@flink-app/oidc-plugin 0.13.0

package/dist/handlers/InitiateOidc.js

@@ -0,0 +1,91 @@
+"use strict";
+/**
+ * OIDC Initiate Handler
+ *
+ * Initiates the OIDC authorization code flow by:
+ * 1. Validating the provider is supported and configured
+ * 2. Generating cryptographically secure state, code_verifier, and nonce
+ * 3. Creating an OIDC session to track the flow
+ * 4. Building the provider's authorization URL with PKCE
+ * 5. Redirecting the user to the provider for authorization
+ *
+ * Route: GET /oidc/:provider/initiate?redirectUri={optional_redirect_url}
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Route = void 0;
+const flink_1 = require("@flink-app/flink");
+const state_utils_1 = require("../utils/state-utils");
+const error_utils_1 = require("../utils/error-utils");
+const openid_client_1 = require("openid-client");
+/**
+ * Route configuration
+ * This handler is registered programmatically by the plugin
+ */
+exports.Route = {
+    path: "/oidc/:provider/initiate",
+    method: flink_1.HttpMethod.get,
+};
+/**
+ * OIDC Initiate Handler
+ *
+ * Starts the OIDC flow by generating security parameters, creating a session,
+ * and redirecting to the OIDC provider's authorization URL.
+ */
+const InitiateOidc = async ({ ctx, req }) => {
+    const { provider } = req.params;
+    const { redirectUri } = req.query;
+    try {
+        // Validate provider name format
+        (0, error_utils_1.validateProvider)(provider);
+        // Get provider registry from context
+        const providerRegistry = ctx.oidcProviderRegistry;
+        if (!providerRegistry) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, "OIDC plugin not properly initialized");
+        }
+        // Get OIDC provider instance (loads dynamically if needed)
+        const oidcProvider = await providerRegistry.getProvider(provider);
+        // Get plugin options
+        const { options } = ctx.plugins.oidc;
+        // Determine redirect URI (use provided or default to callback URL)
+        const staticProviderConfig = options.providers[provider];
+        const finalRedirectUri = redirectUri || staticProviderConfig?.callbackUrl || `${req.protocol}://${req.get("host")}/oidc/${provider}/callback`;
+        // Generate cryptographically secure parameters
+        const state = (0, state_utils_1.generateState)();
+        const sessionId = (0, state_utils_1.generateSessionId)();
+        const nonce = (0, state_utils_1.generateNonce)();
+        const codeVerifier = openid_client_1.generators.codeVerifier();
+        // Store session for state validation in callback
+        await ctx.repos.oidcSessionRepo.create({
+            sessionId,
+            state,
+            codeVerifier,
+            nonce,
+            provider,
+            redirectUri: finalRedirectUri,
+            createdAt: new Date(),
+        });
+        // Build authorization URL with PKCE and nonce
+        const authorizationUrl = await oidcProvider.getAuthorizationUrl({
+            state,
+            codeVerifier,
+            nonce,
+        });
+        // Redirect user to provider's authorization page
+        return {
+            status: 302,
+            headers: {
+                Location: authorizationUrl,
+            },
+            data: {},
+        };
+    }
+    catch (error) {
+        // Handle validation errors
+        if (error.code && Object.values(error_utils_1.OidcErrorCodes).includes(error.code)) {
+            return (0, flink_1.badRequest)(error.message);
+        }
+        // Handle unexpected errors
+        return (0, flink_1.internalServerError)(error.message || "Failed to initiate OIDC flow");
+    }
+};
+exports.default = InitiateOidc;

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+/**
+ * @flink-app/oidc-plugin
+ *
+ * OIDC authentication plugin for Flink Framework
+ *
+ * Provides OpenID Connect authentication with generic IdP support,
+ * JWT integration via jwt-auth-plugin, JIT user provisioning,
+ * and optional token storage for API access.
+ */
+export { oidcPlugin } from "./OidcPlugin";
+export { OidcPluginOptions, OidcError, AuthSuccessCallbackResponse, AuthErrorCallbackResponse } from "./OidcPluginOptions";
+export { OidcProviderConfig } from "./OidcProviderConfig";
+export { OidcPluginContext } from "./OidcPluginContext";
+export { default as OidcProfile } from "./schemas/OidcProfile";
+export { default as OidcTokenSet } from "./schemas/OidcTokenSet";
+export { default as OidcSession } from "./schemas/OidcSession";
+export { default as OidcConnection } from "./schemas/OidcConnection";
+export { default as InitiateRequest } from "./schemas/InitiateRequest";
+export { default as CallbackRequest } from "./schemas/CallbackRequest";
+export { OidcProvider } from "./providers/OidcProvider";
+export { ProviderRegistry } from "./providers/ProviderRegistry";
+export { generateState, generateSessionId, generateNonce, validateState } from "./utils/state-utils";
+export { encryptToken, decryptToken, validateEncryptionSecret } from "./utils/encryption-utils";
+export { mapClaimsToProfile, extractCustomClaims } from "./utils/claims-mapper";
+export { formatTokenResponse } from "./utils/response-utils";
+export { createOidcError, validateProvider, handleProviderError, OidcErrorCodes } from "./utils/error-utils";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAG1C,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,2BAA2B,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAC;AAC3H,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAG1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAGxD,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,0BAA0B,CAAC;AACrE,OAAO,EAAE,OAAO,IAAI,eAAe,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,OAAO,IAAI,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAGvE,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAGhE,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACrG,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,0BAA0B,CAAC;AAChG,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAChF,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -0,0 +1,40 @@
+"use strict";
+/**
+ * @flink-app/oidc-plugin
+ *
+ * OIDC authentication plugin for Flink Framework
+ *
+ * Provides OpenID Connect authentication with generic IdP support,
+ * JWT integration via jwt-auth-plugin, JIT user provisioning,
+ * and optional token storage for API access.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcErrorCodes = exports.handleProviderError = exports.validateProvider = exports.createOidcError = exports.formatTokenResponse = exports.extractCustomClaims = exports.mapClaimsToProfile = exports.validateEncryptionSecret = exports.decryptToken = exports.encryptToken = exports.validateState = exports.generateNonce = exports.generateSessionId = exports.generateState = exports.ProviderRegistry = exports.OidcProvider = exports.oidcPlugin = void 0;
+// Main plugin factory
+var OidcPlugin_1 = require("./OidcPlugin");
+Object.defineProperty(exports, "oidcPlugin", { enumerable: true, get: function () { return OidcPlugin_1.oidcPlugin; } });
+// Provider classes (for advanced usage)
+var OidcProvider_1 = require("./providers/OidcProvider");
+Object.defineProperty(exports, "OidcProvider", { enumerable: true, get: function () { return OidcProvider_1.OidcProvider; } });
+var ProviderRegistry_1 = require("./providers/ProviderRegistry");
+Object.defineProperty(exports, "ProviderRegistry", { enumerable: true, get: function () { return ProviderRegistry_1.ProviderRegistry; } });
+// Utility functions (for custom implementations)
+var state_utils_1 = require("./utils/state-utils");
+Object.defineProperty(exports, "generateState", { enumerable: true, get: function () { return state_utils_1.generateState; } });
+Object.defineProperty(exports, "generateSessionId", { enumerable: true, get: function () { return state_utils_1.generateSessionId; } });
+Object.defineProperty(exports, "generateNonce", { enumerable: true, get: function () { return state_utils_1.generateNonce; } });
+Object.defineProperty(exports, "validateState", { enumerable: true, get: function () { return state_utils_1.validateState; } });
+var encryption_utils_1 = require("./utils/encryption-utils");
+Object.defineProperty(exports, "encryptToken", { enumerable: true, get: function () { return encryption_utils_1.encryptToken; } });
+Object.defineProperty(exports, "decryptToken", { enumerable: true, get: function () { return encryption_utils_1.decryptToken; } });
+Object.defineProperty(exports, "validateEncryptionSecret", { enumerable: true, get: function () { return encryption_utils_1.validateEncryptionSecret; } });
+var claims_mapper_1 = require("./utils/claims-mapper");
+Object.defineProperty(exports, "mapClaimsToProfile", { enumerable: true, get: function () { return claims_mapper_1.mapClaimsToProfile; } });
+Object.defineProperty(exports, "extractCustomClaims", { enumerable: true, get: function () { return claims_mapper_1.extractCustomClaims; } });
+var response_utils_1 = require("./utils/response-utils");
+Object.defineProperty(exports, "formatTokenResponse", { enumerable: true, get: function () { return response_utils_1.formatTokenResponse; } });
+var error_utils_1 = require("./utils/error-utils");
+Object.defineProperty(exports, "createOidcError", { enumerable: true, get: function () { return error_utils_1.createOidcError; } });
+Object.defineProperty(exports, "validateProvider", { enumerable: true, get: function () { return error_utils_1.validateProvider; } });
+Object.defineProperty(exports, "handleProviderError", { enumerable: true, get: function () { return error_utils_1.handleProviderError; } });
+Object.defineProperty(exports, "OidcErrorCodes", { enumerable: true, get: function () { return error_utils_1.OidcErrorCodes; } });

package/dist/providers/OidcProvider.d.ts

@@ -0,0 +1,90 @@
+import { UserinfoResponse } from "openid-client";
+import { OidcProviderConfig } from "../OidcProviderConfig";
+import OidcProfile from "../schemas/OidcProfile";
+import OidcTokenSet from "../schemas/OidcTokenSet";
+/**
+ * Generic OIDC Provider implementation using openid-client
+ *
+ * Supports both OIDC discovery and manual configuration.
+ * Handles the complete OIDC flow including:
+ * - Authorization URL generation with PKCE
+ * - Token exchange (code → tokens)
+ * - ID token validation
+ * - UserInfo endpoint fetching
+ * - Claims mapping to profile
+ */
+export declare class OidcProvider {
+    private config;
+    private issuer;
+    private client;
+    private initialized;
+    constructor(config: OidcProviderConfig);
+    /**
+     * Initialize the provider by discovering or creating the OIDC client
+     *
+     * Uses OIDC discovery if discoveryUrl is provided, otherwise uses
+     * manual endpoint configuration.
+     *
+     * This is async and should be called before using the provider.
+     */
+    initialize(): Promise<void>;
+    /**
+     * Generate authorization URL with PKCE and nonce
+     *
+     * @param params - Authorization parameters
+     * @returns Authorization URL to redirect user to
+     */
+    getAuthorizationUrl(params: {
+        state: string;
+        codeVerifier: string;
+        nonce: string;
+    }): Promise<string>;
+    /**
+     * Exchange authorization code for tokens
+     *
+     * Performs the OAuth 2.0 token exchange and validates the ID token.
+     *
+     * @param params - Token exchange parameters
+     * @returns Token set with access token, ID token, and claims
+     */
+    exchangeCodeForToken(params: {
+        code: string;
+        codeVerifier: string;
+        state: string;
+        nonce: string;
+    }): Promise<OidcTokenSet>;
+    /**
+     * Get user profile from UserInfo endpoint
+     *
+     * Fetches additional user claims from the UserInfo endpoint.
+     * Merges with claims from ID token.
+     *
+     * @param accessToken - Access token from token exchange
+     * @returns UserInfo response
+     */
+    getUserInfo(accessToken: string): Promise<UserinfoResponse>;
+    /**
+     * Build complete user profile from tokens
+     *
+     * Combines claims from ID token and UserInfo endpoint,
+     * applies custom claim mapping, and returns normalized profile.
+     *
+     * @param tokenSet - Token set from exchange
+     * @param includeUserInfo - Whether to fetch UserInfo endpoint
+     * @returns Normalized user profile
+     */
+    buildProfile(tokenSet: OidcTokenSet, includeUserInfo?: boolean): Promise<OidcProfile>;
+    /**
+     * Ensure provider is initialized before use
+     *
+     * @throws Error if not initialized
+     */
+    private ensureInitialized;
+    /**
+     * Get issuer metadata (after initialization)
+     *
+     * @returns Issuer metadata
+     */
+    getIssuerMetadata(): any;
+}
+//# sourceMappingURL=OidcProvider.d.ts.map

package/dist/providers/OidcProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwC,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvF,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAInD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA+CjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqC/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAajE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IA2BjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}

package/dist/providers/OidcProvider.js

@@ -0,0 +1,208 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcProvider = void 0;
+const openid_client_1 = require("openid-client");
+const claims_mapper_1 = require("../utils/claims-mapper");
+const error_utils_1 = require("../utils/error-utils");
+/**
+ * Generic OIDC Provider implementation using openid-client
+ *
+ * Supports both OIDC discovery and manual configuration.
+ * Handles the complete OIDC flow including:
+ * - Authorization URL generation with PKCE
+ * - Token exchange (code → tokens)
+ * - ID token validation
+ * - UserInfo endpoint fetching
+ * - Claims mapping to profile
+ */
+class OidcProvider {
+    constructor(config) {
+        this.issuer = null;
+        this.client = null;
+        this.initialized = false;
+        this.config = config;
+    }
+    /**
+     * Initialize the provider by discovering or creating the OIDC client
+     *
+     * Uses OIDC discovery if discoveryUrl is provided, otherwise uses
+     * manual endpoint configuration.
+     *
+     * This is async and should be called before using the provider.
+     */
+    async initialize() {
+        if (this.initialized) {
+            return;
+        }
+        try {
+            // Option 1: OIDC Discovery
+            if (this.config.discoveryUrl) {
+                this.issuer = await openid_client_1.Issuer.discover(this.config.discoveryUrl);
+            }
+            // Option 2: Manual configuration
+            else {
+                // Validate required endpoints for manual config
+                if (!this.config.authorizationEndpoint || !this.config.tokenEndpoint || !this.config.jwksUri) {
+                    throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, "Provider must have either discoveryUrl or manual endpoints (authorizationEndpoint, tokenEndpoint, jwksUri)", { provider: this.config.issuer });
+                }
+                this.issuer = new openid_client_1.Issuer({
+                    issuer: this.config.issuer,
+                    authorization_endpoint: this.config.authorizationEndpoint,
+                    token_endpoint: this.config.tokenEndpoint,
+                    userinfo_endpoint: this.config.userinfoEndpoint,
+                    jwks_uri: this.config.jwksUri,
+                });
+            }
+            // Create OIDC client
+            this.client = new this.issuer.Client({
+                client_id: this.config.clientId,
+                client_secret: this.config.clientSecret,
+                redirect_uris: [this.config.callbackUrl],
+                response_types: ["code"],
+            });
+            this.initialized = true;
+        }
+        catch (error) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.DISCOVERY_FAILED, `Failed to initialize OIDC provider: ${error.message}`, {
+                issuer: this.config.issuer,
+                originalError: error.message,
+            });
+        }
+    }
+    /**
+     * Generate authorization URL with PKCE and nonce
+     *
+     * @param params - Authorization parameters
+     * @returns Authorization URL to redirect user to
+     */
+    async getAuthorizationUrl(params) {
+        await this.ensureInitialized();
+        const codeChallenge = openid_client_1.generators.codeChallenge(params.codeVerifier);
+        const scope = this.config.scope?.join(" ") || "openid email profile";
+        const authUrl = this.client.authorizationUrl({
+            scope,
+            state: params.state,
+            code_challenge: codeChallenge,
+            code_challenge_method: "S256",
+            nonce: params.nonce,
+        });
+        return authUrl;
+    }
+    /**
+     * Exchange authorization code for tokens
+     *
+     * Performs the OAuth 2.0 token exchange and validates the ID token.
+     *
+     * @param params - Token exchange parameters
+     * @returns Token set with access token, ID token, and claims
+     */
+    async exchangeCodeForToken(params) {
+        await this.ensureInitialized();
+        try {
+            const tokenSet = await this.client.callback(this.config.callbackUrl, {
+                code: params.code,
+                state: params.state,
+            }, {
+                code_verifier: params.codeVerifier,
+                state: params.state,
+                nonce: params.nonce,
+            });
+            // Extract claims from ID token (already validated by openid-client)
+            const claims = tokenSet.claims();
+            return {
+                accessToken: tokenSet.access_token,
+                idToken: tokenSet.id_token,
+                refreshToken: tokenSet.refresh_token,
+                tokenType: tokenSet.token_type || "Bearer",
+                expiresIn: tokenSet.expires_in,
+                scope: tokenSet.scope,
+                claims,
+            };
+        }
+        catch (error) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.TOKEN_EXCHANGE_FAILED, `Token exchange failed: ${error.message}`, {
+                originalError: error.message,
+                errorCode: error.error,
+            });
+        }
+    }
+    /**
+     * Get user profile from UserInfo endpoint
+     *
+     * Fetches additional user claims from the UserInfo endpoint.
+     * Merges with claims from ID token.
+     *
+     * @param accessToken - Access token from token exchange
+     * @returns UserInfo response
+     */
+    async getUserInfo(accessToken) {
+        await this.ensureInitialized();
+        try {
+            const userinfo = await this.client.userinfo(accessToken);
+            return userinfo;
+        }
+        catch (error) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.USERINFO_FAILED, `UserInfo request failed: ${error.message}`, {
+                originalError: error.message,
+            });
+        }
+    }
+    /**
+     * Build complete user profile from tokens
+     *
+     * Combines claims from ID token and UserInfo endpoint,
+     * applies custom claim mapping, and returns normalized profile.
+     *
+     * @param tokenSet - Token set from exchange
+     * @param includeUserInfo - Whether to fetch UserInfo endpoint
+     * @returns Normalized user profile
+     */
+    async buildProfile(tokenSet, includeUserInfo = true) {
+        let claims = { ...tokenSet.claims };
+        // Optionally fetch additional claims from UserInfo endpoint
+        if (includeUserInfo && this.config.userinfoEndpoint) {
+            try {
+                const userinfo = await this.getUserInfo(tokenSet.accessToken);
+                // Merge UserInfo claims with ID token claims
+                claims = { ...claims, ...userinfo };
+            }
+            catch (error) {
+                // UserInfo is optional - continue with ID token claims only
+                console.warn("Failed to fetch UserInfo, using ID token claims only:", error);
+            }
+        }
+        // Apply custom claim mapping if configured
+        if (this.config.claimMapping) {
+            const customClaims = (0, claims_mapper_1.extractCustomClaims)(claims, this.config.claimMapping);
+            claims = { ...claims, ...customClaims };
+        }
+        // Map to normalized profile
+        const profile = (0, claims_mapper_1.mapClaimsToProfile)(claims);
+        return profile;
+    }
+    /**
+     * Ensure provider is initialized before use
+     *
+     * @throws Error if not initialized
+     */
+    async ensureInitialized() {
+        if (!this.initialized) {
+            await this.initialize();
+        }
+        if (!this.client) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, "OIDC client not initialized");
+        }
+    }
+    /**
+     * Get issuer metadata (after initialization)
+     *
+     * @returns Issuer metadata
+     */
+    getIssuerMetadata() {
+        if (!this.issuer) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, "Provider not initialized");
+        }
+        return this.issuer.metadata;
+    }
+}
+exports.OidcProvider = OidcProvider;

package/dist/providers/ProviderRegistry.d.ts

@@ -0,0 +1,55 @@
+import { OidcProvider } from "./OidcProvider";
+import { OidcProviderConfig } from "../OidcProviderConfig";
+/**
+ * Provider registry for managing OIDC provider instances
+ *
+ * Handles:
+ * - Static provider configuration
+ * - Dynamic provider loading from database
+ * - Provider instance caching
+ * - Lazy initialization
+ */
+export declare class ProviderRegistry {
+    private staticProviders;
+    private providerInstances;
+    private providerLoader?;
+    constructor(staticProviders: Record<string, OidcProviderConfig>, providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>);
+    /**
+     * Get provider instance by name
+     *
+     * Looks up provider in the following order:
+     * 1. Cached instance
+     * 2. Static configuration
+     * 3. Dynamic loader (if configured)
+     *
+     * Providers are lazy-initialized on first use and cached.
+     *
+     * @param providerName - Provider identifier
+     * @returns Initialized OIDC provider instance
+     * @throws Error if provider not found or initialization fails
+     */
+    getProvider(providerName: string): Promise<OidcProvider>;
+    /**
+     * Check if provider exists in static configuration or can be loaded dynamically
+     *
+     * @param providerName - Provider identifier
+     * @returns true if provider exists, false otherwise
+     */
+    hasProvider(providerName: string): boolean;
+    /**
+     * Clear provider cache
+     *
+     * Forces re-initialization of providers on next access.
+     * Useful when provider configurations change.
+     *
+     * @param providerName - Optional provider to clear (clears all if not specified)
+     */
+    clearCache(providerName?: string): void;
+    /**
+     * Get list of configured provider names
+     *
+     * @returns Array of provider names from static configuration
+     */
+    getProviderNames(): string[];
+}
+//# sourceMappingURL=ProviderRegistry.d.ts.map

package/dist/providers/ProviderRegistry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAA+D;gBAGlF,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAMjF;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgC9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}

package/dist/providers/ProviderRegistry.js

@@ -0,0 +1,94 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ProviderRegistry = void 0;
+const OidcProvider_1 = require("./OidcProvider");
+const error_utils_1 = require("../utils/error-utils");
+/**
+ * Provider registry for managing OIDC provider instances
+ *
+ * Handles:
+ * - Static provider configuration
+ * - Dynamic provider loading from database
+ * - Provider instance caching
+ * - Lazy initialization
+ */
+class ProviderRegistry {
+    constructor(staticProviders, providerLoader) {
+        this.providerInstances = new Map();
+        this.staticProviders = staticProviders;
+        this.providerLoader = providerLoader;
+    }
+    /**
+     * Get provider instance by name
+     *
+     * Looks up provider in the following order:
+     * 1. Cached instance
+     * 2. Static configuration
+     * 3. Dynamic loader (if configured)
+     *
+     * Providers are lazy-initialized on first use and cached.
+     *
+     * @param providerName - Provider identifier
+     * @returns Initialized OIDC provider instance
+     * @throws Error if provider not found or initialization fails
+     */
+    async getProvider(providerName) {
+        // Check cache first
+        const cachedProvider = this.providerInstances.get(providerName);
+        if (cachedProvider) {
+            return cachedProvider;
+        }
+        // Try static configuration
+        let config = this.staticProviders[providerName] || null;
+        // Try dynamic loader if not in static config
+        if (!config && this.providerLoader) {
+            config = await this.providerLoader(providerName);
+        }
+        if (!config) {
+            throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, `OIDC provider '${providerName}' is not configured`, {
+                providerName,
+                availableProviders: Object.keys(this.staticProviders),
+            });
+        }
+        // Create and initialize provider
+        const provider = new OidcProvider_1.OidcProvider(config);
+        await provider.initialize();
+        // Cache the instance
+        this.providerInstances.set(providerName, provider);
+        return provider;
+    }
+    /**
+     * Check if provider exists in static configuration or can be loaded dynamically
+     *
+     * @param providerName - Provider identifier
+     * @returns true if provider exists, false otherwise
+     */
+    hasProvider(providerName) {
+        return providerName in this.staticProviders || !!this.providerLoader;
+    }
+    /**
+     * Clear provider cache
+     *
+     * Forces re-initialization of providers on next access.
+     * Useful when provider configurations change.
+     *
+     * @param providerName - Optional provider to clear (clears all if not specified)
+     */
+    clearCache(providerName) {
+        if (providerName) {
+            this.providerInstances.delete(providerName);
+        }
+        else {
+            this.providerInstances.clear();
+        }
+    }
+    /**
+     * Get list of configured provider names
+     *
+     * @returns Array of provider names from static configuration
+     */
+    getProviderNames() {
+        return Object.keys(this.staticProviders);
+    }
+}
+exports.ProviderRegistry = ProviderRegistry;