@p0security/cli 0.8.0 → 0.8.2

package/dist/plugins/aws/idc/index.js

@@ -0,0 +1,150 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.assumeRoleWithIdc = exports.registerClient = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const fetch_1 = require("../../../common/fetch");
+const retry_1 = require("../../../common/retry");
+const auth_1 = require("../../../drivers/auth");
+const login_1 = require("../../oidc/login");
+const HOURS = 60 * 60 * 1000;
+const DAYS = 24 * HOURS;
+const AWS_TOKEN_EXPIRY = 1 * HOURS;
+const AWS_CLIENT_TOKEN_EXPIRY = 90 * DAYS; // the token has lifetime of 90 days
+const AWS_SSO_SCOPES = ["sso:account:access"];
+const registerClient = (region) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)("aws-idc-client", () => __awaiter(void 0, void 0, void 0, function* () {
+        const init = {
+            method: "POST",
+            body: JSON.stringify({
+                clientName: "p0Cli",
+                clientType: "public",
+                grantTypes: [login_1.DEVICE_GRANT_TYPE],
+                scopes: AWS_SSO_SCOPES,
+            }),
+        };
+        const response = yield fetch(`https://oidc.${region}.amazonaws.com/client/register`, init);
+        return yield response.json();
+    }), { duration: AWS_CLIENT_TOKEN_EXPIRY }, (data) => data.clientSecretExpiresAt
+        ? data.clientSecretExpiresAt < Date.now()
+        : true);
+});
+exports.registerClient = registerClient;
+const awsIdcHelpers = (clientCredentials, idc) => {
+    const { clientId, clientSecret } = clientCredentials;
+    const { id, region } = idc;
+    const buildOidcAuthorizeRequest = () => ({
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                startUrl: `https://${id}.awsapps.com/start`,
+            }),
+        },
+        url: `https://oidc.${region}.amazonaws.com/device_authorization`,
+    });
+    const buildIdcTokenRequest = (authorizeResponse) => ({
+        url: `https://oidc.${region}.amazonaws.com/token`,
+        init: {
+            method: "POST",
+            body: JSON.stringify({
+                clientId,
+                clientSecret,
+                deviceCode: authorizeResponse.deviceCode,
+                grantType: login_1.DEVICE_GRANT_TYPE,
+            }),
+        },
+    });
+    /**
+     * Exchanges the oidc token for AWS credentials for a given account and permission set
+     * @param oidcResponse oidc token response fot he oidc /token endpoint
+     * @param request accountId and permissionSet to exchange for AWS credentials
+     * @returns
+     */
+    const exchangeForAwsCredentials = (oidcResponse, request) => __awaiter(void 0, void 0, void 0, function* () {
+        // There is a delay in between aws issuing the sso token and it being available for exchange for AWS credentials
+        // When exchanging token immediately, an "unauthorized" may will be thrown, so retry with sleep.
+        return yield (0, retry_1.retryWithSleep)(() => __awaiter(void 0, void 0, void 0, function* () {
+            const init = {
+                method: "GET",
+                headers: {
+                    "x-amz-sso_bearer_token": oidcResponse.accessToken,
+                },
+            };
+            const { accountId, permissionSet } = request;
+            if (accountId === undefined)
+                throw new Error("Could not find an AWS account ID for this access request");
+            const params = new URLSearchParams();
+            params.append("account_id", accountId);
+            params.append("role_name", permissionSet);
+            const response = yield fetch(`https://portal.sso.${region}.amazonaws.com/federation/credentials?${params.toString()}`, init);
+            if (!response.ok)
+                throw new Error(`Failed to fetch AWS credentials: ${response.statusText}: ${yield response.text()}`);
+            return yield response.json();
+        }), () => true, 3);
+    });
+    return {
+        loginSteps: {
+            providerType: "aws-oidc",
+            validateResponse: fetch_1.validateResponse,
+            buildAuthorizeRequest: buildOidcAuthorizeRequest,
+            buildTokenRequest: buildIdcTokenRequest,
+            processAuthzExpiry: (authorize) => ({
+                expires_in: authorize.expiresIn,
+                interval: authorize.interval,
+            }),
+            processAuthzResponse: (authorize) => ({
+                user_code: authorize.userCode,
+                verification_uri_complete: authorize.verificationUriComplete,
+            }),
+        },
+        exchangeForAwsCredentials,
+    };
+};
+/**
+ * Returns AWS credentials for the specified account and permission set for the authorized user
+ * @param args accountId, permissionSet and idc to assume role associated with the permission set
+ * @returns
+ */
+const assumeRoleWithIdc = (args) => __awaiter(void 0, void 0, void 0, function* () {
+    return yield (0, auth_1.cached)(`aws-idc-${args.accountId}-${args.permissionSet}`, () => __awaiter(void 0, void 0, void 0, function* () {
+        const { idc } = args;
+        const { region } = idc;
+        const clientSecrets = yield (0, exports.registerClient)(region);
+        const { loginSteps, exchangeForAwsCredentials } = awsIdcHelpers(clientSecrets, idc);
+        const oidcResponse = yield (0, auth_1.cached)("aws-idc-device-authorization", () => __awaiter(void 0, void 0, void 0, function* () {
+            const data = yield (0, login_1.oidcLogin)(loginSteps);
+            return Object.assign(Object.assign({}, data), { expiresAt: Date.now() + data.expiresIn * 1e3 });
+        }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+        const credentials = yield exchangeForAwsCredentials(oidcResponse, {
+            accountId: args.accountId,
+            permissionSet: args.permissionSet,
+        });
+        return {
+            AWS_ACCESS_KEY_ID: credentials.roleCredentials.accessKeyId,
+            AWS_SECRET_ACCESS_KEY: credentials.roleCredentials.secretAccessKey,
+            AWS_SESSION_TOKEN: credentials.roleCredentials.sessionToken,
+            AWS_SECURITY_TOKEN: credentials.roleCredentials.sessionToken,
+            expiresAt: credentials.roleCredentials.expiration,
+        };
+    }), { duration: AWS_TOKEN_EXPIRY }, (data) => (data.expiresAt ? data.expiresAt < Date.now() : true));
+});
+exports.assumeRoleWithIdc = assumeRoleWithIdc;

package/dist/plugins/aws/ssh.d.ts

@@ -0,0 +1,13 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { SshProvider } from "../../types/ssh";
+import { AwsSshPermissionSpec, AwsSshRequest } from "./types";
+export declare const awsSshProvider: SshProvider<AwsSshPermissionSpec, undefined, AwsSshRequest>;

package/dist/plugins/aws/ssh.js

@@ -0,0 +1,24 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.awsSshProvider = void 0;
+exports.awsSshProvider = {
+    requestToSsh: (request) => {
+        const { permission, generated } = request;
+        const { instanceId, accountId, region } = permission.spec;
+        const { idc, ssh, name } = generated;
+        const { linuxUserName } = ssh;
+        const common = { linuxUserName, accountId, region, id: instanceId };
+        return !idc
+            ? Object.assign(Object.assign({}, common), { role: name, type: "aws", access: "role" }) : Object.assign(Object.assign({}, common), { idc, permissionSet: name, type: "aws", access: "idc" });
+    },
+    toCliRequest: (request) => __awaiter(void 0, void 0, void 0, function* () { return (Object.assign(Object.assign({}, request), { cliLocalData: undefined })); }),
+};

package/dist/plugins/aws/types.d.ts

@@ -8,6 +8,9 @@ This file is part of @p0security/cli
 
 You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
 **/
+import { PermissionSpec } from "../../types/request";
+import { CliPermissionSpec } from "../../types/ssh";
+import { CommonSshPermissionSpec } from "../ssh/types";
 export declare type AwsCredentials = {
     AWS_ACCESS_KEY_ID: string;
     AWS_SECRET_ACCESS_KEY: string;
@@ -38,7 +41,7 @@ export declare type AwsFederatedLogin = {
         };
     };
 };
-declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
+export declare type AwsLogin = AwsFederatedLogin | AwsIamLogin | AwsIdcLogin;
 export declare type AwsItemConfig = {
     label?: string;
     state: string;
@@ -50,21 +53,44 @@ export declare type AwsItem = {
 export declare type AwsConfig = {
     "iam-write": Record<string, AwsItemConfig>;
 };
-export declare type AwsSsh = {
-    permission: {
-        spec: {
-            instanceId: string;
-            accountId: string;
-            region: string;
-        };
-        type: "session";
+export declare type AwsSshPermission = {
+    spec: CommonSshPermissionSpec & {
+        instanceId: string;
+        accountId: string;
+        region: string;
+        type: "aws";
     };
-    generated: {
-        name: string;
-        ssh: {
-            linuxUserName: string;
-            publicKey: string;
-        };
+    type: "session";
+};
+export declare type AwsSshGenerated = {
+    name: string;
+    ssh: {
+        linuxUserName: string;
+    };
+    idc?: {
+        region: string;
+        id: string;
+    };
+};
+export declare type AwsSshPermissionSpec = PermissionSpec<"ssh", AwsSshPermission, AwsSshGenerated>;
+export declare type AwsSsh = CliPermissionSpec<AwsSshPermissionSpec, undefined>;
+export declare type BaseAwsSshRequest = {
+    linuxUserName: string;
+    accountId: string;
+    region: string;
+    id: string;
+    type: "aws";
+};
+export declare type AwsSshRoleRequest = BaseAwsSshRequest & {
+    role: string;
+    access: "role";
+};
+export declare type AwsSshIdcRequest = BaseAwsSshRequest & {
+    permissionSet: string;
+    idc: {
+        id: string;
+        region: string;
     };
+    access: "idc";
 };
-export {};
+export declare type AwsSshRequest = AwsSshIdcRequest | AwsSshRoleRequest;

package/dist/plugins/google/ssh-key.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
+ * GCP OS Login uses these public keys to authenticate the user.
+ * Importing the same public key multiple times is idempotent.
+ *
+ * The user account and the access token is retrieved from the gcloud CLI.
+ *
+ * Returns the posix account to use for SSH access.
+ *
+ * See https://cloud.google.com/compute/docs/oslogin/rest/v1/users/importSshPublicKey
+ */
+export declare const importSshKey: (publicKey: string, options?: {
+    debug?: boolean;
+}) => Promise<string>;

package/dist/plugins/google/ssh-key.js

@@ -0,0 +1,80 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.importSshKey = void 0;
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+const subprocess_1 = require("../../common/subprocess");
+const stdio_1 = require("../../drivers/stdio");
+/**
+ * Adds an ssh public key to the user object's sshPublicKeys array in Google Workspace.
+ * GCP OS Login uses these public keys to authenticate the user.
+ * Importing the same public key multiple times is idempotent.
+ *
+ * The user account and the access token is retrieved from the gcloud CLI.
+ *
+ * Returns the posix account to use for SSH access.
+ *
+ * See https://cloud.google.com/compute/docs/oslogin/rest/v1/users/importSshPublicKey
+ */
+const importSshKey = (publicKey, options) => __awaiter(void 0, void 0, void 0, function* () {
+    var _a;
+    const debug = (_a = options === null || options === void 0 ? void 0 : options.debug) !== null && _a !== void 0 ? _a : false;
+    // Force debug=false otherwise it prints the access token
+    const accessToken = yield (0, subprocess_1.asyncSpawn)({ debug: false }, "gcloud", [
+        "auth",
+        "print-access-token",
+    ]);
+    const account = yield (0, subprocess_1.asyncSpawn)({ debug }, "gcloud", [
+        "config",
+        "get-value",
+        "account",
+    ]);
+    if (debug) {
+        (0, stdio_1.print2)(`Retrieved access token ${accessToken.slice(0, 10)}... for account ${account}`);
+    }
+    const url = `https://oslogin.googleapis.com/v1/users/${account}:importSshPublicKey`;
+    const response = yield fetch(url, {
+        method: "POST",
+        body: JSON.stringify({
+            key: publicKey,
+        }),
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+        },
+    });
+    const data = yield response.json();
+    if (debug) {
+        (0, stdio_1.print2)(`Login profile for user after importing public key: ${JSON.stringify(data)}`);
+    }
+    const { loginProfile } = data;
+    // Find the primary POSIX account for the user, or the first in the array
+    const linuxAccounts = loginProfile.posixAccounts.filter((account) => account.operatingSystemType === "LINUX");
+    const posixAccount = linuxAccounts.find((account) => account.primary) ||
+        loginProfile.posixAccounts[0];
+    if (debug) {
+        (0, stdio_1.print2)(`Picked linux user name: ${posixAccount === null || posixAccount === void 0 ? void 0 : posixAccount.username}`);
+    }
+    if (!posixAccount) {
+        throw "No POSIX accounts configured for the user. Ask your Google Workspace administrator to configure the user's POSIX account.";
+    }
+    return posixAccount.username;
+});
+exports.importSshKey = importSshKey;

package/dist/plugins/google/ssh.d.ts

@@ -0,0 +1,15 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { SshProvider } from "../../types/ssh";
+import { GcpSshPermissionSpec, GcpSshRequest } from "./types";
+export declare const gcpSshProvider: SshProvider<GcpSshPermissionSpec, {
+    linuxUserName: string;
+}, GcpSshRequest>;

package/dist/plugins/google/ssh.js

@@ -0,0 +1,29 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gcpSshProvider = void 0;
+const ssh_key_1 = require("./ssh-key");
+exports.gcpSshProvider = {
+    requestToSsh: (request) => {
+        return {
+            id: request.permission.spec.instanceName,
+            projectId: request.permission.spec.projectId,
+            zone: request.permission.spec.zone,
+            linuxUserName: request.cliLocalData.linuxUserName,
+            type: "gcloud",
+        };
+    },
+    toCliRequest: (request, options) => __awaiter(void 0, void 0, void 0, function* () {
+        return (Object.assign(Object.assign({}, request), { cliLocalData: {
+                linuxUserName: yield (0, ssh_key_1.importSshKey)(request.permission.spec.publicKey, options),
+            } }));
+    }),
+};

package/dist/plugins/google/types.d.ts

@@ -0,0 +1,57 @@
+/** Copyright © 2024-present P0 Security
+
+This file is part of @p0security/cli
+
+@p0security/cli is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License.
+
+@p0security/cli is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with @p0security/cli. If not, see <https://www.gnu.org/licenses/>.
+**/
+import { PermissionSpec } from "../../types/request";
+import { CliPermissionSpec } from "../../types/ssh";
+import { CommonSshPermissionSpec } from "../ssh/types";
+export declare type GcpSshPermission = {
+    spec: CommonSshPermissionSpec & {
+        instanceName: string;
+        projectId: string;
+        zone: string;
+        type: "gcloud";
+    };
+    type: "session";
+};
+export declare type GcpSshPermissionSpec = PermissionSpec<"ssh", GcpSshPermission>;
+export declare type GcpSsh = CliPermissionSpec<GcpSshPermissionSpec, {
+    linuxUserName: string;
+}>;
+export declare type GcpSshRequest = {
+    linuxUserName: string;
+    projectId: string;
+    zone: string;
+    id: string;
+    type: "gcloud";
+};
+declare type PosixAccount = {
+    username: string;
+    uid: string;
+    gid: string;
+    operatingSystemType: "LINUX" | "OPERATING_SYSTEM_TYPE_UNSPECIFIED" | "WINDOWS";
+    homeDirectory?: string;
+    primary?: boolean;
+};
+declare type SshPublicKey = {
+    key: string;
+    fingerprint?: string;
+    expirationTimeUsec?: number;
+};
+declare type LoginProfile = {
+    name: string;
+    posixAccounts: PosixAccount[];
+    sshPublicKeys: {
+        [fingerprint: string]: SshPublicKey;
+    };
+};
+export declare type ImportSshPublicKeyResponse = {
+    loginProfile: LoginProfile;
+};
+export {};

package/dist/plugins/google/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/plugins/login.d.ts

@@ -10,4 +10,7 @@ You should have received a copy of the GNU General Public License along with @p0
 **/
 import { TokenResponse } from "../types/oidc";
 import { OrgData } from "../types/org";
+declare const loginPlugins: readonly ["google", "okta", "ping", "oidc-pkce", "microsoft", "azure-oidc", "google-oidc", "aws-oidc"];
+export declare type LoginPluginType = (typeof loginPlugins)[number];
 export declare const pluginLoginMap: Record<string, (org: OrgData) => Promise<TokenResponse>>;
+export {};

package/dist/plugins/login.js

@@ -13,6 +13,16 @@ exports.pluginLoginMap = void 0;
 const login_1 = require("./google/login");
 const login_2 = require("./okta/login");
 const login_3 = require("./ping/login");
+const loginPlugins = [
+    "google",
+    "okta",
+    "ping",
+    "oidc-pkce",
+    "microsoft",
+    "azure-oidc",
+    "google-oidc",
+    "aws-oidc",
+];
 exports.pluginLoginMap = {
     google: login_1.googleLogin,
     okta: login_2.oktaLogin,

package/dist/plugins/oidc/login.d.ts

@@ -1,5 +1,36 @@
-import { TokenResponse } from "../../types/oidc";
+import { AuthorizeResponse, OidcLoginSteps } from "../../types/oidc";
 import { OrgData } from "../../types/org";
+export declare const DEVICE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code";
 export declare const validateProviderDomain: (org: OrgData) => void;
+/** Executes the first step of a device-authorization grant flow */
+export declare const authorize: <T>(request: {
+    url: string;
+    init: RequestInit;
+}, validateResponse: (response: Response) => Promise<Response>) => Promise<T>;
+/** Attempts to fetch this device's OIDC token
+ *
+ * The authorization may or may not be granted at this stage. If it is not, the
+ * authorization server will return "authorization_pending", in which case this
+ * function will return undefined.
+ */
+export declare const fetchOidcToken: <T>(request: {
+    url: string;
+    init: RequestInit;
+}) => Promise<T | undefined>;
+/** Waits until user device authorization is complete
+ *
+ * Returns the OIDC token after completion.
+ */
+export declare const waitForActivation: <A, T>(authorize: A, extractExpiryInterval: (authorize: A) => {
+    expires_in: number;
+    interval: number;
+}, tokenRequest: {
+    url: string;
+    init: RequestInit;
+}) => Promise<NonNullable<Awaited<T>>>;
+export declare const oidcLoginSteps: (org: OrgData, scope: string, urls: () => {
+    deviceAuthorizationUrl: string;
+    tokenUrl: string;
+}) => OidcLoginSteps<AuthorizeResponse>;
 /** Logs in to an Identity Provider via OIDC */
-export declare const oidcLogin: (org: OrgData, scope: string) => Promise<TokenResponse>;
+export declare const oidcLogin: <A, T>(steps: OidcLoginSteps<A>) => Promise<NonNullable<Awaited<T>>>;