@owlmeans/web-oidc-provider 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 OwlMeans Common — Fullstack typescript framework
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,677 @@
+# @owlmeans/web-oidc-provider
+
+Web-based OpenID Connect Provider functionality for OwlMeans Common Libraries. This package provides client-side authentication state management and interaction handling for OIDC Provider implementations, designed for React-based web applications with secure authentication flows.
+
+## Overview
+
+The `@owlmeans/web-oidc-provider` package serves as the web frontend component for OIDC Provider functionality in the OwlMeans ecosystem. It handles client-side authentication state management, interaction flows, and cookie-based session management. This package is designed for fullstack applications with focus on security and proper OIDC authentication flows.
+
+**Key Features:**
+- **Authentication State Management**: Client-side OIDC authentication state tracking and validation
+- **Interaction Handling**: OIDC interaction flow management with session persistence
+- **Cookie Management**: Secure cookie-based session and interaction tracking
+- **Multi-Entity Support**: Support for multiple entity authentication within the same session
+- **DID Integration**: Decentralized Identity (DID) linking and validation
+- **Stack-based Sessions**: Session stacking for complex authentication flows
+
+This package follows the OwlMeans "quadra" pattern as the **web** implementation, complementing:
+- **@owlmeans/oidc**: Common OIDC declarations and base functionality *(base package)*
+- **@owlmeans/server-oidc-provider**: Server-side OIDC provider implementation
+- **@owlmeans/web-oidc-provider**: Web client OIDC provider integration *(this package)*
+- **@owlmeans/web-oidc-rp**: Web client OIDC Relying Party implementation
+
+## Installation
+
+```bash
+npm install @owlmeans/web-oidc-provider
+```
+
+## Dependencies
+
+This package requires and integrates with:
+- `@owlmeans/oidc`: Core OIDC functionality and shared configuration
+- `@owlmeans/auth`: Authentication system and types
+- `@owlmeans/resource`: Resource management for interaction storage
+- `@owlmeans/web-client`: Web client framework and context
+- `universal-cookie`: Cookie management for cross-browser compatibility
+- React: Peer dependency for web components
+
+## Key Concepts
+
+### OIDC Authentication States
+
+The package manages various authentication states throughout the OIDC flow:
+
+- **Authenticated**: User has valid authentication credentials
+- **SameEntity**: Current user belongs to the same entity as the OIDC interaction
+- **IdLinked**: User has a linked Decentralized Identity (DID)
+- **ProfileExists**: User profile exists in the system
+- **RegistrationAllowed**: New user registration is permitted
+
+### Interaction Management
+
+OIDC interactions are managed with:
+- **Session Persistence**: Interactions persist across browser sessions via cookies
+- **Stack-based Flow**: Support for nested authentication flows and entity switching
+- **State Validation**: Continuous validation of authentication state
+- **Secure Storage**: Encrypted storage of interaction data via OwlMeans resource system
+
+### Cookie-based Session Management
+
+Secure session management using:
+- **Interaction Cookies**: Track current OIDC interaction sessions
+- **Configurable TTL**: Adjustable session timeouts and expiration
+- **Cross-domain Support**: Support for multi-domain OIDC flows
+- **Secure Settings**: HttpOnly and Secure cookie flags for production environments
+
+## API Reference
+
+### Factory Functions
+
+#### `makeAuthStateModel<C, T>(context, updateState): OidcAuthStateModel`
+
+Creates an OIDC authentication state model for managing client-side authentication flow.
+
+```typescript
+import { makeAuthStateModel } from '@owlmeans/web-oidc-provider'
+import { makeWebContext } from '@owlmeans/web-client'
+
+const context = makeWebContext(config)
+
+const authStateModel = makeAuthStateModel(context, async (uid: string) => {
+  // Update authentication state from server
+  const response = await fetch(`/api/oidc/auth-state/${uid}`)
+  return response.json()
+})
+```
+
+**Parameters:**
+- `context`: `AppContext<C>` - Web application context
+- `updateState`: `(uid: string) => Promise<{entityId?: string, did?: string}>` - Function to update authentication state from server
+
+**Returns:** `OidcAuthStateModel` - Authentication state model instance
+
+### Core Interfaces
+
+#### `OidcAuthStateModel`
+
+Main interface for managing OIDC authentication state on the client side.
+
+```typescript
+interface OidcAuthStateModel extends AuthStateProperties {
+  // Initialization and state management
+  init: (uid: string, reset?: boolean) => Promise<OidcAuthStateModel>
+  updateAuthState: (uid: string) => Promise<OidcAuthState[]>
+  
+  // State validation methods
+  isAuthenticated: () => boolean
+  isSameEntity: () => boolean
+  isIdLinked: () => boolean
+  profileExists: () => boolean
+  isRegistrationAllowed: () => boolean
+  
+  // Interaction management
+  finishInteraction: (skipState?: boolean) => Promise<void>
+  getState: () => OidcAuthState[]
+}
+```
+
+**Methods:**
+
+**`init(uid: string, reset?: boolean): Promise<OidcAuthStateModel>`**
+- **Purpose**: Initialize the authentication state model for a specific interaction
+- **Parameters**:
+  - `uid`: Unique interaction identifier
+  - `reset`: Optional flag to reset existing interaction stack
+- **Behavior**: 
+  - Loads existing state from cache or creates new state
+  - Manages interaction stack for nested flows
+  - Sets interaction cookies with appropriate TTL
+- **Returns**: Promise resolving to the initialized model
+- **Throws**: `SyntaxError` if no valid UID is provided
+
+**`updateAuthState(uid: string): Promise<OidcAuthState[]>`**
+- **Purpose**: Update authentication state by querying server and validating current session
+- **Parameters**: `uid` - Interaction identifier
+- **Behavior**:
+  - Calls server to get updated authentication status
+  - Validates current user against interaction entity
+  - Updates DID linking status
+  - Caches updated state
+- **Returns**: Promise resolving to array of current authentication states
+
+**`isAuthenticated(): boolean`**
+- **Purpose**: Check if user is currently authenticated
+- **Returns**: `true` if user has valid authentication
+
+**`isSameEntity(): boolean`**
+- **Purpose**: Check if authenticated user belongs to the same entity as the OIDC interaction
+- **Returns**: `true` if user entity matches interaction entity
+
+**`isIdLinked(): boolean`**
+- **Purpose**: Check if user has a linked Decentralized Identity (DID)
+- **Returns**: `true` if DID is linked to user account
+
+**`profileExists(): boolean`**
+- **Purpose**: Check if user profile exists in the system
+- **Returns**: `true` if user profile is available
+
+**`isRegistrationAllowed(): boolean`**
+- **Purpose**: Check if new user registration is permitted
+- **Returns**: `true` if registration is allowed
+
+**`finishInteraction(skipState?: boolean): Promise<void>`**
+- **Purpose**: Complete current interaction and restore previous session from stack
+- **Parameters**: `skipState` - Optional flag to skip state update
+- **Behavior**:
+  - Removes current interaction from cache
+  - Pops previous interaction from stack
+  - Updates cookies to previous session
+  - Optionally updates authentication state
+
+**`getState(): OidcAuthState[]`**
+- **Purpose**: Get current authentication states as array
+- **Returns**: Array of active authentication state flags
+
+#### `AuthStateProperties`
+
+Properties maintained by the authentication state model.
+
+```typescript
+interface AuthStateProperties {
+  did?: string           // Decentralized Identity identifier
+  entityId?: string      // Entity identifier for multi-tenant support
+  state: Set<OidcAuthState>  // Set of current authentication states
+  uid: string           // Unique interaction identifier
+}
+```
+
+#### `OidcInteraction`
+
+Resource record for persisting interaction state across sessions.
+
+```typescript
+interface OidcInteraction extends ResourceRecord {
+  stack: Array<{
+    token: string | null    // Previous session authentication token
+    uid: string            // Previous interaction identifier
+  }>
+}
+```
+
+#### `WithSharedConfig`
+
+Configuration interface for OIDC provider settings.
+
+```typescript
+interface WithSharedConfig {
+  oidc: OidcSharedConfig
+}
+```
+
+### Enums
+
+#### `OidcAuthState`
+
+Enumeration of possible authentication states during OIDC flows.
+
+```typescript
+enum OidcAuthState {
+  Authenticated = 'authenticated',           // User is authenticated
+  SameEntity = 'same-entity',               // User belongs to interaction entity
+  IdLinked = 'id-linked',                   // DID is linked to user
+  ProfileExists = 'profile-exists',         // User profile exists
+  RegistrationAllowed = 'registration-allowed'  // Registration permitted
+}
+```
+
+## Usage Examples
+
+### Basic OIDC Provider Integration
+
+```typescript
+import { makeAuthStateModel } from '@owlmeans/web-oidc-provider'
+import { makeWebContext } from '@owlmeans/web-client'
+
+// Configure web context with OIDC settings
+const config = {
+  service: 'oidc-provider',
+  oidc: {
+    clientCookie: {
+      interaction: {
+        name: '_oidc_interaction',
+        ttl: 3600  // 1 hour
+      }
+    }
+  }
+}
+
+const context = makeWebContext(config)
+
+// Create authentication state model
+const authState = makeAuthStateModel(context, async (uid) => {
+  // Fetch authentication state from server
+  const response = await fetch(`/api/oidc/interaction/${uid}/state`, {
+    credentials: 'include'
+  })
+  
+  if (!response.ok) {
+    throw new Error('Failed to fetch authentication state')
+  }
+  
+  return response.json()
+})
+
+// Initialize for specific interaction
+await authState.init(interactionId)
+```
+
+### OIDC Authentication Flow Management
+
+```typescript
+// Handle OIDC authentication flow
+const handleOidcFlow = async (interactionId: string) => {
+  try {
+    // Initialize authentication state
+    await authState.init(interactionId)
+    
+    // Check current authentication status
+    if (authState.isAuthenticated()) {
+      if (authState.isSameEntity()) {
+        // User is authenticated and belongs to correct entity
+        console.log('User authenticated for correct entity')
+        
+        if (authState.isIdLinked()) {
+          console.log('DID is linked to user account')
+        }
+        
+        // Proceed with OIDC authorization
+        await proceedWithAuthorization()
+      } else {
+        // User authenticated but for different entity
+        console.log('User needs to switch entities or re-authenticate')
+        await promptEntitySwitch()
+      }
+    } else {
+      // User not authenticated
+      if (authState.isRegistrationAllowed()) {
+        console.log('User can register or login')
+        await showLoginOrRegisterForm()
+      } else {
+        console.log('Registration not allowed, login required')
+        await showLoginForm()
+      }
+    }
+  } catch (error) {
+    console.error('OIDC flow error:', error)
+    await handleAuthenticationError(error)
+  }
+}
+
+const proceedWithAuthorization = async () => {
+  // Continue with OIDC authorization grant
+  const states = authState.getState()
+  console.log('Current states:', states)
+  
+  // Make authorization decision based on current state
+  window.location.href = '/oidc/auth/consent'
+}
+
+const showLoginForm = async () => {
+  // Display login form component
+  // After successful login, update authentication state
+  await authState.updateAuthState(authState.uid)
+}
+```
+
+### Multi-Entity Authentication
+
+```typescript
+// Handle entity switching in OIDC flows
+const handleEntitySwitch = async (newEntityId: string) => {
+  try {
+    // Store current interaction in stack
+    await authState.init(newEntityId, false)  // Don't reset stack
+    
+    // Check if user is already authenticated for new entity
+    if (authState.isAuthenticated() && authState.isSameEntity()) {
+      console.log('User already authenticated for target entity')
+      return true
+    }
+    
+    // Redirect to authentication for new entity
+    window.location.href = `/auth/entity/${newEntityId}`
+    
+  } catch (error) {
+    console.error('Entity switch error:', error)
+    return false
+  }
+}
+
+// Complete interaction and return to previous session
+const completeInteraction = async () => {
+  try {
+    await authState.finishInteraction()
+    console.log('Returned to previous interaction:', authState.uid)
+    
+    // Redirect to original application
+    window.location.href = '/dashboard'
+  } catch (error) {
+    console.error('Failed to complete interaction:', error)
+  }
+}
+```
+
+### DID Integration
+
+```typescript
+// Handle Decentralized Identity linking
+const handleDidLinking = async (didDocument: any) => {
+  try {
+    // Link DID to user account
+    const response = await fetch('/api/did/link', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      credentials: 'include',
+      body: JSON.stringify({
+        did: didDocument.id,
+        interactionId: authState.uid
+      })
+    })
+    
+    if (response.ok) {
+      // Update authentication state to reflect DID linking
+      await authState.updateAuthState(authState.uid)
+      
+      if (authState.isIdLinked()) {
+        console.log('DID successfully linked')
+        return true
+      }
+    }
+    
+    throw new Error('DID linking failed')
+  } catch (error) {
+    console.error('DID linking error:', error)
+    return false
+  }
+}
+
+// Verify DID authentication
+const verifyDidAuth = async (signature: string, challenge: string) => {
+  if (!authState.isIdLinked()) {
+    throw new Error('DID not linked to account')
+  }
+  
+  // Verify DID signature with server
+  const response = await fetch('/api/did/verify', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    credentials: 'include',
+    body: JSON.stringify({
+      signature,
+      challenge,
+      interactionId: authState.uid
+    })
+  })
+  
+  return response.ok
+}
+```
+
+### React Component Integration
+
+```typescript
+import React, { useEffect, useState } from 'react'
+import { makeAuthStateModel, OidcAuthState } from '@owlmeans/web-oidc-provider'
+
+interface OidcProviderProps {
+  interactionId: string
+  onStateChange?: (states: OidcAuthState[]) => void
+}
+
+const OidcProvider: React.FC<OidcProviderProps> = ({ 
+  interactionId, 
+  onStateChange 
+}) => {
+  const [authState, setAuthState] = useState<any>(null)
+  const [currentStates, setCurrentStates] = useState<OidcAuthState[]>([])
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+
+  useEffect(() => {
+    const initializeAuth = async () => {
+      try {
+        setLoading(true)
+        
+        const model = makeAuthStateModel(context, async (uid) => {
+          // Fetch state from server
+          const response = await fetch(`/api/oidc/state/${uid}`)
+          return response.json()
+        })
+        
+        await model.init(interactionId)
+        const states = model.getState()
+        
+        setAuthState(model)
+        setCurrentStates(states)
+        onStateChange?.(states)
+      } catch (err) {
+        setError(err.message)
+      } finally {
+        setLoading(false)
+      }
+    }
+
+    initializeAuth()
+  }, [interactionId])
+
+  const handleLogin = async (credentials: any) => {
+    try {
+      // Perform login
+      await performLogin(credentials)
+      
+      // Update authentication state
+      const states = await authState.updateAuthState(interactionId)
+      setCurrentStates(states)
+      onStateChange?.(states)
+    } catch (err) {
+      setError(err.message)
+    }
+  }
+
+  const handleComplete = async () => {
+    try {
+      await authState.finishInteraction()
+      // Redirect or update UI
+    } catch (err) {
+      setError(err.message)
+    }
+  }
+
+  if (loading) return <div>Loading authentication...</div>
+  if (error) return <div>Error: {error}</div>
+
+  return (
+    <div className="oidc-provider">
+      <div className="auth-status">
+        <h3>Authentication Status</h3>
+        <ul>
+          {currentStates.map(state => (
+            <li key={state}>{state}</li>
+          ))}
+        </ul>
+      </div>
+      
+      {!authState.isAuthenticated() && (
+        <LoginForm onLogin={handleLogin} />
+      )}
+      
+      {authState.isAuthenticated() && authState.isSameEntity() && (
+        <ConsentForm onConsent={handleComplete} />
+      )}
+      
+      {authState.isAuthenticated() && !authState.isSameEntity() && (
+        <EntitySwitchForm onSwitch={handleEntitySwitch} />
+      )}
+    </div>
+  )
+}
+```
+
+## Configuration
+
+### OIDC Provider Configuration
+
+```typescript
+interface OidcProviderConfig {
+  oidc: {
+    clientCookie: {
+      interaction: {
+        name: string      // Cookie name for interaction tracking
+        ttl: number       // Time to live in seconds
+      }
+    }
+    provider: {
+      issuer: string        // OIDC provider issuer URL
+      clientId: string      // OAuth2 client identifier
+      redirectUri: string   // Redirect URI after authentication
+    }
+  }
+  defaultEntityId?: string  // Default entity for multi-tenant scenarios
+}
+```
+
+### Cookie Security Settings
+
+```typescript
+// Production cookie settings
+const productionCookieConfig = {
+  secure: true,           // Require HTTPS
+  httpOnly: true,         // Prevent XSS access
+  sameSite: 'strict',     // CSRF protection
+  domain: '.example.com', // Cross-subdomain access
+  path: '/'              // Site-wide access
+}
+```
+
+## Error Handling
+
+### Common Error Scenarios
+
+```typescript
+// Handle authentication state errors
+const handleAuthErrors = async (error: Error) => {
+  switch (error.message) {
+    case 'no-uid':
+      console.error('No interaction UID provided')
+      // Redirect to OIDC entry point
+      window.location.href = '/oidc/auth'
+      break
+      
+    case 'invalid-interaction':
+      console.error('Invalid or expired interaction')
+      // Clear cookies and restart flow
+      await clearInteractionCookies()
+      window.location.href = '/oidc/auth'
+      break
+      
+    case 'entity-mismatch':
+      console.error('User entity does not match interaction')
+      // Prompt for entity switch or re-authentication
+      await promptEntitySwitch()
+      break
+      
+    default:
+      console.error('Authentication error:', error)
+      // Show generic error message
+      showErrorMessage('Authentication failed. Please try again.')
+  }
+}
+
+// Cleanup after errors
+const clearInteractionCookies = async () => {
+  const cookies = new Cookies()
+  cookies.remove('_oidc_interaction', { path: '/' })
+  
+  // Clear cached state
+  await authState.finishInteraction(true)
+}
+```
+
+## Security Considerations
+
+### Cookie Security
+- **Secure Flags**: Always use `Secure` and `HttpOnly` flags in production
+- **SameSite Protection**: Configure `SameSite` attribute for CSRF protection
+- **TTL Management**: Implement appropriate session timeouts
+
+### State Validation
+- **Server Verification**: Always verify authentication state with server
+- **Entity Validation**: Validate user entity matches interaction requirements
+- **DID Verification**: Verify DID signatures using cryptographic validation
+
+### Session Management
+- **Stack Protection**: Limit interaction stack depth to prevent abuse
+- **Cache Security**: Secure in-memory state cache with appropriate cleanup
+- **Token Handling**: Secure handling of authentication tokens in stacked sessions
+
+## Integration with OwlMeans Ecosystem
+
+### Context Integration
+```typescript
+import { makeWebContext } from '@owlmeans/web-client'
+
+const context = makeWebContext(config)
+const authService = context.auth()
+```
+
+### Resource System Integration
+```typescript
+import { useStoreModel } from '@owlmeans/web-client'
+
+// Persistent interaction storage
+const interactionStore = useStoreModel<OidcInteraction>('oidc-interactions')
+```
+
+### Authentication System Integration
+```typescript
+import type { Auth } from '@owlmeans/auth'
+
+// Validate against OwlMeans auth system
+const currentUser: Auth = context.auth().user()
+const isAuthenticated = await context.auth().authenticated()
+```
+
+## Best Practices
+
+1. **State Synchronization**: Always synchronize client state with server state
+2. **Error Recovery**: Implement robust error recovery mechanisms
+3. **Security**: Use secure cookie settings and validate all state transitions
+4. **Performance**: Cache authentication state appropriately with proper TTL
+5. **User Experience**: Provide clear feedback during authentication flows
+6. **Multi-Entity**: Handle entity switching gracefully in multi-tenant scenarios
+
+## Related Packages
+
+- **@owlmeans/oidc**: Core OIDC functionality and shared configuration
+- **@owlmeans/server-oidc-provider**: Server-side OIDC provider implementation
+- **@owlmeans/web-oidc-rp**: Web OIDC Relying Party implementation
+- **@owlmeans/auth**: Core authentication system
+- **@owlmeans/web-client**: Web client framework and context
+- **@owlmeans/resource**: Resource management for state persistence
+
+## TypeScript Support
+
+This package is written in TypeScript and provides full type safety:
+
+```typescript
+import type { 
+  OidcAuthStateModel, 
+  OidcAuthState, 
+  OidcInteraction,
+  WithSharedConfig 
+} from '@owlmeans/web-oidc-provider'
+
+const authState: OidcAuthStateModel = makeAuthStateModel(context, updateFunction)
+const states: OidcAuthState[] = authState.getState()
+```

package/build/auth-state.d.ts

@@ -0,0 +1,7 @@
+import type { AppConfig, AppContext } from '@owlmeans/web-client';
+import type { OidcAuthStateModel } from './types.js';
+export declare const makeAuthStateModel: <C extends AppConfig, T extends AppContext<C>>(context: T, updateState: (uid: string) => Promise<{
+    entityId?: string;
+    did?: string;
+}>) => OidcAuthStateModel;
+//# sourceMappingURL=auth-state.d.ts.map

package/build/auth-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-state.d.ts","sourceRoot":"","sources":["../src/auth-state.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AACjE,OAAO,KAAK,EAAuB,kBAAkB,EAAqC,MAAM,YAAY,CAAA;AAM5G,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,SAAS,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,WACpE,CAAC,eACG,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,KACzE,kBAoHF,CAAA"}

package/build/auth-state.js

@@ -0,0 +1,97 @@
+import Cookies from 'universal-cookie';
+import { OidcAuthState } from './consts.js';
+const stateCache = {};
+export const makeAuthStateModel = (context, updateState) => {
+    const cookies = new Cookies(null, { path: '/' });
+    const config = context.cfg;
+    const store = () => context.auth().store();
+    const stackKey = `_oidc-interaction:stack`;
+    const cookieKey = config.oidc.clientCookie?.interaction?.name ?? '_interaction';
+    const cookieTtl = () => {
+        const ttl = (config.oidc.clientCookie?.interaction?.ttl ?? 3600) * 1000;
+        const expiration = new Date();
+        expiration.setTime(expiration.getTime() + ttl);
+        return expiration;
+    };
+    const model = {
+        state: new Set(),
+        uid: '',
+        getState: () => [...model.state],
+        init: async (uid, reset = false) => {
+            const currentUid = cookies.get(cookieKey);
+            if (currentUid != null && uid === '-') {
+                uid = currentUid;
+            }
+            if (uid == null) {
+                throw new SyntaxError('no-uid');
+            }
+            if (stateCache[uid] != null) {
+                Object.assign(model, stateCache[uid]);
+                return model;
+            }
+            if (currentUid != null && currentUid !== uid) {
+                let stack = await store().load(stackKey);
+                if (stack == null) {
+                    stack = { stack: [], id: stackKey };
+                }
+                else if (reset) {
+                    await store().save({ stack: [], id: stackKey });
+                }
+                else {
+                    const token = await context.auth().authenticated();
+                    stack.stack.push({ uid: currentUid, token });
+                    await store().save(stack);
+                }
+            }
+            // cookies.remove(cookieKey)
+            cookies.set(cookieKey, uid, { expires: cookieTtl() });
+            model.uid = uid;
+            await model.updateAuthState(uid);
+            stateCache[uid] = { ...model };
+            return model;
+        },
+        updateAuthState: async (uid) => {
+            model.state = new Set();
+            const serverState = await updateState(uid);
+            model.entityId = serverState.entityId ?? config.defaultEntityId;
+            model.did = serverState.did;
+            let user = null;
+            if (await context.auth().authenticated()) {
+                user = context.auth().user();
+                model.state.add(OidcAuthState.Authenticated);
+            }
+            if (model.entityId === user?.entityId) {
+                model.state.add(OidcAuthState.SameEntity);
+            }
+            if (model.did != null) {
+                model.state.add(OidcAuthState.IdLinked);
+            }
+            stateCache[uid] = { ...model };
+            return [...model.state];
+        },
+        isAuthenticated: () => model.state.has(OidcAuthState.Authenticated),
+        isSameEntity: () => model.state.has(OidcAuthState.SameEntity),
+        isIdLinked: () => model.state.has(OidcAuthState.IdLinked),
+        profileExists: () => model.state.has(OidcAuthState.ProfileExists),
+        isRegistrationAllowed: () => model.state.has(OidcAuthState.RegistrationAllowed),
+        finishInteraction: async (skipState = false) => {
+            const stack = await store().load(stackKey);
+            if (stateCache[model.uid] != null) {
+                delete stateCache[model.uid];
+            }
+            if (stack != null) {
+                const item = stack.stack.pop();
+                if (item != null) {
+                    model.uid = item.uid;
+                    cookies.set(cookieKey, model.uid, { expires: cookieTtl() });
+                    await store().save(stack);
+                    if (!skipState) {
+                        await model.updateAuthState(model.uid);
+                    }
+                }
+            }
+        }
+    };
+    return model;
+};
+//# sourceMappingURL=auth-state.js.map

package/build/auth-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-state.js","sourceRoot":"","sources":["../src/auth-state.ts"],"names":[],"mappings":"AAEA,OAAO,OAAO,MAAM,kBAAkB,CAAA;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAG3C,MAAM,UAAU,GAAwC,EAAE,CAAA;AAC1D,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,OAAU,EACV,WAA0E,EACtD,EAAE;IACtB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAA;IAChD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAoE,CAAA;IAE3F,MAAM,KAAK,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,EAAmB,CAAA;IAE3D,MAAM,QAAQ,GAAG,yBAAyB,CAAA;IAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,EAAE,IAAI,IAAI,cAAc,CAAA;IAC/E,MAAM,SAAS,GAAG,GAAG,EAAE;QACrB,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,CAAA;QAEvE,MAAM,UAAU,GAAG,IAAI,IAAI,EAAE,CAAA;QAC7B,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,CAAA;QAE9C,OAAO,UAAU,CAAA;IACnB,CAAC,CAAA;IAED,MAAM,KAAK,GAAuB;QAChC,KAAK,EAAE,IAAI,GAAG,EAAE;QAEhB,GAAG,EAAE,EAAE;QAEP,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC;QAEhC,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,GAAG,KAAK,EAAE,EAAE;YACjC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;YACzC,IAAI,UAAU,IAAI,IAAI,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;gBACtC,GAAG,GAAG,UAAU,CAAA;YAClB,CAAC;YACD,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;gBAChB,MAAM,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAA;YACjC,CAAC;YACD,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;gBAC5B,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAA;gBAErC,OAAO,KAAK,CAAA;YACd,CAAC;YACD,IAAI,UAAU,IAAI,IAAI,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;gBAC7C,IAAI,KAAK,GAAG,MAAM,KAAK,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;gBACxC,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;oBAClB,KAAK,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAA;gBACrC,CAAC;qBAAM,IAAI,KAAK,EAAE,CAAC;oBACjB,MAAM,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;gBACjD,CAAC;qBAAM,CAAC;oBACN,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,aAAa,EAAE,CAAA;oBAClD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAA;oBAC5C,MAAM,KAAK,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBAC3B,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAA;YAErD,KAAK,CAAC,GAAG,GAAG,GAAG,CAAA;YACf,MAAM,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAA;YAEhC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAA;YAE9B,OAAO,KAAK,CAAA;QACd,CAAC;QAED,eAAe,EAAE,KAAK,EAAC,GAAG,EAAC,EAAE;YAC3B,KAAK,CAAC,KAAK,GAAG,IAAI,GAAG,EAAiB,CAAA;YAEtC,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,GAAG,CAAC,CAAA;YAC1C,KAAK,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,IAAI,MAAM,CAAC,eAAe,CAAA;YAC/D,KAAK,CAAC,GAAG,GAAG,WAAW,CAAC,GAAG,CAAA;YAC3B,IAAI,IAAI,GAAgB,IAAI,CAAA;YAC5B,IAAI,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC,aAAa,EAAE,EAAE,CAAC;gBACzC,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAA;gBAC5B,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,aAAa,CAAC,CAAA;YAC9C,CAAC;YAED,IAAI,KAAK,CAAC,QAAQ,KAAK,IAAI,EAAE,QAAQ,EAAE,CAAC;gBACtC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAA;YAC3C,CAAC;YAED,IAAI,KAAK,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;gBACtB,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;YACzC,CAAC;YAED,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,KAAK,EAAE,CAAA;YAE9B,OAAO,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAA;QACzB,CAAC;QAED,eAAe,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,aAAa,CAAC;QAEnE,YAAY,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC;QAE7D,UAAU,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC;QAEzD,aAAa,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,aAAa,CAAC;QAEjE,qBAAqB,EAAE,GAAG,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,mBAAmB,CAAC;QAE/E,iBAAiB,EAAE,KAAK,EAAE,SAAS,GAAG,KAAK,EAAE,EAAE;YAC7C,MAAM,KAAK,GAAG,MAAM,KAAK,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YAC1C,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;gBAClC,OAAO,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC9B,CAAC;YACD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAA;gBAC9B,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;oBACjB,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAA;oBACpB,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,CAAC,CAAA;oBAC3D,MAAM,KAAK,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBACzB,IAAI,CAAC,SAAS,EAAE,CAAC;wBACf,MAAM,KAAK,CAAC,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;oBACxC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;KACF,CAAA;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAA"}

package/build/consts.d.ts

@@ -0,0 +1,8 @@
+export declare enum OidcAuthState {
+    Authenticated = "authenticated",
+    SameEntity = "same-entity",
+    IdLinked = "id-linked",
+    ProfileExists = "profile-exists",
+    RegistrationAllowed = "registration-allowed"
+}
+//# sourceMappingURL=consts.d.ts.map

package/build/consts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consts.d.ts","sourceRoot":"","sources":["../src/consts.ts"],"names":[],"mappings":"AACA,oBAAY,aAAa;IACvB,aAAa,kBAAkB;IAC/B,UAAU,gBAAgB;IAC1B,QAAQ,cAAc;IACtB,aAAa,mBAAmB;IAChC,mBAAmB,yBAAyB;CAC7C"}

package/build/consts.js

@@ -0,0 +1,9 @@
+export var OidcAuthState;
+(function (OidcAuthState) {
+    OidcAuthState["Authenticated"] = "authenticated";
+    OidcAuthState["SameEntity"] = "same-entity";
+    OidcAuthState["IdLinked"] = "id-linked";
+    OidcAuthState["ProfileExists"] = "profile-exists";
+    OidcAuthState["RegistrationAllowed"] = "registration-allowed";
+})(OidcAuthState || (OidcAuthState = {}));
+//# sourceMappingURL=consts.js.map

package/build/consts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"consts.js","sourceRoot":"","sources":["../src/consts.ts"],"names":[],"mappings":"AACA,MAAM,CAAN,IAAY,aAMX;AAND,WAAY,aAAa;IACvB,gDAA+B,CAAA;IAC/B,2CAA0B,CAAA;IAC1B,uCAAsB,CAAA;IACtB,iDAAgC,CAAA;IAChC,6DAA4C,CAAA;AAC9C,CAAC,EANW,aAAa,KAAb,aAAa,QAMxB"}

package/build/index.d.ts

@@ -0,0 +1,3 @@
+export type * from './types.js';
+export * from './auth-state.js';
+//# sourceMappingURL=index.d.ts.map

package/build/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,mBAAmB,YAAY,CAAA;AAC/B,cAAc,iBAAiB,CAAA"}

package/build/index.js

@@ -0,0 +1,2 @@
+export * from './auth-state.js';
+//# sourceMappingURL=index.js.map

package/build/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA,cAAc,iBAAiB,CAAA"}

package/build/types.d.ts

@@ -0,0 +1,30 @@
+import type { OidcSharedConfig } from '@owlmeans/oidc';
+import type { OidcAuthState } from './consts.js';
+import type { ResourceRecord } from '@owlmeans/resource';
+export interface OidcAuthStateModel extends AuthStateProperties {
+    init: (uid: string, reset?: boolean) => Promise<OidcAuthStateModel>;
+    updateAuthState: (uid: string) => Promise<OidcAuthState[]>;
+    isAuthenticated: () => boolean;
+    isSameEntity: () => boolean;
+    isIdLinked: () => boolean;
+    profileExists: () => boolean;
+    isRegistrationAllowed: () => boolean;
+    finishInteraction: (skipState?: boolean) => Promise<void>;
+    getState: () => OidcAuthState[];
+}
+export interface AuthStateProperties {
+    did?: string;
+    entityId?: string;
+    state: Set<OidcAuthState>;
+    uid: string;
+}
+export interface WithSharedConfig {
+    oidc: OidcSharedConfig;
+}
+export interface OidcInteraction extends ResourceRecord {
+    stack: {
+        token: string | null;
+        uid: string;
+    }[];
+}
+//# sourceMappingURL=types.d.ts.map

package/build/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAA;AACtD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAChD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAExD,MAAM,WAAW,kBAAmB,SAAQ,mBAAmB;IAC7D,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAA;IACnE,eAAe,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,aAAa,EAAE,CAAC,CAAA;IAE1D,eAAe,EAAE,MAAM,OAAO,CAAA;IAC9B,YAAY,EAAE,MAAM,OAAO,CAAA;IAC3B,UAAU,EAAE,MAAM,OAAO,CAAA;IACzB,aAAa,EAAE,MAAM,OAAO,CAAA;IAC5B,qBAAqB,EAAE,MAAM,OAAO,CAAA;IAEpC,iBAAiB,EAAE,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;IAEzD,QAAQ,EAAE,MAAM,aAAa,EAAE,CAAA;CAChC;AAED,MAAM,WAAW,mBAAmB;IAClC,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,GAAG,CAAC,aAAa,CAAC,CAAA;IACzB,GAAG,EAAE,MAAM,CAAA;CACZ;AAGD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,gBAAgB,CAAA;CACvB;AAED,MAAM,WAAW,eAAgB,SAAQ,cAAc;IACrD,KAAK,EAAE;QACL,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;QACpB,GAAG,EAAE,MAAM,CAAA;KACZ,EAAE,CAAA;CACJ"}

package/build/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/build/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,42 @@
+{
+  "name": "@owlmeans/web-oidc-provider",
+  "version": "0.1.0",
+  "type": "module",
+  "scripts": {
+    "build": "tsc -b",
+    "dev": "sleep 372 && nodemon -e ts,tsx,json --watch src --exec \"tsc -p ./tsconfig.json\"",
+    "watch": "tsc -b -w --preserveWatchOutput --pretty"
+  },
+  "main": "build/index.js",
+  "module": "build/index.js",
+  "types": "build/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./build/index.js",
+      "require": "./build/index.js",
+      "default": "./build/index.js",
+      "module": "./build/index.js",
+      "types": "./build/index.d.ts"
+    }
+  },
+  "dependencies": {
+    "@owlmeans/auth": "^0.1.0",
+    "@owlmeans/oidc": "^0.1.0",
+    "@owlmeans/resource": "^0.1.0",
+    "@owlmeans/web-client": "^0.1.0",
+    "universal-cookie": "^7.2.1"
+  },
+  "peerDependencies": {
+    "react": "*"
+  },
+  "devDependencies": {
+    "@types/react": "^18.3.11",
+    "nodemon": "^3.1.7",
+    "npm-check": "^6.0.1",
+    "typescript": "^5.6.3"
+  },
+  "private": false,
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/auth-state.ts

@@ -0,0 +1,127 @@
+import type { AppConfig, AppContext } from '@owlmeans/web-client'
+import type { AuthStateProperties, OidcAuthStateModel, OidcInteraction, WithSharedConfig } from './types.js'
+import Cookies from 'universal-cookie'
+import { OidcAuthState } from './consts.js'
+import type { Auth } from '@owlmeans/auth'
+
+const stateCache: Record<string, AuthStateProperties> = {}
+export const makeAuthStateModel = <C extends AppConfig, T extends AppContext<C>>(
+  context: T,
+  updateState: (uid: string) => Promise<{ entityId?: string, did?: string }>,
+): OidcAuthStateModel => {
+  const cookies = new Cookies(null, { path: '/' })
+  const config = context.cfg as Partial<AppConfig> as (Partial<AppConfig> & WithSharedConfig)
+
+  const store = () => context.auth().store<OidcInteraction>()
+
+  const stackKey = `_oidc-interaction:stack`
+  const cookieKey = config.oidc.clientCookie?.interaction?.name ?? '_interaction'
+  const cookieTtl = () => {
+    const ttl = (config.oidc.clientCookie?.interaction?.ttl ?? 3600) * 1000
+
+    const expiration = new Date()
+    expiration.setTime(expiration.getTime() + ttl)
+
+    return expiration
+  }
+
+  const model: OidcAuthStateModel = {
+    state: new Set(),
+
+    uid: '',
+
+    getState: () => [...model.state],
+
+    init: async (uid, reset = false) => {
+      const currentUid = cookies.get(cookieKey)
+      if (currentUid != null && uid === '-') {
+        uid = currentUid
+      }
+      if (uid == null) {
+        throw new SyntaxError('no-uid')
+      }
+      if (stateCache[uid] != null) {
+        Object.assign(model, stateCache[uid])
+
+        return model
+      }
+      if (currentUid != null && currentUid !== uid) {
+        let stack = await store().load(stackKey)
+        if (stack == null) {
+          stack = { stack: [], id: stackKey }
+        } else if (reset) {
+          await store().save({ stack: [], id: stackKey })
+        } else {
+          const token = await context.auth().authenticated()
+          stack.stack.push({ uid: currentUid, token })
+          await store().save(stack)
+        }
+      }
+
+      // cookies.remove(cookieKey)
+      cookies.set(cookieKey, uid, { expires: cookieTtl() })
+
+      model.uid = uid
+      await model.updateAuthState(uid)
+
+      stateCache[uid] = { ...model }
+
+      return model
+    },
+
+    updateAuthState: async uid => {
+      model.state = new Set<OidcAuthState>()
+
+      const serverState = await updateState(uid)
+      model.entityId = serverState.entityId ?? config.defaultEntityId
+      model.did = serverState.did
+      let user: Auth | null = null
+      if (await context.auth().authenticated()) {
+        user = context.auth().user()
+        model.state.add(OidcAuthState.Authenticated)
+      }
+
+      if (model.entityId === user?.entityId) {
+        model.state.add(OidcAuthState.SameEntity)
+      }
+
+      if (model.did != null) {
+        model.state.add(OidcAuthState.IdLinked)
+      }
+
+      stateCache[uid] = { ...model }
+
+      return [...model.state]
+    },
+
+    isAuthenticated: () => model.state.has(OidcAuthState.Authenticated),
+
+    isSameEntity: () => model.state.has(OidcAuthState.SameEntity),
+
+    isIdLinked: () => model.state.has(OidcAuthState.IdLinked),
+
+    profileExists: () => model.state.has(OidcAuthState.ProfileExists),
+
+    isRegistrationAllowed: () => model.state.has(OidcAuthState.RegistrationAllowed),
+
+    finishInteraction: async (skipState = false) => {
+      const stack = await store().load(stackKey)
+      if (stateCache[model.uid] != null) {
+        delete stateCache[model.uid]
+      }
+      if (stack != null) {
+        const item = stack.stack.pop()
+        if (item != null) {
+          model.uid = item.uid
+          cookies.set(cookieKey, model.uid, { expires: cookieTtl() })
+          await store().save(stack)
+          if (!skipState) {
+            await model.updateAuthState(model.uid)
+          }
+        }
+      }
+    }
+  }
+
+  return model
+}

package/src/consts.ts

@@ -0,0 +1,8 @@
+
+export enum OidcAuthState {
+  Authenticated = 'authenticated',
+  SameEntity = 'same-entity',
+  IdLinked = 'id-linked',
+  ProfileExists = 'profile-exists',
+  RegistrationAllowed = 'registration-allowed',
+}

package/src/index.ts

@@ -0,0 +1,3 @@
+
+export type * from './types.js'
+export * from './auth-state.js'

package/src/types.ts

@@ -0,0 +1,37 @@
+import type { OidcSharedConfig } from '@owlmeans/oidc'
+import type { OidcAuthState } from './consts.js'
+import type { ResourceRecord } from '@owlmeans/resource'
+
+export interface OidcAuthStateModel extends AuthStateProperties {
+  init: (uid: string, reset?: boolean) => Promise<OidcAuthStateModel>
+  updateAuthState: (uid: string) => Promise<OidcAuthState[]>
+
+  isAuthenticated: () => boolean
+  isSameEntity: () => boolean
+  isIdLinked: () => boolean
+  profileExists: () => boolean
+  isRegistrationAllowed: () => boolean
+
+  finishInteraction: (skipState?: boolean) => Promise<void>
+
+  getState: () => OidcAuthState[]
+}
+
+export interface AuthStateProperties {
+  did?: string
+  entityId?: string
+  state: Set<OidcAuthState>
+  uid: string
+}
+
+
+export interface WithSharedConfig {
+  oidc: OidcSharedConfig
+}
+
+export interface OidcInteraction extends ResourceRecord {
+  stack: {
+    token: string | null
+    uid: string
+  }[]
+}

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "extends": [
+    "../tsconfig.default.json",
+    "../tsconfig.react.json",
+  ],
+  "compilerOptions": {
+    "rootDir": "./src/", /* Specify the root folder within your source files. */
+    "outDir": "./build/", /* Specify an output folder for all emitted files. */
+    "moduleResolution": "Bundler",
+  },
+  "exclude": [
+    "./dist/**/*",
+    "./build/**/*",
+    "./*.ts"
+  ]
+}

package/tsconfig.tsbuildinfo

@@ -0,0 +1 @@
+{"root":["./src/auth-state.ts","./src/consts.ts","./src/index.ts","./src/types.ts"],"version":"5.6.3"}