@mulverse/mulguard-core 1.0.0

package/src/providers/apple.ts

@@ -0,0 +1,206 @@
+/**
+ * <div class="provider" style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>Apple</b> integration.
+ * </span>
+ * <a href="https://apple.com" style={{backgroundColor: "black", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/apple.svg" width="24"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/apple
+ */
+
+import { conformInternal, customFetch } from "../lib/symbols.js"
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/** The returned user profile from Apple when using the profile callback. */
+export interface AppleProfile extends Record<string, any> {
+  /**
+   * The issuer registered claim identifies the principal that issued the identity token.
+   * Since Apple generates the token, the value is `https://appleid.apple.com`.
+   */
+  iss: "https://appleid.apple.com"
+  /**
+   * The audience registered claim identifies the recipient for which the identity token is intended.
+   * Since the token is meant for your application, the value is the `client_id` from your developer account.
+   */
+  aud: string
+  /**
+   * The issued at registered claim indicates the time at which Apple issued the identity token,
+   * in terms of the number of seconds since Epoch, in UTC.
+   */
+  iat: number
+
+  /**
+   * The expiration time registered identifies the time on or after which the identity token expires,
+   * in terms of number of seconds since Epoch, in UTC.
+   * The value must be greater than the current date/time when verifying the token.
+   */
+  exp: number
+  /**
+   * The subject registered claim identifies the principal that's the subject of the identity token.
+   * Since this token is meant for your application, the value is the unique identifier for the user.
+   */
+  sub: string
+  /**
+   * A String value used to associate a client session and the identity token.
+   * This value mitigates replay attacks and is present only if passed during the authorization request.
+   */
+  nonce: string
+
+  /**
+   * A Boolean value that indicates whether the transaction is on a nonce-supported platform.
+   * If you sent a nonce in the authorization request but don't see the nonce claim in the identity token,
+   * check this claim to determine how to proceed.
+   * If this claim returns true, you should treat nonce as mandatory and fail the transaction;
+   * otherwise, you can proceed treating the nonce as options.
+   */
+  nonce_supported: boolean
+
+  /**
+   * A String value representing the user's email address.
+   * The email address is either the user's real email address or the proxy address,
+   * depending on their status private email relay service.
+   */
+  email: string
+
+  /**
+   * A String or Boolean value that indicates whether the service has verified the email.
+   * The value of this claim is always true, because the servers only return verified email addresses.
+   * The value can either be a String (`"true"`) or a Boolean (`true`).
+   */
+  email_verified: "true" | true
+
+  /**
+   * A String or Boolean value that indicates whether the email shared by the user is the proxy address.
+   * The value can either be a String (`"true"` or `"false"`) or a Boolean (`true` or `false`).
+   */
+  is_private_email: boolean | "true" | "false"
+
+  /**
+   * An Integer value that indicates whether the user appears to be a real person.
+   * Use the value of this claim to mitigate fraud. The possible values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal).
+   * For more information, see [`ASUserDetectionStatus`](https://developer.apple.com/documentation/authenticationservices/asuserdetectionstatus).
+   * This claim is present only on iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14 and later;
+   * the claim isn't present or supported for web-based apps.
+   */
+  real_user_status: 0 | 1 | 2
+
+  /**
+   * A String value representing the transfer identifier used to migrate users to your team.
+   * This claim is present only during the 60-day transfer period after an you transfer an app.
+   * For more information, see [Bringing New Apps and Users into Your Team](https://developer.apple.com/documentation/sign_in_with_apple/bringing_new_apps_and_users_into_your_team).
+   */
+  transfer_sub: string
+  at_hash: string
+  auth_time: number
+  user?: AppleNonConformUser
+}
+
+/**
+ * This is the shape of the `user` query parameter that Apple sends the first
+ * time the user consents to the app.
+ * @see https://developer.apple.com/documentation/sign_in_with_apple/request_an_authorization_to_the_sign_in_with_apple_server#4066168
+ */
+export interface AppleNonConformUser {
+  name: {
+    firstName: string
+    lastName: string
+  }
+  email: string
+}
+
+/**
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/auth/callback/apple
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import Apple from "@auth/core/providers/apple"
+ * ...
+ * providers: [
+ *   Apple({
+ *     clientId: env.AUTH_APPLE_ID,
+ *     clientSecret: env.AUTH_APPLE_SECRET,
+ *   })
+ * ]
+ * ...
+ * ```
+ *
+ * ### Resources
+ *
+ * - Sign in with Apple [Overview](https://developer.apple.com/sign-in-with-apple/get-started/)
+ * - Sign in with Apple [REST API](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api)
+ * - [How to retrieve](https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_rest_api/authenticating_users_with_sign_in_with_apple#3383773) the user's information from Apple ID servers
+ * - [Learn more about OAuth](https://authjs.dev/concepts/oauth)
+ * - [Creating the Client Secret](https://developer.apple.com/documentation/accountorganizationaldatasharing/creating-a-client-secret)
+ *
+ * ### Notes
+ *
+ * - Apple does not support localhost/http URLs. You can only use a live URL with HTTPS.
+ * - Apple requires the client secret to be a JWT. We provide a CLI command `npx auth add apple`, to help you generate one.
+ *   This will prompt you for the necessary information and at the end it will add the `AUTH_APPLE_ID` and `AUTH_APPLE_SECRET` to your `.env` file.
+ * - Apple provides minimal user information. It returns the user's email and name, but only the first time the user consents to the app.
+ * - The Apple provider does not support setting up the same client for multiple deployments (like [preview deployments](https://authjs.dev/getting-started/deployment#securing-a-preview-deployment)).
+ * - The Apple provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/apple.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function Apple(
+  config: OAuthUserConfig<AppleProfile>
+): OAuthConfig<AppleProfile> {
+  return {
+    id: "apple",
+    name: "Apple",
+    type: "oidc",
+    issuer: "https://appleid.apple.com",
+    authorization: {
+      params: {
+        scope: "name email", // https://developer.apple.com/documentation/sign_in_with_apple/clientconfigi/3230955-scope
+        response_mode: "form_post",
+      },
+    },
+    // We need to parse the special `user` parameter the first time the user consents to the app.
+    // It adds the `name` object to the `profile`, with `firstName` and `lastName` fields.
+    [conformInternal]: true,
+    profile(profile) {
+      const name = profile.user
+        ? `${profile.user.name.firstName} ${profile.user.name.lastName}`
+        : profile.email
+      return {
+        id: profile.sub,
+        name: name,
+        email: profile.email,
+        image: null,
+      }
+    },
+    // Apple does not provide a userinfo endpoint.
+    async [customFetch](...args) {
+      const url = new URL(args[0] instanceof Request ? args[0].url : args[0])
+      if (url.pathname.endsWith(".well-known/openid-configuration")) {
+        const response = await fetch(...args)
+        const json = await response.clone().json()
+        return Response.json({
+          ...json,
+          userinfo_endpoint: "https://appleid.apple.com/fake_endpoint",
+        })
+      }
+      return fetch(...args)
+    },
+    client: { token_endpoint_auth_method: "client_secret_post" },
+    style: { text: "#fff", bg: "#000" },
+    checks: ["nonce", "state"],
+    options: config,
+  }
+}

package/src/providers/asgardeo.ts

@@ -0,0 +1,118 @@
+/**
+ * <div class="provider" style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>Asgardeo</b> integration.
+ * </span>
+ * <a href="https://wso2.com/asgardeo/" style={{backgroundColor: "#ECEFF1", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/asgardeo.svg" width="24"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/asgardeo
+ */
+
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/** The returned user profile from Asgardeo when using the profile callback. */
+export interface AsgardeoProfile extends Record<string, any> {
+  /**
+   * The user Asgardeo account ID
+   */
+  sub: string
+  /**
+   * The user name
+   */
+  given_name: string
+  /**
+   * The user email
+   */
+  email: string
+  /**
+   * The user profile picture
+   */
+  picture: string
+}
+
+/**
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/asgardeo
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Asgardeo from "@auth/core/providers/asgardeo";
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Asgardeo({
+ *       clientId: ASGARDEO_CLIENT_ID,
+ *       clientSecret: ASGARDEO_CLIENT_SECRET,
+ *       issuer: ASGARDEO_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Configuring Asgardeo
+ *
+ * Follow these steps:
+ *
+ * 1. Log into the [Asgardeo console](https://console.asgardeo.io)
+ * 2. Next, go to "Application" tab (more info [here](https://wso2.com/asgardeo/docs/guides/applications/register-oidc-web-app/))
+ * 3. Register a standard based, Open ID connect, application
+ * 4. Add the **callback URLs**: `http://localhost:3000/api/auth/callback/asgardeo` (development) and `https://{YOUR_DOMAIN}.com/api/auth/callback/asgardeo` (production)
+ * 5. After registering the application, go to "Protocol" tab.
+ * 6. Check `code` as the grant type.
+ * 7. Add "Authorized redirect URLs" & "Allowed origins fields"
+ * 8. Make Email, First Name, Photo URL user attributes mandatory from the console.
+ *
+ * Then, create a `.env` file in the project root add the following entries:
+ *
+ * ```
+ * ASGARDEO_CLIENT_ID="Copy client ID from protocol tab here"
+ * ASGARDEO_CLIENT_SECRET="Copy client from protocol tab here"
+ * ASGARDEO_ISSUER="Copy the issuer url from the info tab here"
+ * ```
+ *
+ * ### Resources
+ *
+ * - [Asgardeo - Authentication Guide](https://wso2.com/asgardeo/docs/guides/authentication)
+ * - [Learn more about OAuth](https://authjs.dev/concepts/oauth)
+ *
+ * ### Notes
+ *
+ * The Asgardeo provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/asgardeo.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::info
+ * By default, Auth.js assumes that the Asgardeo provider is based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) spec
+ * :::
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function Asgardeo(
+  config: OIDCUserConfig<AsgardeoProfile>
+): OIDCConfig<AsgardeoProfile> {
+  return {
+    id: "asgardeo",
+    name: "Asgardeo",
+    type: "oidc",
+    wellKnown: `${config?.issuer}/oauth2/token/.well-known/openid-configuration`,
+    style: {
+      bg: "#000",
+      text: "#fff",
+    },
+    options: config,
+  }
+}

package/src/providers/atlassian.ts

@@ -0,0 +1,120 @@
+/**
+ * <div style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>Atlassian</b> integration.
+ * </span>
+ * <a href="https://www.atlassian.com/" style={{backgroundColor: "black", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/atlassian.svg" width="24" style={{ marginTop: "-3px"}} />
+ * </a>
+ * </div>
+ *
+ * @module providers/atlassian
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/** The returned user profile from Atlassian when using the profile callback. */
+export interface AtlassianProfile extends Record<string, any> {
+  /**
+   * The user's atlassian account ID
+   */
+  account_id: string
+  /**
+   * The user name
+   */
+  name: string
+  /**
+   * The user's email
+   */
+  email: string
+  /**
+   * The user's profile picture
+   */
+  picture: string
+}
+
+/**
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/atlassian
+ * ```
+ *
+ * #### Configuration
+ *
+ * Import the provider and configure it in your **Auth.js** initialization file:
+ *
+ * ```ts
+ * import Atlassian from "@auth/core/providers/atlassian"
+ * ...
+ * providers: [
+ *  Atlassian({
+ *    clientId: env.AUTH_ATLASSIAN_ID,
+ *    clientSecret: env.AUTH_ATLASSIAN_SECRET,
+ *  }),
+ * ]
+ * ...
+ * ```
+ *
+ * ### Configuring Atlassian
+ *
+ * Follow these steps:
+ *
+ * 1. From any page on [developer.atlassian.com](https://developer.atlassian.com), select your profile icon in the top-right corner, and from the dropdown, select **Developer console**.
+ * 2. Select your app from the list (or create one if you don't already have one)
+ * 3. Select **Authorization** in the left menu
+ * 4. Next to OAuth 2.0 (3LO), select **Configure** (or **Add** for newly created app)
+ * 5. Enter the **Callback URL**: `https://{YOUR_DOMAIN}/api/auth/callback/atlassian`
+ * 6. Click Save changes
+ * 7. Select **Settings** in the left menu
+ * 8. Access and copy your app's **Client ID** and **Secret**
+ *
+ * Then, create a `.env` file in the project root add the following entries:
+ *
+ * ```
+ * AUTH_ATLASSIAN_ID=<Client ID copied in step 8>
+ * AUTH_ATLASSIAN_SECRET=<Secret copied in step 8>
+ * ```
+ *
+ * ### Resources
+ *
+ * - [Atlassian docs](https://developer.atlassian.com/cloud/jira/software/oauth-2-3lo-apps/)
+ *
+ * ### Notes
+ *
+ * The Atlassian provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/atlassian.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function Atlassian(
+  options: OAuthUserConfig<AtlassianProfile>
+): OAuthConfig<AtlassianProfile> {
+  return {
+    id: "atlassian",
+    name: "Atlassian",
+    type: "oauth",
+    authorization: {
+      url: "https://auth.atlassian.com/authorize",
+      params: { audience: "api.atlassian.com", scope: "read:me" },
+    },
+    token: "https://auth.atlassian.com/oauth/token",
+    userinfo: "https://api.atlassian.com/me",
+    profile(profile) {
+      return {
+        id: profile.account_id,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture,
+      }
+    },
+    checks: ["state"],
+    style: { bg: "#fff", text: "#0052cc" },
+    options,
+  }
+}

package/src/providers/auth0.ts

@@ -0,0 +1,127 @@
+/**
+ * <div class="provider" style={{display: "flex", justifyContent: "space-between", alignItems: "center"}}>
+ * <span style={{fontSize: "1.35rem" }}>
+ *  Built-in sign in with <b>Auth0</b> integration.
+ * </span>
+ * <a href="https://auth0.com" style={{backgroundColor: "black", padding: "12px", borderRadius: "100%" }}>
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/auth0.svg" width="24"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/auth0
+ */
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+/** The returned user profile from Auth0 when using the profile callback. [Reference](https://auth0.com/docs/manage-users/user-accounts/user-profiles/user-profile-structure). */
+export interface Auth0Profile extends Record<string, any> {
+  /** The user's unique identifier. */
+  sub: string
+  /** Custom fields that store info about a user that influences the user's access, such as support plan, security roles (if not using the Authorization Core feature set), or access control groups. To learn more, read Metadata Overview. */
+  app_metadata: object
+  /** Indicates whether the user has been blocked. Importing enables subscribers to ensure that users remain blocked when migrating to Auth0. */
+  blocked: boolean
+  /** Timestamp indicating when the user profile was first created. */
+  created_at: Date
+  /** (unique) The user's email address. */
+  email: string
+  /** Indicates whether the user has verified their email address. */
+  email_verified: boolean
+  /** The user's family name. */
+  family_name: string
+  /** The user's given name. */
+  given_name: string
+  /** Custom fields that store info about a user that does not impact what they can or cannot access, such as work address, home address, or user preferences. To learn more, read Metadata Overview. */
+  user_metadata: object
+  /** (unique) The user's username. */
+  username: string
+  /** Contains info retrieved from the identity provider with which the user originally authenticates. Users may also link their profile to multiple identity providers; those identities will then also appear in this array. The contents of an individual identity provider object varies by provider. In some cases, it will also include an API Access Token to be used with the provider. */
+  identities: Array<{
+    /** Name of the Auth0 connection used to authenticate the user. */
+    connection: string
+    /** Indicates whether the connection is a social one. */
+    isSocial: boolean
+    /** Name of the entity that is authenticating the user, such as Facebook, Google, SAML, or your own provider. */
+    provider: string
+    /** User's unique identifier for this connection/provider. */
+    user_id: string
+    /** User info associated with the connection. When profiles are linked, it is populated with the associated user info for secondary accounts. */
+    profileData: object
+    [key: string]: any
+  }>
+  /** IP address associated with the user's last login. */
+  last_ip: string
+  /** Timestamp indicating when the user last logged in. If a user is blocked and logs in, the blocked session updates last_login. If you are using this property from inside a Rule using the user< object, its value will be associated with the login that triggered the rule; this is because rules execute after login. */
+  last_login: Date
+  /** Timestamp indicating the last time the user's password was reset/changed. At user creation, this field does not exist. This property is only available for Database connections. */
+  last_password_reset: Date
+  /** Number of times the user has logged in. If a user is blocked and logs in, the blocked session is counted in logins_count. */
+  logins_count: number
+  /** List of multi-factor providers with which the user is enrolled. */
+  multifactor: string
+  /** The user's full name. */
+  name: string
+  /** The user's nickname. */
+  nickname: string
+  /** The user's phone number. Only valid for users with SMS connections. */
+  phone_number: string
+  /** Indicates whether the user has been verified their phone number. Only valid for users with SMS connections. */
+  phone_verified: boolean
+  /** URL pointing to the user's profile picture. */
+  picture: string
+  /** Timestamp indicating when the user's profile was last updated/modified. Changes to last_login are considered updates, so most of the time, updated_at will match last_login. */
+  updated_at: Date
+  /** (unique) The user's identifier. Importing allows user records to be synchronized across multiple systems without using mapping tables. */
+  user_id: string
+}
+
+/**
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/auth0
+ * ```
+ *
+ * #### Configuration
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import Auth0 from "@auth/core/providers/auth0"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Auth0({
+ *       clientId: AUTH0_ID,
+ *       clientSecret: AUTH0_SECRET,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ * - [Auth0 docs](https://auth0.com/docs/authenticate)
+ *
+ * ### Notes
+ *
+ * The Auth0 provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/auth0.ts). To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * ## Help
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ */
+export default function Auth0(
+  config: OIDCUserConfig<Auth0Profile>
+): OIDCConfig<Auth0Profile> {
+  return {
+    id: "auth0",
+    name: "Auth0",
+    type: "oidc",
+    style: { text: "#fff", bg: "#EB5424" },
+    options: config,
+  }
+}

package/src/providers/authentik.ts

@@ -0,0 +1,100 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#fd4b2d", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Authentik</b> integration.</span>
+ * <a href="https://goauthentik.io/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/authentik.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/authentik
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+export interface AuthentikProfile extends Record<string, any> {
+  iss: string
+  sub: string
+  aud: string
+  exp: number
+  iat: number
+  auth_time: number
+  acr: string
+  c_hash: string
+  nonce: string
+  at_hash: string
+  email: string
+  email_verified: boolean
+  name: string
+  given_name: string
+  family_name: string
+  preferred_username: string
+  nickname: string
+  groups: string[]
+}
+
+/**
+ * Add Authentik login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/authentik
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Authentik from "@auth/core/providers/authentik"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Authentik({
+ *       clientId: AUTHENTIK_CLIENT_ID,
+ *       clientSecret: AUTHENTIK_CLIENT_SECRET,
+ *       issuer: AUTHENTIK_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * :::note
+ * issuer should include the slug without a trailing slash – e.g., https://my-authentik-domain.com/application/o/My_Slug
+ * :::
+ *
+ * ### Resources
+ *
+ *  - [Authentik OAuth documentation](https://goauthentik.io/docs/providers/oauth2)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Authentik provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Authentik provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/authentik.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Authentik<P extends AuthentikProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "authentik",
+    name: "Authentik",
+    type: "oidc",
+    options,
+  }
+}