@flink-app/oidc-plugin 2.0.0-alpha.76 → 2.0.0-alpha.77

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @flink-app/oidc-plugin
 
+## 2.0.0-alpha.77
+
+### Minor Changes
+
+-   Make providers optional when providerLoader is configured, add TCtx generic for typed ctx in providerLoader and onAuthSuccess callbacks
+
+### Patch Changes
+
+-   @flink-app/flink@2.0.0-alpha.77
+-   @flink-app/jwt-auth-plugin@2.0.0-alpha.77
+
 ## 2.0.0-alpha.76
 
 ### Patch Changes

package/dist/OidcPlugin.d.ts

@@ -73,5 +73,5 @@ import { OidcPluginOptions } from "./OidcPluginOptions";
  * });
  * ```
  */
-export declare function oidcPlugin(options: OidcPluginOptions): FlinkPlugin;
+export declare function oidcPlugin<TCtx = any>(options: OidcPluginOptions<TCtx>): FlinkPlugin;
 //# sourceMappingURL=OidcPlugin.d.ts.map

package/dist/OidcPlugin.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcPlugin.d.ts","sourceRoot":"","sources":["../src/OidcPlugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,WAAW,EAAO,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAWxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,WAAW,CAiNlE"}
+{"version":3,"file":"OidcPlugin.d.ts","sourceRoot":"","sources":["../src/OidcPlugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAY,WAAW,EAAO,MAAM,kBAAkB,CAAC;AAE9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAWxD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,wBAAgB,UAAU,CAAC,IAAI,GAAG,GAAG,EAAE,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC,GAAG,WAAW,CAmNpF"}

package/dist/OidcPlugin.js

@@ -109,13 +109,14 @@ const CallbackOidc = __importStar(require("./handlers/CallbackOidc"));
  */
 function oidcPlugin(options) {
     // Validation
-    if (!options.providers || Object.keys(options.providers).length === 0) {
-        throw new Error("OIDC Plugin: At least one provider must be configured");
+    const providers = options.providers || {};
+    if (Object.keys(providers).length === 0 && !options.providerLoader) {
+        throw new Error("OIDC Plugin: At least one provider must be configured, or providerLoader must be provided");
     }
     // Validate provider configurations
-    const configuredProviders = Object.keys(options.providers);
+    const configuredProviders = Object.keys(providers);
     for (const providerName of configuredProviders) {
-        const providerConfig = options.providers[providerName];
+        const providerConfig = providers[providerName];
         if (!providerConfig)
             continue;
         if (!providerConfig.issuer) {
@@ -142,9 +143,9 @@ function oidcPlugin(options) {
     let encryptionKey = options.encryptionKey;
     if (!encryptionKey) {
         // Derive from the first configured provider that has a client secret
-        const providerWithSecret = configuredProviders.find((name) => options.providers[name]?.clientSecret);
+        const providerWithSecret = configuredProviders.find((name) => providers[name]?.clientSecret);
         if (providerWithSecret) {
-            encryptionKey = options.providers[providerWithSecret].clientSecret;
+            encryptionKey = providers[providerWithSecret].clientSecret;
             flink_1.log.warn("OIDC Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options.");
         }
     }
@@ -189,7 +190,7 @@ function oidcPlugin(options) {
             await db.collection(sessionsCollectionName).createIndex({ createdAt: 1 }, { expireAfterSeconds: sessionTTL });
             flink_1.log.info(`OIDC Plugin: Created TTL index on ${sessionsCollectionName} with ${sessionTTL}s expiration`);
             // Initialize provider registry
-            providerRegistry = new ProviderRegistry_1.ProviderRegistry(options.providers, options.providerLoader);
+            providerRegistry = new ProviderRegistry_1.ProviderRegistry(providers, options.providerLoader, flinkApp.ctx);
             // Store provider registry in app context for handlers to access
             flinkApp.ctx.oidcProviderRegistry = providerRegistry;
             // Register OIDC handlers
@@ -198,7 +199,7 @@ function oidcPlugin(options) {
                 flinkApp.addHandler(InitiateOidc);
                 flinkApp.addHandler(CallbackOidc);
             }
-            flink_1.log.info(`OIDC Plugin initialized with providers: ${configuredProviders.join(", ")}`);
+            flink_1.log.info(`OIDC Plugin initialized${configuredProviders.length > 0 ? ` with providers: ${configuredProviders.join(", ")}` : " with dynamic provider loader"}`);
         }
         catch (error) {
             flink_1.log.error("Failed to initialize OIDC Plugin:", error);

package/dist/OidcPluginOptions.d.ts

@@ -56,7 +56,7 @@ export interface AuthErrorCallbackResponse {
  * The onAuthSuccess callback receives the Flink context as a second parameter,
  * allowing the application to generate JWT tokens using ctx.plugins.jwtAuth.createToken().
  */
-export interface OidcPluginOptions {
+export interface OidcPluginOptions<TCtx = any> {
     /**
      * OIDC provider configurations
      * Key = provider name (used in URLs: /oidc/{provider}/initiate)
@@ -81,7 +81,7 @@ export interface OidcPluginOptions {
      *   }
      * }
      */
-    providers: Record<string, OidcProviderConfig>;
+    providers?: Record<string, OidcProviderConfig>;
     /**
      * Whether to store OIDC tokens for future API access
      * If false, tokens are discarded after authentication (auth-only mode)
@@ -163,7 +163,7 @@ export interface OidcPluginOptions {
          * Includes accessToken, idToken, refreshToken
          */
         tokens?: OidcTokenSet;
-    }, ctx: any) => Promise<AuthSuccessCallbackResponse>;
+    }, ctx: TCtx) => Promise<AuthSuccessCallbackResponse>;
     /**
      * Callback invoked on OIDC authentication errors
      *
@@ -204,11 +204,12 @@ export interface OidcPluginOptions {
      * Use this for multi-tenant scenarios where each organization has different IdPs.
      *
      * @param providerName - Name of the provider to load
+     * @param ctx - Flink context with access to repos and plugins
      * @returns Provider configuration or null if not found
      *
      * Example:
      * ```typescript
-     * providerLoader: async (providerName) => {
+     * providerLoader: async (providerName, ctx) => {
      *   const config = await ctx.repos.oidcProviderRepo.getByName(providerName);
      *   if (!config || !config.enabled) {
      *     return null;
@@ -224,7 +225,7 @@ export interface OidcPluginOptions {
      * }
      * ```
      */
-    providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>;
+    providerLoader?: (providerName: string, ctx: TCtx) => Promise<OidcProviderConfig | null>;
     /**
      * Custom collection name for OIDC sessions
      * Default: 'oidc_sessions'

package/dist/OidcPluginOptions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"OidcPluginOptions.d.ts","sourceRoot":"","sources":["../src/OidcPluginOptions.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,uBAAuB,CAAC;AAChD,OAAO,YAAY,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,GAAG,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IACxC;;;OAGG;IACH,IAAI,EAAE,GAAG,CAAC;IAEV;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACtC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB;IAC9B;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAE9C;;;;;;;;;;;OAWG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgDG;IACH,aAAa,EAAE,CACX,MAAM,EAAE;QACJ;;WAEG;QACH,OAAO,EAAE,WAAW,CAAC;QAErB;;;WAGG;QACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE5B;;WAEG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;WAGG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;KACzB,EACD,GAAG,EAAE,GAAG,KACP,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,SAAS,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAErG;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4BG;IACH,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAE9E;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC5B"}
+{"version":3,"file":"OidcPluginOptions.d.ts","sourceRoot":"","sources":["../src/OidcPluginOptions.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,uBAAuB,CAAC;AAChD,OAAO,YAAY,MAAM,wBAAwB,CAAC;AAClD,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;GAEG;AACH,MAAM,WAAW,SAAS;IACtB;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,OAAO,CAAC,EAAE,GAAG,CAAC;CACjB;AAED;;;GAGG;AACH,MAAM,WAAW,2BAA2B;IACxC;;;OAGG;IACH,IAAI,EAAE,GAAG,CAAC;IAEV;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACtC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAiB,CAAC,IAAI,GAAG,GAAG;IACzC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC;IAE/C;;;;;;;;;;;OAWG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IAEtB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgDG;IACH,aAAa,EAAE,CACX,MAAM,EAAE;QACJ;;WAEG;QACH,OAAO,EAAE,WAAW,CAAC;QAErB;;;WAGG;QACH,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE5B;;WAEG;QACH,QAAQ,EAAE,MAAM,CAAC;QAEjB;;;WAGG;QACH,MAAM,CAAC,EAAE,YAAY,CAAC;KACzB,EACD,GAAG,EAAE,IAAI,KACR,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,WAAW,CAAC,EAAE,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,SAAS,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAErG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA6BG;IACH,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC;IAEzF;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC;;;OAGG;IACH,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,OAAO,CAAC;CAC5B"}

package/dist/providers/ProviderRegistry.d.ts

@@ -13,7 +13,8 @@ export declare class ProviderRegistry {
     private staticProviders;
     private providerInstances;
     private providerLoader?;
-    constructor(staticProviders: Record<string, OidcProviderConfig>, providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>);
+    private ctx;
+    constructor(staticProviders: Record<string, OidcProviderConfig>, providerLoader?: (providerName: string, ctx: any) => Promise<OidcProviderConfig | null>, ctx?: any);
     /**
      * Get provider instance by name
      *

package/dist/providers/ProviderRegistry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAA+D;gBAGlF,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC;IAMjF;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgC9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}
+{"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAG3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAAyE;IAChG,OAAO,CAAC,GAAG,CAAM;gBAGb,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,EACvF,GAAG,CAAC,EAAE,GAAG;IAOb;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgC9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}

package/dist/providers/ProviderRegistry.js

@@ -13,10 +13,11 @@ const error_utils_1 = require("../utils/error-utils");
  * - Lazy initialization
  */
 class ProviderRegistry {
-    constructor(staticProviders, providerLoader) {
+    constructor(staticProviders, providerLoader, ctx) {
         this.providerInstances = new Map();
         this.staticProviders = staticProviders;
         this.providerLoader = providerLoader;
+        this.ctx = ctx;
     }
     /**
      * Get provider instance by name
@@ -42,7 +43,7 @@ class ProviderRegistry {
         let config = this.staticProviders[providerName] || null;
         // Try dynamic loader if not in static config
         if (!config && this.providerLoader) {
-            config = await this.providerLoader(providerName);
+            config = await this.providerLoader(providerName, this.ctx);
         }
         if (!config) {
             throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.PROVIDER_NOT_CONFIGURED, `OIDC provider '${providerName}' is not configured`, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flink-app/oidc-plugin",
-  "version": "2.0.0-alpha.76",
+  "version": "2.0.0-alpha.77",
   "description": "Flink plugin for OIDC authentication with generic IdP support",
   "author": "joel@frost.se",
   "license": "MIT",
@@ -11,10 +11,10 @@
   },
   "dependencies": {
     "openid-client": "^5.7.0",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.76"
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.77"
   },
   "peerDependencies": {
-    "@flink-app/flink": ">=2.0.0-alpha.76",
+    "@flink-app/flink": ">=2.0.0-alpha.77",
     "mongodb": "^6.15.0"
   },
   "peerDependenciesMeta": {
@@ -27,9 +27,9 @@
     "@types/node": "22.13.10",
     "ts-node": "^10.9.2",
     "tsc-watch": "^4.2.9",
-    "@flink-app/flink": "2.0.0-alpha.76",
-    "@flink-app/test-utils": "2.0.0-alpha.76",
-    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.76"
+    "@flink-app/flink": "2.0.0-alpha.77",
+    "@flink-app/test-utils": "2.0.0-alpha.77",
+    "@flink-app/jwt-auth-plugin": "2.0.0-alpha.77"
   },
   "scripts": {
     "test": "jasmine-ts --config=./spec/support/jasmine.json",

package/spec/plugin/OidcPlugin.spec.ts

@@ -11,13 +11,40 @@ import { createTestProviderConfig, createPublicClientProviderConfig } from "../h
 describe("OidcPlugin", () => {
 
     describe("configuration validation", () => {
-        it("should throw error if no providers configured", () => {
+        it("should throw error if no providers and no providerLoader configured", () => {
             expect(() => {
                 oidcPlugin({
                     providers: {},
                     onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
                 });
-            }).toThrowError(/At least one provider must be configured/);
+            }).toThrowError(/At least one provider must be configured, or providerLoader must be provided/);
+        });
+
+        it("should throw error if providers omitted and no providerLoader configured", () => {
+            expect(() => {
+                oidcPlugin({
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).toThrowError(/At least one provider must be configured, or providerLoader must be provided/);
+        });
+
+        it("should accept empty providers when providerLoader is configured", () => {
+            expect(() => {
+                oidcPlugin({
+                    providers: {},
+                    providerLoader: async () => null,
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
+        });
+
+        it("should accept omitted providers when providerLoader is configured", () => {
+            expect(() => {
+                oidcPlugin({
+                    providerLoader: async () => null,
+                    onAuthSuccess: async () => ({ user: {}, token: "", redirectUrl: "" }),
+                });
+            }).not.toThrow();
         });
 
         it("should throw error if onAuthSuccess is missing", () => {

package/spec/providers/ProviderRegistry.spec.ts

@@ -29,7 +29,7 @@ describe("ProviderRegistry", () => {
         });
 
         it("should create registry with provider loader", () => {
-            const loader = async (name: string) => null;
+            const loader = async (name: string, ctx: any) => null;
             const registry = new ProviderRegistry(staticProviders, loader);
             expect(registry).toBeDefined();
         });
@@ -49,7 +49,7 @@ describe("ProviderRegistry", () => {
         });
 
         it("should return true if provider loader is configured", () => {
-            const loader = async (name: string) => null;
+            const loader = async (name: string, ctx: any) => null;
             const registry = new ProviderRegistry(staticProviders, loader);
             // hasProvider returns true if loader exists, even for unknown providers
             expect(registry.hasProvider("unknown")).toBe(true);
@@ -87,7 +87,8 @@ describe("ProviderRegistry", () => {
             });
 
             const loader = jasmine.createSpy("loader").and.returnValue(Promise.resolve(dynamicConfig));
-            const registry = new ProviderRegistry(staticProviders, loader);
+            const mockCtx = { repos: {} };
+            const registry = new ProviderRegistry(staticProviders, loader, mockCtx);
 
             // Note: This will attempt real OIDC discovery, which will fail in tests
             // We're primarily testing that the loader is called
@@ -95,13 +96,13 @@ describe("ProviderRegistry", () => {
                 await registry.getProvider("okta");
             } catch (error) {
                 // Discovery will fail, but loader should have been called
-                expect(loader).toHaveBeenCalledWith("okta");
+                expect(loader).toHaveBeenCalledWith("okta", mockCtx);
             }
         });
 
         it("should prioritize static config over loader", async () => {
             const loader = jasmine.createSpy("loader").and.returnValue(Promise.resolve(null));
-            const registry = new ProviderRegistry(staticProviders, loader);
+            const registry = new ProviderRegistry(staticProviders, loader, {});
 
             // Note: This will attempt real OIDC discovery
             try {
@@ -113,7 +114,7 @@ describe("ProviderRegistry", () => {
         });
 
         it("should throw error if loader returns null", async () => {
-            const loader = async (name: string) => null;
+            const loader = async (name: string, ctx: any) => null;
             const registry = new ProviderRegistry({}, loader);
 
             try {
@@ -169,7 +170,7 @@ describe("ProviderRegistry", () => {
                     })
                 )
             );
-            const registry = new ProviderRegistry({}, loader);
+            const registry = new ProviderRegistry({}, loader, {});
 
             // First call - will attempt to initialize (and fail on discovery)
             try {

package/src/OidcPlugin.ts

@@ -84,16 +84,18 @@ import * as CallbackOidc from "./handlers/CallbackOidc";
  * });
  * ```
  */
-export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
+export function oidcPlugin<TCtx = any>(options: OidcPluginOptions<TCtx>): FlinkPlugin {
     // Validation
-    if (!options.providers || Object.keys(options.providers).length === 0) {
-        throw new Error("OIDC Plugin: At least one provider must be configured");
+    const providers = options.providers || {};
+
+    if (Object.keys(providers).length === 0 && !options.providerLoader) {
+        throw new Error("OIDC Plugin: At least one provider must be configured, or providerLoader must be provided");
     }
 
     // Validate provider configurations
-    const configuredProviders = Object.keys(options.providers);
+    const configuredProviders = Object.keys(providers);
     for (const providerName of configuredProviders) {
-        const providerConfig = options.providers[providerName];
+        const providerConfig = providers[providerName];
         if (!providerConfig) continue;
 
         if (!providerConfig.issuer) {
@@ -125,9 +127,9 @@ export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
     let encryptionKey = options.encryptionKey;
     if (!encryptionKey) {
         // Derive from the first configured provider that has a client secret
-        const providerWithSecret = configuredProviders.find((name) => options.providers[name]?.clientSecret);
+        const providerWithSecret = configuredProviders.find((name) => providers[name]?.clientSecret);
         if (providerWithSecret) {
-            encryptionKey = options.providers[providerWithSecret].clientSecret;
+            encryptionKey = providers[providerWithSecret].clientSecret;
             log.warn(
                 "OIDC Plugin: No encryption key provided, deriving from client secret. " + "For better security, provide a dedicated encryptionKey in options."
             );
@@ -186,7 +188,7 @@ export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
             log.info(`OIDC Plugin: Created TTL index on ${sessionsCollectionName} with ${sessionTTL}s expiration`);
 
             // Initialize provider registry
-            providerRegistry = new ProviderRegistry(options.providers, options.providerLoader);
+            providerRegistry = new ProviderRegistry(providers, options.providerLoader, flinkApp.ctx);
 
             // Store provider registry in app context for handlers to access
             (flinkApp.ctx as any).oidcProviderRegistry = providerRegistry;
@@ -198,7 +200,7 @@ export function oidcPlugin(options: OidcPluginOptions): FlinkPlugin {
                 flinkApp.addHandler(CallbackOidc);
             }
 
-            log.info(`OIDC Plugin initialized with providers: ${configuredProviders.join(", ")}`);
+            log.info(`OIDC Plugin initialized${configuredProviders.length > 0 ? ` with providers: ${configuredProviders.join(", ")}` : " with dynamic provider loader"}`);
         } catch (error) {
             log.error("Failed to initialize OIDC Plugin:", error);
             throw error;

package/src/OidcPluginOptions.ts

@@ -64,7 +64,7 @@ export interface AuthErrorCallbackResponse {
  * The onAuthSuccess callback receives the Flink context as a second parameter,
  * allowing the application to generate JWT tokens using ctx.plugins.jwtAuth.createToken().
  */
-export interface OidcPluginOptions {
+export interface OidcPluginOptions<TCtx = any> {
     /**
      * OIDC provider configurations
      * Key = provider name (used in URLs: /oidc/{provider}/initiate)
@@ -89,7 +89,7 @@ export interface OidcPluginOptions {
      *   }
      * }
      */
-    providers: Record<string, OidcProviderConfig>;
+    providers?: Record<string, OidcProviderConfig>;
 
     /**
      * Whether to store OIDC tokens for future API access
@@ -178,7 +178,7 @@ export interface OidcPluginOptions {
              */
             tokens?: OidcTokenSet;
         },
-        ctx: any
+        ctx: TCtx
     ) => Promise<AuthSuccessCallbackResponse>;
 
     /**
@@ -219,11 +219,12 @@ export interface OidcPluginOptions {
      * Use this for multi-tenant scenarios where each organization has different IdPs.
      *
      * @param providerName - Name of the provider to load
+     * @param ctx - Flink context with access to repos and plugins
      * @returns Provider configuration or null if not found
      *
      * Example:
      * ```typescript
-     * providerLoader: async (providerName) => {
+     * providerLoader: async (providerName, ctx) => {
      *   const config = await ctx.repos.oidcProviderRepo.getByName(providerName);
      *   if (!config || !config.enabled) {
      *     return null;
@@ -239,7 +240,7 @@ export interface OidcPluginOptions {
      * }
      * ```
      */
-    providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>;
+    providerLoader?: (providerName: string, ctx: TCtx) => Promise<OidcProviderConfig | null>;
 
     /**
      * Custom collection name for OIDC sessions

package/src/providers/ProviderRegistry.ts

@@ -14,14 +14,17 @@ import { createOidcError, OidcErrorCodes } from "../utils/error-utils";
 export class ProviderRegistry {
     private staticProviders: Record<string, OidcProviderConfig>;
     private providerInstances: Map<string, OidcProvider> = new Map();
-    private providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>;
+    private providerLoader?: (providerName: string, ctx: any) => Promise<OidcProviderConfig | null>;
+    private ctx: any;
 
     constructor(
         staticProviders: Record<string, OidcProviderConfig>,
-        providerLoader?: (providerName: string) => Promise<OidcProviderConfig | null>
+        providerLoader?: (providerName: string, ctx: any) => Promise<OidcProviderConfig | null>,
+        ctx?: any
     ) {
         this.staticProviders = staticProviders;
         this.providerLoader = providerLoader;
+        this.ctx = ctx;
     }
 
     /**
@@ -50,7 +53,7 @@ export class ProviderRegistry {
 
         // Try dynamic loader if not in static config
         if (!config && this.providerLoader) {
-            config = await this.providerLoader(providerName);
+            config = await this.providerLoader(providerName, this.ctx);
         }
 
         if (!config) {