     * The full name, including all middle names, titles, and suffixes as appropriate
+     */
+    formatted?: string;
+    /**
+     * The family name of the User, or last name
+     */
+    familyName?: string;
+    /**
+     * The given name of the User, or first name
+     */
+    givenName?: string;
+    /**
+     * The middle name(s) of the User
+     */
+    middleName?: string;
+    /**
+     * The honorific prefix(es) of the User, or title
+     */
+    honorificPrefix?: string;
+    /**
+     * The honorific suffix(es) of the User, or suffix
+     */
+    honorificSuffix?: string;
+}
+/**
+ * SCIM Email sub-attribute
+ */
+export interface Email {
+    /**
+     * The email address value
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work" or "home")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Phone Number sub-attribute
+ */
+export interface PhoneNumber {
+    /**
+     * The phone number value
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work", "home", "mobile")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Address sub-attribute
+ */
+export interface Address {
+    /**
+     * The full mailing address, formatted for display
+     */
+    formatted?: string;
+    /**
+     * The full street address component
+     */
+    streetAddress?: string;
+    /**
+     * The city or locality component
+     */
+    locality?: string;
+    /**
+     * The state or region component
+     */
+    region?: string;
+    /**
+     * The zip code or postal code component
+     */
+    postalCode?: string;
+    /**
+     * The country name component
+     */
+    country?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "work" or "home")
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Group reference
+ */
+export interface Group {
+    /**
+     * The identifier of the User's group
+     */
+    value: string;
+    /**
+     * The URI of the corresponding 'Group' resource
+     */
+    $ref?: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function (e.g., "direct" or "indirect")
+     */
+    type?: string;
+}
+/**
+ * SCIM Role
+ */
+export interface Role {
+    /**
+     * The value of the role
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM X509 Certificate
+ */
+export interface X509Certificate {
+    /**
+     * The value of the X.509 certificate
+     */
+    value: string;
+    /**
+     * A human-readable name, primarily used for display purposes
+     */
+    display?: string;
+    /**
+     * A label indicating the attribute's function
+     */
+    type?: string;
+    /**
+     * A Boolean value indicating the 'primary' or preferred attribute value
+     */
+    primary?: boolean;
+}
+/**
+ * SCIM Enterprise User Extension
+ * @see https://datatracker.ietf.org/doc/html/rfc7643#section-4.3
+ */
+export interface EnterpriseUser {
+    /**
+     * Numeric or alphanumeric identifier assigned to a person
+     */
+    employeeNumber?: string;
+    /**
+     * Identifies the name of a cost center
+     */
+    costCenter?: string;
+    /**
+     * Identifies the name of an organization
+     */
+    organization?: string;
+    /**
+     * Identifies the name of a division
+     */
+    division?: string;
+    /**
+     * Identifies the name of a department
+     */
+    department?: string;
+    /**
+     * The user's manager
+     */
+    manager?: {
+        /**
+         * The "id" of the SCIM resource representing the User's manager
+         */
+        value?: string;
+        /**
+         * The URI of the SCIM resource representing the User's manager
+         */
+        $ref?: string;
+        /**
+         * The displayName of the User's manager
+         */
+        displayName?: string;
+    };
+}
+/**
+ * SCIM User Resource
+ */
+export interface User {
+    /**
+     * REQUIRED. Unique identifier for the User, typically from the provider
+     */
+    id?: string;
+    /**
+     * REQUIRED. A unique identifier for a SCIM resource as defined by the service provider
+     */
+    externalId?: string;
+    /**
+     * Resource metadata
+     */
+    meta?: {
+        resourceType?: string;
+        created?: string;
+        lastModified?: string;
+        location?: string;
+        version?: string;
+    };
+    /**
+     * REQUIRED. Unique identifier for the User, typically used for login
+     */
+    userName: string;
+    /**
+     * The components of the user's name
+     */
+    name?: Name;
+    /**
+     * The name of the User, suitable for display to end-users
+     */
+    displayName?: string;
+    /**
+     * The casual way to address the user
+     */
+    nickName?: string;
+    /**
+     * A fully qualified URL pointing to a page representing the User's online profile
+     */
+    profileUrl?: string;
+    /**
+     * The user's title, such as "Vice President"
+     */
+    title?: string;
+    /**
+     * Used to identify the relationship between the organization and the user
+     */
+    userType?: string;
+    /**
+     * Indicates the User's preferred written or spoken language
+     */
+    preferredLanguage?: string;
+    /**
+     * Used to indicate the User's default location for purposes of localizing items such as currency
+     */
+    locale?: string;
+    /**
+     * The User's time zone in the "Olson" time zone database format
+     */
+    timezone?: string;
+    /**
+     * A Boolean value indicating the User's administrative status
+     */
+    active?: boolean;
+    /**
+     * The User's cleartext password
+     */
+    password?: string;
+    /**
+     * Email addresses for the user
+     */
+    emails?: Email[];
+    /**
+     * Phone numbers for the User
+     */
+    phoneNumbers?: PhoneNumber[];
+    /**
+     * Instant messaging addresses for the User
+     */
+    ims?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * URLs of photos of the User
+     */
+    photos?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * Physical mailing addresses for this User
+     */
+    addresses?: Address[];
+    /**
+     * A list of groups to which the user belongs
+     */
+    groups?: Group[];
+    /**
+     * A list of entitlements for the User
+     */
+    entitlements?: Array<{
+        value: string;
+        display?: string;
+        type?: string;
+        primary?: boolean;
+    }>;
+    /**
+     * A list of roles for the User
+     */
+    roles?: Role[];
+    /**
+     * A list of certificates issued to the User
+     */
+    x509Certificates?: X509Certificate[];
+    /**
+     * Enterprise User Extension
+     */
+    'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'?: EnterpriseUser;
+    /**
+     * REQUIRED. The schemas attribute is an array of Strings which allows introspection of the supported schema version
+     */
+    schemas?: string[];
+}
+/**
+ * Creates a StandardSchemaV1 for validating SCIM User resources.
+ * @param vendor - The name of the vendor creating this schema
+ * @returns A StandardSchemaV1 instance for SCIM User resources
+ */
+export declare function userSchema(vendor: string): StandardSchemaV1<Record<string, unknown>, User>;
+//# sourceMappingURL=scim-schema.d.ts.map

package/dist/scim-schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scim-schema.d.ts","sourceRoot":"","sources":["../src/scim-schema.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;GAGG;AAEH;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;OAEG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,OAAO,CAAC,EAAE;QACR;;WAEG;QACH,KAAK,CAAC,EAAE,MAAM,CAAC;QACf;;WAEG;QACH,IAAI,CAAC,EAAE,MAAM,CAAC;QACd;;WAEG;QACH,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB;;OAEG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,IAAI,CAAC,EAAE;QACL,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB;;OAEG;IACH,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB;;OAEG;IACH,YAAY,CAAC,EAAE,WAAW,EAAE,CAAC;IAC7B;;OAEG;IACH,GAAG,CAAC,EAAE,KAAK,CAAC;QACV,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;IACtB;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC;IACjB;;OAEG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,OAAO,CAAC;KACnB,CAAC,CAAC;IACH;;OAEG;IACH,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;IACf;;OAEG;IACH,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;IACrC;;OAEG;IACH,4DAA4D,CAAC,EAAE,cAAc,CAAC;IAC9E;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAqYD;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,CAgG1F"}

package/dist/server.d.ts

@@ -4,3 +4,4 @@ export declare function getRequiredUser(request: Request, config?: ESConfig): Pr
 export declare function initiateLogin(config: LoginConfig): Promise<Response>;
 export declare function callback(request: Request, config?: ESConfig): Promise<Response>;
 export declare function handler(request: Request, config?: SSOHandlerConfig): Promise<Response>;
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AAoBrE,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,mEAEhE;AAED,wBAAsB,eAAe,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,uDAIxE;AAED,wBAAsB,aAAa,CAAC,MAAM,EAAE,WAAW,qBAItD;AAED,wBAAsB,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,QAAQ,qBAIjE;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,gBAAgB,qBAIxE"}

package/dist/session-store.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Session management for tracking user sessions and enabling backchannel logout.
+ *
+ * Session stores are optional - the package works with JWT cookies alone.
+ * Sessions are only required for backchannel logout functionality.
+ *
+ * ## Session Validation Strategies
+ *
+ * When using a session store, you can configure when sessions are validated:
+ *
+ * ### 'always' (default)
+ * Validates session on every authenticated request.
+ * - **Security**: Maximum - immediate session revocation
+ * - **Performance**: InMemory ~0.00005ms, Redis ~1-2ms per request
+ * - **Backchannel Logout**: Takes effect immediately
+ * - **Use when**: Security is paramount, using InMemory or Redis backend
+ *
+ * ### 'refresh-only'
+ * Validates session only during token refresh (typically every 5-15 minutes).
+ * - **Security**: Good - 5-15 minute revocation window
+ * - **Performance**: 99% reduction in session lookups
+ * - **Backchannel Logout**: Takes effect within token TTL (5-15 min)
+ * - **Use when**: Performance is critical AND delayed revocation is acceptable
+ * - **WARNING**: Compromised sessions remain valid until next refresh
+ *
+ * ### 'disabled'
+ * Never validates sessions against the store.
+ * - **Security**: None - backchannel logout doesn't work
+ * - **Performance**: No overhead
+ * - **Use when**: Cookie-only mode without session store
+ * - **WARNING**: Do not use with session_store configured
+ *
+ * ## Performance Characteristics
+ *
+ * | Backend      | Lookup Time | Impact on Request | Recommendation         |
+ * |--------------|-------------|-------------------|------------------------|
+ * | InMemory     | <0.00005ms  | Negligible        | Use 'always'           |
+ * | Redis        | 1-2ms       | 2-4% increase     | Use 'always' or test   |
+ * | Database     | 5-20ms      | 10-40% increase   | Use Redis cache layer  |
+ *
+ * ## Example Usage
+ *
+ * ```typescript
+ * import { sso, InMemorySessionStore } from '@enterprisestandard/react/server';
+ *
+ * // Maximum security (default)
+ * const secure = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: 'always', // Immediate revocation
+ * });
+ *
+ * // High performance
+ * const fast = sso({
+ *   // ... other config
+ *   session_store: new InMemorySessionStore(),
+ *   session_validation: {
+ *     strategy: 'refresh-only' // 5-15 min revocation delay
+ *   }
+ * });
+ * ```
+ */
+/**
+ * Core session data tracked for each authenticated user session.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+export type Session<TExtended = Record<string, never>> = {
+    /**
+     * Session ID from the Identity Provider (from `sid` claim in ID token).
+     * This is the unique identifier for the session.
+     */
+    sid: string;
+    /**
+     * Subject identifier (user ID) from the Identity Provider.
+     * From the `sub` claim in the ID token.
+     */
+    sub: string;
+    /**
+     * Timestamp when the session was created.
+     */
+    createdAt: Date;
+    /**
+     * Timestamp of the last activity in this session.
+     * Can be updated to track session activity.
+     */
+    lastActivityAt: Date;
+    /**
+     * Allow consumers to add runtime data to sessions.
+     */
+    [key: string]: unknown;
+} & TExtended;
+/**
+ * Abstract interface for session storage backends.
+ *
+ * Consumers can implement this interface to use different storage backends:
+ * - Redis
+ * - Database (PostgreSQL, MySQL, etc.)
+ * - Distributed cache
+ * - Custom solutions
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ *
+ * @example
+ * ```typescript
+ * // Custom session data
+ * type MySessionData = {
+ *   ipAddress: string;
+ *   userAgent: string;
+ * };
+ *
+ * // Implement custom store
+ * class RedisSessionStore implements SessionStore<MySessionData> {
+ *   async create(session: Session<MySessionData>): Promise<void> {
+ *     await redis.set(`session:${session.sid}`, JSON.stringify(session));
+ *   }
+ *   // ... other methods
+ * }
+ * ```
+ */
+export interface SessionStore<TExtended = Record<string, never>> {
+    /**
+     * Create a new session in the store.
+     *
+     * @param session - The session data to store
+     * @throws Error if session with same sid already exists
+     */
+    create(session: Session<TExtended>): Promise<void>;
+    /**
+     * Retrieve a session by its IdP session ID (sid).
+     *
+     * @param sid - The session.sid from the Identity Provider
+     * @returns The session if found, null otherwise
+     */
+    get(sid: string): Promise<Session<TExtended> | null>;
+    /**
+     * Update an existing session with partial data.
+     *
+     * Commonly used to update lastActivityAt or add custom fields.
+     *
+     * @param sid - The session.sid to update
+     * @param data - Partial session data to merge
+     * @throws Error if session not found
+     */
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    /**
+     * Delete a session by its IdP session ID (sid).
+     *
+     * Used for both normal logout and backchannel logout flows.
+     *
+     * @param sid - The session.sid to delete
+     */
+    delete(sid: string): Promise<void>;
+}
+/**
+ * In-memory session store implementation using Maps.
+ *
+ * Suitable for:
+ * - Development and testing
+ * - Single-server deployments
+ * - Applications without high availability requirements
+ *
+ * NOT suitable for:
+ * - Multi-server deployments (sessions not shared)
+ * - High availability scenarios (sessions lost on restart)
+ * - Production applications with distributed architecture
+ *
+ * For production, implement SessionStore with Redis or a database.
+ *
+ * @template TExtended - Type-safe custom data that consumers can add to sessions
+ */
+export declare class InMemorySessionStore<TExtended = Record<string, never>> implements SessionStore<TExtended> {
+    private sessions;
+    create(session: Session<TExtended>): Promise<void>;
+    get(sid: string): Promise<Session<TExtended> | null>;
+    update(sid: string, data: Partial<Session<TExtended>>): Promise<void>;
+    delete(sid: string): Promise<void>;
+}
+//# sourceMappingURL=session-store.d.ts.map

package/dist/session-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-store.d.ts","sourceRoot":"","sources":["../src/session-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6DG;AAEH;;;;GAIG;AACH,MAAM,MAAM,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI;IACvD;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;OAEG;IACH,SAAS,EAAE,IAAI,CAAC;IAEhB;;;OAGG;IACH,cAAc,EAAE,IAAI,CAAC;IAErB;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB,GAAG,SAAS,CAAC;AAEd;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,WAAW,YAAY,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC;IAC7D;;;;;OAKG;IACH,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAErD;;;;;;;;OAQG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEtE;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACpC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,oBAAoB,CAAC,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAE,YAAW,YAAY,CAAC,SAAS,CAAC;IACrG,OAAO,CAAC,QAAQ,CAAyC;IAEnD,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAQlD,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC;IAIpD,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAWrE,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}

package/dist/sso.d.ts

@@ -1,19 +1,24 @@
 import type { EnterpriseStandard, EnterpriseUser } from '.';
-export type SSOConfig = {
-    authority: string;
-    token_url: string;
-    authorization_url: string;
-    client_id: string;
-    redirect_uri: string;
-    response_type: string;
-    scope: string;
-    post_logout_redirect_uri?: string;
+import type { IdTokenClaims, OidcCallbackParams, TokenResponse } from './oidc-schema';
+import type { StandardSchemaV1 } from './standard-schema';
+import type { SessionStore } from './session-store';
+export type SSOConfig<TSessionData = Record<string, never>> = {
+    authority?: string;
+    token_url?: string;
+    authorization_url?: string;
+    client_id?: string;
+    redirect_uri?: string;
+    response_type?: 'code';
+    scope?: string;
     silent_redirect_uri?: string;
     jwks_uri?: string;
-    cookiePrefix?: string;
-    cookiePath?: string;
-    sameSite?: 'Strict' | 'Lax';
-    secure?: boolean;
+    cookies_prefix?: string;
+    cookies_path?: string;
+    cookies_secure?: boolean;
+    cookies_same_site?: 'Strict' | 'Lax';
+    end_session_endpoint?: string;
+    revocation_endpoint?: string;
+    session_store?: SessionStore<TSessionData>;
 };
 export type ESConfig = {
     es?: EnterpriseStandard;
@@ -29,13 +34,23 @@ export type SSOHandlerConfig = {
     landingUrl?: string;
     tokenUrl?: string;
     refreshUrl?: string;
+    jwksUrl?: string;
+    logoutUrl?: string;
+    logoutBackChannelUrl?: string;
+    validation?: {
+        callbackParams?: StandardSchemaV1<unknown, OidcCallbackParams>;
+        idTokenClaims?: StandardSchemaV1<unknown, IdTokenClaims>;
+        tokenResponse?: StandardSchemaV1<unknown, TokenResponse>;
+    };
 } & ESConfig;
-export type SSO = {
+export type SSO<_TSessionData = Record<string, never>> = {
     getUser: (request: Request) => Promise<EnterpriseUser | undefined>;
     getRequiredUser: (request: Request) => Promise<EnterpriseUser>;
     getJwt: (request: Request) => Promise<string | undefined>;
     initiateLogin: (config: LoginConfig) => Promise<Response>;
+    logout: (request: Request, config?: LoginConfig) => Promise<Response>;
     callbackHandler: (request: Request) => Promise<Response>;
     handler: (request: Request, handlerConfig?: SSOHandlerConfig) => Promise<Response>;
 };
-export declare function sso(config: SSOConfig): SSO;
+export declare function sso<TSessionData = Record<string, never>>(config: SSOConfig<TSessionData>): SSO<TSessionData>;
+//# sourceMappingURL=sso.d.ts.map

package/dist/sso.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso.d.ts","sourceRoot":"","sources":["../src/sso.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,GAAG,CAAC;AAC5D,OAAO,KAAK,EAAE,aAAa,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAEtF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAC1D,OAAO,KAAK,EAAW,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAG7D,MAAM,MAAM,SAAS,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI;IAC5D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,iBAAiB,CAAC,EAAE,QAAQ,GAAG,KAAK,CAAC;IACrC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,aAAa,CAAC,EAAE,YAAY,CAAC,YAAY,CAAC,CAAC;CAC5C,CAAC;AAwCF,MAAM,MAAM,QAAQ,GAAG;IACrB,EAAE,CAAC,EAAE,kBAAkB,CAAC;CACzB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,gBAAgB,GAAG;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE;QACX,cAAc,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC;QAC/D,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACzD,aAAa,CAAC,EAAE,gBAAgB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;KAC1D,CAAC;CACH,GAAG,QAAQ,CAAC;AAEb,MAAM,MAAM,GAAG,CAAC,aAAa,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI;IACvD,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,cAAc,GAAG,SAAS,CAAC,CAAC;IACnE,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,cAAc,CAAC,CAAC;IAC/D,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAC1D,aAAa,EAAE,CAAC,MAAM,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC1D,MAAM,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtE,eAAe,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IACzD,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAC,EAAE,gBAAgB,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CACpF,CAAC;AAIF,wBAAgB,GAAG,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,MAAM,EAAE,SAAS,CAAC,YAAY,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,CA2wB5G"}

package/dist/standard-schema.d.ts

@@ -53,3 +53,4 @@ export declare namespace StandardSchemaV1 {
     /** Infers the output type of a Standard Schema. */
     type InferOutput<Schema extends StandardSchemaV1> = NonNullable<Schema['~standard']['types']>['output'];
 }
+//# sourceMappingURL=standard-schema.d.ts.map