@frontmcp/sdk 0.4.0 → 0.5.0

package/src/auth/instances/instance.local-primary-auth.d.ts

@@ -1,18 +1,105 @@
 import { URL } from 'url';
-import { FrontMcpAuth, FrontMcpLogger, LocalAuthOptions, ScopeEntry, ServerRequest } from '../../common';
+import { FrontMcpAuth, FrontMcpLogger, ScopeEntry, ServerRequest, JWK } from '../../common';
+import { PublicAuthOptions, OrchestratedLocalOptions, OrchestratedRemoteOptions } from '../../common/types/options/auth.options';
 import ProviderRegistry from '../../provider/provider.registry';
-export declare class LocalPrimaryAuth extends FrontMcpAuth {
+import { AuthorizationStore } from '../session/authorization.store';
+/**
+ * Options type for LocalPrimaryAuth - can be public, orchestrated local, or orchestrated remote
+ */
+export type LocalPrimaryAuthOptions = PublicAuthOptions | OrchestratedLocalOptions | OrchestratedRemoteOptions;
+/**
+ * User information for JWT claims
+ */
+export interface UserInfo {
+    sub: string;
+    email?: string;
+    name?: string;
+    picture?: string;
+    roles?: string[];
+}
+/**
+ * Token response from the token endpoint
+ */
+export interface TokenResponse {
+    access_token: string;
+    token_type: 'Bearer';
+    expires_in: number;
+    refresh_token?: string;
+    scope?: string;
+}
+/**
+ * Consent and federated login metadata for JWT claims
+ */
+export interface ConsentMetadata {
+    selectedToolIds?: string[];
+    selectedProviderIds?: string[];
+    skippedProviderIds?: string[];
+    consentEnabled?: boolean;
+    federatedLoginUsed?: boolean;
+}
+export declare class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptions> {
     private scope;
     private providers;
     readonly host: string;
     readonly port: number;
     readonly issuer: string;
-    readonly keys: any[];
+    readonly keys: JWK[];
     readonly secret: Uint8Array;
     readonly logger: FrontMcpLogger;
+    readonly authorizationStore: AuthorizationStore;
     private jwks;
-    constructor(scope: ScopeEntry, providers: ProviderRegistry, metadata: LocalAuthOptions);
+    /** Default access token TTL (1 hour) */
+    private readonly accessTokenTtlSeconds;
+    /** Default refresh token TTL (30 days) */
+    private readonly refreshTokenTtlSeconds;
+    /**
+     * Get the authorization store as InMemoryAuthorizationStore with type guard.
+     * This ensures type safety when using InMemory-specific methods.
+     */
+    private getInMemoryStore;
+    constructor(scope: ScopeEntry, providers: ProviderRegistry, options: LocalPrimaryAuthOptions);
+    /**
+     * Derive issuer from options
+     */
+    private deriveIssuer;
     signAnonymousJwt(): Promise<string>;
+    /**
+     * Sign an access token for an authenticated user
+     */
+    signAccessToken(user: UserInfo, scopes: string[], audience?: string, consentMetadata?: ConsentMetadata): Promise<string>;
+    /**
+     * Exchange an authorization code for tokens
+     */
+    exchangeCode(code: string, clientId: string, redirectUri: string, codeVerifier: string): Promise<TokenResponse | {
+        error: string;
+        error_description: string;
+    }>;
+    /**
+     * Refresh an access token using a refresh token
+     */
+    refreshAccessToken(refreshToken: string, clientId: string): Promise<TokenResponse | {
+        error: string;
+        error_description: string;
+    }>;
+    /**
+     * Create an authorization code for a user (called after login)
+     */
+    createAuthorizationCode(params: {
+        clientId: string;
+        redirectUri: string;
+        scopes: string[];
+        codeChallenge: string;
+        userSub: string;
+        userEmail?: string;
+        userName?: string;
+        state?: string;
+        resource?: string;
+        selectedToolIds?: string[];
+        selectedProviderIds?: string[];
+        skippedProviderIds?: string[];
+        consentEnabled?: boolean;
+        federatedLoginUsed?: boolean;
+    }): Promise<string>;
     protected initialize(): Promise<void>;
     fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
     validate(request: ServerRequest): Promise<void>;

package/src/auth/instances/instance.local-primary-auth.js

@@ -5,6 +5,7 @@ const tslib_1 = require("tslib");
 const jose_1 = require("jose");
 const crypto_1 = require("crypto");
 const common_1 = require("../../common");
+const auth_options_1 = require("../../common/types/options/auth.options");
 const well_known_prm_flow_1 = tslib_1.__importDefault(require("../flows/well-known.prm.flow"));
 const well_known_oauth_authorization_server_flow_1 = tslib_1.__importDefault(require("../flows/well-known.oauth-authorization-server.flow"));
 const well_known_jwks_flow_1 = tslib_1.__importDefault(require("../flows/well-known.jwks.flow"));
@@ -12,7 +13,9 @@ const session_verify_flow_1 = tslib_1.__importDefault(require("../flows/session.
 const oauth_authorize_flow_1 = tslib_1.__importDefault(require("../flows/oauth.authorize.flow"));
 const oauth_register_flow_1 = tslib_1.__importDefault(require("../flows/oauth.register.flow"));
 const oauth_token_flow_1 = tslib_1.__importDefault(require("../flows/oauth.token.flow"));
+const oauth_callback_flow_1 = tslib_1.__importDefault(require("../flows/oauth.callback.flow"));
 const jwks_1 = require("../jwks");
+const authorization_store_1 = require("../session/authorization.store");
 const DEFAULT_NO_AUTH_SECRET = (0, crypto_1.randomBytes)(32);
 class LocalPrimaryAuth extends common_1.FrontMcpAuth {
     scope;
@@ -23,24 +26,60 @@ class LocalPrimaryAuth extends common_1.FrontMcpAuth {
     keys = [];
     secret;
     logger;
+    authorizationStore;
     jwks = new jwks_1.JwksService();
-    constructor(scope, providers, metadata) {
-        super(metadata);
+    /** Default access token TTL (1 hour) */
+    accessTokenTtlSeconds = 3600;
+    /** Default refresh token TTL (30 days) */
+    refreshTokenTtlSeconds = 30 * 24 * 3600;
+    /**
+     * Get the authorization store as InMemoryAuthorizationStore with type guard.
+     * This ensures type safety when using InMemory-specific methods.
+     */
+    getInMemoryStore() {
+        if (!(this.authorizationStore instanceof authorization_store_1.InMemoryAuthorizationStore)) {
+            throw new Error('LocalPrimaryAuth requires InMemoryAuthorizationStore for record creation methods');
+        }
+        return this.authorizationStore;
+    }
+    constructor(scope, providers, options) {
+        super(options);
         this.scope = scope;
         this.providers = providers;
         this.logger = this.providers.getActiveScope().logger.child('LocalPrimaryAuth');
         this.port = this.providers.getActiveScope().metadata.http?.port ?? 3001;
         this.host = 'localhost';
-        this.issuer = `http://${this.host}:${this.port}${scope.fullPath}`;
-        if (process.env["JWT_SECRET"]) {
-            this.secret = new TextEncoder().encode(process.env["JWT_SECRET"]);
+        this.issuer = this.deriveIssuer(options);
+        if (process.env['JWT_SECRET']) {
+            this.secret = new TextEncoder().encode(process.env['JWT_SECRET']);
         }
         else {
             this.logger.warn('JWT_SECRET is not set, using default secret');
             this.secret = DEFAULT_NO_AUTH_SECRET;
         }
+        // Initialize authorization store (in-memory for now, Redis later)
+        this.authorizationStore = new authorization_store_1.InMemoryAuthorizationStore();
         this.ready = this.initialize();
     }
+    /**
+     * Derive issuer from options
+     */
+    deriveIssuer(options) {
+        const basePath = `http://${this.host}:${this.port}${this.scope.fullPath}`;
+        if ((0, auth_options_1.isPublicMode)(options)) {
+            return options.issuer ?? basePath;
+        }
+        if ((0, auth_options_1.isOrchestratedMode)(options)) {
+            if ((0, auth_options_1.isOrchestratedLocal)(options)) {
+                return options.local?.issuer ?? basePath;
+            }
+            else {
+                // Orchestrated remote
+                return options.local?.issuer ?? basePath;
+            }
+        }
+        return basePath;
+    }
     async signAnonymousJwt() {
         const sub = (0, crypto_1.randomUUID)();
         return new jose_1.SignJWT({ sub, role: 'user', anonymous: true })
@@ -50,6 +89,197 @@ class LocalPrimaryAuth extends common_1.FrontMcpAuth {
             .setExpirationTime('1d')
             .sign(this.secret);
     }
+    /**
+     * Sign an access token for an authenticated user
+     */
+    async signAccessToken(user, scopes, audience, consentMetadata) {
+        const claims = {
+            sub: user.sub,
+            scope: scopes.join(' '),
+        };
+        if (user.email)
+            claims['email'] = user.email;
+        if (user.name)
+            claims['name'] = user.name;
+        if (user.picture)
+            claims['picture'] = user.picture;
+        if (user.roles)
+            claims['roles'] = user.roles;
+        // Add consent metadata if present
+        if (consentMetadata) {
+            if (consentMetadata.consentEnabled) {
+                claims['consent'] = {
+                    enabled: true,
+                    selectedTools: consentMetadata.selectedToolIds ?? [],
+                };
+            }
+            if (consentMetadata.federatedLoginUsed) {
+                claims['federated'] = {
+                    enabled: true,
+                    selectedProviders: consentMetadata.selectedProviderIds ?? [],
+                    skippedProviders: consentMetadata.skippedProviderIds ?? [],
+                };
+            }
+        }
+        const jwt = new jose_1.SignJWT(claims)
+            .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+            .setIssuedAt()
+            .setIssuer(this.issuer)
+            .setExpirationTime(`${this.accessTokenTtlSeconds}s`)
+            .setJti((0, crypto_1.randomUUID)());
+        if (audience) {
+            jwt.setAudience(audience);
+        }
+        return jwt.sign(this.secret);
+    }
+    /**
+     * Exchange an authorization code for tokens
+     */
+    async exchangeCode(code, clientId, redirectUri, codeVerifier) {
+        // Get the authorization code record
+        const codeRecord = await this.authorizationStore.getAuthorizationCode(code);
+        if (!codeRecord) {
+            this.logger.warn(`Authorization code not found or expired: ${code.substring(0, 8)}...`);
+            return {
+                error: 'invalid_grant',
+                error_description: 'Authorization code is invalid or expired',
+            };
+        }
+        // Verify code hasn't been used (single-use)
+        if (codeRecord.used) {
+            this.logger.warn(`Authorization code already used: ${code.substring(0, 8)}...`);
+            // Security: If a code is reused, revoke all tokens from this code
+            await this.authorizationStore.deleteAuthorizationCode(code);
+            return {
+                error: 'invalid_grant',
+                error_description: 'Authorization code has already been used',
+            };
+        }
+        // Verify client_id matches
+        if (codeRecord.clientId !== clientId) {
+            this.logger.warn(`Client ID mismatch: expected ${codeRecord.clientId}, got ${clientId}`);
+            return {
+                error: 'invalid_grant',
+                error_description: 'Client ID does not match',
+            };
+        }
+        // Verify redirect_uri matches
+        if (codeRecord.redirectUri !== redirectUri) {
+            this.logger.warn(`Redirect URI mismatch`);
+            return {
+                error: 'invalid_grant',
+                error_description: 'Redirect URI does not match',
+            };
+        }
+        // Verify PKCE
+        if (!(0, authorization_store_1.verifyPkce)(codeVerifier, codeRecord.pkce)) {
+            this.logger.warn(`PKCE verification failed`);
+            return {
+                error: 'invalid_grant',
+                error_description: 'PKCE verification failed',
+            };
+        }
+        // Mark code as used
+        await this.authorizationStore.markCodeUsed(code);
+        // Generate tokens
+        const user = {
+            sub: codeRecord.userSub,
+            email: codeRecord.userEmail,
+            name: codeRecord.userName,
+        };
+        // Build consent metadata from code record
+        const consentMetadata = codeRecord.consentEnabled || codeRecord.federatedLoginUsed
+            ? {
+                selectedToolIds: codeRecord.selectedToolIds,
+                selectedProviderIds: codeRecord.selectedProviderIds,
+                skippedProviderIds: codeRecord.skippedProviderIds,
+                consentEnabled: codeRecord.consentEnabled,
+                federatedLoginUsed: codeRecord.federatedLoginUsed,
+            }
+            : undefined;
+        const accessToken = await this.signAccessToken(user, codeRecord.scopes, codeRecord.resource, consentMetadata);
+        // Create refresh token
+        const refreshTokenRecord = this.getInMemoryStore().createRefreshTokenRecord({
+            clientId,
+            userSub: user.sub,
+            scopes: codeRecord.scopes,
+            resource: codeRecord.resource,
+        });
+        await this.authorizationStore.storeRefreshToken(refreshTokenRecord);
+        this.logger.info(`Tokens issued for user: ${user.sub}`);
+        return {
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: this.accessTokenTtlSeconds,
+            refresh_token: refreshTokenRecord.token,
+            scope: codeRecord.scopes.join(' '),
+        };
+    }
+    /**
+     * Refresh an access token using a refresh token
+     */
+    async refreshAccessToken(refreshToken, clientId) {
+        const tokenRecord = await this.authorizationStore.getRefreshToken(refreshToken);
+        if (!tokenRecord) {
+            this.logger.warn('Refresh token not found or expired');
+            return {
+                error: 'invalid_grant',
+                error_description: 'Refresh token is invalid or expired',
+            };
+        }
+        if (tokenRecord.clientId !== clientId) {
+            this.logger.warn('Client ID mismatch on refresh');
+            return {
+                error: 'invalid_grant',
+                error_description: 'Client ID does not match',
+            };
+        }
+        // Generate new access token
+        const user = { sub: tokenRecord.userSub };
+        const accessToken = await this.signAccessToken(user, tokenRecord.scopes, tokenRecord.resource);
+        // Rotate refresh token
+        const newRefreshRecord = this.getInMemoryStore().createRefreshTokenRecord({
+            clientId,
+            userSub: tokenRecord.userSub,
+            scopes: tokenRecord.scopes,
+            resource: tokenRecord.resource,
+        });
+        await this.authorizationStore.rotateRefreshToken(refreshToken, newRefreshRecord);
+        this.logger.info(`Tokens refreshed for user: ${user.sub}`);
+        return {
+            access_token: accessToken,
+            token_type: 'Bearer',
+            expires_in: this.accessTokenTtlSeconds,
+            refresh_token: newRefreshRecord.token,
+            scope: tokenRecord.scopes.join(' '),
+        };
+    }
+    /**
+     * Create an authorization code for a user (called after login)
+     */
+    async createAuthorizationCode(params) {
+        const store = this.getInMemoryStore();
+        const codeRecord = store.createCodeRecord({
+            clientId: params.clientId,
+            redirectUri: params.redirectUri,
+            scopes: params.scopes,
+            pkce: { challenge: params.codeChallenge, method: 'S256' },
+            userSub: params.userSub,
+            userEmail: params.userEmail,
+            userName: params.userName,
+            state: params.state,
+            resource: params.resource,
+            // Consent and Federated Login Data
+            selectedToolIds: params.selectedToolIds,
+            selectedProviderIds: params.selectedProviderIds,
+            skippedProviderIds: params.skippedProviderIds,
+            consentEnabled: params.consentEnabled,
+            federatedLoginUsed: params.federatedLoginUsed,
+        });
+        await this.authorizationStore.storeAuthorizationCode(codeRecord);
+        this.logger.info(`Authorization code created for user: ${params.userSub}`);
+        return codeRecord.code;
+    }
     async initialize() {
         // TODO: create separated jwk service for local/remote auth options
         this.providers.injectProvider({
@@ -71,7 +301,7 @@ class LocalPrimaryAuth extends common_1.FrontMcpAuth {
     }
     async registerAuthFlows() {
         const scope = this.providers.getActiveScope();
-        await scope.registryFlows(well_known_prm_flow_1.default, /** /.well-known/oauth-protected-resource */ well_known_oauth_authorization_server_flow_1.default, /** /.well-known/oauth-authorization-server */ well_known_jwks_flow_1.default, /** /.well-known/jwks.json */ session_verify_flow_1.default, /** Session verification flow */ oauth_authorize_flow_1.default, oauth_token_flow_1.default, oauth_register_flow_1.default);
+        await scope.registryFlows(well_known_prm_flow_1.default /** /.well-known/oauth-protected-resource */, well_known_oauth_authorization_server_flow_1.default /** /.well-known/oauth-authorization-server */, well_known_jwks_flow_1.default /** /.well-known/jwks.json */, session_verify_flow_1.default /** Session verification flow */, oauth_authorize_flow_1.default /** GET /oauth/authorize */, oauth_token_flow_1.default /** POST /oauth/token */, oauth_callback_flow_1.default /** GET /oauth/callback - login callback */, oauth_register_flow_1.default /** POST /oauth/register */);
     }
 }
 exports.LocalPrimaryAuth = LocalPrimaryAuth;

package/src/auth/instances/instance.local-primary-auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"instance.local-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,+BAA6B;AAE7B,mCAA+C;AAC/C,yCAAsH;AAEtH,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAC7D,iGAA+D;AAC/D,+FAA6D;AAC7D,yFAAuD;AACvD,kCAAoC;AAGpC,MAAM,sBAAsB,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAA;AAE9C,MAAa,gBAAiB,SAAQ,qBAAY;IAS5B;IAAyB;IARpC,IAAI,CAAS;IACb,IAAI,CAAS;IACb,MAAM,CAAS;IACf,IAAI,GAAU,EAAE,CAAC;IACjB,MAAM,CAAa;IACnB,MAAM,CAAiB;IACxB,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,YAAoB,KAAgB,EAAS,SAA2B,EAAE,QAA0B;QAClG,KAAK,CAAC,QAAQ,CAAC,CAAC;QADE,UAAK,GAAL,KAAK,CAAW;QAAS,cAAS,GAAT,SAAS,CAAkB;QAEtE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/E,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACxE,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,UAAU,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAA;QAEjE,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAA;QACnE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAA;YAC/D,IAAI,CAAC,MAAM,GAAG,sBAAsB,CAAC;QACvC,CAAC;QACD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAGD,KAAK,CAAC,gBAAgB;QACpB,MAAM,GAAG,GAAG,IAAA,mBAAU,GAAE,CAAA;QACxB,OAAO,IAAI,cAAO,CAAC,EAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAC,CAAC;aACrD,kBAAkB,CAAC,EAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAC,CAAC;aAC9C,WAAW,EAAE;aACb,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;aACtB,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;IACtB,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,mEAAmE;QACnE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAG/B,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAGO,KAAK,CAAC,iBAAiB;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAC9C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,EAAE,4CAA4C,CAC9D,oDAAe,EAAE,8CAA8C,CAC/D,8BAAiB,EAAE,6BAA6B,CAChD,6BAAiB,EAAE,gCAAgC,CAEnD,8BAAkB,EAClB,0BAAc,EACd,6BAAiB,CAClB,CAAC;IACJ,CAAC;CACF;AA3ED,4CA2EC","sourcesContent":["import {SignJWT} from \"jose\";\nimport {URL} from 'url';\nimport {randomBytes, randomUUID} from \"crypto\";\nimport {FrontMcpAuth, FrontMcpLogger, LocalAuthOptions, ProviderScope, ScopeEntry, ServerRequest} from '../../common';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport OauthAuthorizeFlow from \"../flows/oauth.authorize.flow\";\nimport OauthRegisterFlow from \"../flows/oauth.register.flow\";\nimport OauthTokenFlow from \"../flows/oauth.token.flow\";\nimport {JwksService} from \"../jwks\";\n\n\nconst DEFAULT_NO_AUTH_SECRET = randomBytes(32)\n\nexport class LocalPrimaryAuth extends FrontMcpAuth {\n  readonly host: string;\n  readonly port: number;\n  readonly issuer: string;\n  readonly keys: any[] = [];\n  readonly secret: Uint8Array;\n  readonly logger: FrontMcpLogger;\n  private jwks = new JwksService();\n\n  constructor(private scope:ScopeEntry,private providers: ProviderRegistry, metadata: LocalAuthOptions) {\n    super(metadata);\n    this.logger = this.providers.getActiveScope().logger.child('LocalPrimaryAuth');\n    this.port = this.providers.getActiveScope().metadata.http?.port ?? 3001;\n    this.host = 'localhost';\n    this.issuer = `http://${this.host}:${this.port}${scope.fullPath}`\n\n    if (process.env[\"JWT_SECRET\"]) {\n      this.secret = new TextEncoder().encode(process.env[\"JWT_SECRET\"])\n    } else {\n      this.logger.warn('JWT_SECRET is not set, using default secret')\n      this.secret = DEFAULT_NO_AUTH_SECRET;\n    }\n    this.ready = this.initialize();\n  }\n\n\n  async signAnonymousJwt() {\n    const sub = randomUUID()\n    return new SignJWT({sub, role: 'user', anonymous: true})\n      .setProtectedHeader({alg: 'HS256', typ: 'JWT'})\n      .setIssuedAt()\n      .setIssuer(this.issuer)\n      .setExpirationTime('1d')\n      .sign(this.secret)\n  }\n\n  protected async initialize(): Promise<void> {\n    // TODO: create separated jwk service for local/remote auth options\n    this.providers.injectProvider({\n      value: this.jwks,\n      metadata: {\n        scope: ProviderScope.GLOBAL,\n        name: 'auth:jwk-service',\n      },\n      provide: JwksService,\n    });\n\n    await this.registerAuthFlows();\n\n\n    return Promise.resolve();\n  }\n\n  override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n    return fetch(input, init);\n  }\n\n  override validate(request: ServerRequest): Promise<void> {\n    return Promise.resolve();\n  }\n\n\n  private async registerAuthFlows() {\n    const scope = this.providers.getActiveScope();\n    await scope.registryFlows(\n      WellKnownPrmFlow, /** /.well-known/oauth-protected-resource */\n      WellKnownAsFlow, /** /.well-known/oauth-authorization-server */\n      WellKnownJwksFlow, /** /.well-known/jwks.json */\n      SessionVerifyFlow, /** Session verification flow */\n\n      OauthAuthorizeFlow,\n      OauthTokenFlow,\n      OauthRegisterFlow\n    );\n  }\n}"]}
+{"version":3,"file":"instance.local-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.local-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,+BAA+B;AAE/B,mCAAiD;AACjD,yCAA2G;AAC3G,0EAOiD;AAEjD,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAC7D,iGAA+D;AAC/D,+FAA6D;AAC7D,yFAAuD;AACvD,+FAA6D;AAC7D,kCAAsC;AACtC,wEAKwC;AAOxC,MAAM,sBAAsB,GAAG,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;AAmC/C,MAAa,gBAAiB,SAAQ,qBAAqC;IA0BrD;IAA2B;IAzBtC,IAAI,CAAS;IACb,IAAI,CAAS;IACb,MAAM,CAAS;IACf,IAAI,GAAU,EAAE,CAAC;IACjB,MAAM,CAAa;IACnB,MAAM,CAAiB;IACvB,kBAAkB,CAAqB;IACxC,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,wCAAwC;IACvB,qBAAqB,GAAG,IAAI,CAAC;IAC9C,0CAA0C;IACzB,sBAAsB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAEzD;;;OAGG;IACK,gBAAgB;QACtB,IAAI,CAAC,CAAC,IAAI,CAAC,kBAAkB,YAAY,gDAA0B,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,KAAK,CAAC,kFAAkF,CAAC,CAAC;QACtG,CAAC;QACD,OAAO,IAAI,CAAC,kBAAkB,CAAC;IACjC,CAAC;IAED,YAAoB,KAAiB,EAAU,SAA2B,EAAE,OAAgC;QAC1G,KAAK,CAAC,OAAO,CAAC,CAAC;QADG,UAAK,GAAL,KAAK,CAAY;QAAU,cAAS,GAAT,SAAS,CAAkB;QAExE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC/E,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,IAAI,IAAI,CAAC;QACxE,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACpE,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,GAAG,sBAAsB,CAAC;QACvC,CAAC;QAED,kEAAkE;QAClE,IAAI,CAAC,kBAAkB,GAAG,IAAI,gDAA0B,EAAE,CAAC;QAE3D,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,OAAgC;QACnD,MAAM,QAAQ,GAAG,UAAU,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;QAE1E,IAAI,IAAA,2BAAY,EAAC,OAAO,CAAC,EAAE,CAAC;YAC1B,OAAO,OAAO,CAAC,MAAM,IAAI,QAAQ,CAAC;QACpC,CAAC;QAED,IAAI,IAAA,iCAAkB,EAAC,OAAO,CAAC,EAAE,CAAC;YAChC,IAAI,IAAA,kCAAmB,EAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,QAAQ,CAAC;YAC3C,CAAC;iBAAM,CAAC;gBACN,sBAAsB;gBACtB,OAAO,OAAO,CAAC,KAAK,EAAE,MAAM,IAAI,QAAQ,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,GAAG,GAAG,IAAA,mBAAU,GAAE,CAAC;QACzB,OAAO,IAAI,cAAO,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;aACvD,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,WAAW,EAAE;aACb,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;aACtB,iBAAiB,CAAC,IAAI,CAAC;aACvB,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CACnB,IAAc,EACd,MAAgB,EAChB,QAAiB,EACjB,eAAiC;QAEjC,MAAM,MAAM,GAA4B;YACtC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACxB,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAC7C,IAAI,IAAI,CAAC,IAAI;YAAE,MAAM,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC;QAC1C,IAAI,IAAI,CAAC,OAAO;YAAE,MAAM,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;QACnD,IAAI,IAAI,CAAC,KAAK;YAAE,MAAM,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;QAE7C,kCAAkC;QAClC,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,eAAe,CAAC,cAAc,EAAE,CAAC;gBACnC,MAAM,CAAC,SAAS,CAAC,GAAG;oBAClB,OAAO,EAAE,IAAI;oBACb,aAAa,EAAE,eAAe,CAAC,eAAe,IAAI,EAAE;iBACrD,CAAC;YACJ,CAAC;YACD,IAAI,eAAe,CAAC,kBAAkB,EAAE,CAAC;gBACvC,MAAM,CAAC,WAAW,CAAC,GAAG;oBACpB,OAAO,EAAE,IAAI;oBACb,iBAAiB,EAAE,eAAe,CAAC,mBAAmB,IAAI,EAAE;oBAC5D,gBAAgB,EAAE,eAAe,CAAC,kBAAkB,IAAI,EAAE;iBAC3D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,cAAO,CAAC,MAAM,CAAC;aAC5B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;aAChD,WAAW,EAAE;aACb,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC;aACtB,iBAAiB,CAAC,GAAG,IAAI,CAAC,qBAAqB,GAAG,CAAC;aACnD,MAAM,CAAC,IAAA,mBAAU,GAAE,CAAC,CAAC;QAExB,IAAI,QAAQ,EAAE,CAAC;YACb,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;QAED,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAChB,IAAY,EACZ,QAAgB,EAChB,WAAmB,EACnB,YAAoB;QAEpB,oCAAoC;QACpC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC;QAE5E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4CAA4C,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACxF,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0CAA0C;aAC9D,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YAChF,kEAAkE;YAClE,MAAM,IAAI,CAAC,kBAAkB,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;YAC5D,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0CAA0C;aAC9D,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACrC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gCAAgC,UAAU,CAAC,QAAQ,SAAS,QAAQ,EAAE,CAAC,CAAC;YACzF,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,UAAU,CAAC,WAAW,KAAK,WAAW,EAAE,CAAC;YAC3C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YAC1C,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,6BAA6B;aACjD,CAAC;QACJ,CAAC;QAED,cAAc;QACd,IAAI,CAAC,IAAA,gCAAU,EAAC,YAAY,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;YAC7C,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;QAEjD,kBAAkB;QAClB,MAAM,IAAI,GAAa;YACrB,GAAG,EAAE,UAAU,CAAC,OAAO;YACvB,KAAK,EAAE,UAAU,CAAC,SAAS;YAC3B,IAAI,EAAE,UAAU,CAAC,QAAQ;SAC1B,CAAC;QAEF,0CAA0C;QAC1C,MAAM,eAAe,GACnB,UAAU,CAAC,cAAc,IAAI,UAAU,CAAC,kBAAkB;YACxD,CAAC,CAAC;gBACE,eAAe,EAAE,UAAU,CAAC,eAAe;gBAC3C,mBAAmB,EAAE,UAAU,CAAC,mBAAmB;gBACnD,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;gBACjD,cAAc,EAAE,UAAU,CAAC,cAAc;gBACzC,kBAAkB,EAAE,UAAU,CAAC,kBAAkB;aAClD;YACH,CAAC,CAAC,SAAS,CAAC;QAEhB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;QAE9G,uBAAuB;QACvB,MAAM,kBAAkB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,wBAAwB,CAAC;YAC1E,QAAQ;YACR,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,QAAQ,EAAE,UAAU,CAAC,QAAQ;SAC9B,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,kBAAkB,CAAC,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAEpE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,2BAA2B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAExD,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,qBAAqB;YACtC,aAAa,EAAE,kBAAkB,CAAC,KAAK;YACvC,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACnC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CACtB,YAAoB,EACpB,QAAgB;QAEhB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;QAEhF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACvD,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,qCAAqC;aACzD,CAAC;QACJ,CAAC;QAED,IAAI,WAAW,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACtC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,0BAA0B;aAC9C,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,IAAI,GAAa,EAAE,GAAG,EAAE,WAAW,CAAC,OAAO,EAAE,CAAC;QACpD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,CAAC;QAE/F,uBAAuB;QACvB,MAAM,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC,wBAAwB,CAAC;YACxE,QAAQ;YACR,OAAO,EAAE,WAAW,CAAC,OAAO;YAC5B,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,QAAQ,EAAE,WAAW,CAAC,QAAQ;SAC/B,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,kBAAkB,CAAC,kBAAkB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;QAEjF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAE3D,OAAO;YACL,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,qBAAqB;YACtC,aAAa,EAAE,gBAAgB,CAAC,KAAK;YACrC,KAAK,EAAE,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;SACpC,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,uBAAuB,CAAC,MAgB7B;QACC,MAAM,KAAK,GAAG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtC,MAAM,UAAU,GAAG,KAAK,CAAC,gBAAgB,CAAC;YACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE;YACzD,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,mCAAmC;YACnC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;YAC/C,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;YAC7C,cAAc,EAAE,MAAM,CAAC,cAAc;YACrC,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;SAC9C,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,kBAAkB,CAAC,sBAAsB,CAAC,UAAU,CAAC,CAAC;QACjE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;QAE3E,OAAO,UAAU,CAAC,IAAI,CAAC;IACzB,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,mEAAmE;QACnE,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAC9C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,CAAC,4CAA4C,EAC7D,oDAAe,CAAC,8CAA8C,EAC9D,8BAAiB,CAAC,6BAA6B,EAC/C,6BAAiB,CAAC,gCAAgC,EAElD,8BAAkB,CAAC,2BAA2B,EAC9C,0BAAc,CAAC,wBAAwB,EACvC,6BAAiB,CAAC,2CAA2C,EAC7D,6BAAiB,CAAC,2BAA2B,CAC9C,CAAC;IACJ,CAAC;CACF;AA1WD,4CA0WC","sourcesContent":["import { SignJWT } from 'jose';\nimport { URL } from 'url';\nimport { randomBytes, randomUUID } from 'crypto';\nimport { FrontMcpAuth, FrontMcpLogger, ProviderScope, ScopeEntry, ServerRequest, JWK } from '../../common';\nimport {\n  PublicAuthOptions,\n  OrchestratedLocalOptions,\n  OrchestratedRemoteOptions,\n  isPublicMode,\n  isOrchestratedMode,\n  isOrchestratedLocal,\n} from '../../common/types/options/auth.options';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport OauthAuthorizeFlow from '../flows/oauth.authorize.flow';\nimport OauthRegisterFlow from '../flows/oauth.register.flow';\nimport OauthTokenFlow from '../flows/oauth.token.flow';\nimport OauthCallbackFlow from '../flows/oauth.callback.flow';\nimport { JwksService } from '../jwks';\nimport {\n  AuthorizationStore,\n  InMemoryAuthorizationStore,\n  AuthorizationCodeRecord,\n  verifyPkce,\n} from '../session/authorization.store';\n\n/**\n * Options type for LocalPrimaryAuth - can be public, orchestrated local, or orchestrated remote\n */\nexport type LocalPrimaryAuthOptions = PublicAuthOptions | OrchestratedLocalOptions | OrchestratedRemoteOptions;\n\nconst DEFAULT_NO_AUTH_SECRET = randomBytes(32);\n\n/**\n * User information for JWT claims\n */\nexport interface UserInfo {\n  sub: string;\n  email?: string;\n  name?: string;\n  picture?: string;\n  roles?: string[];\n}\n\n/**\n * Token response from the token endpoint\n */\nexport interface TokenResponse {\n  access_token: string;\n  token_type: 'Bearer';\n  expires_in: number;\n  refresh_token?: string;\n  scope?: string;\n}\n\n/**\n * Consent and federated login metadata for JWT claims\n */\nexport interface ConsentMetadata {\n  selectedToolIds?: string[];\n  selectedProviderIds?: string[];\n  skippedProviderIds?: string[];\n  consentEnabled?: boolean;\n  federatedLoginUsed?: boolean;\n}\n\nexport class LocalPrimaryAuth extends FrontMcpAuth<LocalPrimaryAuthOptions> {\n  readonly host: string;\n  readonly port: number;\n  readonly issuer: string;\n  readonly keys: JWK[] = [];\n  readonly secret: Uint8Array;\n  readonly logger: FrontMcpLogger;\n  readonly authorizationStore: AuthorizationStore;\n  private jwks = new JwksService();\n\n  /** Default access token TTL (1 hour) */\n  private readonly accessTokenTtlSeconds = 3600;\n  /** Default refresh token TTL (30 days) */\n  private readonly refreshTokenTtlSeconds = 30 * 24 * 3600;\n\n  /**\n   * Get the authorization store as InMemoryAuthorizationStore with type guard.\n   * This ensures type safety when using InMemory-specific methods.\n   */\n  private getInMemoryStore(): InMemoryAuthorizationStore {\n    if (!(this.authorizationStore instanceof InMemoryAuthorizationStore)) {\n      throw new Error('LocalPrimaryAuth requires InMemoryAuthorizationStore for record creation methods');\n    }\n    return this.authorizationStore;\n  }\n\n  constructor(private scope: ScopeEntry, private providers: ProviderRegistry, options: LocalPrimaryAuthOptions) {\n    super(options);\n    this.logger = this.providers.getActiveScope().logger.child('LocalPrimaryAuth');\n    this.port = this.providers.getActiveScope().metadata.http?.port ?? 3001;\n    this.host = 'localhost';\n    this.issuer = this.deriveIssuer(options);\n\n    if (process.env['JWT_SECRET']) {\n      this.secret = new TextEncoder().encode(process.env['JWT_SECRET']);\n    } else {\n      this.logger.warn('JWT_SECRET is not set, using default secret');\n      this.secret = DEFAULT_NO_AUTH_SECRET;\n    }\n\n    // Initialize authorization store (in-memory for now, Redis later)\n    this.authorizationStore = new InMemoryAuthorizationStore();\n\n    this.ready = this.initialize();\n  }\n\n  /**\n   * Derive issuer from options\n   */\n  private deriveIssuer(options: LocalPrimaryAuthOptions): string {\n    const basePath = `http://${this.host}:${this.port}${this.scope.fullPath}`;\n\n    if (isPublicMode(options)) {\n      return options.issuer ?? basePath;\n    }\n\n    if (isOrchestratedMode(options)) {\n      if (isOrchestratedLocal(options)) {\n        return options.local?.issuer ?? basePath;\n      } else {\n        // Orchestrated remote\n        return options.local?.issuer ?? basePath;\n      }\n    }\n\n    return basePath;\n  }\n\n  async signAnonymousJwt() {\n    const sub = randomUUID();\n    return new SignJWT({ sub, role: 'user', anonymous: true })\n      .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })\n      .setIssuedAt()\n      .setIssuer(this.issuer)\n      .setExpirationTime('1d')\n      .sign(this.secret);\n  }\n\n  /**\n   * Sign an access token for an authenticated user\n   */\n  async signAccessToken(\n    user: UserInfo,\n    scopes: string[],\n    audience?: string,\n    consentMetadata?: ConsentMetadata,\n  ): Promise<string> {\n    const claims: Record<string, unknown> = {\n      sub: user.sub,\n      scope: scopes.join(' '),\n    };\n\n    if (user.email) claims['email'] = user.email;\n    if (user.name) claims['name'] = user.name;\n    if (user.picture) claims['picture'] = user.picture;\n    if (user.roles) claims['roles'] = user.roles;\n\n    // Add consent metadata if present\n    if (consentMetadata) {\n      if (consentMetadata.consentEnabled) {\n        claims['consent'] = {\n          enabled: true,\n          selectedTools: consentMetadata.selectedToolIds ?? [],\n        };\n      }\n      if (consentMetadata.federatedLoginUsed) {\n        claims['federated'] = {\n          enabled: true,\n          selectedProviders: consentMetadata.selectedProviderIds ?? [],\n          skippedProviders: consentMetadata.skippedProviderIds ?? [],\n        };\n      }\n    }\n\n    const jwt = new SignJWT(claims)\n      .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })\n      .setIssuedAt()\n      .setIssuer(this.issuer)\n      .setExpirationTime(`${this.accessTokenTtlSeconds}s`)\n      .setJti(randomUUID());\n\n    if (audience) {\n      jwt.setAudience(audience);\n    }\n\n    return jwt.sign(this.secret);\n  }\n\n  /**\n   * Exchange an authorization code for tokens\n   */\n  async exchangeCode(\n    code: string,\n    clientId: string,\n    redirectUri: string,\n    codeVerifier: string,\n  ): Promise<TokenResponse | { error: string; error_description: string }> {\n    // Get the authorization code record\n    const codeRecord = await this.authorizationStore.getAuthorizationCode(code);\n\n    if (!codeRecord) {\n      this.logger.warn(`Authorization code not found or expired: ${code.substring(0, 8)}...`);\n      return {\n        error: 'invalid_grant',\n        error_description: 'Authorization code is invalid or expired',\n      };\n    }\n\n    // Verify code hasn't been used (single-use)\n    if (codeRecord.used) {\n      this.logger.warn(`Authorization code already used: ${code.substring(0, 8)}...`);\n      // Security: If a code is reused, revoke all tokens from this code\n      await this.authorizationStore.deleteAuthorizationCode(code);\n      return {\n        error: 'invalid_grant',\n        error_description: 'Authorization code has already been used',\n      };\n    }\n\n    // Verify client_id matches\n    if (codeRecord.clientId !== clientId) {\n      this.logger.warn(`Client ID mismatch: expected ${codeRecord.clientId}, got ${clientId}`);\n      return {\n        error: 'invalid_grant',\n        error_description: 'Client ID does not match',\n      };\n    }\n\n    // Verify redirect_uri matches\n    if (codeRecord.redirectUri !== redirectUri) {\n      this.logger.warn(`Redirect URI mismatch`);\n      return {\n        error: 'invalid_grant',\n        error_description: 'Redirect URI does not match',\n      };\n    }\n\n    // Verify PKCE\n    if (!verifyPkce(codeVerifier, codeRecord.pkce)) {\n      this.logger.warn(`PKCE verification failed`);\n      return {\n        error: 'invalid_grant',\n        error_description: 'PKCE verification failed',\n      };\n    }\n\n    // Mark code as used\n    await this.authorizationStore.markCodeUsed(code);\n\n    // Generate tokens\n    const user: UserInfo = {\n      sub: codeRecord.userSub,\n      email: codeRecord.userEmail,\n      name: codeRecord.userName,\n    };\n\n    // Build consent metadata from code record\n    const consentMetadata: ConsentMetadata | undefined =\n      codeRecord.consentEnabled || codeRecord.federatedLoginUsed\n        ? {\n            selectedToolIds: codeRecord.selectedToolIds,\n            selectedProviderIds: codeRecord.selectedProviderIds,\n            skippedProviderIds: codeRecord.skippedProviderIds,\n            consentEnabled: codeRecord.consentEnabled,\n            federatedLoginUsed: codeRecord.federatedLoginUsed,\n          }\n        : undefined;\n\n    const accessToken = await this.signAccessToken(user, codeRecord.scopes, codeRecord.resource, consentMetadata);\n\n    // Create refresh token\n    const refreshTokenRecord = this.getInMemoryStore().createRefreshTokenRecord({\n      clientId,\n      userSub: user.sub,\n      scopes: codeRecord.scopes,\n      resource: codeRecord.resource,\n    });\n    await this.authorizationStore.storeRefreshToken(refreshTokenRecord);\n\n    this.logger.info(`Tokens issued for user: ${user.sub}`);\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: this.accessTokenTtlSeconds,\n      refresh_token: refreshTokenRecord.token,\n      scope: codeRecord.scopes.join(' '),\n    };\n  }\n\n  /**\n   * Refresh an access token using a refresh token\n   */\n  async refreshAccessToken(\n    refreshToken: string,\n    clientId: string,\n  ): Promise<TokenResponse | { error: string; error_description: string }> {\n    const tokenRecord = await this.authorizationStore.getRefreshToken(refreshToken);\n\n    if (!tokenRecord) {\n      this.logger.warn('Refresh token not found or expired');\n      return {\n        error: 'invalid_grant',\n        error_description: 'Refresh token is invalid or expired',\n      };\n    }\n\n    if (tokenRecord.clientId !== clientId) {\n      this.logger.warn('Client ID mismatch on refresh');\n      return {\n        error: 'invalid_grant',\n        error_description: 'Client ID does not match',\n      };\n    }\n\n    // Generate new access token\n    const user: UserInfo = { sub: tokenRecord.userSub };\n    const accessToken = await this.signAccessToken(user, tokenRecord.scopes, tokenRecord.resource);\n\n    // Rotate refresh token\n    const newRefreshRecord = this.getInMemoryStore().createRefreshTokenRecord({\n      clientId,\n      userSub: tokenRecord.userSub,\n      scopes: tokenRecord.scopes,\n      resource: tokenRecord.resource,\n    });\n    await this.authorizationStore.rotateRefreshToken(refreshToken, newRefreshRecord);\n\n    this.logger.info(`Tokens refreshed for user: ${user.sub}`);\n\n    return {\n      access_token: accessToken,\n      token_type: 'Bearer',\n      expires_in: this.accessTokenTtlSeconds,\n      refresh_token: newRefreshRecord.token,\n      scope: tokenRecord.scopes.join(' '),\n    };\n  }\n\n  /**\n   * Create an authorization code for a user (called after login)\n   */\n  async createAuthorizationCode(params: {\n    clientId: string;\n    redirectUri: string;\n    scopes: string[];\n    codeChallenge: string;\n    userSub: string;\n    userEmail?: string;\n    userName?: string;\n    state?: string;\n    resource?: string;\n    // Consent and Federated Login Data\n    selectedToolIds?: string[];\n    selectedProviderIds?: string[];\n    skippedProviderIds?: string[];\n    consentEnabled?: boolean;\n    federatedLoginUsed?: boolean;\n  }): Promise<string> {\n    const store = this.getInMemoryStore();\n    const codeRecord = store.createCodeRecord({\n      clientId: params.clientId,\n      redirectUri: params.redirectUri,\n      scopes: params.scopes,\n      pkce: { challenge: params.codeChallenge, method: 'S256' },\n      userSub: params.userSub,\n      userEmail: params.userEmail,\n      userName: params.userName,\n      state: params.state,\n      resource: params.resource,\n      // Consent and Federated Login Data\n      selectedToolIds: params.selectedToolIds,\n      selectedProviderIds: params.selectedProviderIds,\n      skippedProviderIds: params.skippedProviderIds,\n      consentEnabled: params.consentEnabled,\n      federatedLoginUsed: params.federatedLoginUsed,\n    });\n\n    await this.authorizationStore.storeAuthorizationCode(codeRecord);\n    this.logger.info(`Authorization code created for user: ${params.userSub}`);\n\n    return codeRecord.code;\n  }\n\n  protected async initialize(): Promise<void> {\n    // TODO: create separated jwk service for local/remote auth options\n    this.providers.injectProvider({\n      value: this.jwks,\n      metadata: {\n        scope: ProviderScope.GLOBAL,\n        name: 'auth:jwk-service',\n      },\n      provide: JwksService,\n    });\n\n    await this.registerAuthFlows();\n\n    return Promise.resolve();\n  }\n\n  override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n    return fetch(input, init);\n  }\n\n  override validate(request: ServerRequest): Promise<void> {\n    return Promise.resolve();\n  }\n\n  private async registerAuthFlows() {\n    const scope = this.providers.getActiveScope();\n    await scope.registryFlows(\n      WellKnownPrmFlow /** /.well-known/oauth-protected-resource */,\n      WellKnownAsFlow /** /.well-known/oauth-authorization-server */,\n      WellKnownJwksFlow /** /.well-known/jwks.json */,\n      SessionVerifyFlow /** Session verification flow */,\n\n      OauthAuthorizeFlow /** GET /oauth/authorize */,\n      OauthTokenFlow /** POST /oauth/token */,\n      OauthCallbackFlow /** GET /oauth/callback - login callback */,\n      OauthRegisterFlow /** POST /oauth/register */,\n    );\n  }\n}\n"]}

package/src/auth/instances/instance.remote-primary-auth.d.ts

@@ -1,12 +1,13 @@
-import { FrontMcpAuth, RemoteAuthOptions, ScopeEntry, ServerRequest } from '../../common';
+import { FrontMcpAuth, ScopeEntry, ServerRequest } from '../../common';
+import { TransparentAuthOptions } from '../../common/types/options/auth.options';
 import { URL } from 'url';
 import ProviderRegistry from '../../provider/provider.registry';
-export declare class RemotePrimaryAuth extends FrontMcpAuth<RemoteAuthOptions> {
+export declare class RemotePrimaryAuth extends FrontMcpAuth<TransparentAuthOptions> {
     private readonly scope;
     private readonly providers;
     ready: Promise<void>;
     private jwks;
-    constructor(scope: ScopeEntry, providers: ProviderRegistry, options: RemoteAuthOptions);
+    constructor(scope: ScopeEntry, providers: ProviderRegistry, options: TransparentAuthOptions);
     fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
     validate(request: ServerRequest): Promise<void>;
     get issuer(): string;

package/src/auth/instances/instance.remote-primary-auth.js

@@ -26,7 +26,7 @@ class RemotePrimaryAuth extends common_1.FrontMcpAuth {
         return Promise.resolve();
     }
     get issuer() {
-        return this.options.baseUrl;
+        return this.options.remote.provider;
     }
     async initialize() {
         const scope = this.providers.getActiveScope();
@@ -42,7 +42,7 @@ class RemotePrimaryAuth extends common_1.FrontMcpAuth {
         return Promise.resolve();
     }
     async registerAuthFlows(scope) {
-        await scope.registryFlows(well_known_prm_flow_1.default, /** /.well-known/oauth-protected-resource */ well_known_oauth_authorization_server_flow_1.default, /** /.well-known/oauth-authorization-server */ well_known_jwks_flow_1.default, /** /.well-known/jwks.json */ session_verify_flow_1.default);
+        await scope.registryFlows(well_known_prm_flow_1.default /** /.well-known/oauth-protected-resource */, well_known_oauth_authorization_server_flow_1.default /** /.well-known/oauth-authorization-server */, well_known_jwks_flow_1.default /** /.well-known/jwks.json */, session_verify_flow_1.default /** Session verification flow */);
     }
 }
 exports.RemotePrimaryAuth = RemotePrimaryAuth;

package/src/auth/instances/instance.remote-primary-auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"instance.remote-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.remote-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,yCAAuG;AAGvG,kCAAoC;AACpC,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAI7D,MAAa,iBAAkB,SAAQ,qBAA+B;IAIvC;IAAoC;IAHxD,KAAK,CAAgB;IACtB,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,YAA6B,KAAiB,EAAmB,SAA2B,EAAE,OAA0B;QACtH,KAAK,CAAC,OAAO,CAAC,CAAC;QADY,UAAK,GAAL,KAAK,CAAY;QAAmB,cAAS,GAAT,SAAS,CAAkB;QAE1F,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAGD,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;IAC9B,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAE9C,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAGO,KAAK,CAAC,iBAAiB,CAAC,KAAY;QAC1C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,EAAE,4CAA4C,CAC9D,oDAAe,EAAE,8CAA8C,CAC/D,8BAAiB,EAAE,6BAA6B,CAChD,6BAAiB,CAClB,CAAC;IACJ,CAAC;CACF;AA/CD,8CA+CC","sourcesContent":["import {FrontMcpAuth, ProviderScope, RemoteAuthOptions, ScopeEntry, ServerRequest} from '../../common';\nimport {URL} from 'url';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport {JwksService} from '../jwks';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport {Scope} from '../../scope';\n\n\nexport class RemotePrimaryAuth extends FrontMcpAuth<RemoteAuthOptions> {\n  override ready: Promise<void>;\n  private jwks = new JwksService();\n\n  constructor(private readonly scope: ScopeEntry, private readonly providers: ProviderRegistry, options: RemoteAuthOptions) {\n    super(options);\n    this.ready = this.initialize();\n  }\n\n  override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n    return fetch(input, init);\n  }\n\n  override validate(request: ServerRequest): Promise<void> {\n    return Promise.resolve();\n  }\n\n\n  get issuer(): string {\n    return this.options.baseUrl;\n  }\n\n  protected async initialize() {\n    const scope = this.providers.getActiveScope();\n\n    this.providers.injectProvider({\n      value: this.jwks,\n      metadata: {\n        scope: ProviderScope.GLOBAL,\n        name: 'auth:jwk-service',\n      },\n      provide: JwksService,\n    });\n\n    await this.registerAuthFlows(scope);\n    return Promise.resolve();\n  }\n\n\n  private async registerAuthFlows(scope: Scope) {\n    await scope.registryFlows(\n      WellKnownPrmFlow, /** /.well-known/oauth-protected-resource */\n      WellKnownAsFlow, /** /.well-known/oauth-authorization-server */\n      WellKnownJwksFlow, /** /.well-known/jwks.json */\n      SessionVerifyFlow, /** Session verification flow */\n    );\n  }\n}"]}
+{"version":3,"file":"instance.remote-primary-auth.js","sourceRoot":"","sources":["../../../../src/auth/instances/instance.remote-primary-auth.ts"],"names":[],"mappings":";;;;AAAA,yCAAsF;AAItF,kCAAsC;AACtC,+FAA4D;AAC5D,6IAAkF;AAClF,iGAA8D;AAC9D,+FAA6D;AAG7D,MAAa,iBAAkB,SAAQ,qBAAoC;IAKtD;IACA;IALV,KAAK,CAAgB;IACtB,IAAI,GAAG,IAAI,kBAAW,EAAE,CAAC;IAEjC,YACmB,KAAiB,EACjB,SAA2B,EAC5C,OAA+B;QAE/B,KAAK,CAAC,OAAO,CAAC,CAAC;QAJE,UAAK,GAAL,KAAK,CAAY;QACjB,cAAS,GAAT,SAAS,CAAkB;QAI5C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;IACjC,CAAC;IAEQ,KAAK,CAAC,KAAwB,EAAE,IAAkB;QACzD,OAAO,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAC5B,CAAC;IAEQ,QAAQ,CAAC,OAAsB;QACtC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAED,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC;IACtC,CAAC;IAES,KAAK,CAAC,UAAU;QACxB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,cAAc,EAAE,CAAC;QAE9C,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC;YAC5B,KAAK,EAAE,IAAI,CAAC,IAAI;YAChB,QAAQ,EAAE;gBACR,KAAK,EAAE,sBAAa,CAAC,MAAM;gBAC3B,IAAI,EAAE,kBAAkB;aACzB;YACD,OAAO,EAAE,kBAAW;SACrB,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACpC,OAAO,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,KAAY;QAC1C,MAAM,KAAK,CAAC,aAAa,CACvB,6BAAgB,CAAC,4CAA4C,EAC7D,oDAAe,CAAC,8CAA8C,EAC9D,8BAAiB,CAAC,6BAA6B,EAC/C,6BAAiB,CAAC,gCAAgC,CACnD,CAAC;IACJ,CAAC;CACF;AAjDD,8CAiDC","sourcesContent":["import { FrontMcpAuth, ProviderScope, ScopeEntry, ServerRequest } from '../../common';\nimport { TransparentAuthOptions } from '../../common/types/options/auth.options';\nimport { URL } from 'url';\nimport ProviderRegistry from '../../provider/provider.registry';\nimport { JwksService } from '../jwks';\nimport WellKnownPrmFlow from '../flows/well-known.prm.flow';\nimport WellKnownAsFlow from '../flows/well-known.oauth-authorization-server.flow';\nimport WellKnownJwksFlow from '../flows/well-known.jwks.flow';\nimport SessionVerifyFlow from '../flows/session.verify.flow';\nimport { Scope } from '../../scope';\n\nexport class RemotePrimaryAuth extends FrontMcpAuth<TransparentAuthOptions> {\n  override ready: Promise<void>;\n  private jwks = new JwksService();\n\n  constructor(\n    private readonly scope: ScopeEntry,\n    private readonly providers: ProviderRegistry,\n    options: TransparentAuthOptions,\n  ) {\n    super(options);\n    this.ready = this.initialize();\n  }\n\n  override fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {\n    return fetch(input, init);\n  }\n\n  override validate(request: ServerRequest): Promise<void> {\n    return Promise.resolve();\n  }\n\n  get issuer(): string {\n    return this.options.remote.provider;\n  }\n\n  protected async initialize() {\n    const scope = this.providers.getActiveScope();\n\n    this.providers.injectProvider({\n      value: this.jwks,\n      metadata: {\n        scope: ProviderScope.GLOBAL,\n        name: 'auth:jwk-service',\n      },\n      provide: JwksService,\n    });\n\n    await this.registerAuthFlows(scope);\n    return Promise.resolve();\n  }\n\n  private async registerAuthFlows(scope: Scope) {\n    await scope.registryFlows(\n      WellKnownPrmFlow /** /.well-known/oauth-protected-resource */,\n      WellKnownAsFlow /** /.well-known/oauth-authorization-server */,\n      WellKnownJwksFlow /** /.well-known/jwks.json */,\n      SessionVerifyFlow /** Session verification flow */,\n    );\n  }\n}\n"]}