@mulverse/mulguard-core 1.0.0

package/src/providers/oauth.ts

@@ -0,0 +1,310 @@
+import type { Client, PrivateKey } from "oauth4webapi"
+import type { CommonProviderOptions } from "../providers/index.js"
+import type { Awaitable, Profile, TokenSet, User } from "../types.js"
+import type { AuthConfig } from "../index.js"
+import type { conformInternal, customFetch } from "../lib/symbols.js"
+
+// TODO: fix types
+type AuthorizationParameters = any
+type CallbackParamsType = any
+type IssuerMetadata = any
+type OAuthCallbackChecks = any
+type OpenIDCallbackChecks = any
+
+export type { OAuthProviderId } from "./provider-types.js"
+
+export type OAuthChecks = OpenIDCallbackChecks | OAuthCallbackChecks
+
+type PartialIssuer = Partial<Pick<IssuerMetadata, "jwks_endpoint" | "issuer">>
+
+type UrlParams = Record<string, unknown>
+
+type EndpointRequest<C, R, P> = (
+  context: C & {
+    /** Provider is passed for convenience, and also contains the `callbackUrl`. */
+    provider: OAuthConfigInternal<P> & {
+      signinUrl: string
+      callbackUrl: string
+    }
+  }
+) => Awaitable<R> | void
+
+/** Gives granular control of the request to the given endpoint */
+interface AdvancedEndpointHandler<P extends UrlParams, C, R> {
+  /** Endpoint URL. Can contain parameters. Optionally, you can use `params` */
+  url?: string
+  /** These will be prepended to the `url` */
+  params?: P
+  /**
+   * Control the corresponding OAuth endpoint request completely.
+   * Useful if your provider relies on some custom behaviour
+   * or it diverges from the OAuth spec.
+   *
+   * - ⚠ **This is an advanced option.**
+   * You should **try to avoid using advanced options** unless you are very comfortable using them.
+   */
+  request?: EndpointRequest<C, R, P>
+  /** @internal */
+  conform?: (response: Response) => Awaitable<Response | undefined>
+  clientPrivateKey?: CryptoKey | PrivateKey
+}
+
+/**
+ * Either an URL (containing all the parameters) or an object with more granular control.
+ * @internal
+ */
+export type EndpointHandler<
+  P extends UrlParams,
+  C = any,
+  R = any,
+> = AdvancedEndpointHandler<P, C, R>
+
+export type AuthorizationEndpointHandler =
+  EndpointHandler<AuthorizationParameters>
+
+export type TokenEndpointHandler = EndpointHandler<
+  UrlParams,
+  {
+    /**
+     * Parameters extracted from the request to the `/api/auth/callback/:providerId` endpoint.
+     * Contains params like `state`.
+     */
+    params: CallbackParamsType
+    /**
+     * When using this custom flow, make sure to do all the necessary security checks.
+     * This object contains parameters you have to match against the request to make sure it is valid.
+     */
+    checks: OAuthChecks
+  },
+  {
+    tokens: TokenSet
+  }
+>
+
+export type UserinfoEndpointHandler = EndpointHandler<
+  UrlParams,
+  { tokens: TokenSet },
+  Profile
+>
+
+export type ProfileCallback<Profile> = (
+  profile: Profile,
+  tokens: TokenSet
+) => Awaitable<User>
+
+export type AccountCallback = (tokens: TokenSet) => TokenSet | undefined | void
+
+export interface OAuthProviderButtonStyles {
+  logo?: string
+  /**
+   * @deprecated
+   */
+  text?: string
+  /**
+   * @deprecated Please use 'brandColor' instead
+   */
+  bg?: string
+  brandColor?: string
+}
+
+/** TODO: Document */
+export interface OAuth2Config<Profile>
+  extends CommonProviderOptions,
+    PartialIssuer {
+  /**
+   * Identifies the provider when you want to sign in to
+   * a specific provider.
+   *
+   * @example
+   * ```ts
+   * signIn('github') // "github" is the provider ID
+   * ```
+   */
+  id: string
+  /** The name of the provider. shown on the default sign in page. */
+  name: string
+  /**
+   * OpenID Connect (OIDC) compliant providers can configure
+   * this instead of `authorize`/`token`/`userinfo` options
+   * without further configuration needed in most cases.
+   * You can still use the `authorize`/`token`/`userinfo`
+   * options for advanced control.
+   *
+   * [Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414#section-3)
+   */
+  wellKnown?: string
+  issuer?: string
+  /**
+   * The login process will be initiated by sending the user to this URL.
+   *
+   * [Authorization endpoint](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1)
+   */
+  authorization?: string | AuthorizationEndpointHandler
+  token?: string | TokenEndpointHandler
+  userinfo?: string | UserinfoEndpointHandler
+  type: "oauth"
+  /**
+   * Receives the full {@link Profile} returned by the OAuth provider, and returns a subset.
+   * It is used to create the user in the database.
+   *
+   * Defaults to: `id`, `email`, `name`, `image`
+   *
+   * @see [Database Adapter: User model](https://authjs.dev/reference/core/adapters#user)
+   */
+  profile?: ProfileCallback<Profile>
+  /**
+   * Receives the full {@link TokenSet} returned by the OAuth provider, and returns a subset.
+   * It is used to create the account associated with a user in the database.
+   *
+   * :::note
+   * You need to adjust your database's [Account model](https://authjs.dev/reference/core/adapters#account) to match the returned properties.
+   * Check out the documentation of your [database adapter](https://authjs.dev/reference/core/adapters) for more information.
+   * :::
+   *
+   * Defaults to: `access_token`, `id_token`, `refresh_token`, `expires_at`, `scope`, `token_type`, `session_state`
+   *
+   * @example
+   * ```ts
+   * import GitHub from "@auth/core/providers/github"
+   * // ...
+   * GitHub({
+   *   account(account) {
+   *     // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
+   *     const refresh_token_expires_at =
+   *       Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
+   *     return {
+   *       access_token: account.access_token,
+   *       expires_at: account.expires_at,
+   *       refresh_token: account.refresh_token,
+   *       refresh_token_expires_at
+   *     }
+   *   }
+   * })
+   * ```
+   *
+   * @see [Database Adapter: Account model](https://authjs.dev/reference/core/adapters#account)
+   * @see https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+   * @see https://www.ietf.org/rfc/rfc6749.html#section-5.1
+   */
+  account?: AccountCallback
+  /**
+   * The CSRF protection performed on the callback endpoint.
+   * @default ["pkce"]
+   *
+   * @note When `redirectProxyUrl` or {@link AuthConfig.redirectProxyUrl} is set,
+   * `"state"` will be added to checks automatically.
+   *
+   * [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4) |
+   * [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1) |
+   * [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) |
+   */
+  checks?: Array<"pkce" | "state" | "none">
+  clientId?: string
+  clientSecret?: string
+  /**
+   * Pass overrides to the underlying OAuth library.
+   * See [`oauth4webapi` client](https://github.com/panva/oauth4webapi/blob/main/docs/interfaces/Client.md) for details.
+   */
+  client?: Partial<Client & { token_endpoint_auth_method: string }>
+  style?: OAuthProviderButtonStyles
+  /**
+   * Normally, when you sign in with an OAuth provider and another account
+   * with the same email address already exists,
+   * the accounts are not linked automatically.
+   *
+   * Automatic account linking on sign in is not secure
+   * between arbitrary providers and is disabled by default.
+   * Learn more in our [Security FAQ](https://authjs.dev/concepts#security).
+   *
+   * However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address
+   * associated with the account. Set `allowDangerousEmailAccountLinking: true`
+   * to enable automatic account linking.
+   */
+  allowDangerousEmailAccountLinking?: boolean
+  redirectProxyUrl?: AuthConfig["redirectProxyUrl"]
+  /** @see {customFetch} */
+  [customFetch]?: typeof fetch
+  /**
+   * The options provided by the user.
+   * We will perform a deep-merge of these values
+   * with the default configuration.
+   *
+   * @internal
+   */
+  /** @see {conformInternal} */
+  [conformInternal]?: true
+  options?: OAuthUserConfig<Profile>
+}
+
+/**
+ * Extension of the {@link OAuth2Config}.
+ *
+ * @see https://openid.net/specs/openid-connect-core-1_0.html
+ */
+export interface OIDCConfig<Profile>
+  extends Omit<OAuth2Config<Profile>, "type" | "checks"> {
+  type: "oidc"
+  checks?: Array<NonNullable<OAuth2Config<Profile>["checks"]>[number] | "nonce">
+  /**
+   * If set to `false`, the `userinfo_endpoint` will be fetched for the user data.
+   * @note An `id_token` is still required to be returned during the authorization flow.
+   */
+  idToken?: boolean
+}
+
+export type OAuthConfig<Profile> = OIDCConfig<Profile> | OAuth2Config<Profile>
+
+export type OAuthEndpointType = "authorization" | "token" | "userinfo"
+
+/**
+ * We parsed `authorization`, `token` and `userinfo`
+ * to always contain a valid `URL`, with the params
+ * @internal
+ */
+export type OAuthConfigInternal<Profile> = Omit<
+  OAuthConfig<Profile>,
+  OAuthEndpointType | "redirectProxyUrl"
+> & {
+  authorization?: { url: URL }
+  token?: {
+    url: URL
+    request?: TokenEndpointHandler["request"]
+    clientPrivateKey?: CryptoKey | PrivateKey
+    /**
+     * @internal
+     * @deprecated
+     */
+    conform?: TokenEndpointHandler["conform"]
+  }
+  userinfo?: { url: URL; request?: UserinfoEndpointHandler["request"] }
+  /**
+   * Reconstructed from {@link OAuth2Config.redirectProxyUrl},
+   * adding the callback action and provider id onto the URL.
+   *
+   * If defined, it is favoured over {@link OAuthConfigInternal.callbackUrl} in the authorization request.
+   *
+   * When {@link InternalOptions.isOnRedirectProxy} is set, the actual value is saved in the decoded `state.origin` parameter.
+   *
+   * @example `"https://auth.example.com/api/auth/callback/:provider"`
+   *
+   */
+  redirectProxyUrl?: OAuth2Config<Profile>["redirectProxyUrl"]
+} & Pick<
+    Required<OAuthConfig<Profile>>,
+    "clientId" | "checks" | "profile" | "account"
+  >
+
+export type OIDCConfigInternal<Profile> = OAuthConfigInternal<Profile> & {
+  checks: OIDCConfig<Profile>["checks"]
+  idToken: OIDCConfig<Profile>["idToken"]
+}
+
+export type OAuthUserConfig<Profile> = Omit<
+  Partial<OAuthConfig<Profile>>,
+  "options" | "type"
+>
+
+export type OIDCUserConfig<Profile> = Omit<
+  Partial<OIDCConfig<Profile>>,
+  "options" | "type"
+>

package/src/providers/okta.ts

@@ -0,0 +1,111 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Okta</b> integration.</span>
+ * <a href="https://okta.com/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/okta.svg" height="48" />
+ * </a>
+ * </div>
+ *
+ * @module providers/okta
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+export interface OktaProfile extends Record<string, any> {
+  iss: string
+  ver: string
+  sub: string
+  aud: string
+  iat: string
+  exp: string
+  jti: string
+  auth_time: string
+  amr: string
+  idp: string
+  nonce: string
+  name: string
+  nickname: string
+  preferred_username: string
+  given_name: string
+  middle_name: string
+  family_name: string
+  email: string
+  email_verified: string
+  profile: string
+  zoneinfo: string
+  locale: string
+  address: string
+  phone_number: string
+  picture: string
+  website: string
+  gender: string
+  birthdate: string
+  updated_at: string
+  at_hash: string
+  c_hash: string
+}
+
+/**
+ * Add Okta login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/okta
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Okta from "@auth/core/providers/okta"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Okta({
+ *       clientId: OKTA_CLIENT_ID,
+ *       clientSecret: OKTA_CLIENT_SECRET,
+ *       issuer: OKTA_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [Okta OAuth documentation](https://developer.okta.com/docs/reference/api/oidc)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Okta provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Okta provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/okta.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Okta<P extends OktaProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  return {
+    id: "okta",
+    name: "Okta",
+    type: "oidc",
+    style: { bg: "#000", text: "#fff" },
+    checks: ["pkce", "state"],
+    options,
+  }
+}

package/src/providers/onelogin.ts

@@ -0,0 +1,75 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>OneLogin</b> integration.</span>
+ * <a href="https://onelogin.com/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/onelogin.svg" height="48" />
+ * </a>
+ * </div>
+ *
+ * @module providers/onelogin
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/**
+ * Add OneLogin login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/onelogin
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import OneLogin from "@auth/core/providers/onelogin"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     OneLogin({
+ *       clientId: ONELOGIN_CLIENT_ID,
+ *       clientSecret: ONELOGIN_CLIENT_SECRET,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [OneLogin OAuth documentation](https://example.com)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the OneLogin provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The OneLogin provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/onelogin.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function OneLogin(
+  config: OAuthUserConfig<Record<string, any>>
+): OAuthConfig<Record<string, any>> {
+  return {
+    id: "onelogin",
+    name: "OneLogin",
+    type: "oidc",
+    wellKnown: `${config.issuer}/oidc/2/.well-known/openid-configuration`,
+    options: config,
+  }
+}

package/src/providers/ory-hydra.ts

@@ -0,0 +1,93 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Ory Hydra</b> integration.</span>
+ * <a href="https://www.ory.sh/hydra/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/ory.svg" height="48" />
+ * </a>
+ * </div>
+ *
+ * @module providers/ory-hydra
+ */
+import type { OIDCConfig, OIDCUserConfig } from "./index.js"
+
+export interface OryHydraProfile extends Record<string, any> {
+  iss: string
+  ver: string
+  sub: string
+  aud: string
+  iat: string
+  exp: string
+  jti: string
+  amr: string
+  email?: string
+}
+
+/**
+ * Add Ory Hydra login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/hydra
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import OryHydra from "@auth/core/providers/ory-hydra"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     OryHydra({
+ *       clientId: ORY_HYDRA_CLIENT_ID,
+ *       clientSecret: ORY_HYDRA_CLIENT_SECRET,
+ *       issuer: ORY_HYDRA_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ *
+ *  - [Ory Hydra documentation](https://www.ory.sh/docs/hydra/5min-tutorial)
+ *
+ * ### Notes
+ *
+ * Ory Hydra can be setup using the default Ory Network setup or self hosted on your own
+ * infrastructure.
+ * By default, Auth.js assumes that the Ory Hydra provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Ory Hydra provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/ory-hydra.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function OryHydra<P extends OryHydraProfile>(
+  options: OIDCUserConfig<P>
+): OIDCConfig<P> {
+  return {
+    id: "hydra",
+    name: "Hydra",
+    type: "oidc",
+    style: {
+      bg: "#fff",
+      text: "#0F172A",
+    },
+    options,
+  }
+}

package/src/providers/osso.ts

@@ -0,0 +1,91 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Osso</b> integration.</span>
+ * <a href="https://ossoapp.com/">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/osso.svg" height="48" />
+ * </a>
+ * </div>
+ *
+ * @module providers/osso
+ */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
+
+/**
+ * Add Osso login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/osso
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Osso from "@auth/core/providers/osso"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Osso({
+ *       clientId: OSSO_CLIENT_ID,
+ *       clientSecret: OSSO_CLIENT_SECRET,
+ *       issuer: OSSO_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * ### Resources
+ * Osso is an open source service that handles SAML authentication against Identity Providers, normalizes profiles, and makes those profiles available to you in an OAuth 2.0 code grant flow.
+ * 
+ * - If you don't yet have an Osso instance, you can use [Osso's Demo App](https://demo.ossoapp.com) for your testing purposes. For documentation on deploying an Osso instance, see https://ossoapp.com/docs/deploy/overview/
+ *  - [Osso OAuth documentation](https://ossoapp.com/)
+ *
+ * You can configure your OAuth Clients on your Osso Admin UI, i.e. https://demo.ossoapp.com/admin/config - you'll need to get a Client ID and Secret and allow-list your redirect URIs.
+ * [SAML SSO differs a bit from OAuth](https://ossoapp.com/blog/saml-vs-oauth) - for every tenant who wants to sign in to your application using SAML, you and your customer need to perform a multi-step configuration in Osso's Admin UI and the admin dashboard of the tenant's Identity Provider. Osso provides documentation for providers like Okta and OneLogin, cloud-based IDPs who also offer a developer account that's useful for testing. Osso also provides a [Mock IDP](https://idp.ossoapp.com) that you can use for testing without needing to sign up for an Identity Provider service.
+
+ * See Osso's complete configuration and testing documentation at https://ossoapp.com/docs/configure/overview
+ * 
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Osso provider is
+ * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
+ *
+ * :::note
+ * 
+ * `issuer` should be the fully qualified domain e.g. `demo.ossoapp.com`
+ * 
+ * :::
+ * 
+ * :::tip
+ *
+ * The Osso provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/osso.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Osso(
+  config: OAuthUserConfig<Record<string, any>>
+): OAuthConfig<Record<string, any>> {
+  return {
+    id: "osso",
+    name: "Osso",
+    type: "oauth",
+    authorization: `${config.issuer}oauth/authorize`,
+    token: `${config.issuer}oauth/token`,
+    userinfo: `${config.issuer}oauth/me`,
+    options: config,
+  }
+}