@mcp-abap-adt/auth-providers 0.2.10 → 1.0.0

package/dist/auth/saml2Auth.d.ts

@@ -0,0 +1,15 @@
+/**
+ * SAML 2.0 auth helpers
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export interface Saml2AuthConfig {
+    idpSsoUrl: string;
+    spEntityId: string;
+    acsUrl: string;
+    relayState?: string;
+    authorizationUrl?: string;
+}
+export declare function buildSamlAuthorizationUrl(config: Saml2AuthConfig): string;
+export declare function startSamlBrowserAuth(config: Saml2AuthConfig, browser: string, logger?: ILogger, port?: number): Promise<string>;
+export declare function parseSamlNotOnOrAfter(samlResponse: string): number | undefined;
+//# sourceMappingURL=saml2Auth.d.ts.map

package/dist/auth/saml2Auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml2Auth.d.ts","sourceRoot":"","sources":["../../src/auth/saml2Auth.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAGxD,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AA8CD,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,CAazE;AA+CD,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,eAAe,EACvB,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,EAChB,IAAI,GAAE,MAAa,GAClB,OAAO,CAAC,MAAM,CAAC,CA4DjB;AAED,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,MAAM,GACnB,MAAM,GAAG,SAAS,CAYpB"}

package/dist/auth/saml2Auth.js

@@ -0,0 +1,205 @@
+"use strict";
+/**
+ * SAML 2.0 auth helpers
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSamlAuthorizationUrl = buildSamlAuthorizationUrl;
+exports.startSamlBrowserAuth = startSamlBrowserAuth;
+exports.parseSamlNotOnOrAfter = parseSamlNotOnOrAfter;
+const node_crypto_1 = require("node:crypto");
+const http = __importStar(require("node:http"));
+const net = __importStar(require("node:net"));
+const node_zlib_1 = require("node:zlib");
+const express_1 = __importDefault(require("express"));
+const BROWSER_MAP = {
+    chrome: 'chrome',
+    edge: 'msedge',
+    firefox: 'firefox',
+    system: undefined,
+    auto: undefined,
+    headless: null,
+    none: null,
+};
+function isPortAvailable(port) {
+    return new Promise((resolve) => {
+        const server = net.createServer();
+        server.listen(port, () => {
+            server.once('close', () => resolve(true));
+            server.close();
+        });
+        server.on('error', () => resolve(false));
+    });
+}
+function base64Encode(input) {
+    return Buffer.isBuffer(input)
+        ? input.toString('base64')
+        : Buffer.from(input, 'utf8').toString('base64');
+}
+function buildAuthnRequestXml(spEntityId, acsUrl) {
+    const issueInstant = new Date().toISOString();
+    const id = `_${(0, node_crypto_1.randomUUID)()}`;
+    return [
+        '<?xml version="1.0" encoding="UTF-8"?>',
+        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"',
+        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"',
+        ` ID="${id}"`,
+        ' Version="2.0"',
+        ` IssueInstant="${issueInstant}"`,
+        ` ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"`,
+        ` AssertionConsumerServiceURL="${acsUrl}">`,
+        `<saml:Issuer>${spEntityId}</saml:Issuer>`,
+        '</samlp:AuthnRequest>',
+    ].join('');
+}
+function buildSamlAuthorizationUrl(config) {
+    if (config.authorizationUrl) {
+        return config.authorizationUrl;
+    }
+    const xml = buildAuthnRequestXml(config.spEntityId, config.acsUrl);
+    const deflated = (0, node_zlib_1.deflateRawSync)(Buffer.from(xml, 'utf8'));
+    const samlRequest = encodeURIComponent(base64Encode(deflated));
+    const relayState = config.relayState
+        ? `&RelayState=${encodeURIComponent(config.relayState)}`
+        : '';
+    return `${config.idpSsoUrl}?SAMLRequest=${samlRequest}${relayState}`;
+}
+async function openBrowserUrl(authorizationUrl, browser, logger) {
+    const browserApp = BROWSER_MAP[browser];
+    if (browserApp === null) {
+        logger?.info('[SAML] Browser suppressed, open URL manually', {
+            authorizationUrl,
+        });
+        return;
+    }
+    if (browser === 'auto') {
+        try {
+            const openModule = await Promise.resolve().then(() => __importStar(require('open')));
+            const open = openModule.default;
+            await open(authorizationUrl);
+            logger?.info('[SAML] Browser opened');
+            return;
+        }
+        catch (error) {
+            logger?.warn('[SAML] Failed to open browser automatically', {
+                error: error instanceof Error ? error.message : String(error),
+            });
+            logger?.info('[SAML] Open URL manually', { authorizationUrl });
+            return;
+        }
+    }
+    try {
+        const openModule = await Promise.resolve().then(() => __importStar(require('open')));
+        const open = openModule.default;
+        if (browserApp) {
+            await open(authorizationUrl, { app: { name: browserApp } });
+        }
+        else {
+            await open(authorizationUrl);
+        }
+    }
+    catch (error) {
+        logger?.warn('[SAML] Failed to open browser', {
+            error: error instanceof Error ? error.message : String(error),
+        });
+        logger?.info('[SAML] Open URL manually', { authorizationUrl });
+    }
+}
+async function startSamlBrowserAuth(config, browser, logger, port = 3001) {
+    const portAvailable = await isPortAvailable(port);
+    if (!portAvailable) {
+        throw new Error(`Port ${port} is already in use. Please specify a different port or free the port.`);
+    }
+    const authorizationUrl = buildSamlAuthorizationUrl(config);
+    return new Promise((resolve, reject) => {
+        const app = (0, express_1.default)();
+        app.use(express_1.default.urlencoded({ extended: false, limit: '5mb' }));
+        const server = http.createServer(app);
+        server.keepAliveTimeout = 0;
+        server.headersTimeout = 0;
+        const PORT = port;
+        let resolved = false;
+        const cleanup = () => {
+            if (resolved)
+                return;
+            resolved = true;
+            server.close();
+        };
+        const handleResponse = (samlResponse) => {
+            if (!samlResponse) {
+                cleanup();
+                reject(new Error('Missing SAMLResponse'));
+                return;
+            }
+            cleanup();
+            resolve(samlResponse);
+        };
+        app.post('/callback', (req, res) => {
+            const samlResponse = req.body?.SAMLResponse;
+            res
+                .status(200)
+                .send('SAML authentication complete. You can close this window.');
+            handleResponse(typeof samlResponse === 'string' ? samlResponse : undefined);
+        });
+        app.get('/callback', (req, res) => {
+            const samlResponse = req.query.SAMLResponse;
+            res
+                .status(200)
+                .send('SAML authentication complete. You can close this window.');
+            handleResponse(typeof samlResponse === 'string' ? samlResponse : undefined);
+        });
+        server.listen(PORT, async () => {
+            logger?.info('[SAML] Callback server listening', { port: PORT });
+            await openBrowserUrl(authorizationUrl, browser, logger);
+        });
+    });
+}
+function parseSamlNotOnOrAfter(samlResponse) {
+    try {
+        const decoded = Buffer.from(samlResponse, 'base64').toString('utf8');
+        const match = decoded.match(/NotOnOrAfter="([^"]+)"/);
+        if (!match) {
+            return undefined;
+        }
+        const date = Date.parse(match[1]);
+        return Number.isNaN(date) ? undefined : date;
+    }
+    catch {
+        return undefined;
+    }
+}

package/dist/auth/saml2TokenExchange.d.ts

@@ -0,0 +1,12 @@
+/**
+ * SAML 2.0 bearer assertion exchange
+ */
+import type { ILogger } from '@mcp-abap-adt/interfaces';
+export interface Saml2TokenExchangeResponse {
+    accessToken: string;
+    refreshToken?: string;
+    expiresIn?: number;
+    tokenType?: string;
+}
+export declare function exchangeSamlAssertion(samlResponse: string, tokenUrl: string, clientId: string | undefined, clientSecret: string | undefined, logger?: ILogger): Promise<Saml2TokenExchangeResponse>;
+//# sourceMappingURL=saml2TokenExchange.d.ts.map

package/dist/auth/saml2TokenExchange.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"saml2TokenExchange.d.ts","sourceRoot":"","sources":["../../src/auth/saml2TokenExchange.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAGxD,MAAM,WAAW,0BAA0B;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,MAAM,EACpB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,EAChC,MAAM,CAAC,EAAE,OAAO,GACf,OAAO,CAAC,0BAA0B,CAAC,CA6BrC"}

package/dist/auth/saml2TokenExchange.js

@@ -0,0 +1,39 @@
+"use strict";
+/**
+ * SAML 2.0 bearer assertion exchange
+ */
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exchangeSamlAssertion = exchangeSamlAssertion;
+const axios_1 = __importDefault(require("axios"));
+function toBasicAuth(clientId, clientSecret) {
+    return Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
+}
+async function exchangeSamlAssertion(samlResponse, tokenUrl, clientId, clientSecret, logger) {
+    const params = new URLSearchParams();
+    params.append('grant_type', 'urn:ietf:params:oauth:grant-type:saml2-bearer');
+    params.append('assertion', samlResponse);
+    if (clientId) {
+        params.append('client_id', clientId);
+    }
+    logger?.info('[SAML] Exchanging assertion for token', { tokenUrl });
+    const headers = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+    };
+    if (clientId && clientSecret) {
+        headers.Authorization = `Basic ${toBasicAuth(clientId, clientSecret)}`;
+    }
+    const response = await axios_1.default.post(tokenUrl, params.toString(), { headers });
+    const data = response.data;
+    if (!data?.access_token) {
+        throw new Error('Token response missing access_token');
+    }
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        expiresIn: data.expires_in,
+        tokenType: data.token_type,
+    };
+}

package/dist/index.d.ts

@@ -5,6 +5,8 @@
  * Provides token providers
  */
 export { BrowserAuthError, RefreshError, ServiceKeyError, SessionDataError, TokenProviderError, ValidationError, } from './errors/TokenProviderErrors';
-export type { AuthorizationCodeProviderConfig, ClientCredentialsProviderConfig, DeviceFlowProviderConfig, } from './providers';
-export { AuthorizationCodeProvider, BaseTokenProvider, ClientCredentialsProvider, DeviceFlowProvider, } from './providers';
+export type { AuthorizationCodeProviderConfig, ClientCredentialsProviderConfig, DeviceFlowProviderConfig, OidcBrowserProviderConfig, OidcDeviceFlowProviderConfig, OidcPasswordProviderConfig, OidcTokenExchangeProviderConfig, Saml2BearerProviderConfig, Saml2PureProviderConfig, } from './providers';
+export { AuthorizationCodeProvider, BaseTokenProvider, ClientCredentialsProvider, DeviceFlowProvider, OidcBrowserProvider, OidcDeviceFlowProvider, OidcPasswordProvider, OidcTokenExchangeProvider, Saml2BearerProvider, Saml2PureProvider, } from './providers';
+export { SsoProviderFactory } from './sso/SsoProviderFactory';
+export type { SsoProviderConfig, SsoProviderInstance } from './sso/types';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EACV,+BAA+B,EAC/B,+BAA+B,EAC/B,wBAAwB,GACzB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,yBAAyB,EACzB,iBAAiB,EACjB,yBAAyB,EACzB,kBAAkB,GACnB,MAAM,aAAa,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,gBAAgB,EAChB,YAAY,EACZ,eAAe,EACf,gBAAgB,EAChB,kBAAkB,EAClB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,YAAY,EACV,+BAA+B,EAC/B,+BAA+B,EAC/B,wBAAwB,EACxB,yBAAyB,EACzB,4BAA4B,EAC5B,0BAA0B,EAC1B,+BAA+B,EAC/B,yBAAyB,EACzB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,yBAAyB,EACzB,iBAAiB,EACjB,yBAAyB,EACzB,kBAAkB,EAClB,mBAAmB,EACnB,sBAAsB,EACtB,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAC9D,YAAY,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -6,7 +6,7 @@
  * Provides token providers
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DeviceFlowProvider = exports.ClientCredentialsProvider = exports.BaseTokenProvider = exports.AuthorizationCodeProvider = exports.ValidationError = exports.TokenProviderError = exports.SessionDataError = exports.ServiceKeyError = exports.RefreshError = exports.BrowserAuthError = void 0;
+exports.SsoProviderFactory = exports.Saml2PureProvider = exports.Saml2BearerProvider = exports.OidcTokenExchangeProvider = exports.OidcPasswordProvider = exports.OidcDeviceFlowProvider = exports.OidcBrowserProvider = exports.DeviceFlowProvider = exports.ClientCredentialsProvider = exports.BaseTokenProvider = exports.AuthorizationCodeProvider = exports.ValidationError = exports.TokenProviderError = exports.SessionDataError = exports.ServiceKeyError = exports.RefreshError = exports.BrowserAuthError = void 0;
 // Errors
 var TokenProviderErrors_1 = require("./errors/TokenProviderErrors");
 Object.defineProperty(exports, "BrowserAuthError", { enumerable: true, get: function () { return TokenProviderErrors_1.BrowserAuthError; } });
@@ -21,3 +21,12 @@ Object.defineProperty(exports, "AuthorizationCodeProvider", { enumerable: true,
 Object.defineProperty(exports, "BaseTokenProvider", { enumerable: true, get: function () { return providers_1.BaseTokenProvider; } });
 Object.defineProperty(exports, "ClientCredentialsProvider", { enumerable: true, get: function () { return providers_1.ClientCredentialsProvider; } });
 Object.defineProperty(exports, "DeviceFlowProvider", { enumerable: true, get: function () { return providers_1.DeviceFlowProvider; } });
+Object.defineProperty(exports, "OidcBrowserProvider", { enumerable: true, get: function () { return providers_1.OidcBrowserProvider; } });
+Object.defineProperty(exports, "OidcDeviceFlowProvider", { enumerable: true, get: function () { return providers_1.OidcDeviceFlowProvider; } });
+Object.defineProperty(exports, "OidcPasswordProvider", { enumerable: true, get: function () { return providers_1.OidcPasswordProvider; } });
+Object.defineProperty(exports, "OidcTokenExchangeProvider", { enumerable: true, get: function () { return providers_1.OidcTokenExchangeProvider; } });
+Object.defineProperty(exports, "Saml2BearerProvider", { enumerable: true, get: function () { return providers_1.Saml2BearerProvider; } });
+Object.defineProperty(exports, "Saml2PureProvider", { enumerable: true, get: function () { return providers_1.Saml2PureProvider; } });
+// SSO factory
+var SsoProviderFactory_1 = require("./sso/SsoProviderFactory");
+Object.defineProperty(exports, "SsoProviderFactory", { enumerable: true, get: function () { return SsoProviderFactory_1.SsoProviderFactory; } });

package/dist/providers/BaseTokenProvider.d.ts

@@ -21,6 +21,7 @@ export declare abstract class BaseTokenProvider implements ITokenProvider {
     protected authorizationToken?: string;
     protected refreshToken?: string;
     protected expiresAt?: number;
+    protected tokenType?: 'jwt' | 'saml' | 'opaque';
     protected logger?: ILogger;
     /**
      * Format timestamp to readable date/time string

package/dist/providers/BaseTokenProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"BaseTokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/BaseTokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,cAAc,EACd,YAAY,EACZ,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAElC;;;;;;;;GAQG;AACH,8BAAsB,iBAAkB,YAAW,cAAc;IAC/D,SAAS,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACtC,SAAS,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAChC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAE3B;;;;OAIG;IACH,SAAS,CAAC,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAWzD;;OAEG;IACH,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAMzD;;;OAGG;IACH,SAAS,CAAC,YAAY,IAAI,OAAO;IAyBjC;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC;IAExD;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC;IAE1D;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,WAAW,IAAI,eAAe;IAEjD;;;;;;;;OAQG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,CAAC;IAuElC,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAmB3E;;;OAGG;IACH,SAAS,CAAC,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAoBlD;;;;OAIG;IACH,SAAS,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IA0BnE;;;;OAIG;IACH,SAAS,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;CAShE"}
+{"version":3,"file":"BaseTokenProvider.d.ts","sourceRoot":"","sources":["../../src/providers/BaseTokenProvider.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,cAAc,EACd,YAAY,EACZ,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAElC;;;;;;;;GAQG;AACH,8BAAsB,iBAAkB,YAAW,cAAc;IAC/D,SAAS,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACtC,SAAS,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAChC,SAAS,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC7B,SAAS,CAAC,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,GAAG,QAAQ,CAAC;IAChD,SAAS,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAE3B;;;;OAIG;IACH,SAAS,CAAC,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM;IAWzD;;OAEG;IACH,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAMzD;;;OAGG;IACH,SAAS,CAAC,YAAY,IAAI,OAAO;IAyBjC;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC;IAExD;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC;IAE1D;;;OAGG;IACH,SAAS,CAAC,QAAQ,CAAC,WAAW,IAAI,eAAe;IAEjD;;;;;;;;OAQG;IACG,SAAS,IAAI,OAAO,CAAC,YAAY,CAAC;IAyElC,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAoC3E;;;OAGG;IACH,SAAS,CAAC,YAAY,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IA0BlD;;;;OAIG;IACH,SAAS,CAAC,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IA0BnE;;;;OAIG;IACH,SAAS,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;CAShE"}

package/dist/providers/BaseTokenProvider.js

@@ -23,6 +23,7 @@ class BaseTokenProvider {
     authorizationToken;
     refreshToken;
     expiresAt; // timestamp in milliseconds
+    tokenType;
     logger;
     /**
      * Format timestamp to readable date/time string
@@ -107,6 +108,8 @@ class BaseTokenProvider {
                 authorizationToken,
                 refreshToken: this.refreshToken,
                 authType: this.getAuthType(),
+                tokenType: this.tokenType ?? 'jwt',
+                expiresAt: this.expiresAt,
                 expiresIn: this.expiresAt
                     ? Math.floor((this.expiresAt - Date.now()) / 1000)
                     : undefined,
@@ -149,6 +152,21 @@ class BaseTokenProvider {
     }
     async validateToken(_token, _serviceUrl) {
         this.logger?.debug('[BaseTokenProvider] Validating token');
+        if (this.tokenType && this.tokenType !== 'jwt') {
+            if (!this.expiresAt) {
+                this.logger?.warn('[BaseTokenProvider] Token validation failed: missing expiresAt for non-JWT token');
+                return false;
+            }
+            const bufferMs = 60 * 1000;
+            const isValid = Date.now() < this.expiresAt - bufferMs;
+            this.logger?.info('[BaseTokenProvider] Token validation result', {
+                isValid,
+                tokenType: this.tokenType,
+                expiresAt: this.formatExpirationDate(this.expiresAt),
+                expiresIn: Math.floor((this.expiresAt - Date.now()) / 1000),
+            });
+            return isValid;
+        }
         const expiresAt = this.parseExpirationFromJWT(_token);
         if (!expiresAt) {
             this.logger?.warn('[BaseTokenProvider] Token validation failed: cannot parse expiration');
@@ -171,17 +189,25 @@ class BaseTokenProvider {
         const oldToken = this.formatToken(this.authorizationToken);
         this.authorizationToken = result.authorizationToken;
         this.refreshToken = result.refreshToken;
-        if (result.expiresIn) {
+        this.tokenType = result.tokenType ?? 'jwt';
+        if (result.expiresAt) {
+            this.expiresAt = result.expiresAt;
+        }
+        else if (result.expiresIn) {
             this.expiresAt = Date.now() + result.expiresIn * 1000;
         }
-        else {
+        else if (this.tokenType === 'jwt') {
             // Try to parse expiration from JWT if expiresIn not provided
             this.expiresAt = this.parseExpirationFromJWT(result.authorizationToken);
         }
+        else {
+            this.expiresAt = undefined;
+        }
         this.logger?.info('[BaseTokenProvider] Tokens updated', {
             oldToken,
             newToken: this.formatToken(result.authorizationToken),
             newRefreshToken: this.formatToken(result.refreshToken),
+            tokenType: this.tokenType,
             expiresAt: this.expiresAt
                 ? this.formatExpirationDate(this.expiresAt)
                 : undefined,

package/dist/providers/OidcBrowserProvider.d.ts

@@ -0,0 +1,24 @@
+/**
+ * OIDC Authorization Code Provider (with PKCE)
+ */
+import type { ILogger, ITokenResult, OAuth2GrantType } from '@mcp-abap-adt/interfaces';
+import { BaseTokenProvider } from './BaseTokenProvider';
+export interface OidcBrowserProviderConfig {
+    issuerUrl: string;
+    clientId: string;
+    clientSecret?: string;
+    scopes?: string[];
+    browser?: string;
+    redirectPort?: number;
+    accessToken?: string;
+    refreshToken?: string;
+    logger?: ILogger;
+}
+export declare class OidcBrowserProvider extends BaseTokenProvider {
+    private config;
+    constructor(config: OidcBrowserProviderConfig);
+    protected getAuthType(): OAuth2GrantType;
+    protected performLogin(): Promise<ITokenResult>;
+    protected performRefresh(): Promise<ITokenResult>;
+}
+//# sourceMappingURL=OidcBrowserProvider.d.ts.map

package/dist/providers/OidcBrowserProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcBrowserProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcBrowserProvider.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,YAAY,EACZ,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAMlC,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,MAAM,WAAW,yBAAyB;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,mBAAoB,SAAQ,iBAAiB;IACxD,OAAO,CAAC,MAAM,CAA4B;gBAE9B,MAAM,EAAE,yBAAyB;IAc7C,SAAS,CAAC,WAAW,IAAI,eAAe;cAIxB,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC;cAsDrC,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC;CAsBxD"}

package/dist/providers/OidcBrowserProvider.js

@@ -0,0 +1,76 @@
+"use strict";
+/**
+ * OIDC Authorization Code Provider (with PKCE)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcBrowserProvider = void 0;
+const interfaces_1 = require("@mcp-abap-adt/interfaces");
+const oidcBrowserAuth_1 = require("../auth/oidcBrowserAuth");
+const oidcDiscovery_1 = require("../auth/oidcDiscovery");
+const oidcPkce_1 = require("../auth/oidcPkce");
+const oidcToken_1 = require("../auth/oidcToken");
+const BaseTokenProvider_1 = require("./BaseTokenProvider");
+class OidcBrowserProvider extends BaseTokenProvider_1.BaseTokenProvider {
+    config;
+    constructor(config) {
+        super();
+        this.config = config;
+        this.logger = config.logger;
+        if (config.accessToken) {
+            this.authorizationToken = config.accessToken;
+            this.expiresAt = this.parseExpirationFromJWT(config.accessToken);
+        }
+        if (config.refreshToken) {
+            this.refreshToken = config.refreshToken;
+        }
+    }
+    getAuthType() {
+        return interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE_PKCE;
+    }
+    async performLogin() {
+        const discovery = await (0, oidcDiscovery_1.discoverOidc)(this.config.issuerUrl, this.logger);
+        if (!discovery.authorization_endpoint) {
+            throw new Error('OIDC discovery missing authorization_endpoint');
+        }
+        const redirectPort = this.config.redirectPort || 3001;
+        const redirectUri = `http://localhost:${redirectPort}/callback`;
+        const scope = (this.config.scopes && this.config.scopes.length > 0
+            ? this.config.scopes
+            : ['openid', 'profile', 'email']).join(' ');
+        const verifier = (0, oidcPkce_1.generatePkceVerifier)();
+        const challenge = (0, oidcPkce_1.generatePkceChallenge)(verifier);
+        const params = new URLSearchParams();
+        params.append('response_type', 'code');
+        params.append('client_id', this.config.clientId);
+        params.append('redirect_uri', redirectUri);
+        params.append('scope', scope);
+        params.append('code_challenge', challenge);
+        params.append('code_challenge_method', 'S256');
+        const authorizationUrl = `${discovery.authorization_endpoint}?${params.toString()}`;
+        const browser = this.config.browser || 'auto';
+        const { code } = await (0, oidcBrowserAuth_1.startOidcBrowserAuth)(authorizationUrl, browser, this.logger, redirectPort);
+        const tokens = await (0, oidcToken_1.exchangeAuthorizationCode)(discovery.token_endpoint, this.config.clientId, this.config.clientSecret, code, redirectUri, verifier, this.logger);
+        return {
+            authorizationToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            authType: interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE_PKCE,
+            expiresIn: tokens.expiresIn,
+            tokenType: 'jwt',
+        };
+    }
+    async performRefresh() {
+        if (!this.refreshToken) {
+            return this.performLogin();
+        }
+        const discovery = await (0, oidcDiscovery_1.discoverOidc)(this.config.issuerUrl, this.logger);
+        const tokens = await (0, oidcToken_1.refreshOidcToken)(discovery.token_endpoint, this.config.clientId, this.config.clientSecret, this.refreshToken, this.logger);
+        return {
+            authorizationToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken || this.refreshToken,
+            authType: interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE_PKCE,
+            expiresIn: tokens.expiresIn,
+            tokenType: 'jwt',
+        };
+    }
+}
+exports.OidcBrowserProvider = OidcBrowserProvider;

package/dist/providers/OidcDeviceFlowProvider.d.ts

@@ -0,0 +1,22 @@
+/**
+ * OIDC Device Flow Provider
+ */
+import type { ILogger, ITokenResult, OAuth2GrantType } from '@mcp-abap-adt/interfaces';
+import { BaseTokenProvider } from './BaseTokenProvider';
+export interface OidcDeviceFlowProviderConfig {
+    issuerUrl: string;
+    clientId: string;
+    clientSecret?: string;
+    scopes?: string[];
+    accessToken?: string;
+    refreshToken?: string;
+    logger?: ILogger;
+}
+export declare class OidcDeviceFlowProvider extends BaseTokenProvider {
+    private config;
+    constructor(config: OidcDeviceFlowProviderConfig);
+    protected getAuthType(): OAuth2GrantType;
+    protected performLogin(): Promise<ITokenResult>;
+    protected performRefresh(): Promise<ITokenResult>;
+}
+//# sourceMappingURL=OidcDeviceFlowProvider.d.ts.map

package/dist/providers/OidcDeviceFlowProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcDeviceFlowProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcDeviceFlowProvider.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,YAAY,EACZ,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAQlC,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,MAAM,WAAW,4BAA4B;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,sBAAuB,SAAQ,iBAAiB;IAC3D,OAAO,CAAC,MAAM,CAA+B;gBAEjC,MAAM,EAAE,4BAA4B;IAchD,SAAS,CAAC,WAAW,IAAI,eAAe;cAIxB,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC;cA0CrC,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC;CAqBxD"}

package/dist/providers/OidcDeviceFlowProvider.js

@@ -0,0 +1,68 @@
+"use strict";
+/**
+ * OIDC Device Flow Provider
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcDeviceFlowProvider = void 0;
+const interfaces_1 = require("@mcp-abap-adt/interfaces");
+const oidcDiscovery_1 = require("../auth/oidcDiscovery");
+const oidcToken_1 = require("../auth/oidcToken");
+const BaseTokenProvider_1 = require("./BaseTokenProvider");
+class OidcDeviceFlowProvider extends BaseTokenProvider_1.BaseTokenProvider {
+    config;
+    constructor(config) {
+        super();
+        this.config = config;
+        this.logger = config.logger;
+        if (config.accessToken) {
+            this.authorizationToken = config.accessToken;
+            this.expiresAt = this.parseExpirationFromJWT(config.accessToken);
+        }
+        if (config.refreshToken) {
+            this.refreshToken = config.refreshToken;
+        }
+    }
+    getAuthType() {
+        return interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE;
+    }
+    async performLogin() {
+        const discovery = await (0, oidcDiscovery_1.discoverOidc)(this.config.issuerUrl, this.logger);
+        if (!discovery.device_authorization_endpoint) {
+            throw new Error('OIDC discovery missing device_authorization_endpoint');
+        }
+        const scope = this.config.scopes?.join(' ');
+        const deviceFlow = await (0, oidcToken_1.initiateDeviceAuthorization)(discovery.device_authorization_endpoint, this.config.clientId, scope, this.logger);
+        // Manual user guidance
+        console.log('');
+        console.log('OIDC device authorization');
+        console.log('Go to:', deviceFlow.verificationUri);
+        if (deviceFlow.verificationUriComplete) {
+            console.log('Or use:', deviceFlow.verificationUriComplete);
+        }
+        console.log('Enter code:', deviceFlow.userCode);
+        console.log('');
+        const tokens = await (0, oidcToken_1.pollDeviceTokens)(discovery.token_endpoint, this.config.clientId, this.config.clientSecret, deviceFlow.deviceCode, deviceFlow.interval || 5, this.logger);
+        return {
+            authorizationToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            authType: interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE,
+            expiresIn: tokens.expiresIn,
+            tokenType: 'jwt',
+        };
+    }
+    async performRefresh() {
+        if (!this.refreshToken) {
+            return this.performLogin();
+        }
+        const discovery = await (0, oidcDiscovery_1.discoverOidc)(this.config.issuerUrl, this.logger);
+        const tokens = await (0, oidcToken_1.refreshOidcToken)(discovery.token_endpoint, this.config.clientId, this.config.clientSecret, this.refreshToken, this.logger);
+        return {
+            authorizationToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken || this.refreshToken,
+            authType: interfaces_1.AUTH_TYPE_AUTHORIZATION_CODE,
+            expiresIn: tokens.expiresIn,
+            tokenType: 'jwt',
+        };
+    }
+}
+exports.OidcDeviceFlowProvider = OidcDeviceFlowProvider;

package/dist/providers/OidcPasswordProvider.d.ts

@@ -0,0 +1,24 @@
+/**
+ * OIDC Password Grant Provider
+ */
+import type { ILogger, ITokenResult, OAuth2GrantType } from '@mcp-abap-adt/interfaces';
+import { BaseTokenProvider } from './BaseTokenProvider';
+export interface OidcPasswordProviderConfig {
+    issuerUrl: string;
+    clientId: string;
+    clientSecret?: string;
+    username: string;
+    password: string;
+    scopes?: string[];
+    accessToken?: string;
+    refreshToken?: string;
+    logger?: ILogger;
+}
+export declare class OidcPasswordProvider extends BaseTokenProvider {
+    private config;
+    constructor(config: OidcPasswordProviderConfig);
+    protected getAuthType(): OAuth2GrantType;
+    protected performLogin(): Promise<ITokenResult>;
+    protected performRefresh(): Promise<ITokenResult>;
+}
+//# sourceMappingURL=OidcPasswordProvider.d.ts.map

package/dist/providers/OidcPasswordProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcPasswordProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcPasswordProvider.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,YAAY,EACZ,eAAe,EAChB,MAAM,0BAA0B,CAAC;AAIlC,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,qBAAa,oBAAqB,SAAQ,iBAAiB;IACzD,OAAO,CAAC,MAAM,CAA6B;gBAE/B,MAAM,EAAE,0BAA0B;IAc9C,SAAS,CAAC,WAAW,IAAI,eAAe;cAIxB,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC;cAsBrC,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC;CAsBxD"}