@memberjunction/auth-providers 0.0.1 → 5.16.0

package/dist/providers/GoogleProvider.d.ts

@@ -0,0 +1,18 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Google Identity Platform authentication provider implementation
+ */
+export declare class GoogleProvider extends BaseAuthProvider {
+    constructor(config: AuthProviderConfig);
+    /**
+     * Extracts user information from Google JWT payload
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Validates Google-specific configuration
+     */
+    validateConfig(): boolean;
+}
+//# sourceMappingURL=GoogleProvider.d.ts.map

package/dist/providers/GoogleProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleProvider.d.ts","sourceRoot":"","sources":["../../src/providers/GoogleProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D;;GAEG;AACH,qBACa,cAAe,SAAQ,gBAAgB;gBACtC,MAAM,EAAE,kBAAkB;IAItC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;IAiBlD;;OAEG;IACH,cAAc,IAAI,OAAO;CAM1B"}

package/dist/providers/GoogleProvider.js

@@ -0,0 +1,51 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { RegisterClass } from '@memberjunction/global';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Google Identity Platform authentication provider implementation
+ */
+let GoogleProvider = class GoogleProvider extends BaseAuthProvider {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Extracts user information from Google JWT payload
+     */
+    extractUserInfo(payload) {
+        // Google uses standard OIDC claims
+        const email = payload.email;
+        const fullName = payload.name;
+        const firstName = payload.given_name;
+        const lastName = payload.family_name;
+        const preferredUsername = email; // Google typically uses email as username
+        return {
+            email,
+            firstName: firstName || fullName?.split(' ')[0],
+            lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+            fullName,
+            preferredUsername
+        };
+    }
+    /**
+     * Validates Google-specific configuration
+     */
+    validateConfig() {
+        const baseValid = super.validateConfig();
+        const hasClientId = !!this.config.clientId;
+        return baseValid && hasClientId;
+    }
+};
+GoogleProvider = __decorate([
+    RegisterClass(BaseAuthProvider, 'google'),
+    __metadata("design:paramtypes", [Object])
+], GoogleProvider);
+export { GoogleProvider };
+//# sourceMappingURL=GoogleProvider.js.map

package/dist/providers/GoogleProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleProvider.js","sourceRoot":"","sources":["../../src/providers/GoogleProvider.ts"],"names":[],"mappings":";;;;;;;;;AACA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D;;GAEG;AAEI,IAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,gBAAgB;IAClD,YAAY,MAA0B;QACpC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAmB;QACjC,mCAAmC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAA2B,CAAC;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAA0B,CAAC;QACpD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAgC,CAAC;QAC3D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAiC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,KAAK,CAAC,CAAC,0CAA0C;QAE3E,OAAO;YACL,KAAK;YACL,SAAS,EAAE,SAAS,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/C,QAAQ,EAAE,QAAQ,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,MAAM,SAAS,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAE3C,OAAO,SAAS,IAAI,WAAW,CAAC;IAClC,CAAC;CACF,CAAA;AAlCY,cAAc;IAD1B,aAAa,CAAC,gBAAgB,EAAE,QAAQ,CAAC;;GAC7B,cAAc,CAkC1B"}

package/dist/providers/MSALProvider.d.ts

@@ -0,0 +1,18 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Microsoft Authentication Library (MSAL) provider implementation
+ */
+export declare class MSALProvider extends BaseAuthProvider {
+    constructor(config: AuthProviderConfig);
+    /**
+     * Extracts user information from MSAL/Azure AD JWT payload
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Validates MSAL-specific configuration
+     */
+    validateConfig(): boolean;
+}
+//# sourceMappingURL=MSALProvider.d.ts.map

package/dist/providers/MSALProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MSALProvider.d.ts","sourceRoot":"","sources":["../../src/providers/MSALProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;GAEG;AACH,qBACa,YAAa,SAAQ,gBAAgB;gBACpC,MAAM,EAAE,kBAAkB;IAItC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;IAiBlD;;OAEG;IACH,cAAc,IAAI,OAAO;CAO1B"}

package/dist/providers/MSALProvider.js

@@ -0,0 +1,52 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { RegisterClass } from '@memberjunction/global';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Microsoft Authentication Library (MSAL) provider implementation
+ */
+let MSALProvider = class MSALProvider extends BaseAuthProvider {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Extracts user information from MSAL/Azure AD JWT payload
+     */
+    extractUserInfo(payload) {
+        // MSAL/Azure AD uses some custom claims
+        const email = payload.email || payload.preferred_username;
+        const fullName = payload.name;
+        const firstName = payload.given_name;
+        const lastName = payload.family_name;
+        const preferredUsername = payload.preferred_username;
+        return {
+            email,
+            firstName: firstName || fullName?.split(' ')[0],
+            lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+            fullName,
+            preferredUsername
+        };
+    }
+    /**
+     * Validates MSAL-specific configuration
+     */
+    validateConfig() {
+        const baseValid = super.validateConfig();
+        const hasClientId = !!this.config.clientId;
+        const hasTenantId = !!this.config.tenantId;
+        return baseValid && hasClientId && hasTenantId;
+    }
+};
+MSALProvider = __decorate([
+    RegisterClass(BaseAuthProvider, 'msal'),
+    __metadata("design:paramtypes", [Object])
+], MSALProvider);
+export { MSALProvider };
+//# sourceMappingURL=MSALProvider.js.map

package/dist/providers/MSALProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"MSALProvider.js","sourceRoot":"","sources":["../../src/providers/MSALProvider.ts"],"names":[],"mappings":";;;;;;;;;AACA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;GAEG;AAEI,IAAM,YAAY,GAAlB,MAAM,YAAa,SAAQ,gBAAgB;IAChD,YAAY,MAA0B;QACpC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAmB;QACjC,wCAAwC;QACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAA2B,IAAI,OAAO,CAAC,kBAAwC,CAAC;QACtG,MAAM,QAAQ,GAAG,OAAO,CAAC,IAA0B,CAAC;QACpD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAgC,CAAC;QAC3D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAiC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,kBAAwC,CAAC;QAE3E,OAAO;YACL,KAAK;YACL,SAAS,EAAE,SAAS,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/C,QAAQ,EAAE,QAAQ,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,MAAM,SAAS,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC3C,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAE3C,OAAO,SAAS,IAAI,WAAW,IAAI,WAAW,CAAC;IACjD,CAAC;CACF,CAAA;AAnCY,YAAY;IADxB,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC;;GAC3B,YAAY,CAmCxB"}

package/dist/providers/OktaProvider.d.ts

@@ -0,0 +1,18 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Okta authentication provider implementation
+ */
+export declare class OktaProvider extends BaseAuthProvider {
+    constructor(config: AuthProviderConfig);
+    /**
+     * Extracts user information from Okta JWT payload
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Validates Okta-specific configuration
+     */
+    validateConfig(): boolean;
+}
+//# sourceMappingURL=OktaProvider.d.ts.map

package/dist/providers/OktaProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OktaProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OktaProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D;;GAEG;AACH,qBACa,YAAa,SAAQ,gBAAgB;gBACpC,MAAM,EAAE,kBAAkB;IAItC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;IAiBlD;;OAEG;IACH,cAAc,IAAI,OAAO;CAO1B"}

package/dist/providers/OktaProvider.js

@@ -0,0 +1,52 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { RegisterClass } from '@memberjunction/global';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Okta authentication provider implementation
+ */
+let OktaProvider = class OktaProvider extends BaseAuthProvider {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Extracts user information from Okta JWT payload
+     */
+    extractUserInfo(payload) {
+        // Okta uses standard OIDC claims plus some custom ones
+        const email = payload.email || payload.preferred_username;
+        const fullName = payload.name;
+        const firstName = payload.given_name;
+        const lastName = payload.family_name;
+        const preferredUsername = payload.preferred_username || email;
+        return {
+            email,
+            firstName: firstName || fullName?.split(' ')[0],
+            lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+            fullName,
+            preferredUsername
+        };
+    }
+    /**
+     * Validates Okta-specific configuration
+     */
+    validateConfig() {
+        const baseValid = super.validateConfig();
+        const hasClientId = !!this.config.clientId;
+        const hasDomain = !!this.config.domain;
+        return baseValid && hasClientId && hasDomain;
+    }
+};
+OktaProvider = __decorate([
+    RegisterClass(BaseAuthProvider, 'okta'),
+    __metadata("design:paramtypes", [Object])
+], OktaProvider);
+export { OktaProvider };
+//# sourceMappingURL=OktaProvider.js.map

package/dist/providers/OktaProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OktaProvider.js","sourceRoot":"","sources":["../../src/providers/OktaProvider.ts"],"names":[],"mappings":";;;;;;;;;AACA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D;;GAEG;AAEI,IAAM,YAAY,GAAlB,MAAM,YAAa,SAAQ,gBAAgB;IAChD,YAAY,MAA0B;QACpC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAmB;QACjC,uDAAuD;QACvD,MAAM,KAAK,GAAG,OAAO,CAAC,KAA2B,IAAI,OAAO,CAAC,kBAAwC,CAAC;QACtG,MAAM,QAAQ,GAAG,OAAO,CAAC,IAA0B,CAAC;QACpD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAgC,CAAC;QAC3D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAiC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,kBAAwC,IAAI,KAAK,CAAC;QAEpF,OAAO;YACL,KAAK;YACL,SAAS,EAAE,SAAS,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/C,QAAQ,EAAE,QAAQ,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,MAAM,SAAS,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAEvC,OAAO,SAAS,IAAI,WAAW,IAAI,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AAnCY,YAAY;IADxB,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC;;GAC3B,YAAY,CAmCxB"}

package/dist/tokenExpiredError.d.ts

@@ -0,0 +1,5 @@
+import { GraphQLError } from 'graphql';
+export declare class TokenExpiredError extends GraphQLError {
+    constructor(expiryDate: Date, message?: string);
+}
+//# sourceMappingURL=tokenExpiredError.d.ts.map

package/dist/tokenExpiredError.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExpiredError.d.ts","sourceRoot":"","sources":["../src/tokenExpiredError.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,qBAAa,iBAAkB,SAAQ,YAAY;gBACrC,UAAU,EAAE,IAAI,EAAE,OAAO,SAA+D;CAQrG"}

package/dist/tokenExpiredError.js

@@ -0,0 +1,12 @@
+import { GraphQLError } from 'graphql';
+export class TokenExpiredError extends GraphQLError {
+    constructor(expiryDate, message = 'The provided token has expired. Please authenticate again.') {
+        super(message, {
+            extensions: {
+                code: 'JWT_EXPIRED',
+                expiryDate: expiryDate.toISOString(),
+            },
+        });
+    }
+}
+//# sourceMappingURL=tokenExpiredError.js.map

package/dist/tokenExpiredError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenExpiredError.js","sourceRoot":"","sources":["../src/tokenExpiredError.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,MAAM,OAAO,iBAAkB,SAAQ,YAAY;IACjD,YAAY,UAAgB,EAAE,OAAO,GAAG,4DAA4D;QAClG,KAAK,CAAC,OAAO,EAAE;YACb,UAAU,EAAE;gBACV,IAAI,EAAE,aAAa;gBACnB,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;aACrC;SACF,CAAC,CAAC;IACL,CAAC;CACF"}

package/package.json

@@ -1,10 +1,31 @@
 {
   "name": "@memberjunction/auth-providers",
-  "version": "0.0.1",
-  "description": "OIDC trusted publishing setup package for @memberjunction/auth-providers",
-  "keywords": [
-    "oidc",
-    "trusted-publishing",
-    "setup"
-  ]
+  "version": "5.16.0",
+  "description": "Authentication provider interfaces, base classes, and implementations for MemberJunction",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsc && tsc-alias -f",
+    "test": "vitest run --passWithNoTests",
+    "test:watch": "vitest"
+  },
+  "dependencies": {
+    "@memberjunction/core": "5.16.0",
+    "@memberjunction/global": "5.16.0",
+    "graphql": "^16.12.0",
+    "jsonwebtoken": "9.0.3",
+    "jwks-rsa": "^3.2.2"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "9.0.10",
+    "@types/node": "24.10.11",
+    "tsc-alias": "^1.8.15",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/MemberJunction/MJ"
+  }
 }

package/src/AuthProviderFactory.ts

@@ -0,0 +1,180 @@
+import { AuthProviderConfig } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+import { BaseAuthProvider } from './BaseAuthProvider.js';
+import { MJGlobal, BaseSingleton } from '@memberjunction/global';
+
+// Import providers to ensure they're registered
+import './providers/Auth0Provider.js';
+import './providers/MSALProvider.js';
+import './providers/OktaProvider.js';
+import './providers/CognitoProvider.js';
+import './providers/GoogleProvider.js';
+
+/**
+ * Factory and registry for managing authentication providers
+ * Combines provider creation and lifecycle management in a single class
+ */
+export class AuthProviderFactory extends BaseSingleton<AuthProviderFactory> {
+  private providers: Map<string, IAuthProvider> = new Map();
+  private issuerCache: Map<string, IAuthProvider> = new Map();
+  private issuerMultiCache: Map<string, IAuthProvider[]> = new Map();
+
+  public constructor() {
+    super();
+  }
+
+  /**
+   * Gets the singleton instance of the factory
+   */
+  public static get Instance(): AuthProviderFactory {
+    return AuthProviderFactory.getInstance<AuthProviderFactory>();
+  }
+
+  /**
+   * Creates an authentication provider instance based on configuration
+   * Uses MJGlobal ClassFactory to instantiate the correct provider class
+   */
+  static createProvider(config: AuthProviderConfig): IAuthProvider {
+    try {
+      // Use MJGlobal ClassFactory to create the provider instance
+      // The provider type in config should match the key used in @RegisterClass
+      // The config is passed as a constructor parameter via the spread operator
+      const provider = MJGlobal.Instance.ClassFactory.CreateInstance<BaseAuthProvider>(
+        BaseAuthProvider,
+        config.type.toLowerCase(),
+        config
+      );
+      
+      if (!provider) {
+        throw new Error(`No provider registered for type: ${config.type}`);
+      }
+      
+      return provider;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`Failed to create authentication provider for type '${config.type}': ${message}`);
+    }
+  }
+
+  /**
+   * Registers a new authentication provider
+   */
+  register(provider: IAuthProvider): void {
+    if (!provider.validateConfig()) {
+      throw new Error(`Invalid configuration for provider: ${provider.name}`);
+    }
+
+    this.providers.set(provider.name, provider);
+    
+    // Clear issuer caches when registering new provider
+    this.issuerCache.clear();
+    this.issuerMultiCache.clear();
+    
+    console.log(`Registered auth provider: ${provider.name} with issuer: ${provider.issuer}`);
+  }
+
+  /**
+   * Gets a provider by its issuer URL
+   */
+  getByIssuer(issuer: string): IAuthProvider | undefined {
+    // Check cache first
+    if (this.issuerCache.has(issuer)) {
+      return this.issuerCache.get(issuer);
+    }
+
+    // Search through providers
+    for (const provider of this.providers.values()) {
+      if (provider.matchesIssuer(issuer)) {
+        // Cache for future lookups
+        this.issuerCache.set(issuer, provider);
+        return provider;
+      }
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Gets all providers matching an issuer URL.
+   * Unlike getByIssuer() which returns only the first match, this returns
+   * all providers for a given issuer. This is needed when multiple apps
+   * (e.g. MJExplorer + MJCentral) share the same Auth0 domain but have
+   * different audiences (client IDs).
+   */
+  getAllByIssuer(issuer: string): IAuthProvider[] {
+    // Check multi-provider cache first
+    if (this.issuerMultiCache.has(issuer)) {
+      return this.issuerMultiCache.get(issuer)!;
+    }
+
+    const matches: IAuthProvider[] = [];
+    for (const provider of this.providers.values()) {
+      if (provider.matchesIssuer(issuer)) {
+        matches.push(provider);
+      }
+    }
+
+    if (matches.length > 0) {
+      this.issuerMultiCache.set(issuer, matches);
+    }
+
+    return matches;
+  }
+
+  /**
+   * Gets a provider by its name
+   */
+  getByName(name: string): IAuthProvider | undefined {
+    return this.providers.get(name);
+  }
+
+  /**
+   * Gets all registered providers
+   */
+  getAllProviders(): IAuthProvider[] {
+    return Array.from(this.providers.values());
+  }
+
+  /**
+   * Checks if any providers are registered
+   */
+  hasProviders(): boolean {
+    return this.providers.size > 0;
+  }
+
+  /**
+   * Clears all registered providers (useful for testing)
+   */
+  clear(): void {
+    this.providers.clear();
+    this.issuerCache.clear();
+    this.issuerMultiCache.clear();
+  }
+
+  /**
+   * Gets all registered provider types from the ClassFactory
+   */
+  static getRegisteredProviderTypes(): string[] {
+    // Get all registrations for BaseAuthProvider from ClassFactory
+    const registrations = MJGlobal.Instance.ClassFactory.GetAllRegistrations(BaseAuthProvider);
+    // Extract unique keys (provider types) from registrations
+    const providerTypes = registrations
+      .map(reg => reg.Key)
+      .filter((key): key is string => key !== null && key !== undefined);
+    // Return unique provider types
+    return Array.from(new Set(providerTypes));
+  }
+
+  /**
+   * Checks if a provider type is registered
+   */
+  static isProviderTypeRegistered(type: string): boolean {
+    try {
+      // Try to get the registration for this specific type
+      const registration = MJGlobal.Instance.ClassFactory.GetRegistration(BaseAuthProvider, type.toLowerCase());
+      return registration !== null && registration !== undefined;
+    } catch {
+      return false;
+    }
+  }
+}

package/src/BaseAuthProvider.ts

@@ -0,0 +1,137 @@
+import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+import https from 'https';
+import http from 'http';
+
+/**
+ * Base implementation of IAuthProvider with common functionality
+ * Concrete providers should extend this class and use @RegisterClass decorator
+ * with BaseAuthProvider as the base class
+ */
+export abstract class BaseAuthProvider implements IAuthProvider {
+  name: string;
+  issuer: string;
+  audience: string;
+  jwksUri: string;
+  /** OAuth client ID for this provider (used by OAuth proxy for upstream auth) */
+  clientId?: string;
+  protected config: AuthProviderConfig;
+  protected jwksClient: jwksClient.JwksClient;
+
+  constructor(config: AuthProviderConfig) {
+    this.config = config;
+    this.name = config.name;
+    this.issuer = config.issuer;
+    this.audience = config.audience;
+    this.jwksUri = config.jwksUri;
+    this.clientId = config.clientId;
+
+    // Create HTTP agent with keep-alive to prevent socket hangups
+    const agent = this.jwksUri.startsWith('https')
+      ? new https.Agent({
+          keepAlive: true,
+          keepAliveMsecs: 30000,
+          maxSockets: 50,
+          maxFreeSockets: 10,
+          timeout: 60000
+        })
+      : new http.Agent({
+          keepAlive: true,
+          keepAliveMsecs: 30000,
+          maxSockets: 50,
+          maxFreeSockets: 10,
+          timeout: 60000
+        });
+
+    // Initialize JWKS client with connection pooling and extended timeout
+    this.jwksClient = jwksClient({
+      jwksUri: this.jwksUri,
+      cache: true,
+      cacheMaxEntries: 5,
+      cacheMaxAge: 600000, // 10 minutes
+      timeout: 60000, // 60 seconds (increased from default 30s)
+      requestAgent: agent
+    });
+  }
+
+  /**
+   * Validates that required configuration is present
+   */
+  validateConfig(): boolean {
+    return !!(this.name && this.issuer && this.audience && this.jwksUri);
+  }
+
+  /**
+   * Gets the signing key for token verification with retry logic
+   */
+  getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void {
+    this.getSigningKeyWithRetry(header, 3, 1000)
+      .then((key) => {
+        const signingKey = 'publicKey' in key ? key.publicKey : key.rsaPublicKey;
+        callback(null, signingKey);
+      })
+      .catch((err) => {
+        console.error(`Error getting signing key for provider ${this.name} after retries:`, err);
+        callback(err);
+      });
+  }
+
+  /**
+   * Retrieves signing key with exponential backoff retry logic
+   */
+  private async getSigningKeyWithRetry(
+    header: JwtHeader,
+    maxRetries: number,
+    initialDelayMs: number
+  ): Promise<jwksClient.SigningKey> {
+    let lastError: Error | undefined;
+
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      try {
+        return await this.jwksClient.getSigningKey(header.kid);
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+
+        // Check if this is a connection error that's worth retrying
+        const isRetryableError =
+          lastError.message.includes('socket hang up') ||
+          lastError.message.includes('ECONNRESET') ||
+          lastError.message.includes('ETIMEDOUT') ||
+          lastError.message.includes('ENOTFOUND') ||
+          lastError.message.includes('EAI_AGAIN');
+
+        if (!isRetryableError || attempt === maxRetries) {
+          throw lastError;
+        }
+
+        // Exponential backoff: wait longer between each retry
+        const delayMs = initialDelayMs * Math.pow(2, attempt);
+        console.warn(
+          `Attempt ${attempt + 1}/${maxRetries + 1} failed for provider ${this.name}. ` +
+          `Retrying in ${delayMs}ms... Error: ${lastError.message}`
+        );
+
+        await new Promise(resolve => setTimeout(resolve, delayMs));
+      }
+    }
+
+    throw lastError || new Error('Failed to retrieve signing key');
+  }
+
+  /**
+   * Checks if a given issuer URL belongs to this provider
+   */
+  matchesIssuer(issuer: string): boolean {
+    // Handle trailing slashes and case sensitivity
+    const normalizedIssuer = issuer.toLowerCase().replace(/\/$/, '');
+    const normalizedProviderIssuer = this.issuer.toLowerCase().replace(/\/$/, '');
+    return normalizedIssuer === normalizedProviderIssuer;
+  }
+
+  /**
+   * Abstract method for extracting user info - must be implemented by each provider
+   */
+  abstract extractUserInfo(payload: JwtPayload): AuthUserInfo;
+}