npm - @monocloud/auth-core - Versions diffs - 0.1.3 → 0.1.5 - Mend

@monocloud/auth-core 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +19 -3
package/dist/index.cjs +101 -65
package/dist/index.cjs.map +1 -1
package/dist/index.d.mts +72 -35
package/dist/index.mjs +75 -40
package/dist/index.mjs.map +1 -1
package/dist/types-hokU85Zr.d.mts +1243 -0
package/dist/utils/index.cjs +19 -19
package/dist/utils/index.cjs.map +1 -1
package/dist/utils/index.d.mts +5 -7
package/dist/utils/index.mjs +5 -6
package/dist/utils/index.mjs.map +1 -1
package/dist/utils/internal.cjs +365 -23
package/dist/utils/internal.cjs.map +1 -0
package/dist/utils/internal.d.mts +5 -6
package/dist/utils/internal.mjs +342 -2
package/dist/utils/internal.mjs.map +1 -0
package/package.json +4 -4
package/dist/index.d.cts +0 -274
package/dist/internal-DXHuqjJJ.mjs +0 -343
package/dist/internal-DXHuqjJJ.mjs.map +0 -1
package/dist/internal-DytuO03E.cjs +0 -475
package/dist/internal-DytuO03E.cjs.map +0 -1
package/dist/types-CnxqWHwA.d.cts +0 -481
package/dist/types-DwJl9ZUf.d.mts +0 -481
package/dist/utils/index.d.cts +0 -106
package/dist/utils/internal.d.cts +0 -209

package/dist/types-hokU85Zr.d.mts ADDED Viewed

@@ -0,0 +1,1243 @@
+//#region src/types.d.ts
+/**
+ * Supported OAuth 2.0 / OpenID Connect response types.
+ *
+ * Response types determine which artifacts are returned from the authorization endpoint during authentication.
+ *
+ * > Modern applications should prefer the Authorization Code Flow (`code`) with PKCE. Implicit flow variants are included for compatibility with legacy or specialized scenarios.
+ *
+ * @category Types (Enums)
+ */
+type ResponseTypes =
+/**
+ * Authorization Code Flow (recommended). Returns an authorization code that is exchanged for tokens server-side.
+ */
+'code'
+/**
+ * Implicit Flow returning an access token directly from the authorization endpoint.
+ */
+| 'token'
+/**
+ * Implicit Flow returning an ID token.
+ */
+| 'id_token'
+/**
+ * Implicit Flow returning both an ID token and an access token.
+ */
+| 'id_token token'
+/**
+ * Hybrid Flow returning an authorization code and an ID token.
+ */
+| 'code id_token'
+/**
+ * Hybrid Flow returning an authorization code and an access token.
+ */
+| 'code token'
+/**
+ * Hybrid Flow returning an authorization code, ID token, and access token.
+ */
+| 'code id_token token';
+/**
+ * Supported PKCE (Proof Key for Code Exchange) code challenge methods.
+ *
+ * PKCE protects authorization code flows by binding the authorization request to the token exchange using a cryptographic verifier.
+ *
+ * @category Types (Enums)
+ */
+type CodeChallengeMethod =
+/**
+ * Uses the code verifier directly as the challenge. Not recommended for production use.
+ */
+'plain'
+/**
+ * Uses a SHA-256 hash of the code verifier.
+ */
+| 'S256';
+/**
+ * Supported OpenID Connect `display` parameter values.
+ *
+ * The display parameter hints to the authorization server how the authentication or consent UI should be presented to the user.
+ *
+ * @category Types (Enums)
+ */
+type DisplayOptions =
+/**
+ * Full-page authentication experience in the browser.
+ */
+'page'
+/**
+ * Authentication optimized for popup windows.
+ */
+| 'popup'
+/**
+ * Authentication optimized for touch-based devices.
+ */
+| 'touch'
+/**
+ * Authentication optimized for legacy mobile or constrained browsers.
+ */
+| 'wap';
+/**
+ * Supported OAuth 2.0 / OpenID Connect `response_mode` values.
+ *
+ * The response mode determines how authorization results are returned from the authorization endpoint to the client application.
+ *
+ * @category Types (Enums)
+ */
+type ResponseModes =
+/**
+ * Returns authorization results using an HTTP POST request with parameters encoded in the request body.
+ */
+'form_post'
+/**
+ * Returns authorization results as URL query parameters.
+ */
+| 'query'
+/**
+ * Returns authorization results in the URL fragment.
+ */
+| 'fragment';
+/**
+ * Supported OpenID Connect `prompt` parameter values.
+ *
+ * The `prompt` parameter controls whether the authorization server should force specific user interactions during authentication.
+ *
+ * @category Types (Enums)
+ */
+type Prompt =
+/**
+ * Do not display any authentication or consent UI.
+ */
+'none'
+/**
+ * Forces the user to re-authenticate even if an active session exists.
+ */
+| 'login'
+/**
+ * Forces the consent screen to be displayed to the user.
+ */
+| 'consent'
+/**
+ * Prompts the user to choose an account when multiple sessions exist.
+ */
+| 'select_account'
+/**
+ * Prompts the user to create a new account (sign-up flow).
+ */
+| 'create';
+/**
+ * Parameters used to construct an OAuth 2.0 / OpenID Connect authorization request.
+ *
+ * @category Types
+ */
+interface AuthorizationParams {
+  /**
+   * A cryptographically random value used to maintain request state
+   * and protect against CSRF attacks.
+   */
+  state?: string;
+  /**
+   * Space-separated list of scopes requested during authentication.
+   */
+  scopes?: string;
+  /**
+   * The redirect URI where the authorization server sends the user after authentication completes.
+   */
+  redirectUri?: string;
+  /**
+   * Determines which artifacts are returned from the authorization endpoint.
+   */
+  responseType?: ResponseTypes;
+  /**
+   * PKCE code challenge derived from the code verifier. Used to secure authorization code exchanges.
+   */
+  codeChallenge?: string;
+  /**
+   * Method used to generate the PKCE code challenge.
+   */
+  codeChallengeMethod?: CodeChallengeMethod;
+  /**
+   * Hint to the authorization server indicating which authenticator or connection should be used.
+   */
+  authenticatorHint?: Authenticators;
+  /**
+   * Maximum acceptable time (in seconds) since the user last authenticated. If exceeded, the user may be required to sign in again.
+   */
+  maxAge?: number;
+  /**
+   * Hint identifying the user (for example, email or username). Used to prefill or optimize the sign-in experience.
+   */
+  loginHint?: string;
+  /**
+   * A signed JWT containing authorization request parameters.
+   */
+  request?: string;
+  /**
+   * Specifies how the authorization response is returned to the client.
+   */
+  responseMode?: ResponseModes;
+  /**
+   * Authentication Context Class Reference (ACR) values requesting specific authentication assurance levels or methods.
+   */
+  acrValues?: string[];
+  /**
+   * A cryptographically random value included in the ID token to prevent replay attacks.
+   */
+  nonce?: string;
+  /**
+   * Preferred UI language.
+   */
+  uiLocales?: string;
+  /**
+   * Preferred display mode for the authentication UI.
+   */
+  display?: DisplayOptions;
+  /**
+   * Controls authentication interaction behavior. For example, forcing login or consent.
+   */
+  prompt?: Prompt;
+  /**
+   * URI referencing a previously created authorization request (typically via Pushed Authorization Requests — PAR).
+   *
+   * When set, other authorization parameters may be ignored.
+   */
+  requestUri?: string;
+  /**
+   * Space-separated list of resource indicators that scope the issued access token.
+   */
+  resource?: string;
+}
+/**
+ * Parameters returned to the application after the authorization server redirects the user back to the callback URL.
+ *
+ * @category Types
+ */
+interface CallbackParams {
+  /**
+   * The state value originally sent in the authorization request. Used to validate request integrity and prevent CSRF attacks.
+   */
+  state?: string;
+  /**
+   * Error code returned when authorization fails.
+   */
+  error?: string;
+  /**
+   * Human-readable description providing additional information about the authorization error.
+   */
+  errorDescription?: string;
+  /**
+   * Authorization code returned when using the Authorization Code Flow.
+   */
+  code?: string;
+  /**
+   * Access token returned directly by implicit or hybrid flows.
+   */
+  accessToken?: string;
+  /**
+   * Lifetime of the access token in seconds.
+   */
+  expiresIn?: number;
+  /**
+   * ID token issued by the authorization server.
+   */
+  idToken?: string;
+  /**
+   * Refresh token issued during authorization (if enabled).
+   */
+  refreshToken?: string;
+  /**
+   * OIDC session state value used for session monitoring and front-channel session management.
+   */
+  sessionState?: string;
+}
+/**
+ * Represents a JSON Web Key (JWK) as defined by RFC 7517.
+ *
+ * A JWK describes a cryptographic key used to verify or encrypt JSON Web Tokens (JWTs) as obtained from the JWKS (JSON Web Key Set) endpoint exposed by the authorization server.
+ *
+ * The available properties depend on the key type (`kty`).
+ *
+ * @category Types
+ */
+interface Jwk {
+  /**
+   * Key type (for example: `RSA`, or `EC`).
+   */
+  kty: string;
+  /**
+   * Intended algorithm for the key (for example: `RS256`).
+   */
+  alg?: string;
+  /**
+   * Allowed operations for the key (e.g. `sign`, `verify`, `encrypt`).
+   */
+  key_ops?: string[];
+  /**
+   * Indicates whether the key is extractable.
+   */
+  ext?: boolean;
+  /**
+   * Public key use (`sig` for signature or `enc` for encryption).
+   */
+  use?: string;
+  /**
+   * X.509 certificate chain.
+   */
+  x5c?: string[];
+  /**
+   * X.509 certificate SHA-1 thumbprint.
+   */
+  x5t?: string;
+  /**
+   * X.509 certificate SHA-256 thumbprint.
+   */
+  'x5t#S256'?: string;
+  /**
+   * URL referencing the X.509 certificate.
+   */
+  x5u?: string;
+  /**
+   * Key identifier used to match keys during verification.
+   */
+  kid?: string;
+  /**
+   * Elliptic curve name (for example: `P-256`).
+   */
+  crv?: string;
+  /**
+   * X coordinate for EC public keys.
+   */
+  x?: string;
+  /**
+   * Y coordinate for EC public keys.
+   */
+  y?: string;
+  /**
+   * RSA modulus.
+   */
+  n?: string;
+  /**
+   * RSA public exponent.
+   */
+  e?: string;
+  /**
+   * RSA private exponent.
+   */
+  d?: string;
+  /**
+   * RSA first prime factor.
+   */
+  p?: string;
+  /**
+   * RSA second prime factor.
+   */
+  q?: string;
+  /**
+   * RSA first factor CRT exponent.
+   */
+  dp?: string;
+  /**
+   * RSA second factor CRT exponent.
+   */
+  dq?: string;
+  /**
+   * RSA CRT coefficient.
+   */
+  qi?: string;
+  /**
+   * Additional prime information (multi-prime RSA).
+   */
+  oth?: {
+    d?: string;
+    r?: string;
+    t?: string;
+  }[];
+  /**
+   * Symmetric key value (base64url encoded).
+   */
+  k?: string;
+}
+/**
+ * Represents a JSON Web Key Set (JWKS).
+ *
+ * A JWKS is a collection of public JSON Web Keys used to verify signatures of JSON Web Tokens (JWTs).
+ *
+ * @category Types
+ */
+interface Jwks {
+  /**
+   * The list of public keys contained in this key set.
+   */
+  keys: Jwk[];
+}
+/**
+ * Represents a postal address as defined by the OpenID Connect standard `address` claim.
+ *
+ * @category Types
+ */
+interface Address {
+  /**
+   * Full mailing address formatted for display or mailing labels.
+   */
+  formatted?: string;
+  /**
+   * Full street address component, which may include house number, street name, apartment, suite, or unit information.
+   */
+  street_address?: string;
+  /**
+   * City or locality component.
+   */
+  locality?: string;
+  /**
+   * State, province, or region component.
+   */
+  region?: string;
+  /**
+   * Postal or ZIP code.
+   */
+  postal_code?: string;
+  /**
+   * Country name or ISO country code.
+   */
+  country?: string;
+  /**
+   * Additional provider-specific address fields.
+   */
+  [key: string]: unknown;
+}
+/**
+ * Represents the OpenID Connect **UserInfo** response.
+ *
+ * @typeParam TAddress - The shape of the `address` claim. Defaults to {@link Address}.
+ *
+ * @category Types
+ */
+interface UserinfoResponse<TAddress extends Address = Address> {
+  /**
+   * Subject identifier - a unique, stable identifier for the user within the issuer.
+   */
+  sub: string;
+  /**
+   * Group memberships for the user.
+   */
+  groups?: Group[];
+  /**
+   * Full name of the user (e.g. "Jane Doe").
+   */
+  name?: string;
+  /**
+   * Given name(s) / first name.
+   */
+  given_name?: string;
+  /**
+   * Surname(s) / last name.
+   */
+  family_name?: string;
+  /**
+   * Middle name(s).
+   */
+  middle_name?: string;
+  /**
+   * Casual name used by the user.
+   */
+  nickname?: string;
+  /**
+   * Preferred username.
+   */
+  preferred_username?: string;
+  /**
+   * URL of the user's profile page.
+   */
+  profile?: string;
+  /**
+   * URL of the user's profile picture.
+   */
+  picture?: string;
+  /**
+   * URL of the user's website.
+   */
+  website?: string;
+  /**
+   * Email address.
+   */
+  email?: string;
+  /**
+   * Whether the email address has been verified by the provider.
+   */
+  email_verified?: boolean;
+  /**
+   * Gender.
+   */
+  gender?: string;
+  /**
+   * Birthday.
+   */
+  birthdate?: string;
+  /**
+   * Time zone name.
+   */
+  zoneinfo?: string;
+  /**
+   * Locale.
+   */
+  locale?: string;
+  /**
+   * Phone number (formatted in E.164 standard).
+   */
+  phone_number?: string;
+  /**
+   * Whether the phone number has been verified by the provider.
+   */
+  phone_number_verified?: boolean;
+  /**
+   * Time the user's information was last updated (seconds since epoch).
+   */
+  updated_at?: number;
+  /**
+   * Postal address.
+   */
+  address?: TAddress;
+  /**
+   * Additional provider-specific claims.
+   */
+  [key: string]: unknown;
+}
+/**
+ * Represents a user group included in the authenticated session.
+ *
+ * @category Types
+ */
+type Group =
+/**
+ * Structured group representation.
+ */
+{
+  id: string;
+  name: string;
+}
+/**
+ * Group identifier or group name.
+ */
+| string;
+/**
+ * Represents the authenticated user stored in a MonoCloud session.
+ *
+ * @category Types
+ */
+interface MonoCloudUser extends UserinfoResponse {
+  /**
+   * Authentication Methods References (AMR). Indicates how the user authenticated.
+   */
+  amr?: string[];
+  /**
+   * Identity Provider (IdP) identifier. Specifies the upstream provider used to authenticate the user.
+   */
+  idp?: string;
+}
+/**
+ * Represents an OAuth 2.0 access token and its associated metadata.
+ *
+ * @category Types
+ */
+interface AccessToken {
+  /**
+   * The issued access token.
+   */
+  accessToken: string;
+  /**
+   * The expiration time of the access token (Unix epoch, in seconds).
+   */
+  accessTokenExpiration: number;
+  /**
+   * Space-separated list of scopes granted to the access token.
+   *
+   * These represent the effective permissions approved by the authorization server.
+   */
+  scopes: string;
+  /**
+   * Optional resource (audience) that the access token is scoped for.
+   */
+  resource?: string;
+  /**
+   * Optional space-separated list of scopes originally requested during token acquisition.
+   */
+  requestedScopes?: string;
+}
+/**
+ * Represents an authenticated session, containing the authenticated user profile along with the tokens and metadata issued during authentication.
+ *
+ * @category Types
+ */
+interface MonoCloudSession {
+  /**
+   * The authenticated user profile, typically derived from ID token claims and/or the `UserInfo` endpoint.
+   */
+  user: MonoCloudUser;
+  /**
+   * Optional ID token issued during authentication.
+   */
+  idToken?: string;
+  /**
+   * Space-separated list of scopes authorized for the session.
+   */
+  authorizedScopes?: string;
+  /**
+   * Access tokens associated with the session.
+   *
+   * Multiple tokens may exist when access tokens are issued for different resources or scope sets.
+   */
+  accessTokens?: AccessToken[];
+  /**
+   * Optional refresh token used to obtain new access tokens without requiring the user to re-authenticate.
+   */
+  refreshToken?: string;
+  /**
+   * Additional custom properties attached to the session.
+   *
+   * These may be added via hooks such as `onSessionCreating`.
+   */
+  [key: string]: unknown;
+}
+/**
+ * Standard OpenID Connect ID Token claims.
+ *
+ * @category Types
+ */
+interface IdTokenClaims extends UserinfoResponse {
+  /**
+   * Authentication Context Class Reference. Indicates the assurance level of the authentication performed.
+   */
+  acr?: string;
+  /**
+   * Authentication Methods References. Lists the authentication methods used (for example: `pwd`, `mfa`, `otp`).
+   */
+  amr?: string[];
+  /**
+   * Access token hash. Used to validate access tokens returned alongside the ID token.
+   */
+  at_hash?: string;
+  /**
+   * Intended audience(s) of the ID token.
+   */
+  aud: string | string[];
+  /**
+   * Time when the end-user authentication occurred (Unix epoch seconds).
+   */
+  auth_time?: number;
+  /**
+   * Authorized party - identifies the client to which the ID token was issued.
+   */
+  azp?: string;
+  /**
+   * Authorization code hash. Used to validate authorization codes returned with hybrid flows.
+   */
+  c_hash?: string;
+  /**
+   * Expiration time of the ID token (Unix epoch seconds).
+   */
+  exp: number;
+  /**
+   * Time at which the ID token was issued (Unix epoch seconds).
+   */
+  iat: number;
+  /**
+   * Issuer identifier - the authorization server that issued the token.
+   */
+  iss: string;
+  /**
+   * Nonce value used to associate the authentication request with the issued ID token and prevent replay attacks.
+   */
+  nonce?: string;
+  /**
+   * State hash (used in some hybrid flow validations).
+   */
+  s_hash?: string;
+  /**
+   * Subject identifier — uniquely identifies the authenticated user.
+   */
+  sub: string;
+  /**
+   * Additional custom or provider-specific claims.
+   */
+  [key: string]: unknown;
+}
+/**
+ * OAuth 2.0 / OpenID Connect token endpoint response.
+ *
+ * @category Types
+ */
+interface Tokens {
+  /**
+   * Access token issued by the authorization server.
+   */
+  access_token: string;
+  /**
+   * Optional refresh token used to obtain new access tokens without requiring user re-authentication.
+   */
+  refresh_token?: string;
+  /**
+   * Optional ID token containing authentication claims about the user.
+   */
+  id_token?: string;
+  /**
+   * Space-separated list of scopes granted for the access token.
+   */
+  scope?: string;
+  /**
+   * Lifetime of the access token (in seconds) from the time the response was issued.
+   */
+  expires_in?: number;
+  /**
+   * Token type issued.
+   */
+  token_type?: string;
+}
+/**
+ * Supported authentication methods and identity providers.
+ *
+ * @category Types (Enums)
+ */
+type Authenticators =
+/**
+ * Username/password authentication.
+ */
+'password'
+/**
+ * Passkey (WebAuthn / FIDO2) authentication.
+ */
+| 'passkey'
+/**
+ * Email-based authentication (magic link or OTP).
+ */
+| 'email'
+/**
+ * Phone-based authentication (SMS OTP).
+ */
+| 'phone'
+/**
+ * Google identity provider.
+ */
+| 'google'
+/**
+ * Apple identity provider.
+ */
+| 'apple'
+/**
+ * Facebook identity provider.
+ */
+| 'facebook'
+/**
+ * Microsoft identity provider.
+ */
+| 'microsoft'
+/**
+ * GitHub identity provider.
+ */
+| 'github'
+/**
+ * GitLab identity provider.
+ */
+| 'gitlab'
+/**
+ * Discord identity provider.
+ */
+| 'discord'
+/**
+ * Twitter (X) identity provider.
+ */
+| 'twitter'
+/**
+ * LinkedIn identity provider.
+ */
+| 'linkedin'
+/**
+ * Xero identity provider.
+ */
+| 'xero';
+/**
+ * Supported JSON Web Signature (JWS) algorithms used to sign tokens.
+ *
+ * These algorithms define how tokens issued by MonoCloud are cryptographically signed and verified. The expected algorithm should match the configuration of your MonoCloud application.
+ *
+ * @category Types (Enums)
+ */
+type SecurityAlgorithms =
+/**
+ * RSA using SHA-256.
+ *
+ * Default and most commonly used signing algorithm.
+ */
+'RS256'
+/**
+ * RSA using SHA-384.
+ */
+| 'RS384'
+/**
+ * RSA using SHA-512.
+ */
+| 'RS512'
+/**
+ * RSA-PSS using SHA-256.
+ *
+ * Provides stronger cryptographic padding than RS256.
+ */
+| 'PS256'
+/**
+ * RSA-PSS using SHA-384.
+ */
+| 'PS384'
+/**
+ * RSA-PSS using SHA-512.
+ */
+| 'PS512'
+/**
+ * ECDSA using P-256 curve and SHA-256.
+ *
+ * Produces smaller tokens and faster verification.
+ */
+| 'ES256'
+/**
+ * ECDSA using P-384 curve and SHA-384.
+ */
+| 'ES384'
+/**
+ * ECDSA using P-521 curve and SHA-512.
+ */
+| 'ES512';
+/**
+ * Parameters contained in a JSON Web Signature (JWS) header.
+ *
+ * @category Types
+ */
+interface JwsHeaderParameters {
+  /**
+   * The cryptographic algorithm used to sign the token.
+   */
+  alg: SecurityAlgorithms;
+  /**
+   * Identifier of the key used to sign the token.
+   */
+  kid?: string;
+  /**
+   * The token type.
+   */
+  typ?: string;
+  /**
+   * List of header parameters that are marked as critical and must be understood by the token processor.
+   */
+  crit?: string[];
+  /**
+   * An embedded JSON Web Key (JWK) containing the signing key.
+   */
+  jwk?: Jwk;
+}
+/**
+ * Represents the authentication transaction state stored between the authorization request and the callback.
+ *
+ * @category Types
+ */
+interface AuthState {
+  /**
+   * A unique value used to correlate the authorization request with the callback and protect against CSRF attacks.
+   */
+  state: string;
+  /**
+   * A cryptographic value used to associate the ID token with the original authentication request and prevent replay attacks.
+   */
+  nonce: string;
+  /**
+   * Optional. PKCE code verifier used to validate the authorization code exchange.
+   */
+  codeVerifier?: string;
+  /**
+   * Optional. Maximum allowed time (in seconds) since the user's last authentication.
+   */
+  maxAge?: number;
+  /**
+   * Optional. Space-separated list of resource indicators requested for the access token.
+   */
+  resource?: string;
+  /**
+   * Space-separated list of scopes requested during authorization.
+   */
+  scopes: string;
+}
+/**
+ * Parameters used to construct an OpenID Connect end-session (sign-out) request.
+ *
+ * @category Types
+ */
+interface EndSessionParameters {
+  /**
+   * ID token hint identifying the session to terminate.
+   *
+   * When provided, the authorization server can use this value to determine which user session should be signed out.
+   */
+  idToken?: string;
+  /**
+   * The URL the authorization server should redirect the user to after a successful sign-out.
+   */
+  postLogoutRedirectUri?: string;
+  /**
+   * Optional state value returned to the application after sign-out.
+   */
+  state?: string;
+}
+/**
+ * OpenID Connect Discovery metadata published by the authorization server.
+ *
+ * @category Types
+ */
+interface IssuerMetadata {
+  /**
+   * The issuer identifier for the authorization server.
+   */
+  issuer: string;
+  /**
+   * JSON Web Key Set (JWKS) endpoint used to obtain signing keys.
+   */
+  jwks_uri: string;
+  /**
+   * Authorization endpoint used to initiate authentication requests.
+   */
+  authorization_endpoint: string;
+  /**
+   * Token endpoint used to exchange authorization codes for tokens.
+   */
+  token_endpoint: string;
+  /**
+   * UserInfo endpoint used to retrieve user profile claims.
+   */
+  userinfo_endpoint: string;
+  /**
+   * End-session endpoint used to initiate logout.
+   */
+  end_session_endpoint: string;
+  /**
+   * Session management iframe endpoint.
+   */
+  check_session_iframe: string;
+  /**
+   * Token revocation endpoint.
+   */
+  revocation_endpoint: string;
+  /**
+   * Token introspection endpoint.
+   */
+  introspection_endpoint: string;
+  /**
+   * Device Authorization Grant endpoint.
+   */
+  device_authorization_endpoint: string;
+  /**
+   * Pushed Authorization Request (PAR) endpoint.
+   */
+  pushed_authorization_request_endpoint?: string;
+  /**
+   * Indicates support for front-channel logout.
+   */
+  frontchannel_logout_supported: boolean;
+  /**
+   * Indicates front-channel logout session support.
+   */
+  frontchannel_logout_session_supported: boolean;
+  /**
+   * Indicates support for back-channel logout.
+   */
+  backchannel_logout_supported: boolean;
+  /**
+   * Indicates back-channel logout session support.
+   */
+  backchannel_logout_session_supported: boolean;
+  /**
+   * OAuth scopes supported by the authorization server.
+   */
+  scopes_supported: string[];
+  /**
+   * Claims that may be returned in tokens or UserInfo responses.
+   */
+  claims_supported: string[];
+  /**
+   * Supported OAuth grant types.
+   */
+  grant_types_supported: string[];
+  /**
+   * Supported OAuth/OIDC response types.
+   */
+  response_types_supported: string[];
+  /**
+   * Supported response modes.
+   */
+  response_modes_supported: string[];
+  /**
+   * Supported authentication methods for the token endpoint.
+   */
+  token_endpoint_auth_methods_supported: string[];
+  /**
+   * Supported signing algorithms for ID tokens.
+   */
+  id_token_signing_alg_values_supported: string[];
+  /**
+   * Supported subject identifier types.
+   */
+  subject_types_supported: string[];
+  /**
+   * Supported PKCE code challenge methods.
+   */
+  code_challenge_methods_supported: string[];
+  /**
+   * Indicates support for request objects passed by value.
+   */
+  request_parameter_supported: boolean;
+  /**
+   * Indicates support for request objects passed by reference (request_uri).
+   */
+  request_uri_parameter_supported: boolean;
+  /**
+   * Indicates whether PAR is required for authorization requests.
+   */
+  require_pushed_authorization_requests: boolean;
+  /**
+   * Supported signing algorithms for request objects.
+   */
+  request_object_signing_alg_values_supported: string[];
+}
+/**
+ * Options used when exchanging a refresh token for a new access token.
+ *
+ * These parameters allow requesting an access token scoped to specific resources or scopes that were previously authorized by the user.
+ *
+ * @category Types
+ */
+interface RefreshGrantOptions {
+  /**
+   * Space-separated list of resource indicators that the new access token should be issued for.
+   *
+   * The requested resources must have been previously granted during the original authorization flow.
+   */
+  resource?: string;
+  /**
+   * Space-separated list of scopes to request for the refreshed access token.
+   *
+   * The requested scopes must have been granted during the original authorization flow.
+   */
+  scopes?: string;
+}
+/**
+ * Options used when authenticating a user via the Authorization Code flow.
+ *
+ * @category Types
+ */
+interface AuthenticateOptions {
+  /**
+   * PKCE code verifier associated with the authorization request.
+   */
+  codeVerifier?: string;
+  /**
+   * When enabled, user profile data is fetched from the UserInfo endpoint and merged into the session user object.
+   * @defaultValue false
+   */
+  fetchUserInfo?: boolean;
+  /**
+   * Determines whether the ID token signature and claims should be validated. Disabling validation is not recommended except for advanced or controlled environments.
+   * @defaultValue true
+   */
+  validateIdToken?: boolean;
+  /**
+   * JSON Web Key Set used to validate the ID token signature.
+   *
+   * If not provided, the JWKS is automatically fetched from the authorization server metadata.
+   */
+  jwks?: Jwks;
+  /**
+   * Nonce value expected in the ID token. Used to prevent replay attacks.
+   */
+  idTokenNonce?: string;
+  /**
+   * Maximum allowed authentication age (in seconds) for the ID token.
+   */
+  idTokenMaxAge?: number;
+  /**
+   * Clock skew adjustment (in seconds) applied when validating ID token timestamps against the authorization server.
+   */
+  idTokenClockSkew?: number;
+  /**
+   * Additional allowed clock tolerance (in seconds) when validating time-based ID token claims such as `exp`, `iat`, and `nbf`.
+   */
+  idTokenClockTolerance?: number;
+  /**
+   * List of ID token claims to remove before storing the session.
+   */
+  filteredIdTokenClaims?: string[];
+  /**
+   * Callback invoked before a session is created or updated. Allows customization or enrichment of the session.
+   */
+  onSessionCreating?: OnSessionCreating;
+}
+/**
+ * Options used when refreshing an existing MonoCloud session.
+ *
+ * @category Types
+ */
+interface RefreshSessionOptions {
+  /**
+   * When enabled, user profile data is fetched from the UserInfo endpoint and merged into the session user object.
+   * @defaultValue false
+   */
+  fetchUserInfo?: boolean;
+  /**
+   * Determines whether the ID token signature and claims should be validated. Disabling validation is not recommended except for advanced or controlled environments.
+   * @defaultValue true
+   */
+  validateIdToken?: boolean;
+  /**
+   * JSON Web Key Set used to validate the ID token signature.
+   *
+   * If not provided, the JWKS is automatically fetched from the authorization server metadata.
+   */
+  jwks?: Jwks;
+  /**
+   * Clock skew adjustment (in seconds) applied when validating ID token timestamps against the authorization server.
+   */
+  idTokenClockSkew?: number;
+  /**
+   * Additional allowed clock tolerance (in seconds) when validating time-based ID token claims such as `exp`, `iat`, and `nbf`.
+   */
+  idTokenClockTolerance?: number;
+  /**
+   * Options applied to the refresh token grant request, such as requesting tokens for specific resources or scopes.
+   */
+  refreshGrantOptions?: RefreshGrantOptions;
+  /**
+   * List of ID token claims to remove before storing the session.
+   */
+  filteredIdTokenClaims?: string[];
+  /**
+   * Callback invoked before a session is created or updated. Allows customization or enrichment of the session.
+   */
+  onSessionCreating?: OnSessionCreating;
+}
+/**
+ * Options used when refetching user profile data from the UserInfo endpoint.
+ *
+ * @category Types
+ */
+interface RefetchUserInfoOptions {
+  /**
+   * Callback invoked before a session is created or updated. Allows customization or enrichment of the session.
+      */
+  onSessionCreating?: OnSessionCreating;
+}
+/**
+ * Supported OAuth 2.0 client authentication methods.
+ *
+ * These methods define how a client authenticates itself when calling the authorization server token endpoint.
+ *
+ * @category Types (Enums)
+ */
+type ClientAuthMethod =
+/**
+ * Client credentials are sent using HTTP Basic authentication
+ */
+'client_secret_basic'
+/**
+ * Client credentials are included in the request body as form parameters.
+ */
+| 'client_secret_post'
+/**
+ * Client authenticates using a signed JWT created with the client secret.
+ */
+| 'client_secret_jwt'
+/**
+ * Client authenticates using a signed JWT created with a private key.
+ */
+| 'private_key_jwt';
+/**
+ * Parameters used when creating a Pushed Authorization Request (PAR).
+ *
+ * This type mirrors {@link AuthorizationParams} but excludes `requestUri`,
+ * since the `request_uri` value is generated by the authorization server
+ * after a successful PAR request and must not be supplied by the client.
+ *
+ * @category Types
+ */
+interface PushedAuthorizationParams extends Omit<AuthorizationParams, 'requestUri'> {}
+/**
+ * Configuration options used to initialize the MonoCloudClient.
+ *
+ * @category Types
+ */
+interface MonoCloudClientOptions {
+  /**
+   * Client secret used for client authentication.
+   *
+   * When `clientAuthMethod` is `client_secret_jwt` and a plain-text secret is provided, the default signing algorithm is `HS256`.
+   *
+   * To use a different algorithm, provide a symmetric JSON Web Key (JWK) (`kty: "oct"`) with the desired algorithm specified in its `alg` property.
+   */
+  clientSecret?: string | Jwk;
+  /**
+   * Client authentication method used when communicating with the token endpoint.
+   */
+  clientAuthMethod?: ClientAuthMethod;
+  /**
+   * Expected signing algorithm for validating ID tokens.
+   * @defaultValue 'RS256'
+   */
+  idTokenSigningAlgorithm?: SecurityAlgorithms;
+  /**
+   * Duration (in seconds) to cache the JSON Web Key Set (JWKS) retrieved from the authorization server.
+   * @defaultValue 300
+   */
+  jwksCacheDuration?: number;
+  /**
+   * Duration (in seconds) to cache OpenID Connect discovery metadata.
+   * @defaultValue 300
+   */
+  metadataCacheDuration?: number;
+}
+/**
+ * Response returned from the Pushed Authorization Request (PAR) endpoint.
+ *
+ * @category Types
+ */
+interface ParResponse {
+  /**
+   * The URI reference identifying the pushed authorization request.
+   *
+   * This value must be supplied as the `request_uri` parameter when redirecting the user to the authorization endpoint.
+   */
+  request_uri: string;
+  /**
+   * Lifetime of the `request_uri`, in seconds. After this duration expires, the authorization request becomes invalid.
+   */
+  expires_in: number;
+}
+/**
+ * Callback invoked before a session is created or updated.
+ *
+ * This hook allows you to inspect or modify the session during the authentication lifecycle — for example, to enrich the session with custom claims, normalize user data, or apply application-specific logic.
+ *
+ * @category Types (Handler)
+ *
+ * @param session - The session being created or updated.
+ * @param idToken - Optional. Claims extracted from the ID token.
+ * @param userInfo - Optional. Claims returned from the `UserInfo` endpoint.
+ * @returns Returns a promise or void. Execution continues once the callback completes.
+ */
+type OnSessionCreating = (
+/**
+ * The session being created or updated.
+ */
+session: MonoCloudSession,
+/**
+ * Optional. Claims extracted from the ID token received during authentication.
+ */
+idToken?: Partial<IdTokenClaims>,
+/**
+ * Optional. Claims returned from the UserInfo endpoint.
+ */
+userInfo?: UserinfoResponse) => Promise<void> | void;
+//#endregion
+export { SecurityAlgorithms as A, Prompt as C, RefreshSessionOptions as D, RefreshGrantOptions as E, UserinfoResponse as M, ResponseModes as O, ParResponse as S, RefetchUserInfoOptions as T, JwsHeaderParameters as _, Authenticators as a, MonoCloudUser as b, ClientAuthMethod as c, EndSessionParameters as d, Group as f, Jwks as g, Jwk as h, AuthenticateOptions as i, Tokens as j, ResponseTypes as k, CodeChallengeMethod as l, IssuerMetadata as m, Address as n, AuthorizationParams as o, IdTokenClaims as p, AuthState as r, CallbackParams as s, AccessToken as t, DisplayOptions as u, MonoCloudClientOptions as v, PushedAuthorizationParams as w, OnSessionCreating as x, MonoCloudSession as y };
+//# sourceMappingURL=types-hokU85Zr.d.mts.map