@toa.io/extensions.exposition 1.0.0-alpha.149 → 1.0.0-alpha.150

package/components/identity.federation/manifest.toa.yaml

@@ -41,6 +41,7 @@ operations:
     input:
       authority*: string
       credentials*: string
+      scheme: [bearer, code]
     output:
       properties:
         identity:
@@ -90,30 +91,29 @@ configuration:
           additionalProperties: false
           properties:
             iss:
-              description: Allowed origins for a token `iss` field
+              description: Allowed values for a token `iss` field
               type: string
               format: uri
             aud:
-              description: Acceptable `aud` value(s)
-              type: array
-              items:
-                type: string
-              uniqueItems: true
-              minItems: 1
-            secrets:
-              description: Symmetric encryption secrets
-              type: object
-              patternProperties:
-                ^HS\d{3}$:
-                  type: object
-                  patternProperties:
-                    ^\w+$:
-                      type: string
-                  minProperties: 1
-              additionalProperties: false
-              minProperties: 1
+              description: Acceptable `aud` value(s). Required for Authorization Code Flow.
+              anyOf:
+                - type: string
+                - type: array
+                  items: { type: string }
+                  uniqueItems: true
+                  minItems: 1
+            signature:
+              properties:
+                iss: { type: string }
+                kid: { type: string }
+                key: { type: string }
+              required: [iss, kid, key]
+            secret:
+              description: Client secret for the Identity Provider. Required for Authorization Code Flow.
+              type: string
           required:
             - iss
+        default: []
       principal:
         title: Principal
         description: Subject that will be assigned the `system` Role
@@ -128,13 +128,10 @@ configuration:
           - iss
           - sub
         additionalProperties: false
-      implicit:
-        title: Implicitly create Identity
-        description: |
-          Enabling this will make Identity inception impossible.
-          DEPRECATED: use `auth:assert`
+      assert:
+        title: Implicitly incept Identity for new credentials
         type: boolean
-        default: false
+        default: true
     additionalProperties: false
 
 stash: ~

package/components/identity.federation/operations/authenticate.d.ts

@@ -1,14 +1,16 @@
-import { type Maybe } from '@toa.io/types';
-import type { Context, IdToken } from './types';
-export declare const computation: (args_0: Input, context: Context) => Promise<Error | Promise<Maybe<Output>>>;
+import type { JWTPayload } from 'jose';
+import type { Maybe } from '@toa.io/types';
+import type { Context, Scheme } from './types';
+export declare function effect({ scheme, authority, credentials }: Input, context: Context): Promise<Maybe<Output>>;
 interface Input {
+    scheme: Scheme;
     authority: string;
     credentials: string;
 }
 interface Output {
     identity: {
         id: string;
-        claims: Pick<IdToken, 'iss' | 'sub' | 'aud'>;
+        claims: JWTPayload;
     };
 }
 export {};

package/components/identity.federation/operations/authenticate.js

@@ -1,21 +1,31 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.computation = void 0;
+exports.effect = void 0;
 const error_value_1 = require("error-value");
-const assertions_as_values_js_1 = require("./lib/assertions-as-values.js");
-const jwt_1 = require("./lib/jwt");
-async function authenticate({ authority, credentials }, context) {
-    const claims = await (0, jwt_1.decode)(credentials, context.configuration.trust, context.stash);
+const lib_1 = require("./lib");
+async function effect({ scheme, authority, credentials }, context) {
+    context.logs.debug('Authenticating', { scheme, authority, credentials });
+    const ctx = {
+        trust: context.configuration.trust,
+        stash: context.stash,
+        logs: context.logs
+    };
+    const claims = scheme === 'bearer'
+        ? await (0, lib_1.decode)(credentials, ctx)
+        : await (0, lib_1.exchange)(credentials, ctx);
+    if (claims instanceof Error)
+        return claims;
     const { iss, sub } = claims;
     context.logs.debug('Token claims', claims);
-    const identity = context.configuration.implicit
+    const identity = context.configuration.assert !== false
         ? await context.local.ensure({ entity: { authority, iss, sub } })
         : await context.local.observe({ query: { criteria: `authority==${authority};iss==${iss};sub==${sub}` } });
     if (identity === null)
         return ERR_NOT_FOUND;
+    if (identity instanceof Error)
+        return identity;
     return { identity: { id: identity.id, claims } };
 }
+exports.effect = effect;
 const ERR_NOT_FOUND = new error_value_1.Err('NOT_FOUND');
-// Exporting as a function returning assertion errors as values
-exports.computation = (0, assertions_as_values_js_1.assertionsAsValues)(authenticate);
 //# sourceMappingURL=authenticate.js.map

package/components/identity.federation/operations/authenticate.js.map

@@ -1 +1 @@
-{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../source/authenticate.ts"],"names":[],"mappings":";;;AACA,6CAAiC;AACjC,2EAAkE;AAClE,mCAAkC;AAGlC,KAAK,UAAU,YAAY,CAAE,EAAE,SAAS,EAAE,WAAW,EAAS,EAAE,OAAgB;IAC9E,MAAM,MAAM,GAAG,MAAM,IAAA,YAAM,EAAC,WAAW,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;IACpF,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAA;IAE3B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,MAAM,CAAC,CAAA;IAE1C,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ;QAC7C,CAAC,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;QACjE,CAAC,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,cAAc,SAAS,SAAS,GAAG,SAAS,GAAG,EAAE,EAAE,EAAE,CAAC,CAAA;IAE3G,IAAI,QAAQ,KAAK,IAAI;QACnB,OAAO,aAAa,CAAA;IAEtB,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,CAAA;AAClD,CAAC;AAED,MAAM,aAAa,GAAG,IAAI,iBAAG,CAAC,WAAW,CAAC,CAAA;AAE1C,+DAA+D;AAClD,QAAA,WAAW,GAAG,IAAA,4CAAkB,EAAC,YAAY,CAAC,CAAA"}
+{"version":3,"file":"authenticate.js","sourceRoot":"","sources":["../source/authenticate.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AACjC,+BAAwC;AAMjC,KAAK,UAAU,MAAM,CAAE,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAS,EAAE,OAAgB;IACvF,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAA;IAExE,MAAM,GAAG,GAAQ;QACf,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAA;IAED,MAAM,MAAM,GAAG,MAAM,KAAK,QAAQ;QAChC,CAAC,CAAC,MAAM,IAAA,YAAM,EAAC,WAAW,EAAE,GAAG,CAAC;QAChC,CAAC,CAAC,MAAM,IAAA,cAAQ,EAAC,WAAW,EAAE,GAAG,CAAC,CAAA;IAEpC,IAAI,MAAM,YAAY,KAAK;QACzB,OAAO,MAAM,CAAA;IAEf,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAA;IAE3B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,MAAM,CAAC,CAAA;IAE1C,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,KAAK;QACrD,CAAC,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;QACjE,CAAC,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,cAAc,SAAS,SAAS,GAAG,SAAS,GAAG,EAAE,EAAE,EAAE,CAAC,CAAA;IAE3G,IAAI,QAAQ,KAAK,IAAI;QACnB,OAAO,aAAa,CAAA;IAEtB,IAAI,QAAQ,YAAY,KAAK;QAC3B,OAAO,QAAQ,CAAA;IAEjB,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,EAAE,CAAA;AAClD,CAAC;AA/BD,wBA+BC;AAED,MAAM,aAAa,GAAG,IAAI,iBAAG,CAAC,WAAW,CAAC,CAAA"}

package/components/identity.federation/operations/decode.d.ts

@@ -1,2 +1,3 @@
-import type { Context, IdToken } from './types';
-export declare const computation: (token: string, context: Context) => Promise<Error | Promise<IdToken>>;
+import type { JWTPayload } from 'jose';
+import type { Context } from './types';
+export declare function effect(token: string, context: Context): Promise<JWTPayload | Error>;

package/components/identity.federation/operations/decode.js

@@ -1,33 +1,13 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.computation = void 0;
-const jwt = __importStar(require("./lib/jwt"));
-const assertions_as_values_1 = require("./lib/assertions-as-values");
-async function decode(token, context) {
-    return await jwt.decode(token, context.configuration.trust, context.stash);
+exports.effect = void 0;
+const lib_1 = require("./lib");
+async function effect(token, context) {
+    return await (0, lib_1.decode)(token, {
+        trust: context.configuration.trust,
+        stash: context.stash,
+        logs: context.logs
+    });
 }
-exports.computation = (0, assertions_as_values_1.assertionsAsValues)(decode);
+exports.effect = effect;
 //# sourceMappingURL=decode.js.map

package/components/identity.federation/operations/decode.js.map

@@ -1 +1 @@
-{"version":3,"file":"decode.js","sourceRoot":"","sources":["../source/decode.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,+CAAgC;AAChC,qEAA+D;AAG/D,KAAK,UAAU,MAAM,CAAE,KAAa,EAAE,OAAgB;IACpD,OAAO,MAAM,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;AAC5E,CAAC;AAEY,QAAA,WAAW,GAAG,IAAA,yCAAkB,EAAC,MAAM,CAAC,CAAA"}
+{"version":3,"file":"decode.js","sourceRoot":"","sources":["../source/decode.ts"],"names":[],"mappings":";;;AAAA,+BAA8B;AAIvB,KAAK,UAAU,MAAM,CAAE,KAAa,EAAE,OAAgB;IAC3D,OAAO,MAAM,IAAA,YAAM,EAAC,KAAK,EAAE;QACzB,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAC,CAAA;AACJ,CAAC;AAND,wBAMC"}

package/components/identity.federation/operations/incept.d.ts

@@ -1,5 +1,7 @@
-import type { Context } from './types';
+import type { Context, Scheme } from './types';
+export declare function effect(input: Input, context: Context): Promise<Output | Error>;
 export interface Input {
+    scheme: Scheme;
     authority: string;
     credentials: string;
     id?: string;
@@ -7,4 +9,3 @@ export interface Input {
 export interface Output {
     id: string;
 }
-export declare const effect: (input: Input, context: Context) => Promise<Error | Promise<Output>>;

package/components/identity.federation/operations/incept.js

@@ -1,14 +1,24 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.effect = void 0;
-const assertions_as_values_js_1 = require("./lib/assertions-as-values.js");
-const jwt_1 = require("./lib/jwt");
-async function incept(input, context) {
-    const { iss, sub } = await (0, jwt_1.decode)(input.credentials, context.configuration.trust, context.stash);
+const error_value_1 = require("error-value");
+const lib_1 = require("./lib");
+async function effect(input, context) {
+    if (input.scheme !== 'bearer')
+        return ERR_SCHEME;
+    const payload = await (0, lib_1.decode)(input.credentials, {
+        trust: context.configuration.trust,
+        stash: context.stash,
+        logs: context.logs
+    });
+    if (payload instanceof Error)
+        return payload;
+    const { iss, sub } = payload;
     const request = { input: { authority: input.authority, iss, sub } };
     if (input.id !== undefined)
         request.query = { id: input.id };
     return await context.local.transit(request);
 }
-exports.effect = (0, assertions_as_values_js_1.assertionsAsValues)(incept);
+exports.effect = effect;
+const ERR_SCHEME = new error_value_1.Err('ERR_SCHEME', 'Unsupported scheme');
 //# sourceMappingURL=incept.js.map

package/components/identity.federation/operations/incept.js.map

@@ -1 +1 @@
-{"version":3,"file":"incept.js","sourceRoot":"","sources":["../source/incept.ts"],"names":[],"mappings":";;;AAAA,2EAAkE;AAClE,mCAAkC;AAIlC,KAAK,UAAU,MAAM,CAAE,KAAY,EAAE,OAAgB;IACnD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,IAAA,YAAM,EAAC,KAAK,CAAC,WAAW,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;IAChG,MAAM,OAAO,GAA0B,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,EAA+B,EAAE,CAAA;IAEvH,IAAI,KAAK,CAAC,EAAE,KAAK,SAAS;QACxB,OAAO,CAAC,KAAK,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAA;IAElC,OAAO,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;AAC7C,CAAC;AAYY,QAAA,MAAM,GAAG,IAAA,4CAAkB,EAAC,MAAM,CAAC,CAAA"}
+{"version":3,"file":"incept.js","sourceRoot":"","sources":["../source/incept.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AACjC,+BAA8B;AAIvB,KAAK,UAAU,MAAM,CAAE,KAAY,EAAE,OAAgB;IAC1D,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAA;IAEhD,MAAM,OAAO,GAAG,MAAM,IAAA,YAAM,EAAC,KAAK,CAAC,WAAW,EAAE;QAC9C,KAAK,EAAE,OAAO,CAAC,aAAa,CAAC,KAAK;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,IAAI,EAAE,OAAO,CAAC,IAAI;KACnB,CAAC,CAAA;IAEF,IAAI,OAAO,YAAY,KAAK;QAC1B,OAAO,OAAO,CAAA;IAEhB,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAA;IAC5B,MAAM,OAAO,GAA0B,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,EAA+B,EAAE,CAAA;IAEvH,IAAI,KAAK,CAAC,EAAE,KAAK,SAAS;QACxB,OAAO,CAAC,KAAK,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,CAAA;IAElC,OAAO,MAAM,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;AAC7C,CAAC;AAnBD,wBAmBC;AAED,MAAM,UAAU,GAAG,IAAI,iBAAG,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAA"}

package/components/identity.federation/operations/lib/Configuration.d.ts

@@ -0,0 +1,39 @@
+export interface Configuration extends Record<string, unknown> {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    jwks_uri: string;
+    registration_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    response_modes_supported?: string[];
+    grant_types_supported?: string[];
+    acr_values_supported?: string[];
+    subject_types_supported: string[];
+    id_token_signing_alg_values_supported: string[];
+    id_token_encryption_alg_values_supported?: string[];
+    id_token_encryption_enc_values_supported?: string[];
+    userinfo_signing_alg_values_supported?: string[];
+    userinfo_encryption_alg_values_supported?: string[];
+    userinfo_encryption_enc_values_supported?: string[];
+    request_object_signing_alg_values_supported?: string[];
+    request_object_encryption_alg_values_supported?: string[];
+    request_object_encryption_enc_values_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+    token_endpoint_auth_signing_alg_values_supported?: string[];
+    display_values_supported?: string[];
+    claim_types_supported?: string[];
+    claims_supported?: string[];
+    service_documentation?: string;
+    claims_locales_supported?: string[];
+    ui_locales_supported?: string[];
+    claims_parameter_supported?: boolean;
+    request_parameter_supported?: boolean;
+    request_uri_parameter_supported?: boolean;
+    require_request_uri_registration?: boolean;
+    op_policy_uri?: string;
+    op_tos_uri?: string;
+    check_session_iframe?: string;
+    end_session_endpoint?: string;
+}

package/components/identity.federation/operations/lib/Configuration.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Configuration.js.map

package/components/identity.federation/operations/lib/Configuration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Configuration.js","sourceRoot":"","sources":["../../source/lib/Configuration.ts"],"names":[],"mappings":""}

package/components/identity.federation/operations/lib/Ctx.d.ts

@@ -0,0 +1,7 @@
+import type { Stash, telemetry } from '@toa.io/types';
+import type { Trust } from '../types';
+export interface Ctx {
+    trust: Trust[];
+    stash: Stash;
+    logs: telemetry.Logs;
+}

package/components/identity.federation/operations/lib/Ctx.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Ctx.js.map

package/components/identity.federation/operations/lib/Ctx.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Ctx.js","sourceRoot":"","sources":["../../source/lib/Ctx.ts"],"names":[],"mappings":""}

package/components/identity.federation/operations/lib/Payload.d.ts

@@ -0,0 +1,5 @@
+import type * as jose from 'jose';
+export interface Payload extends jose.JWTPayload {
+    iss: string;
+    sub: string;
+}

package/components/identity.federation/operations/lib/Payload.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=Payload.js.map

package/components/identity.federation/operations/lib/Payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Payload.js","sourceRoot":"","sources":["../../source/lib/Payload.ts"],"names":[],"mappings":""}

package/components/identity.federation/operations/lib/decode.d.ts

@@ -0,0 +1,3 @@
+import type { Ctx } from './Ctx';
+import type { Payload } from './Payload';
+export declare function decode(token: string, ctx: Ctx): Promise<Payload | Error>;

package/components/identity.federation/operations/lib/decode.js

@@ -0,0 +1,59 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decode = void 0;
+const jose = __importStar(require("jose"));
+const discovery_1 = require("./discovery");
+const errors_1 = require("./errors");
+const jwks = {};
+async function decode(token, ctx) {
+    const { iss, sub } = jose.decodeJwt(token);
+    if (typeof iss !== 'string')
+        return errors_1.ERR_ISS;
+    if (typeof sub !== 'string')
+        return errors_1.ERR_SUB;
+    const trusted = ctx.trust.find((trust) => trust.iss === iss);
+    if (trusted === undefined)
+        return errors_1.ERR_TRUST;
+    jwks[iss] ??= await (0, discovery_1.createRemoteJWKSet)(iss);
+    const { payload } = await jose.jwtVerify(token, jwks[iss], { audience: trusted.aud });
+    if (payload.jti !== undefined) {
+        const error = await validateJti(payload, ctx.stash);
+        if (error instanceof Error)
+            return error;
+    }
+    return payload;
+}
+exports.decode = decode;
+async function validateJti(payload, stash) {
+    if (payload.exp === undefined)
+        return errors_1.ERR_EXP;
+    const ttl = payload.exp - Math.floor(Date.now() / 1000);
+    const key = `identity:federation:jti:${payload.jti}`;
+    const ok = await stash.set(key, 1, 'EX', ttl, 'NX'); // set if not exists
+    if (ok === null)
+        return errors_1.ERR_REPLAY;
+}
+//# sourceMappingURL=decode.js.map

package/components/identity.federation/operations/lib/decode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode.js","sourceRoot":"","sources":["../../source/lib/decode.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA4B;AAC5B,2CAAgD;AAChD,qCAA2E;AAK3E,MAAM,IAAI,GAAmE,EAAE,CAAA;AAExE,KAAK,UAAU,MAAM,CAAE,KAAa,EAAE,GAAQ;IACnD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAE1C,IAAI,OAAO,GAAG,KAAK,QAAQ;QACzB,OAAO,gBAAO,CAAA;IAEhB,IAAI,OAAO,GAAG,KAAK,QAAQ;QACzB,OAAO,gBAAO,CAAA;IAEhB,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IAE5D,IAAI,OAAO,KAAK,SAAS;QACvB,OAAO,kBAAS,CAAA;IAElB,IAAI,CAAC,GAAG,CAAC,KAAK,MAAM,IAAA,8BAAkB,EAAC,GAAG,CAAC,CAAA;IAE3C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAErF,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,OAAO,EAAE,GAAG,CAAC,KAAK,CAAC,CAAA;QAEnD,IAAI,KAAK,YAAY,KAAK;YACxB,OAAO,KAAK,CAAA;IAChB,CAAC;IAED,OAAO,OAAkB,CAAA;AAC3B,CAAC;AA1BD,wBA0BC;AAED,KAAK,UAAU,WAAW,CAAE,OAAwB,EAAE,KAAY;IAChE,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS;QAC3B,OAAO,gBAAO,CAAA;IAEhB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACvD,MAAM,GAAG,GAAG,2BAA2B,OAAO,CAAC,GAAG,EAAE,CAAA;IACpD,MAAM,EAAE,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAA,CAAC,oBAAoB;IAExE,IAAI,EAAE,KAAK,IAAI;QACb,OAAO,mBAAU,CAAA;AACrB,CAAC"}

package/components/identity.federation/operations/lib/discovery.d.ts

@@ -0,0 +1,4 @@
+import * as jose from 'jose';
+import type { Configuration } from './Configuration';
+export declare function discover(iss: string): Promise<Configuration>;
+export declare function createRemoteJWKSet(iss: string): Promise<ReturnType<typeof jose.createRemoteJWKSet>>;

package/components/identity.federation/operations/lib/{assertions-as-values.js → discovery.js}

@@ -23,25 +23,27 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.assertionsAsValues = void 0;
-const assert = __importStar(require("node:assert"));
-const openspan_1 = require("openspan");
-/**
- * Wrapping function that returns assertion errors as function return value
- */
-function assertionsAsValues(fn) {
-    return async (...args) => {
-        try {
-            return await fn(...args);
-        }
-        catch (err) {
-            if (err instanceof assert.AssertionError) {
-                openspan_1.console.error('OIDC Authentication exception', { message: err.message });
-                return err;
-            }
-            throw err;
-        }
-    };
+exports.createRemoteJWKSet = exports.discover = void 0;
+const jose = __importStar(require("jose"));
+const cache = new Map();
+async function discover(iss) {
+    if (!cache.has(iss)) {
+        const configuration = await fetchConfiguration(iss);
+        cache.set(iss, configuration);
+    }
+    return cache.get(iss);
+}
+exports.discover = discover;
+async function fetchConfiguration(iss) {
+    const response = await fetch(`${iss}/.well-known/openid-configuration`);
+    if (!response.ok)
+        throw new Error('Failed to fetch OIDC configuration');
+    return await response.json();
+}
+async function createRemoteJWKSet(iss) {
+    const configuration = await discover(iss);
+    const url = new URL(configuration.jwks_uri);
+    return jose.createRemoteJWKSet(url);
 }
-exports.assertionsAsValues = assertionsAsValues;
-//# sourceMappingURL=assertions-as-values.js.map
+exports.createRemoteJWKSet = createRemoteJWKSet;
+//# sourceMappingURL=discovery.js.map

package/components/identity.federation/operations/lib/discovery.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discovery.js","sourceRoot":"","sources":["../../source/lib/discovery.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA4B;AAG5B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAA;AAEvC,KAAK,UAAU,QAAQ,CAAE,GAAW;IACzC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,aAAa,GAAG,MAAM,kBAAkB,CAAC,GAAG,CAAC,CAAA;QAEnD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,CAAA;IAC/B,CAAC;IAED,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAE,CAAA;AACxB,CAAC;AARD,4BAQC;AAED,KAAK,UAAU,kBAAkB,CAAE,GAAW;IAC5C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,mCAAmC,CAAC,CAAA;IAEvE,IAAI,CAAC,QAAQ,CAAC,EAAE;QACd,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAA;IAEvD,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAmB,CAAA;AAC/C,CAAC;AAEM,KAAK,UAAU,kBAAkB,CAAE,GAAW;IACnD,MAAM,aAAa,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;IAE3C,OAAO,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;AACrC,CAAC;AALD,gDAKC"}

package/components/identity.federation/operations/lib/errors.d.ts

@@ -0,0 +1,11 @@
+import { Err } from 'error-value';
+export declare const ERR_TRUST: Err<"TRUST", any>;
+export declare const ERR_RESPONSE: Err<"RESPONSE", any>;
+export declare const ERR_CONFIG: Err<"CONFIG", any>;
+export declare const ERR_NO_TOKEN: Err<"NO_TOKEN", any>;
+export declare const ERR_ISS: Err<"ISS", any>;
+export declare const ERR_SUB: Err<"SUB", any>;
+export declare const ERR_EXP: Err<"EXP", any>;
+export declare const ERR_REPLAY: Err<"REPLAY", any>;
+export declare const ERR_CODE_NOT_ENABLED: Err<"CODE_NOT_ENABLED", any>;
+export declare const ERR_CODE_SCHEMA: Err<"CODE_SCHEMA", any>;

package/components/identity.federation/operations/lib/errors.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ERR_CODE_SCHEMA = exports.ERR_CODE_NOT_ENABLED = exports.ERR_REPLAY = exports.ERR_EXP = exports.ERR_SUB = exports.ERR_ISS = exports.ERR_NO_TOKEN = exports.ERR_CONFIG = exports.ERR_RESPONSE = exports.ERR_TRUST = void 0;
+const error_value_1 = require("error-value");
+exports.ERR_TRUST = new error_value_1.Err('TRUST', 'Issuer not trusted');
+exports.ERR_RESPONSE = new error_value_1.Err('RESPONSE', 'Request to IDP failed');
+exports.ERR_CONFIG = new error_value_1.Err('CONFIG', 'Invalid OpenID configuration');
+exports.ERR_NO_TOKEN = new error_value_1.Err('NO_TOKEN', 'No ID token received');
+exports.ERR_ISS = new error_value_1.Err('ISS', 'Invalid issuer claim');
+exports.ERR_SUB = new error_value_1.Err('SUB', 'Invalid subject claim');
+exports.ERR_EXP = new error_value_1.Err('EXP', 'Token does not have an expiration time');
+exports.ERR_REPLAY = new error_value_1.Err('REPLAY', 'Token has already been used');
+exports.ERR_CODE_NOT_ENABLED = new error_value_1.Err('CODE_NOT_ENABLED', 'Authorization code flow is not configured');
+exports.ERR_CODE_SCHEMA = new error_value_1.Err('CODE_SCHEMA', 'Invalid code credentials');
+//# sourceMappingURL=errors.js.map

package/components/identity.federation/operations/lib/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../source/lib/errors.ts"],"names":[],"mappings":";;;AAAA,6CAAiC;AAEpB,QAAA,SAAS,GAAG,IAAI,iBAAG,CAAC,OAAO,EAAE,oBAAoB,CAAC,CAAA;AAClD,QAAA,YAAY,GAAG,IAAI,iBAAG,CAAC,UAAU,EAAE,uBAAuB,CAAC,CAAA;AAC3D,QAAA,UAAU,GAAG,IAAI,iBAAG,CAAC,QAAQ,EAAE,8BAA8B,CAAC,CAAA;AAC9D,QAAA,YAAY,GAAG,IAAI,iBAAG,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAA;AAC1D,QAAA,OAAO,GAAG,IAAI,iBAAG,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAA;AAChD,QAAA,OAAO,GAAG,IAAI,iBAAG,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAA;AACjD,QAAA,OAAO,GAAG,IAAI,iBAAG,CAAC,KAAK,EAAE,wCAAwC,CAAC,CAAA;AAClE,QAAA,UAAU,GAAG,IAAI,iBAAG,CAAC,QAAQ,EAAE,6BAA6B,CAAC,CAAA;AAC7D,QAAA,oBAAoB,GAAG,IAAI,iBAAG,CAAC,kBAAkB,EAAE,2CAA2C,CAAC,CAAA;AAC/F,QAAA,eAAe,GAAG,IAAI,iBAAG,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAA"}

package/components/identity.federation/operations/lib/exchange.d.ts

@@ -0,0 +1,3 @@
+import type { Ctx } from './Ctx';
+import type { Payload } from './Payload';
+export declare function exchange(credentials: string, ctx: Ctx): Promise<Payload | Error>;

package/components/identity.federation/operations/lib/exchange.js

@@ -0,0 +1,107 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.exchange = void 0;
+const jose = __importStar(require("jose"));
+const discovery_1 = require("./discovery");
+const errors = __importStar(require("./errors"));
+const jwks = {};
+async function exchange(credentials, ctx) {
+    const properties = decode(credentials);
+    if (properties instanceof Error)
+        return properties;
+    const { code, iss, for: redirect } = properties;
+    const trusted = ctx.trust.find((trust) => trust.iss === iss);
+    if (trusted === undefined)
+        return errors.ERR_TRUST;
+    if (trusted.aud === undefined || (trusted.secret === undefined && trusted.signature === undefined))
+        return errors.ERR_CODE_NOT_ENABLED;
+    const configuration = await (0, discovery_1.discover)(iss);
+    if (configuration.token_endpoint === undefined)
+        return errors.ERR_CONFIG;
+    // array actually is not expected here, but it is a valid format
+    const aud = Array.isArray(trusted.aud) ? trusted.aud[0] : trusted.aud;
+    const secret = trusted.secret ?? await sign(trusted);
+    const params = new URLSearchParams();
+    params.append('grant_type', 'authorization_code');
+    params.append('code', code);
+    params.append('client_id', aud);
+    params.append('client_secret', secret);
+    params.append('redirect_uri', redirect);
+    ctx.logs.debug('Exchanging code', {
+        iss,
+        aud,
+        for: redirect,
+        auth: trusted.secret === undefined ? 'signature' : 'secret',
+        code
+    });
+    const response = await fetch(configuration.token_endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded'
+        },
+        body: params
+    });
+    if (!response.ok) {
+        ctx.logs.error('Code exchange failed', { status: response.status, text: await response.text() });
+        return errors.ERR_RESPONSE;
+    }
+    const tokens = await response.json();
+    if (tokens.id_token === undefined)
+        return errors.ERR_NO_TOKEN;
+    jwks[iss] ??= await (0, discovery_1.createRemoteJWKSet)(iss);
+    const { payload } = await jose.jwtVerify(tokens.id_token, jwks[iss], {
+        audience: trusted.aud,
+        issuer: iss
+    });
+    return payload;
+}
+exports.exchange = exchange;
+function decode(credentials) {
+    const json = Buffer.from(credentials, 'base64').toString('utf8');
+    const properties = JSON.parse(json);
+    if (typeof properties.code !== 'string' ||
+        typeof properties.iss !== 'string' ||
+        typeof properties.for !== 'string' ||
+        Object.keys(properties).length !== CREDENTIAL_PROPERTIES.length)
+        return errors.ERR_CODE_SCHEMA;
+    return properties;
+}
+async function sign(trust) {
+    const signature = trust.signature;
+    const aud = Array.isArray(trust.aud) ? trust.aud[0] : trust.aud;
+    const now = Math.floor(Date.now() / 1000);
+    const key = await jose.importPKCS8(signature.key, 'ES256');
+    return await new jose.SignJWT({})
+        .setProtectedHeader({ alg: 'ES256', kid: signature.kid })
+        .setIssuedAt(now)
+        .setExpirationTime(now + 300)
+        .setIssuer(signature.iss)
+        .setSubject(aud)
+        .setAudience(trust.iss)
+        .sign(key);
+}
+const CREDENTIAL_PROPERTIES = ['for', 'iss', 'code'];
+//# sourceMappingURL=exchange.js.map

package/components/identity.federation/operations/lib/exchange.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exchange.js","sourceRoot":"","sources":["../../source/lib/exchange.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,2CAA4B;AAC5B,2CAA0D;AAC1D,iDAAkC;AAKlC,MAAM,IAAI,GAAmE,EAAE,CAAA;AAExE,KAAK,UAAU,QAAQ,CAAE,WAAmB,EAAE,GAAQ;IAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,WAAW,CAAC,CAAA;IAEtC,IAAI,UAAU,YAAY,KAAK;QAC7B,OAAO,UAAU,CAAA;IAEnB,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,UAAU,CAAA;IAE/C,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,KAAK,GAAG,CAAC,CAAA;IAE5D,IAAI,OAAO,KAAK,SAAS;QACvB,OAAO,MAAM,CAAC,SAAS,CAAA;IAEzB,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,CAAC;QAChG,OAAO,MAAM,CAAC,oBAAoB,CAAA;IAEpC,MAAM,aAAa,GAAG,MAAM,IAAA,oBAAQ,EAAC,GAAG,CAAC,CAAA;IAEzC,IAAI,aAAa,CAAC,cAAc,KAAK,SAAS;QAC5C,OAAO,MAAM,CAAC,UAAU,CAAA;IAE1B,gEAAgE;IAChE,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAA;IACrE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,MAAM,IAAI,CAAC,OAAO,CAAC,CAAA;IACpD,MAAM,MAAM,GAAG,IAAI,eAAe,EAAE,CAAA;IAEpC,MAAM,CAAC,MAAM,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAA;IACjD,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;IAC3B,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,CAAA;IAC/B,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAA;IACtC,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,QAAQ,CAAC,CAAA;IAEvC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,iBAAiB,EAAE;QAChC,GAAG;QACH,GAAG;QACH,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,OAAO,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ;QAC3D,IAAI;KACL,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,CAAC,cAAc,EAAE;QACzD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,mCAAmC;SACpD;QACD,IAAI,EAAE,MAAM;KACb,CAAC,CAAA;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAA;QAEhG,OAAO,MAAM,CAAC,YAAY,CAAA;IAC5B,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA0B,CAAA;IAE5D,IAAI,MAAM,CAAC,QAAQ,KAAK,SAAS;QAC/B,OAAO,MAAM,CAAC,YAAY,CAAA;IAE5B,IAAI,CAAC,GAAG,CAAC,KAAK,MAAM,IAAA,8BAAkB,EAAC,GAAG,CAAC,CAAA;IAE3C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE;QACnE,QAAQ,EAAE,OAAO,CAAC,GAAG;QACrB,MAAM,EAAE,GAAG;KACZ,CAAC,CAAA;IAEF,OAAO,OAAkB,CAAA;AAC3B,CAAC;AAnED,4BAmEC;AAED,SAAS,MAAM,CAAE,WAAmB;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IAChE,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAe,CAAA;IAEjD,IACE,OAAO,UAAU,CAAC,IAAI,KAAK,QAAQ;QACnC,OAAO,UAAU,CAAC,GAAG,KAAK,QAAQ;QAClC,OAAO,UAAU,CAAC,GAAG,KAAK,QAAQ;QAClC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,qBAAqB,CAAC,MAAM;QAE/D,OAAO,MAAM,CAAC,eAAe,CAAA;IAE/B,OAAO,UAAU,CAAA;AACnB,CAAC;AAED,KAAK,UAAU,IAAI,CAAE,KAAY;IAC/B,MAAM,SAAS,GAAG,KAAK,CAAC,SAAU,CAAA;IAClC,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAI,CAAA;IAChE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;IACzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;IAE1D,OAAO,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;SAC9B,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,SAAS,CAAC,GAAG,EAAE,CAAC;SACxD,WAAW,CAAC,GAAG,CAAC;SAChB,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;SAC5B,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC;SACxB,UAAU,CAAC,GAAG,CAAC;SACf,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC;SACtB,IAAI,CAAC,GAAG,CAAC,CAAA;AACd,CAAC;AAED,MAAM,qBAAqB,GAA4B,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA"}

package/components/identity.federation/operations/lib/index.d.ts

@@ -0,0 +1,3 @@
+export { decode } from './decode';
+export { exchange } from './exchange';
+export { type Ctx } from './Ctx';