@mcp-abap-adt/auth-providers 0.2.10 → 1.0.0

package/CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0] - 2026-02-10
+
+### Added
+- SSO providers for OIDC and SAML2, plus `SsoProviderFactory` for DI-friendly creation.
+- OIDC flows: browser (PKCE), device flow, password grant, token exchange.
+- SAML2 flows: browser/manual/assertion input, bearer exchange, and pure SAML (cookie-based) output.
+- `BaseTokenProvider` now supports `tokenType` and `expiresAt` from `ITokenResult`.
+
 ## [0.2.10] - 2025-12-25
 
 ### Changed

package/README.md

@@ -99,6 +99,95 @@ const clientCredsBroker = new AuthBroker({
 }, 'none');
 ```
 
+### SSO Providers
+
+This package also includes SSO providers for OIDC and SAML2, plus a small factory for DI-friendly creation.
+
+Available providers:
+- `OidcBrowserProvider` (authorization code + PKCE)
+- `OidcDeviceFlowProvider`
+- `OidcPasswordProvider`
+- `OidcTokenExchangeProvider`
+- `Saml2BearerProvider` (SAML assertion exchange)
+- `Saml2PureProvider` (returns SAMLResponse as token)
+
+Factory example:
+
+```typescript
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import { SsoProviderFactory } from '@mcp-abap-adt/auth-providers';
+
+const tokenProvider = SsoProviderFactory.create({
+  protocol: 'oidc',
+  flow: 'browser',
+  config: {
+    issuerUrl: 'https://example-idp/.well-known/openid-configuration',
+    clientId: '...',
+    clientSecret: '...',
+    scopes: ['openid', 'profile', 'email'],
+    browser: 'system',
+  },
+});
+
+const broker = new AuthBroker({ tokenProvider }, 'none');
+```
+
+SAML bearer example (manual flow):
+
+```typescript
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import { Saml2BearerProvider } from '@mcp-abap-adt/auth-providers';
+
+const provider = new Saml2BearerProvider({
+  assertionFlow: 'manual',
+  idpSsoUrl: 'https://idp.example.com/sso',
+  spEntityId: 'my-sp-entity',
+  uaaUrl: 'https://uaa.example.com',
+  clientId: '...',
+  clientSecret: '...',
+});
+
+const broker = new AuthBroker({ tokenProvider: provider }, 'none');
+```
+
+SAML bearer example (headless, assertion provider):
+
+```typescript
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import { Saml2BearerProvider } from '@mcp-abap-adt/auth-providers';
+
+const provider = new Saml2BearerProvider({
+  assertionFlow: 'assertion',
+  assertionProvider: async () => {
+    return getSamlResponseFromSsoProxy();
+  },
+  uaaUrl: 'https://uaa.example.com',
+  clientId: '...',
+  clientSecret: '...',
+});
+
+const broker = new AuthBroker({ tokenProvider: provider }, 'none');
+```
+
+Pure SAML example (cookie-based):
+
+```typescript
+import { AuthBroker } from '@mcp-abap-adt/auth-broker';
+import { Saml2PureProvider } from '@mcp-abap-adt/auth-providers';
+
+const provider = new Saml2PureProvider({
+  assertionFlow: 'manual',
+  idpSsoUrl: 'https://idp.example.com/sso',
+  spEntityId: 'my-sp-entity',
+  // Convert SAMLResponse to session cookies for SAP (implementation-specific)
+  cookieProvider: async (samlResponse) => {
+    return exchangeSamlForCookies(samlResponse);
+  },
+});
+
+const broker = new AuthBroker({ tokenProvider: provider }, 'none');
+```
+
 ### With Stores
 
 **Important**: BTP and ABAP are different entities:

package/dist/__tests__/helpers/netHelpers.d.ts

@@ -0,0 +1,3 @@
+export declare function getAvailablePort(): Promise<number>;
+export declare function canListenOnLocalhost(): Promise<boolean>;
+//# sourceMappingURL=netHelpers.d.ts.map

package/dist/__tests__/helpers/netHelpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"netHelpers.d.ts","sourceRoot":"","sources":["../../../src/__tests__/helpers/netHelpers.ts"],"names":[],"mappings":"AAEA,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAcxD;AAED,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,OAAO,CAAC,CAQ7D"}

package/dist/__tests__/helpers/netHelpers.js

@@ -0,0 +1,63 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAvailablePort = getAvailablePort;
+exports.canListenOnLocalhost = canListenOnLocalhost;
+const net = __importStar(require("node:net"));
+async function getAvailablePort() {
+    return new Promise((resolve, reject) => {
+        const server = net.createServer();
+        server.once('error', reject);
+        server.listen(0, '127.0.0.1', () => {
+            const address = server.address();
+            if (typeof address === 'object' && address?.port) {
+                const port = address.port;
+                server.close(() => resolve(port));
+            }
+            else {
+                server.close(() => reject(new Error('Failed to acquire a port')));
+            }
+        });
+    });
+}
+async function canListenOnLocalhost() {
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.once('error', () => resolve(false));
+        server.listen(0, '127.0.0.1', () => {
+            server.close(() => resolve(true));
+        });
+    });
+}

package/dist/auth/manualInput.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Manual input helper (stdin)
+ */
+export declare function readManualInput(prompt: string): Promise<string>;
+//# sourceMappingURL=manualInput.d.ts.map

package/dist/auth/manualInput.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manualInput.d.ts","sourceRoot":"","sources":["../../src/auth/manualInput.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,wBAAsB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAYrE"}

package/dist/auth/manualInput.js

@@ -0,0 +1,19 @@
+"use strict";
+/**
+ * Manual input helper (stdin)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readManualInput = readManualInput;
+const node_readline_1 = require("node:readline");
+async function readManualInput(prompt) {
+    const rl = (0, node_readline_1.createInterface)({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    return new Promise((resolve) => {
+        rl.question(prompt, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}

package/dist/auth/oidcBrowserAuth.d.ts

@@ -0,0 +1,9 @@
+/**
+ * OIDC browser authorization code flow (capture code)
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export declare function startOidcBrowserAuth(authorizationUrl: string, browser: string, logger?: ILogger, port?: number): Promise<{
+    code: string;
+    state?: string;
+}>;
+//# sourceMappingURL=oidcBrowserAuth.d.ts.map

package/dist/auth/oidcBrowserAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcBrowserAuth.d.ts","sourceRoot":"","sources":["../../src/auth/oidcBrowserAuth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAqExD,wBAAsB,oBAAoB,CACxC,gBAAgB,EAAE,MAAM,EACxB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,EAChB,IAAI,GAAE,MAAa,GAClB,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CA2C3C"}

package/dist/auth/oidcBrowserAuth.js

@@ -0,0 +1,144 @@
+"use strict";
+/**
+ * OIDC browser authorization code flow (capture code)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.startOidcBrowserAuth = startOidcBrowserAuth;
+const http = __importStar(require("node:http"));
+const net = __importStar(require("node:net"));
+const express_1 = __importDefault(require("express"));
+const BROWSER_MAP = {
+    chrome: 'chrome',
+    edge: 'msedge',
+    firefox: 'firefox',
+    system: undefined,
+    auto: undefined,
+    headless: null,
+    none: null,
+};
+function isPortAvailable(port) {
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.listen(port, () => {
+            server.once('close', () => resolve(true));
+            server.close();
+        });
+        server.on('error', () => resolve(false));
+    });
+}
+async function openBrowserUrl(authorizationUrl, browser, logger) {
+    const browserApp = BROWSER_MAP[browser];
+    if (browserApp === null) {
+        logger?.info('[OIDC] Browser suppressed, open URL manually', {
+            authorizationUrl,
+        });
+        return;
+    }
+    if (browser === 'auto') {
+        try {
+            const openModule = await Promise.resolve().then(() => __importStar(require('open')));
+            const open = openModule.default;
+            await open(authorizationUrl);
+            logger?.info('[OIDC] Browser opened');
+            return;
+        }
+        catch (error) {
+            logger?.warn('[OIDC] Failed to open browser automatically', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            logger?.info('[OIDC] Open URL manually', { authorizationUrl });
+            return;
+        }
+    }
+    try {
+        const openModule = await Promise.resolve().then(() => __importStar(require('open')));
+        const open = openModule.default;
+        if (browserApp) {
+            await open(authorizationUrl, { app: { name: browserApp } });
+        }
+        else {
+            await open(authorizationUrl);
+        }
+    }
+    catch (error) {
+        logger?.warn('[OIDC] Failed to open browser', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        logger?.info('[OIDC] Open URL manually', { authorizationUrl });
+    }
+}
+async function startOidcBrowserAuth(authorizationUrl, browser, logger, port = 3001) {
+    const portAvailable = await isPortAvailable(port);
+    if (!portAvailable) {
+        throw new Error(`Port ${port} is already in use. Please specify a different port or free the port.`);
+    }
+    return new Promise((resolve, reject) => {
+        const app = (0, express_1.default)();
+        const server = http.createServer(app);
+        server.keepAliveTimeout = 0;
+        server.headersTimeout = 0;
+        const PORT = port;
+        let resolved = false;
+        const cleanup = () => {
+            if (resolved)
+                return;
+            resolved = true;
+            server.close();
+        };
+        app.get('/callback', (req, res) => {
+            const code = req.query.code;
+            const state = req.query.state;
+            if (!code || typeof code !== 'string') {
+                res.status(400).send('Missing authorization code');
+                cleanup();
+                reject(new Error('Missing authorization code'));
+                return;
+            }
+            res
+                .status(200)
+                .send('Authentication complete. You can close this window.');
+            cleanup();
+            resolve({ code, state: typeof state === 'string' ? state : undefined });
+        });
+        server.listen(PORT, async () => {
+            logger?.info('[OIDC] Callback server listening', { port: PORT });
+            await openBrowserUrl(authorizationUrl, browser, logger);
+        });
+    });
+}

package/dist/auth/oidcDiscovery.d.ts

@@ -0,0 +1,14 @@
+/**
+ * OIDC discovery helper
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export interface OidcDiscoveryDocument {
+    issuer: string;
+    authorization_endpoint?: string;
+    token_endpoint: string;
+    device_authorization_endpoint?: string;
+    jwks_uri?: string;
+    end_session_endpoint?: string;
+}
+export declare function discoverOidc(issuerOrDiscoveryUrl: string, logger?: ILogger): Promise<OidcDiscoveryDocument>;
+//# sourceMappingURL=oidcDiscovery.d.ts.map

package/dist/auth/oidcDiscovery.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcDiscovery.d.ts","sourceRoot":"","sources":["../../src/auth/oidcDiscovery.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAGxD,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,6BAA6B,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAWD,wBAAsB,YAAY,CAChC,oBAAoB,EAAE,MAAM,EAC5B,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,qBAAqB,CAAC,CAkBhC"}

package/dist/auth/oidcDiscovery.js

@@ -0,0 +1,33 @@
+"use strict";
+/**
+ * OIDC discovery helper
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverOidc = discoverOidc;
+const axios_1 = __importDefault(require("axios"));
+const discoveryCache = new Map();
+function normalizeDiscoveryUrl(issuerOrDiscoveryUrl) {
+    if (issuerOrDiscoveryUrl.endsWith('/.well-known/openid-configuration')) {
+        return issuerOrDiscoveryUrl;
+    }
+    return `${issuerOrDiscoveryUrl.replace(/\/+$/, '')}/.well-known/openid-configuration`;
+}
+async function discoverOidc(issuerOrDiscoveryUrl, logger) {
+    const discoveryUrl = normalizeDiscoveryUrl(issuerOrDiscoveryUrl);
+    const cached = discoveryCache.get(discoveryUrl);
+    if (cached) {
+        return cached;
+    }
+    logger?.info('[OIDC] Fetching discovery document', { discoveryUrl });
+    const response = await axios_1.default.get(discoveryUrl, {
+        headers: { Accept: 'application/json' },
+    });
+    if (!response.data?.token_endpoint) {
+        throw new Error('OIDC discovery document missing token_endpoint');
+    }
+    discoveryCache.set(discoveryUrl, response.data);
+    return response.data;
+}

package/dist/auth/oidcPkce.d.ts

@@ -0,0 +1,6 @@
+/**
+ * OIDC PKCE helpers
+ */
+export declare function generatePkceVerifier(length?: number): string;
+export declare function generatePkceChallenge(verifier: string): string;
+//# sourceMappingURL=oidcPkce.d.ts.map

package/dist/auth/oidcPkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcPkce.d.ts","sourceRoot":"","sources":["../../src/auth/oidcPkce.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH,wBAAgB,oBAAoB,CAAC,MAAM,GAAE,MAAW,GAAG,MAAM,CAEhE;AAED,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG9D"}

package/dist/auth/oidcPkce.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * OIDC PKCE helpers
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePkceVerifier = generatePkceVerifier;
+exports.generatePkceChallenge = generatePkceChallenge;
+const node_crypto_1 = require("node:crypto");
+function base64UrlEncode(buffer) {
+    return buffer
+        .toString('base64')
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+$/, '');
+}
+function generatePkceVerifier(length = 32) {
+    return base64UrlEncode((0, node_crypto_1.randomBytes)(length));
+}
+function generatePkceChallenge(verifier) {
+    const hash = (0, node_crypto_1.createHash)('sha256').update(verifier).digest();
+    return base64UrlEncode(hash);
+}

package/dist/auth/oidcToken.d.ts

@@ -0,0 +1,26 @@
+/**
+ * OIDC token endpoint helpers
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export interface OidcTokenResponse {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresIn?: number;
+    tokenType?: string;
+}
+export declare function exchangeAuthorizationCode(tokenEndpoint: string, clientId: string, clientSecret: string | undefined, code: string, redirectUri: string, codeVerifier: string, logger?: ILogger): Promise<OidcTokenResponse>;
+export declare function refreshOidcToken(tokenEndpoint: string, clientId: string, clientSecret: string | undefined, refreshToken: string, logger?: ILogger): Promise<OidcTokenResponse>;
+export interface OidcDeviceFlowInitResponse {
+    deviceCode: string;
+    userCode: string;
+    verificationUri: string;
+    verificationUriComplete?: string;
+    interval?: number;
+    expiresIn?: number;
+}
+export declare function initiateDeviceAuthorization(deviceEndpoint: string, clientId: string, scope: string | undefined, logger?: ILogger): Promise<OidcDeviceFlowInitResponse>;
+export declare function pollDeviceTokens(tokenEndpoint: string, clientId: string, clientSecret: string | undefined, deviceCode: string, interval?: number, logger?: ILogger): Promise<OidcTokenResponse>;
+export declare function passwordGrant(tokenEndpoint: string, clientId: string, clientSecret: string | undefined, username: string, password: string, scope: string | undefined, logger?: ILogger): Promise<OidcTokenResponse>;
+export declare function tokenExchange(tokenEndpoint: string, clientId: string, clientSecret: string | undefined, subjectToken: string, subjectTokenType: string, scope: string | undefined, audience: string | undefined, actorToken?: string, actorTokenType?: string, logger?: ILogger): Promise<OidcTokenResponse>;
+//# sourceMappingURL=oidcToken.d.ts.map

package/dist/auth/oidcToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidcToken.d.ts","sourceRoot":"","sources":["../../src/auth/oidcToken.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAGxD,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA6BD,wBAAsB,yBAAyB,CAC7C,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,CAoB5B;AAED,wBAAsB,gBAAgB,CACpC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,YAAY,EAAE,MAAM,EACpB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,CAgB5B;AAED,MAAM,WAAW,0BAA0B;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,eAAe,EAAE,MAAM,CAAC;IACxB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,2BAA2B,CAC/C,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,0BAA0B,CAAC,CA0BrC;AAED,wBAAsB,gBAAgB,CACpC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,UAAU,EAAE,MAAM,EAClB,QAAQ,GAAE,MAAU,EACpB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,CA8B5B;AAED,wBAAsB,aAAa,CACjC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,CAoB5B;AAED,wBAAsB,aAAa,CACjC,aAAa,EAAE,MAAM,EACrB,QAAQ,EAAE,MAAM,EAChB,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,YAAY,EAAE,MAAM,EACpB,gBAAgB,EAAE,MAAM,EACxB,KAAK,EAAE,MAAM,GAAG,SAAS,EACzB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,UAAU,CAAC,EAAE,MAAM,EACnB,cAAc,CAAC,EAAE,MAAM,EACvB,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,iBAAiB,CAAC,CAgC5B"}

package/dist/auth/oidcToken.js

@@ -0,0 +1,165 @@
+"use strict";
+/**
+ * OIDC token endpoint helpers
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exchangeAuthorizationCode = exchangeAuthorizationCode;
+exports.refreshOidcToken = refreshOidcToken;
+exports.initiateDeviceAuthorization = initiateDeviceAuthorization;
+exports.pollDeviceTokens = pollDeviceTokens;
+exports.passwordGrant = passwordGrant;
+exports.tokenExchange = tokenExchange;
+const axios_1 = __importDefault(require("axios"));
+function toBasicAuth(clientId, clientSecret) {
+    return Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+}
+function buildAuthHeaders(clientId, clientSecret) {
+    if (clientSecret) {
+        return { Authorization: `Basic ${toBasicAuth(clientId, clientSecret)}` };
+    }
+    return {};
+}
+function mapTokenResponse(data) {
+    if (!data?.access_token) {
+        throw new Error('Token response missing access_token');
+    }
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        idToken: data.id_token,
+        expiresIn: data.expires_in,
+        tokenType: data.token_type,
+    };
+}
+async function exchangeAuthorizationCode(tokenEndpoint, clientId, clientSecret, code, redirectUri, codeVerifier, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'authorization_code');
+    params.append('code', code);
+    params.append('redirect_uri', redirectUri);
+    params.append('code_verifier', codeVerifier);
+    params.append('client_id', clientId);
+    logger?.info('[OIDC] Exchanging authorization code for tokens', {
+        tokenEndpoint,
+    });
+    const response = await axios_1.default.post(tokenEndpoint, params.toString(), {
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            ...buildAuthHeaders(clientId, clientSecret),
+        },
+    });
+    return mapTokenResponse(response.data);
+}
+async function refreshOidcToken(tokenEndpoint, clientId, clientSecret, refreshToken, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'refresh_token');
+    params.append('refresh_token', refreshToken);
+    params.append('client_id', clientId);
+    logger?.info('[OIDC] Refreshing token', { tokenEndpoint });
+    const response = await axios_1.default.post(tokenEndpoint, params.toString(), {
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            ...buildAuthHeaders(clientId, clientSecret),
+        },
+    });
+    return mapTokenResponse(response.data);
+}
+async function initiateDeviceAuthorization(deviceEndpoint, clientId, scope, logger) {
+    const params = new URLSearchParams();
+    params.append('client_id', clientId);
+    if (scope) {
+        params.append('scope', scope);
+    }
+    logger?.info('[OIDC] Initiating device authorization', { deviceEndpoint });
+    const response = await axios_1.default.post(deviceEndpoint, params.toString(), {
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    });
+    const data = response.data;
+    if (!data?.device_code || !data?.user_code || !data?.verification_uri) {
+        throw new Error('Device authorization response missing required fields');
+    }
+    return {
+        deviceCode: data.device_code,
+        userCode: data.user_code,
+        verificationUri: data.verification_uri,
+        verificationUriComplete: data.verification_uri_complete,
+        interval: data.interval,
+        expiresIn: data.expires_in,
+    };
+}
+async function pollDeviceTokens(tokenEndpoint, clientId, clientSecret, deviceCode, interval = 5, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'urn:ietf:params:oauth:grant-type:device_code');
+    params.append('device_code', deviceCode);
+    params.append('client_id', clientId);
+    while (true) {
+        try {
+            const response = await axios_1.default.post(tokenEndpoint, params.toString(), {
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    ...buildAuthHeaders(clientId, clientSecret),
+                },
+            });
+            return mapTokenResponse(response.data);
+        }
+        catch (error) {
+            const status = error?.response?.status;
+            const errorCode = error?.response?.data?.error;
+            if (status === 400 &&
+                (errorCode === 'authorization_pending' || errorCode === 'slow_down')) {
+                const wait = errorCode === 'slow_down' ? interval + 5 : interval;
+                logger?.debug('[OIDC] Device authorization pending', { wait });
+                await new Promise((resolve) => setTimeout(resolve, wait * 1000));
+                continue;
+            }
+            throw error;
+        }
+    }
+}
+async function passwordGrant(tokenEndpoint, clientId, clientSecret, username, password, scope, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'password');
+    params.append('username', username);
+    params.append('password', password);
+    params.append('client_id', clientId);
+    if (scope) {
+        params.append('scope', scope);
+    }
+    logger?.info('[OIDC] Performing password grant', { tokenEndpoint });
+    const response = await axios_1.default.post(tokenEndpoint, params.toString(), {
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            ...buildAuthHeaders(clientId, clientSecret),
+        },
+    });
+    return mapTokenResponse(response.data);
+}
+async function tokenExchange(tokenEndpoint, clientId, clientSecret, subjectToken, subjectTokenType, scope, audience, actorToken, actorTokenType, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'urn:ietf:params:oauth:grant-type:token-exchange');
+    params.append('subject_token', subjectToken);
+    params.append('subject_token_type', subjectTokenType);
+    params.append('client_id', clientId);
+    if (scope) {
+        params.append('scope', scope);
+    }
+    if (audience) {
+        params.append('audience', audience);
+    }
+    if (actorToken) {
+        params.append('actor_token', actorToken);
+    }
+    if (actorTokenType) {
+        params.append('actor_token_type', actorTokenType);
+    }
+    logger?.info('[OIDC] Performing token exchange', { tokenEndpoint });
+    const response = await axios_1.default.post(tokenEndpoint, params.toString(), {
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            ...buildAuthHeaders(clientId, clientSecret),
+        },
+    });
+    return mapTokenResponse(response.data);
+}