@tidecloak/js 0.13.1 → 0.13.5

package/dist/types/lib/tidecloak.d.ts

@@ -1,33 +1,327 @@
-export function getHumanReadableObject(modelId: any, data: any, expiry: any): any;
-export default TideCloak;
-declare function TideCloak(config: any): void;
-declare class TideCloak {
-    constructor(config: any);
+export default class TideCloak {
+    /**
+     * @param {KeycloakConfig} config
+     */
+    constructor(config: KeycloakConfig);
     didInitialize: boolean;
-    init: (initOptions?: {}) => any;
-    login: (options: any) => any;
-    ensureTokenReady: () => Promise<void>;
-    encrypt: (toEncrypt: any) => Promise<any>;
-    initEnclave: () => void;
-    decrypt: (toDecrypt: any) => Promise<any>;
-    createLoginUrl: (options: any) => Promise<string>;
-    logout: (options: any) => any;
-    createLogoutUrl: (options: any) => any;
-    register: (options: any) => any;
-    createRegisterUrl: (options: any) => Promise<string>;
-    createAccountUrl: (options: any) => string | undefined;
-    accountManagement: () => any;
-    hasRealmRole: (role: any) => boolean;
-    hasResourceRole: (role: any, resource: any) => boolean;
-    loadUserProfile: () => any;
-    loadUserInfo: () => any;
-    isTokenExpired: (minValidity: any) => boolean;
-    updateToken: (minValidity: any) => any;
-    clearToken: () => void;
-    checkThresholdRule: (key: any, idSubstring: any, ruleSettings: any, draftJson: any) => any;
-    createCardanoTxDraft: (txBody: any) => string;
-    sign: (signModel: any, authFlow: any, draft: any, authorizers: any, ruleSetting: any, expiry: any) => Promise<any>;
-    signCardanoTx: (txBody: any, authorizers: any, ruleSettings: any, expiry: any) => Promise<string>;
-    createRuleSettingsDraft: (ruleSettings: any, previousRuleSetting: any, previousRuleSettingCert: any) => string;
+    authenticated: boolean;
+    loginRequired: boolean;
+    /** @type {KeycloakResponseMode} */
+    responseMode: KeycloakResponseMode;
+    /** @type {KeycloakResponseType} */
+    responseType: KeycloakResponseType;
+    /** @type {KeycloakFlow} */
+    flow: KeycloakFlow;
+    /**
+     * Matches Keycloak: number | undefined (unset when skew unknown)
+     * @type {number | undefined}
+     */
+    timeSkew: number | undefined;
+    /** @type {string=} */
+    redirectUri: string | undefined;
+    /** @type {string=} */
+    silentCheckSsoRedirectUri: string | undefined;
+    /** @type {boolean} */
+    silentCheckSsoFallback: boolean;
+    /** @type {KeycloakPkceMethod} */
+    pkceMethod: KeycloakPkceMethod;
+    enableLogging: boolean;
+    /** @type {'GET' | 'POST'} */
+    logoutMethod: "GET" | "POST";
+    /** @type {string=} */
+    scope: string | undefined;
+    /** @type {string | undefined} */
+    acrValues: string | undefined;
+    messageReceiveTimeout: number;
+    /** @type {string=} */
+    idToken: string | undefined;
+    /** @type {KeycloakTokenParsed=} */
+    idTokenParsed: KeycloakTokenParsed | undefined;
+    /** @type {string=} */
+    token: string | undefined;
+    /** @type {KeycloakTokenParsed=} */
+    tokenParsed: KeycloakTokenParsed | undefined;
+    /** @type {string=} */
+    refreshToken: string | undefined;
+    /** @type {KeycloakTokenParsed=} */
+    refreshTokenParsed: KeycloakTokenParsed | undefined;
+    /** @type {string | undefined} */
+    doken: string | undefined;
+    /** @type {KeycloakTokenParsed | undefined} */
+    dokenParsed: KeycloakTokenParsed | undefined;
+    /** @type {any} */
+    requestEnclave: any;
+    /** @type {any} */
+    approvalEnclave: any;
+    /** @type {string=} */
+    clientId: string | undefined;
+    /** @type {string=} */
+    sessionId: string | undefined;
+    /** @type {string=} */
+    subject: string | undefined;
+    /** @type {string=} */
+    authServerUrl: string | undefined;
+    /** @type {string=} */
+    realm: string | undefined;
+    /** @type {KeycloakRoles=} */
+    realmAccess: KeycloakRoles | undefined;
+    /** @type {KeycloakResourceAccess=} */
+    resourceAccess: KeycloakResourceAccess | undefined;
+    /** @type {KeycloakProfile=} */
+    profile: KeycloakProfile | undefined;
+    /** @type {KeycloakUserInfo | undefined} */
+    userInfo: KeycloakUserInfo | undefined;
+    /** @type {Endpoints} */
+    endpoints: Endpoints;
+    /** @type {number=} */
+    tokenTimeoutHandle: number | undefined;
+    /** @type {() => void=} */
+    onAuthSuccess: (() => void) | undefined;
+    /** @type {(errorData?: KeycloakError) => void=} */
+    onAuthError: ((errorData?: KeycloakError) => void) | undefined;
+    /** @type {() => void=} */
+    onAuthRefreshSuccess: (() => void) | undefined;
+    /** @type {() => void=} */
+    onAuthRefreshError: (() => void) | undefined;
+    /** @type {() => void=} */
+    onTokenExpired: (() => void) | undefined;
+    /** @type {() => void=} */
+    onAuthLogout: (() => void) | undefined;
+    /** @type {(authenticated: boolean) => void=} */
+    onReady: ((authenticated: boolean) => void) | undefined;
+    /** @type {(status: 'success' | 'cancelled' | 'error', action: string) => void=} */
+    onActionUpdate: ((status: "success" | "cancelled" | "error", action: string) => void) | undefined;
+    /**
+     * @param {KeycloakInitOptions} initOptions
+     * @returns {Promise<boolean>}
+     */
+    init(initOptions?: KeycloakInitOptions): Promise<boolean>;
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<void>}
+     */
+    login(options?: KeycloakLoginOptions): Promise<void>;
+    /**
+     * Ensure the access token is valid, refreshing if needed.
+     * @returns {Promise<void>}
+     */
+    ensureTokenReady(): Promise<void>;
+    /**
+     * @param {KeycloakLoginOptions} [options]
+     * @returns {Promise<string>}
+     */
+    createLoginUrl(options?: KeycloakLoginOptions): Promise<string>;
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {Promise<void>}
+     */
+    logout(options?: KeycloakLogoutOptions): Promise<void>;
+    /**
+     * @param {KeycloakLogoutOptions} [options]
+     * @returns {string}
+     */
+    createLogoutUrl(options?: KeycloakLogoutOptions): string;
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<void>}
+     */
+    register(options?: KeycloakRegisterOptions): Promise<void>;
+    /**
+     * @param {KeycloakRegisterOptions} [options]
+     * @returns {Promise<string>}
+     */
+    createRegisterUrl(options?: KeycloakRegisterOptions): Promise<string>;
+    /**
+     * @param {KeycloakAccountOptions} [options]
+     * @returns {string}
+     */
+    createAccountUrl(options?: KeycloakAccountOptions): string;
+    /**
+     * @returns {Promise<void>}
+     */
+    accountManagement(): Promise<void>;
+    /**
+     * @param {string} role
+     * @returns {boolean}
+     */
+    hasRealmRole(role: string): boolean;
+    /**
+     * @param {string} role
+     * @param {string} [resource]
+     * @returns {boolean}
+     */
+    hasResourceRole(role: string, resource?: string): boolean;
+    /**
+     * @returns {Promise<KeycloakProfile>}
+     */
+    loadUserProfile(): Promise<KeycloakProfile>;
+    /**
+     * @returns {Promise<KeycloakUserInfo>}
+     */
+    loadUserInfo(): Promise<KeycloakUserInfo>;
+    /**
+     * @param {number} [minValidity]
+     * @returns {boolean}
+     */
+    isTokenExpired(minValidity?: number): boolean;
+    /**
+     * Matches Keycloak: minValidity is optional.
+     * @param {number} [minValidity]
+     * @returns {Promise<boolean>}
+     */
+    updateToken(minValidity?: number): Promise<boolean>;
+    clearToken(): void;
+    /**
+     * Initialize Tide RequestEnclave.
+     */
+    initRequestEnclave(): void;
+    /**
+     * Initialize Tide ApprovalEnclave.
+     */
+    initApprovalEnclave(): void;
+    /**
+     * Role-based encryption via Tide RequestEnclave.
+     * @param {{ data: string | Uint8Array, tags: string[] }[]} toEncrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    encrypt(toEncrypt: {
+        data: string | Uint8Array;
+        tags: string[];
+    }[]): Promise<(string | Uint8Array)[]>;
+    /**
+     * Initialize a Tide request that requires operator approvals.
+     * @param {Uint8Array} encodedRequest
+     * @returns {Promise<Uint8Array>}
+     */
+    createTideRequest(encodedRequest: Uint8Array): Promise<Uint8Array>;
+    /**
+     * Request Tide operator approval.
+     * @param {{id: string, request: Uint8Array}[]} requests
+     * @returns {Promise<{approved: {id: string, request: Uint8Array}[], denied: {id: string}[], pending: {id: string}[]}>}
+     */
+    requestTideOperatorApproval(requests: {
+        id: string;
+        request: Uint8Array;
+    }[]): Promise<{
+        approved: {
+            id: string;
+            request: Uint8Array;
+        }[];
+        denied: {
+            id: string;
+        }[];
+        pending: {
+            id: string;
+        }[];
+    }>;
+    /**
+     * Execute a Tide Sign Request
+     * @param {Uint8Array} request
+     * @param {boolean} [waitForAll=false]
+     * @returns {Promise<Array>} Array of signatures
+     */
+    executeSignRequest(request: Uint8Array, waitForAll?: boolean): Promise<any[]>;
+    /**
+     * Role-based decryption via Tide RequestEnclave.
+     * @param {{ encrypted: string | Uint8Array, tags: string[] }[]} toDecrypt
+     * @returns {Promise<(string | Uint8Array)[]>}
+     */
+    decrypt(toDecrypt: {
+        encrypted: string | Uint8Array;
+        tags: string[];
+    }[]): Promise<(string | Uint8Array)[]>;
+    #private;
 }
-export { RequestEnclave, ApprovalEnclave } from "heimdall-tide";
+/**
+ * @typedef {Object} NetworkErrorOptionsProperties
+ * @property {Response} response
+ * @typedef {ErrorOptions & NetworkErrorOptionsProperties} NetworkErrorOptions
+ */
+export class NetworkError extends Error {
+    /**
+     * @param {string} message
+     * @param {NetworkErrorOptions} options
+     */
+    constructor(message: string, options: NetworkErrorOptions);
+    /** @type {Response} */
+    response: Response;
+}
+/**
+ * The JSON version of the adapter configuration.
+ */
+export type JsonConfig = {
+    /**
+     * The URL of the authentication server.
+     */
+    "auth-server-url": string;
+    /**
+     * The name of the realm.
+     */
+    realm: string;
+    /**
+     * The name of the resource, usually the client ID.
+     */
+    resource: string;
+};
+/**
+ * The successful token response from the authorization server, based on the {@link https://datatracker.ietf.org/doc/html/rfc6749#section-5.1 OAuth 2.0 Authorization Framework specification}.
+ */
+export type AccessTokenResponse = {
+    /**
+     * The access token issued by the authorization server.
+     */
+    access_token: string;
+    /**
+     * The type of the token issued by the authorization server.
+     */
+    token_type: string;
+    /**
+     * The lifetime in seconds of the access token.
+     */
+    expires_in?: number | undefined;
+    /**
+     * The refresh token issued by the authorization server.
+     */
+    refresh_token?: string | undefined;
+    /**
+     * The ID token issued by the authorization server, if requested.
+     */
+    id_token?: string | undefined;
+    /**
+     * The scope of the access token.
+     */
+    scope?: string | undefined;
+};
+export type Endpoints = {
+    authorize: () => string;
+    token: () => string;
+    logout: () => string;
+    checkSessionIframe: () => string;
+    thirdPartyCookiesIframe?: (() => string) | undefined;
+    register: () => string;
+    userinfo: () => string;
+};
+export type LoginIframe = {
+    enable: boolean;
+    callbackList: ((error: Error | null, value?: boolean) => void)[];
+    interval: number;
+    iframe?: HTMLIFrameElement | undefined;
+    iframeOrigin?: string | undefined;
+};
+export type CallbackState = {
+    state: string;
+    nonce: string;
+    redirectUri: string;
+    loginOptions?: KeycloakLoginOptions;
+    prompt?: KeycloakLoginOptions["prompt"];
+    pkceCodeVerifier?: string | undefined;
+};
+export type CallbackStorage = {
+    get: (state?: string) => CallbackState | null;
+    add: (state: CallbackState) => void;
+};
+export type NetworkErrorOptionsProperties = {
+    response: Response;
+};
+export type NetworkErrorOptions = ErrorOptions & NetworkErrorOptionsProperties;
+export { RequestEnclave, ApprovalEnclave, ApprovalEnclaveNew, TideMemory, BaseTideRequest, PolicySignRequest, Policy, PolicyParameters } from "heimdall-tide";

package/dist/types/policy-react.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/types/src/IAMService.d.ts

@@ -4,9 +4,16 @@ declare const IAMServiceInstance: IAMService;
 /**
  * Singleton IAMService wrapping the TideCloak client.
  *
+ * Supports two modes:
+ * - **Front-channel mode**: Browser handles all token operations (standard OIDC)
+ * - **Hybrid/BFF mode**: Browser handles PKCE, backend exchanges code for tokens (more secure)
+ *
+ * ---
+ * ## Front-channel Mode
+ *
  * Usage A: pass an onReady callback directly
  * ```js
- * import { IAMService } from 'tidecloak-js';
+ * import { IAMService } from '@tidecloak/js';
  * import tidecloakConfig from './tidecloakAdapter.json';
  *
  * IAMService.initIAM(tidecloakConfig, authenticated => {
@@ -22,11 +29,99 @@ declare const IAMServiceInstance: IAMService;
  *
  * await IAMService.initIAM(tidecloakConfig);
  * ```
+ *
+ * ---
+ * ## Hybrid/BFF Mode (Backend-For-Frontend)
+ *
+ * In hybrid mode, the browser generates PKCE and redirects to the IdP, but the
+ * backend exchanges the authorization code for tokens. This keeps tokens server-side
+ * for improved security.
+ *
+ * ### Config shape:
+ * ```js
+ * const hybridConfig = {
+ *   authMode: "hybrid",
+ *   oidc: {
+ *     authorizationEndpoint: "https://auth.example.com/realms/myrealm/protocol/openid-connect/auth",
+ *     clientId: "my-client",
+ *     redirectUri: "https://app.example.com/auth/callback",
+ *     scope: "openid profile email",  // optional, defaults to "openid profile email"
+ *     prompt: "login"                 // optional
+ *   },
+ *   tokenExchange: {
+ *     endpoint: "/api/authenticate",  // Backend endpoint that exchanges code for tokens
+ *     provider: "tidecloak-auth",     // optional, defaults to "tidecloak-auth"
+ *     headers: () => ({               // optional, custom headers (e.g., CSRF token)
+ *       "anti-csrf-token": getCSRFToken()
+ *     })
+ *   }
+ * };
+ * ```
+ *
+ * ### Login Page:
+ * ```js
+ * // Load config and trigger login
+ * await IAMService.loadConfig(hybridConfig);
+ * IAMService.doLogin("/dashboard");  // returnUrl after successful auth
+ * ```
+ *
+ * ### Redirect/Callback Page:
+ * ```js
+ * // initIAM handles the callback automatically - exchanges code for tokens via backend
+ * const authenticated = await IAMService.initIAM(hybridConfig);
+ * if (authenticated) {
+ *   const returnUrl = IAMService.getReturnUrl() || "/";
+ *   window.location.assign(returnUrl);
+ * }
+ * ```
+ *
+ * ### Token Exchange Request Format:
+ * The backend endpoint receives a POST request with:
+ * ```json
+ * {
+ *   "accessToken": "{\"code\":\"...\",\"code_verifier\":\"...\",\"redirect_uri\":\"...\"}",
+ *   "provider": "tidecloak-auth"
+ * }
+ * ```
+ *
+ * ---
+ * ## Events
+ * - `ready` - Emitted when initialization completes (with authenticated boolean)
+ * - `initError` - Emitted when initialization fails
+ * - `authSuccess` - Emitted on successful authentication
+ * - `authError` - Emitted on authentication failure
+ * - `authRefreshSuccess` - Emitted when token refresh succeeds (front-channel only)
+ * - `authRefreshError` - Emitted when token refresh fails (front-channel only)
+ * - `logout` - Emitted on logout
+ * - `tokenExpired` - Emitted when token expires (front-channel only)
  */
 declare class IAMService {
     _tc: TideCloak | null;
     _config: Object | null;
     _listeners: {};
+    _hybridAuthenticated: boolean;
+    _hybridReturnUrl: string | null;
+    _hybridCallbackHandled: boolean;
+    _hybridCallbackPromise: any;
+    _cachedCallbackData: {
+        isCallback: boolean;
+        code: string;
+        verifier: string;
+        redirectUri: any;
+        returnUrl: string;
+        provider: any;
+        error: string | null;
+        errorDescription: string | null;
+    } | {
+        isCallback: boolean;
+        code: string;
+        verifier: string;
+        redirectUri: any;
+        returnUrl: string;
+        provider: any;
+        error: null;
+        errorDescription: null;
+    } | null;
     /**
      * Register an event listener.
      * @param {'ready'|'initError'|'authSuccess'|'authError'|'authRefreshSuccess'|'authRefreshError'|'logout'|'tokenExpired'} event
@@ -43,6 +138,11 @@ declare class IAMService {
     off(event: string, handler: Function): this;
     /** @private */
     private _emit;
+    /**
+     * Check if running in hybrid mode.
+     * @returns {boolean}
+     */
+    isHybridMode(): boolean;
     /**
      * Load TideCloak configuration and instantiate the client once.
      * @param {Object} config - TideCloak configuration object.
@@ -51,6 +151,7 @@ declare class IAMService {
     loadConfig(config: Object): Promise<Object | null>;
     /**
      * Initialize the TideCloak SSO client with silent SSO check.
+     * In hybrid mode, handles the redirect callback if present.
      * @param {Object} config - TideCloak configuration object.
      * @param {Function} [onReady] - Optional callback for the 'ready' event.
      * @returns {Promise<boolean>} true if authenticated, else false.
@@ -60,47 +161,168 @@ declare class IAMService {
     private getTideCloakClient;
     /** @returns {Object} Loaded config */
     getConfig(): Object;
-    /** @returns {boolean} Whether there's a valid token */
+    /** @returns {boolean} Whether there's a valid token (or session in hybrid mode) */
     isLoggedIn(): boolean;
-    /** @returns {Promise<string>} Valid token (refreshing if needed) */
+    /**
+     * Get valid token (refreshing if needed).
+     * @returns {Promise<string>}
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getToken(): Promise<string>;
-    /** Seconds until token expiry */
+    /**
+     * Seconds until token expiry.
+     * @returns {number}
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getTokenExp(): number;
-    /** @returns {string} ID token */
+    /**
+     * Get ID token.
+     * @returns {string}
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getIDToken(): string;
-    /** @returns {string} Username (preferred_username claim) */
+    /**
+     * Get username (preferred_username claim).
+     * @returns {string}
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getName(): string;
     /**
-     *  @param {string} role - the name of the role to check
-     *  @returns {boolean} Whether the user has a given realm role */
+     * Get the return URL after successful hybrid authentication.
+     * Only available in hybrid mode after successful auth.
+     * @returns {string|null}
+     */
+    getReturnUrl(): string | null;
+    /**
+     * Check if user has a realm role.
+     * @param {string} role - the name of the role to check
+     * @returns {boolean} Whether the user has a given realm role
+     * @throws {Error} In hybrid mode (role checks not available client-side)
+     */
     hasRealmRole(role: string): boolean;
     /**
+     * Check if user has a client role.
      * @param {string} role - the name of the role to check
      * @param {string} [client] - optional client-ID (defaults to the configured adapter resource)
      * @returns {boolean} - whether the user has that role
+     * @throws {Error} In hybrid mode (role checks not available client-side)
      */
     hasClientRole(role: string, client?: string): boolean;
     /**
+     * Get custom claim from access token.
      * @param {string} key - The name of the claim to retrieve from the Access token's payload.
-     * @returns {*} Custom claim from access token */
+     * @returns {*} Custom claim from access token
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getValueFromToken(key: string): any;
     /**
+     * Get custom claim from ID token.
      * @param {string} key - The name of the claim to retrieve from the ID token's payload.
-     * @returns {*} Custom claim from access token */
+     * @returns {*} Custom claim from ID token
+     * @throws {Error} In hybrid mode (tokens are server-side)
+     */
     getValueFromIDToken(key: string): any;
-    /** Refreshes token if expired or about to expire */
-    updateIAMToken(): Promise<any>;
-    /** Force immediate refresh (min validity = -1) */
-    forceUpdateToken(): Promise<any>;
-    /** Start login redirect */
-    doLogin(): void;
-    /** Encrypt data via adapter */
-    doEncrypt(data: any): Promise<any>;
-    /** Decrypt data via adapter */
-    doDecrypt(data: any): Promise<any>;
-    /** Logout, clear cookie, then redirect */
+    /**
+     * Refreshes token if expired or about to expire.
+     * @returns {Promise<boolean>}
+     * @throws {Error} In hybrid mode (token refresh handled server-side)
+     */
+    updateIAMToken(): Promise<boolean>;
+    /**
+     * Force immediate refresh (min validity = -1).
+     * @returns {Promise<boolean>}
+     * @throws {Error} In hybrid mode (token refresh handled server-side)
+     */
+    forceUpdateToken(): Promise<boolean>;
+    /**
+     * Start login redirect.
+     * In hybrid mode, initiates PKCE flow and redirects to IdP.
+     * @param {string} [returnUrl] - URL to redirect to after successful auth (hybrid mode only)
+     */
+    doLogin(returnUrl?: string): Promise<void> | undefined;
+    /**
+     * Encrypt data via adapter.
+     * Not available in hybrid mode (encryption requires client-side doken).
+     */
+    doEncrypt(data: any): Promise<(string | Uint8Array<ArrayBufferLike>)[]>;
+    /**
+     * Decrypt data via adapter.
+     * Not available in hybrid mode (decryption requires client-side doken).
+     */
+    doDecrypt(data: any): Promise<(string | Uint8Array<ArrayBufferLike>)[]>;
+    /**
+     * Logout, clear cookie/session, then redirect.
+     * In hybrid mode, clears local state and emits logout event.
+     */
     doLogout(): void;
-    /** Base URL for Tidecloak realm (no trailing slash) */
+    /**
+     * Base URL for Tidecloak realm (no trailing slash).
+     * In hybrid mode returns empty string.
+     */
     getBaseUrl(): any;
+    /**
+     * Start hybrid login flow: generate PKCE, store verifier, redirect to IdP.
+     * @private
+     * @param {string} returnUrl - URL to redirect to after successful auth
+     */
+    private _startHybridLogin;
+    /**
+     * Get hybrid callback data for custom token exchange.
+     * Use this when you need to handle token exchange with your own auth system
+     * (e.g., using a custom useLogin hook) instead of IAMService's built-in fetchJson.
+     *
+     * @param {Object} [opts] - Options
+     * @param {boolean} [opts.clearStorage=true] - Whether to clear sessionStorage after reading
+     * @param {string} [opts.redirectUri] - Override redirect URI (use when config isn't loaded)
+     * @param {string} [opts.provider] - Override provider (defaults to "tidecloak-auth")
+     * @returns {{
+     *   isCallback: boolean,
+     *   code: string,
+     *   verifier: string,
+     *   redirectUri: string,
+     *   returnUrl: string,
+     *   provider: string,
+     *   error: string|null,
+     *   errorDescription: string|null
+     * }}
+     *
+     * @example
+     * // With redirectUri override (recommended for callback pages after full navigation)
+     * const data = IAMService.getHybridCallbackData({
+     *   redirectUri: process.env.KEYCLOAK_REDIRECTURI,
+     * });
+     * if (data.isCallback && data.code && data.verifier) {
+     *   login.execute({
+     *     accessToken: JSON.stringify({
+     *       code: data.code,
+     *       code_verifier: data.verifier,
+     *       redirect_uri: data.redirectUri,
+     *     }),
+     *     provider: data.provider,
+     *   });
+     * }
+     */
+    getHybridCallbackData(opts?: {
+        clearStorage?: boolean | undefined;
+        redirectUri?: string | undefined;
+        provider?: string | undefined;
+    }): {
+        isCallback: boolean;
+        code: string;
+        verifier: string;
+        redirectUri: string;
+        returnUrl: string;
+        provider: string;
+        error: string | null;
+        errorDescription: string | null;
+    };
+    /**
+     * Handle hybrid redirect callback: exchange code for tokens via backend endpoint.
+     * @private
+     * @param {Object} opts - Options
+     * @param {string} [opts.onMissingVerifierRedirectTo] - URL to redirect if verifier is missing
+     * @returns {Promise<{handled: boolean, authenticated: boolean, returnUrl: string}>}
+     */
+    private _handleHybridRedirectCallback;
 }
-import TideCloak from "../lib/tidecloak";
+import TideCloak from "../lib/tidecloak.js";