alepha 0.15.0 → 0.15.1

package/dist/server/auth/index.d.ts

@@ -1,10 +1,9 @@
-import * as alepha181 from "alepha";
+import * as alepha206 from "alepha";
 import { Alepha, Async, KIND, Primitive, Static } from "alepha";
 import * as alepha_server_cookies0 from "alepha/server/cookies";
 import { Cookies, ServerCookiesProvider } from "alepha/server/cookies";
 import { DateTimeProvider } from "alepha/datetime";
 import { AccessTokenResponse, IssuerPrimitive, SecurityProvider, UserAccount } from "alepha/security";
-import { Configuration } from "openid-client";
 import * as alepha_logger0 from "alepha/logger";
 import * as alepha_server0 from "alepha/server";
 import { ServerLinksProvider } from "alepha/server/links";
@@ -20,45 +19,45 @@ declare const alephaServerAuthRoutes: {
 };
 //#endregion
 //#region ../../src/server/auth/schemas/authenticationProviderSchema.d.ts
-declare const authenticationProviderSchema: alepha181.TObject<{
-  name: alepha181.TString;
-  type: alepha181.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
+declare const authenticationProviderSchema: alepha206.TObject<{
+  name: alepha206.TString;
+  type: alepha206.TUnsafe<"OAUTH2" | "OIDC" | "CREDENTIALS">;
 }>;
 type AuthenticationProvider = Static<typeof authenticationProviderSchema>;
 //#endregion
 //#region ../../src/server/auth/schemas/tokenResponseSchema.d.ts
-declare const tokenResponseSchema: alepha181.TObject<{
-  provider: alepha181.TString;
-  access_token: alepha181.TString;
-  issued_at: alepha181.TNumber;
-  expires_in: alepha181.TOptional<alepha181.TNumber>;
-  refresh_token: alepha181.TOptional<alepha181.TString>;
-  refresh_token_expires_in: alepha181.TOptional<alepha181.TNumber>;
-  refresh_expires_in: alepha181.TOptional<alepha181.TNumber>;
-  id_token: alepha181.TOptional<alepha181.TString>;
-  scope: alepha181.TOptional<alepha181.TString>;
-  user: alepha181.TObject<{
-    id: alepha181.TString;
-    name: alepha181.TOptional<alepha181.TString>;
-    email: alepha181.TOptional<alepha181.TString>;
-    username: alepha181.TOptional<alepha181.TString>;
-    picture: alepha181.TOptional<alepha181.TString>;
-    sessionId: alepha181.TOptional<alepha181.TString>;
-    organizations: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
-    roles: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
+declare const tokenResponseSchema: alepha206.TObject<{
+  provider: alepha206.TString;
+  access_token: alepha206.TString;
+  issued_at: alepha206.TNumber;
+  expires_in: alepha206.TOptional<alepha206.TNumber>;
+  refresh_token: alepha206.TOptional<alepha206.TString>;
+  refresh_token_expires_in: alepha206.TOptional<alepha206.TNumber>;
+  refresh_expires_in: alepha206.TOptional<alepha206.TNumber>;
+  id_token: alepha206.TOptional<alepha206.TString>;
+  scope: alepha206.TOptional<alepha206.TString>;
+  user: alepha206.TObject<{
+    id: alepha206.TString;
+    name: alepha206.TOptional<alepha206.TString>;
+    email: alepha206.TOptional<alepha206.TString>;
+    username: alepha206.TOptional<alepha206.TString>;
+    picture: alepha206.TOptional<alepha206.TString>;
+    sessionId: alepha206.TOptional<alepha206.TString>;
+    organizations: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
+    roles: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
   }>;
-  api: alepha181.TObject<{
-    prefix: alepha181.TOptional<alepha181.TString>;
-    links: alepha181.TArray<alepha181.TObject<{
-      name: alepha181.TString;
-      group: alepha181.TOptional<alepha181.TString>;
-      path: alepha181.TString;
-      method: alepha181.TOptional<alepha181.TString>;
-      requestBodyType: alepha181.TOptional<alepha181.TString>;
-      service: alepha181.TOptional<alepha181.TString>;
-      rawSchema: alepha181.TOptional<alepha181.TObject<{
-        body: alepha181.TOptional<alepha181.TString>;
-        response: alepha181.TOptional<alepha181.TString>;
+  api: alepha206.TObject<{
+    prefix: alepha206.TOptional<alepha206.TString>;
+    links: alepha206.TArray<alepha206.TObject<{
+      name: alepha206.TString;
+      group: alepha206.TOptional<alepha206.TString>;
+      path: alepha206.TString;
+      method: alepha206.TOptional<alepha206.TString>;
+      requestBodyType: alepha206.TOptional<alepha206.TString>;
+      service: alepha206.TOptional<alepha206.TString>;
+      rawSchema: alepha206.TOptional<alepha206.TObject<{
+        body: alepha206.TOptional<alepha206.TString>;
+        response: alepha206.TOptional<alepha206.TString>;
       }>>;
     }>>;
   }>;
@@ -66,49 +65,1075 @@ declare const tokenResponseSchema: alepha181.TObject<{
 type TokenResponse = Static<typeof tokenResponseSchema>;
 //#endregion
 //#region ../../src/server/auth/schemas/tokensSchema.d.ts
-declare const tokensSchema: alepha181.TObject<{
-  provider: alepha181.TString;
-  access_token: alepha181.TString;
-  issued_at: alepha181.TNumber;
-  expires_in: alepha181.TOptional<alepha181.TNumber>;
-  refresh_token: alepha181.TOptional<alepha181.TString>;
-  refresh_token_expires_in: alepha181.TOptional<alepha181.TNumber>;
-  refresh_expires_in: alepha181.TOptional<alepha181.TNumber>;
-  id_token: alepha181.TOptional<alepha181.TString>;
-  scope: alepha181.TOptional<alepha181.TString>;
+declare const tokensSchema: alepha206.TObject<{
+  provider: alepha206.TString;
+  access_token: alepha206.TString;
+  issued_at: alepha206.TNumber;
+  expires_in: alepha206.TOptional<alepha206.TNumber>;
+  refresh_token: alepha206.TOptional<alepha206.TString>;
+  refresh_token_expires_in: alepha206.TOptional<alepha206.TNumber>;
+  refresh_expires_in: alepha206.TOptional<alepha206.TNumber>;
+  id_token: alepha206.TOptional<alepha206.TString>;
+  scope: alepha206.TOptional<alepha206.TString>;
 }>;
 type Tokens = Static<typeof tokensSchema>;
 //#endregion
 //#region ../../src/server/auth/schemas/userinfoResponseSchema.d.ts
-declare const userinfoResponseSchema: alepha181.TObject<{
-  user: alepha181.TOptional<alepha181.TObject<{
-    id: alepha181.TString;
-    name: alepha181.TOptional<alepha181.TString>;
-    email: alepha181.TOptional<alepha181.TString>;
-    username: alepha181.TOptional<alepha181.TString>;
-    picture: alepha181.TOptional<alepha181.TString>;
-    sessionId: alepha181.TOptional<alepha181.TString>;
-    organizations: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
-    roles: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
+declare const userinfoResponseSchema: alepha206.TObject<{
+  user: alepha206.TOptional<alepha206.TObject<{
+    id: alepha206.TString;
+    name: alepha206.TOptional<alepha206.TString>;
+    email: alepha206.TOptional<alepha206.TString>;
+    username: alepha206.TOptional<alepha206.TString>;
+    picture: alepha206.TOptional<alepha206.TString>;
+    sessionId: alepha206.TOptional<alepha206.TString>;
+    organizations: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
+    roles: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
   }>>;
-  api: alepha181.TObject<{
-    prefix: alepha181.TOptional<alepha181.TString>;
-    links: alepha181.TArray<alepha181.TObject<{
-      name: alepha181.TString;
-      group: alepha181.TOptional<alepha181.TString>;
-      path: alepha181.TString;
-      method: alepha181.TOptional<alepha181.TString>;
-      requestBodyType: alepha181.TOptional<alepha181.TString>;
-      service: alepha181.TOptional<alepha181.TString>;
-      rawSchema: alepha181.TOptional<alepha181.TObject<{
-        body: alepha181.TOptional<alepha181.TString>;
-        response: alepha181.TOptional<alepha181.TString>;
+  api: alepha206.TObject<{
+    prefix: alepha206.TOptional<alepha206.TString>;
+    links: alepha206.TArray<alepha206.TObject<{
+      name: alepha206.TString;
+      group: alepha206.TOptional<alepha206.TString>;
+      path: alepha206.TString;
+      method: alepha206.TOptional<alepha206.TString>;
+      requestBodyType: alepha206.TOptional<alepha206.TString>;
+      service: alepha206.TOptional<alepha206.TString>;
+      rawSchema: alepha206.TOptional<alepha206.TObject<{
+        body: alepha206.TOptional<alepha206.TString>;
+        response: alepha206.TOptional<alepha206.TString>;
       }>>;
     }>>;
   }>;
 }>;
 type UserinfoResponse = Static<typeof userinfoResponseSchema>;
 //#endregion
+//#region ../../../../node_modules/oauth4webapi/build/index.d.ts
+/**
+ * JSON Object
+ */
+type JsonObject = { [Key in string]?: JsonValue };
+/**
+ * JSON Array
+ */
+type JsonArray = JsonValue[];
+/**
+ * JSON Primitives
+ */
+type JsonPrimitive = string | number | boolean | null;
+/**
+ * JSON Values
+ */
+type JsonValue = JsonPrimitive | JsonObject | JsonArray;
+/**
+ * Use to adjust the assumed current time. Positive and negative finite values representing seconds
+ * are allowed. Default is `0` (Date.now() + 0 seconds is used).
+ *
+ * @example
+ *
+ * When the local clock is mistakenly 1 hour in the past
+ *
+ * ```ts
+ * let client: oauth.Client = {
+ *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+ *   // ... other metadata
+ *   [oauth.clockSkew]: +(60 * 60),
+ * }
+ * ```
+ *
+ * @example
+ *
+ * When the local clock is mistakenly 1 hour in the future
+ *
+ * ```ts
+ * let client: oauth.Client = {
+ *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+ *   // ... other metadata
+ *   [oauth.clockSkew]: -(60 * 60),
+ * }
+ * ```
+ */
+declare const clockSkew: unique symbol;
+/**
+ * Use to set allowed clock tolerance when checking DateTime JWT Claims. Only positive finite values
+ * representing seconds are allowed. Default is `30` (30 seconds).
+ *
+ * @example
+ *
+ * Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf.
+ *
+ * ```ts
+ * let client: oauth.Client = {
+ *   client_id: 'abc4ba37-4ab8-49b5-99d4-9441ba35d428',
+ *   // ... other metadata
+ *   [oauth.clockTolerance]: 30,
+ * }
+ * ```
+ */
+declare const clockTolerance: unique symbol;
+/**
+ * When configured on an interface that extends {@link HttpRequestOptions}, this applies to `options`
+ * parameter for functions that may trigger HTTP requests, this replaces the use of global fetch. As
+ * a fetch replacement the arguments and expected return are the same as fetch.
+ *
+ * In theory any module that claims to be compatible with the Fetch API can be used but your mileage
+ * may vary. No workarounds to allow use of non-conform {@link !Response}s will be considered.
+ *
+ * If you only need to update the {@link !Request} properties you do not need to use a Fetch API
+ * module, just change what you need and pass it to globalThis.fetch just like this module would
+ * normally do.
+ *
+ * Its intended use cases are:
+ *
+ * - {@link !Request}/{@link !Response} tracing and logging
+ * - Custom caching strategies for responses of Authorization Server Metadata and JSON Web Key Set
+ *   (JWKS) endpoints
+ * - Changing the {@link !Request} properties like headers, body, credentials, mode before it is passed
+ *   to fetch
+ *
+ * Known caveats:
+ *
+ * - Expect Type-related issues when passing the inputs through to fetch-like modules, they hardly
+ *   ever get their typings inline with actual fetch, you should `@ts-expect-error` them.
+ *
+ * @example
+ *
+ * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and its hooks feature for
+ * logging outgoing requests and their responses.
+ *
+ * ```js
+ * import ky from 'ky'
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   [oauth.customFetch]: (...args) =>
+ *     ky(args[0], {
+ *       ...args[1],
+ *       hooks: {
+ *         beforeRequest: [
+ *           (request) => {
+ *             logRequest(request)
+ *           },
+ *         ],
+ *         beforeRetry: [
+ *           ({ request, error, retryCount }) => {
+ *             logRetry(request, error, retryCount)
+ *           },
+ *         ],
+ *         afterResponse: [
+ *           (request, _, response) => {
+ *             logResponse(request, response)
+ *           },
+ *         ],
+ *       },
+ *     }),
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to detect and use HTTP proxies.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/EnvHttpProxyAgent
+ * let envHttpProxyAgent = new undici.EnvHttpProxyAgent()
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   // @ts-ignore
+ *   [oauth.customFetch](...args) {
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: envHttpProxyAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to automatically retry network errors.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/RetryAgent
+ * let retryAgent = new undici.RetryAgent(new undici.Agent(), {
+ *   statusCodes: [],
+ *   errorCodes: [
+ *     'ECONNRESET',
+ *     'ECONNREFUSED',
+ *     'ENOTFOUND',
+ *     'ENETDOWN',
+ *     'ENETUNREACH',
+ *     'EHOSTDOWN',
+ *     'UND_ERR_SOCKET',
+ *   ],
+ * })
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   // @ts-ignore
+ *   [oauth.customFetch](...args) {
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: retryAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in tests.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/MockAgent
+ * let mockAgent = new undici.MockAgent()
+ * mockAgent.disableNetConnect()
+ *
+ * // example use
+ * await oauth.discoveryRequest(new URL('https://as.example.com'), {
+ *   // @ts-ignore
+ *   [oauth.customFetch](...args) {
+ *     return undici.fetch(args[0], { ...args[1], dispatcher: mockAgent }) // prettier-ignore
+ *   },
+ * })
+ * ```
+ */
+declare const customFetch$1: unique symbol;
+/**
+ * Authorization Server Metadata
+ *
+ * @group Authorization Server Metadata
+ *
+ * @see [IANA OAuth Authorization Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata)
+ */
+interface AuthorizationServer {
+  /**
+   * Authorization server's Issuer Identifier URL.
+   */
+  readonly issuer: string;
+  /**
+   * URL of the authorization server's authorization endpoint.
+   */
+  readonly authorization_endpoint?: string;
+  /**
+   * URL of the authorization server's token endpoint.
+   */
+  readonly token_endpoint?: string;
+  /**
+   * URL of the authorization server's JWK Set document.
+   */
+  readonly jwks_uri?: string;
+  /**
+   * URL of the authorization server's Dynamic Client Registration Endpoint.
+   */
+  readonly registration_endpoint?: string;
+  /**
+   * JSON array containing a list of the `scope` values that this authorization server supports.
+   */
+  readonly scopes_supported?: string[];
+  /**
+   * JSON array containing a list of the `response_type` values that this authorization server
+   * supports.
+   */
+  readonly response_types_supported?: string[];
+  /**
+   * JSON array containing a list of the `response_mode` values that this authorization server
+   * supports.
+   */
+  readonly response_modes_supported?: string[];
+  /**
+   * JSON array containing a list of the `grant_type` values that this authorization server
+   * supports.
+   */
+  readonly grant_types_supported?: string[];
+  /**
+   * JSON array containing a list of client authentication methods supported by this token endpoint.
+   */
+  readonly token_endpoint_auth_methods_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS signing algorithms supported by the token endpoint for
+   * the signature on the JWT used to authenticate the client at the token endpoint.
+   */
+  readonly token_endpoint_auth_signing_alg_values_supported?: string[];
+  /**
+   * URL of a page containing human-readable information that developers might want or need to know
+   * when using the authorization server.
+   */
+  readonly service_documentation?: string;
+  /**
+   * Languages and scripts supported for the user interface, represented as a JSON array of language
+   * tag values from RFC 5646.
+   */
+  readonly ui_locales_supported?: string[];
+  /**
+   * URL that the authorization server provides to the person registering the client to read about
+   * the authorization server's requirements on how the client can use the data provided by the
+   * authorization server.
+   */
+  readonly op_policy_uri?: string;
+  /**
+   * URL that the authorization server provides to the person registering the client to read about
+   * the authorization server's terms of service.
+   */
+  readonly op_tos_uri?: string;
+  /**
+   * URL of the authorization server's revocation endpoint.
+   */
+  readonly revocation_endpoint?: string;
+  /**
+   * JSON array containing a list of client authentication methods supported by this revocation
+   * endpoint.
+   */
+  readonly revocation_endpoint_auth_methods_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS signing algorithms supported by the revocation endpoint
+   * for the signature on the JWT used to authenticate the client at the revocation endpoint.
+   */
+  readonly revocation_endpoint_auth_signing_alg_values_supported?: string[];
+  /**
+   * URL of the authorization server's introspection endpoint.
+   */
+  readonly introspection_endpoint?: string;
+  /**
+   * JSON array containing a list of client authentication methods supported by this introspection
+   * endpoint.
+   */
+  readonly introspection_endpoint_auth_methods_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS signing algorithms supported by the introspection
+   * endpoint for the signature on the JWT used to authenticate the client at the introspection
+   * endpoint.
+   */
+  readonly introspection_endpoint_auth_signing_alg_values_supported?: string[];
+  /**
+   * PKCE code challenge methods supported by this authorization server.
+   */
+  readonly code_challenge_methods_supported?: string[];
+  /**
+   * Signed JWT containing metadata values about the authorization server as claims.
+   */
+  readonly signed_metadata?: string;
+  /**
+   * URL of the authorization server's device authorization endpoint.
+   */
+  readonly device_authorization_endpoint?: string;
+  /**
+   * Indicates authorization server support for mutual-TLS client certificate-bound access tokens.
+   */
+  readonly tls_client_certificate_bound_access_tokens?: boolean;
+  /**
+   * JSON object containing alternative authorization server endpoints, which a client intending to
+   * do mutual TLS will use in preference to the conventional endpoints.
+   */
+  readonly mtls_endpoint_aliases?: MTLSEndpointAliases;
+  /**
+   * URL of the authorization server's UserInfo Endpoint.
+   */
+  readonly userinfo_endpoint?: string;
+  /**
+   * JSON array containing a list of the Authentication Context Class References that this
+   * authorization server supports.
+   */
+  readonly acr_values_supported?: string[];
+  /**
+   * JSON array containing a list of the Subject Identifier types that this authorization server
+   * supports.
+   */
+  readonly subject_types_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS `alg` values supported by the authorization server for
+   * the ID Token.
+   */
+  readonly id_token_signing_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `alg` values supported by the authorization server for
+   * the ID Token.
+   */
+  readonly id_token_encryption_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `enc` values supported by the authorization server for
+   * the ID Token.
+   */
+  readonly id_token_encryption_enc_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS `alg` values supported by the UserInfo Endpoint.
+   */
+  readonly userinfo_signing_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `alg` values supported by the UserInfo Endpoint.
+   */
+  readonly userinfo_encryption_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `enc` values supported by the UserInfo Endpoint.
+   */
+  readonly userinfo_encryption_enc_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWS `alg` values supported by the authorization server for
+   * Request Objects.
+   */
+  readonly request_object_signing_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `alg` values supported by the authorization server for
+   * Request Objects.
+   */
+  readonly request_object_encryption_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of the JWE `enc` values supported by the authorization server for
+   * Request Objects.
+   */
+  readonly request_object_encryption_enc_values_supported?: string[];
+  /**
+   * JSON array containing a list of the `display` parameter values that the authorization server
+   * supports.
+   */
+  readonly display_values_supported?: string[];
+  /**
+   * JSON array containing a list of the Claim Types that the authorization server supports.
+   */
+  readonly claim_types_supported?: string[];
+  /**
+   * JSON array containing a list of the Claim Names of the Claims that the authorization server MAY
+   * be able to supply values for.
+   */
+  readonly claims_supported?: string[];
+  /**
+   * Languages and scripts supported for values in Claims being returned, represented as a JSON
+   * array of RFC 5646 language tag values.
+   */
+  readonly claims_locales_supported?: string[];
+  /**
+   * Boolean value specifying whether the authorization server supports use of the `claims`
+   * parameter.
+   */
+  readonly claims_parameter_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server supports use of the `request`
+   * parameter.
+   */
+  readonly request_parameter_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server supports use of the `request_uri`
+   * parameter.
+   */
+  readonly request_uri_parameter_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server requires any `request_uri` values
+   * used to be pre-registered.
+   */
+  readonly require_request_uri_registration?: boolean;
+  /**
+   * Indicates where authorization request needs to be protected as Request Object and provided
+   * through either `request` or `request_uri` parameter.
+   */
+  readonly require_signed_request_object?: boolean;
+  /**
+   * URL of the authorization server's pushed authorization request endpoint.
+   */
+  readonly pushed_authorization_request_endpoint?: string;
+  /**
+   * Indicates whether the authorization server accepts authorization requests only via PAR.
+   */
+  readonly require_pushed_authorization_requests?: boolean;
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response signing.
+   */
+  readonly introspection_signing_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response content key encryption (`alg` value).
+   */
+  readonly introspection_encryption_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response content encryption (`enc` value).
+   */
+  readonly introspection_encryption_enc_values_supported?: string[];
+  /**
+   * Boolean value indicating whether the authorization server provides the `iss` parameter in the
+   * authorization response.
+   */
+  readonly authorization_response_iss_parameter_supported?: boolean;
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response signing.
+   */
+  readonly authorization_signing_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response encryption (`alg` value).
+   */
+  readonly authorization_encryption_alg_values_supported?: string[];
+  /**
+   * JSON array containing a list of algorithms supported by the authorization server for
+   * introspection response encryption (`enc` value).
+   */
+  readonly authorization_encryption_enc_values_supported?: string[];
+  /**
+   * CIBA Backchannel Authentication Endpoint.
+   */
+  readonly backchannel_authentication_endpoint?: string;
+  /**
+   * JSON array containing a list of the JWS signing algorithms supported for validation of signed
+   * CIBA authentication requests.
+   */
+  readonly backchannel_authentication_request_signing_alg_values_supported?: string[];
+  /**
+   * Supported CIBA authentication result delivery modes.
+   */
+  readonly backchannel_token_delivery_modes_supported?: string[];
+  /**
+   * Indicates whether the authorization server supports the use of the CIBA `user_code` parameter.
+   */
+  readonly backchannel_user_code_parameter_supported?: boolean;
+  /**
+   * URL of an authorization server iframe that supports cross-origin communications for session
+   * state information with the RP Client, using the HTML5 postMessage API.
+   */
+  readonly check_session_iframe?: string;
+  /**
+   * JSON array containing a list of the JWS algorithms supported for DPoP Proof JWTs.
+   */
+  readonly dpop_signing_alg_values_supported?: string[];
+  /**
+   * URL at the authorization server to which an RP can perform a redirect to request that the
+   * End-User be logged out at the authorization server.
+   */
+  readonly end_session_endpoint?: string;
+  /**
+   * Boolean value specifying whether the authorization server can pass `iss` (issuer) and `sid`
+   * (session ID) query parameters to identify the RP session with the authorization server when the
+   * `frontchannel_logout_uri` is used.
+   */
+  readonly frontchannel_logout_session_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server supports HTTP-based logout.
+   */
+  readonly frontchannel_logout_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server can pass a `sid` (session ID) Claim
+   * in the Logout Token to identify the RP session with the OP.
+   */
+  readonly backchannel_logout_session_supported?: boolean;
+  /**
+   * Boolean value specifying whether the authorization server supports back-channel logout.
+   */
+  readonly backchannel_logout_supported?: boolean;
+  /**
+   * JSON array containing a list of resource identifiers for OAuth protected resources.
+   */
+  readonly protected_resources?: string[];
+  readonly [metadata: string]: JsonValue | undefined;
+}
+interface MTLSEndpointAliases extends Pick<AuthorizationServer, 'backchannel_authentication_endpoint' | 'device_authorization_endpoint' | 'introspection_endpoint' | 'pushed_authorization_request_endpoint' | 'revocation_endpoint' | 'token_endpoint' | 'userinfo_endpoint'> {
+  readonly [metadata: string]: string | undefined;
+}
+/**
+ * Recognized Client Metadata that have an effect on the exposed functionality.
+ *
+ * @see [IANA OAuth Client Registration Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata)
+ */
+interface Client {
+  /**
+   * Client identifier.
+   */
+  client_id: string;
+  /**
+   * JWS `alg` algorithm required for signing the ID Token issued to this Client. When not
+   * configured the default is to allow only algorithms listed in
+   * {@link AuthorizationServer.id_token_signing_alg_values_supported `as.id_token_signing_alg_values_supported`}
+   * and fall back to `RS256` when the authorization server metadata is not set.
+   */
+  id_token_signed_response_alg?: string;
+  /**
+   * JWS `alg` algorithm required for signing authorization responses. When not configured the
+   * default is to allow only algorithms listed in
+   * {@link AuthorizationServer.authorization_signing_alg_values_supported `as.authorization_signing_alg_values_supported`}
+   * and fall back to `RS256` when the authorization server metadata is not set.
+   */
+  authorization_signed_response_alg?: string;
+  /**
+   * Boolean value specifying whether the {@link IDToken.auth_time `auth_time`} Claim in the ID Token
+   * is REQUIRED. Default is `false`.
+   */
+  require_auth_time?: boolean;
+  /**
+   * JWS `alg` algorithm REQUIRED for signing UserInfo Responses. When not configured the default is
+   * to allow only algorithms listed in
+   * {@link AuthorizationServer.userinfo_signing_alg_values_supported `as.userinfo_signing_alg_values_supported`}
+   * and fail otherwise.
+   */
+  userinfo_signed_response_alg?: string;
+  /**
+   * JWS `alg` algorithm REQUIRED for signed introspection responses. When not configured the
+   * default is to allow only algorithms listed in
+   * {@link AuthorizationServer.introspection_signing_alg_values_supported `as.introspection_signing_alg_values_supported`}
+   * and fall back to `RS256` when the authorization server metadata is not set.
+   */
+  introspection_signed_response_alg?: string;
+  /**
+   * Default Maximum Authentication Age.
+   */
+  default_max_age?: number;
+  /**
+   * Indicates the requirement for a client to use mutual TLS endpoint aliases defined by the AS
+   * where present. Default is `false`.
+   *
+   * When combined with {@link customFetch} (to use a Fetch API implementation that supports client
+   * certificates) this can be used to target security profiles that utilize Mutual-TLS for either
+   * client authentication or sender constraining.
+   *
+   * @example
+   *
+   * (Node.js) Using [nodejs/undici](https://github.com/nodejs/undici) for Mutual-TLS Client
+   * Authentication and Certificate-Bound Access Tokens support.
+   *
+   * ```ts
+   * import * as undici from 'undici'
+   *
+   * let as!: oauth.AuthorizationServer
+   * let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
+   * let params!: URLSearchParams
+   * let key!: string // PEM-encoded key
+   * let cert!: string // PEM-encoded certificate
+   *
+   * let clientAuth = oauth.TlsClientAuth()
+   * let agent = new undici.Agent({ connect: { key, cert } })
+   *
+   * let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
+   *   // @ts-ignore
+   *   [oauth.customFetch]: (...args) =>
+   *     undici.fetch(args[0], { ...args[1], dispatcher: agent }),
+   * })
+   * ```
+   *
+   * @example
+   *
+   * (Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication and
+   * Certificate-Bound Access Tokens support.
+   *
+   * ```ts
+   * let as!: oauth.AuthorizationServer
+   * let client!: oauth.Client & { use_mtls_endpoint_aliases: true }
+   * let params!: URLSearchParams
+   * let key!: string // PEM-encoded key
+   * let cert!: string // PEM-encoded certificate
+   *
+   * let clientAuth = oauth.TlsClientAuth()
+   * // @ts-ignore
+   * let agent = Deno.createHttpClient({ key, cert })
+   *
+   * let response = await oauth.pushedAuthorizationRequest(as, client, clientAuth, params, {
+   *   // @ts-ignore
+   *   [oauth.customFetch]: (...args) => fetch(args[0], { ...args[1], client: agent }),
+   * })
+   * ```
+   *
+   * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
+   */
+  use_mtls_endpoint_aliases?: boolean;
+  /**
+   * See {@link clockSkew}.
+   */
+  [clockSkew]?: number;
+  /**
+   * See {@link clockTolerance}.
+   */
+  [clockTolerance]?: number;
+  [metadata: string]: JsonValue | undefined;
+}
+/**
+ * Removes all Symbol properties from a type
+ */
+type OmitSymbolProperties<T> = { [K in keyof T as K extends symbol ? never : K]: T[K] };
+//#endregion
+//#region ../../../../node_modules/openid-client/build/index.d.ts
+/**
+ * Implementation of the Client's Authentication Method at the Authorization
+ * Server.
+ *
+ * The default is {@link ClientSecretPost} if {@link ClientMetadata.client_secret}
+ * is present, {@link None} otherwise.
+ *
+ * Other Client Authentication Methods must be provided explicitly and their
+ * implementations are linked below.
+ *
+ * @see {@link ClientSecretBasic}
+ * @see {@link ClientSecretJwt}
+ * @see {@link ClientSecretPost}
+ * @see {@link None}
+ * @see {@link PrivateKeyJwt}
+ * @see {@link TlsClientAuth}
+ */
+type ClientAuth = (as: ServerMetadata, client: ClientMetadata, body: URLSearchParams, headers: Headers) => void;
+/**
+ * When set on a {@link Configuration}, this replaces the use of global fetch. As
+ * a fetch replacement the arguments and expected return are the same as fetch.
+ *
+ * In theory any module that claims to be compatible with the
+ * {@link !fetch Fetch API} can be used but your mileage may vary. No workarounds
+ * to allow use of non-conform {@link !Response} instances will be considered.
+ *
+ * If you only need to update the {@link !Request} properties you do not need to
+ * use a {@link !fetch Fetch API} module, just change what you need and pass it
+ * to globalThis.fetch just like this module would normally do.
+ *
+ * Its intended use cases are:
+ *
+ * - {@link !Request}/{@link !Response} tracing and logging
+ * - Custom caching strategies
+ * - Changing the {@link !Request} properties like headers, body, credentials, mode
+ *   before it is passed to fetch
+ *
+ * Known caveats:
+ *
+ * - Expect Type-related issues when passing the inputs through to fetch-like
+ *   modules, they hardly ever get their typings inline with actual fetch, you
+ *   should `@ts-expect-error` them.
+ *
+ * @example
+ *
+ * Using [sindresorhus/ky](https://github.com/sindresorhus/ky) for retries and
+ * its hooks feature for logging outgoing requests and their responses.
+ *
+ * ```ts
+ * import ky from 'ky'
+ *
+ * let config!: client.Configuration
+ * let logRequest!: (request: Request) => void
+ * let logResponse!: (request: Request, response: Response) => void
+ * let logRetry!: (
+ *   request: Request,
+ *   error: Error,
+ *   retryCount: number,
+ * ) => void
+ *
+ * config[client.customFetch] = (...args) =>
+ *   // @ts-expect-error
+ *   ky(args[0], {
+ *     ...args[1],
+ *     hooks: {
+ *       beforeRequest: [
+ *         (request) => {
+ *           logRequest(request)
+ *         },
+ *       ],
+ *       beforeRetry: [
+ *         ({ request, error, retryCount }) => {
+ *           logRetry(request, error, retryCount)
+ *         },
+ *       ],
+ *       afterResponse: [
+ *         (request, _, response) => {
+ *           logResponse(request, response)
+ *         },
+ *       ],
+ *     },
+ *   })
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to detect and use
+ * HTTP proxies.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/EnvHttpProxyAgent
+ * let envHttpProxyAgent = new undici.EnvHttpProxyAgent()
+ *
+ * let config!: client.Configuration
+ *
+ * // @ts-ignore
+ * config[client.customFetch] = (...args) => {
+ *   // @ts-ignore
+ *   return undici.fetch(args[0], { ...args[1], dispatcher: envHttpProxyAgent }) // prettier-ignore
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to automatically
+ * retry network errors.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/RetryAgent
+ * let retryAgent = new undici.RetryAgent(new undici.Agent(), {
+ *   statusCodes: [],
+ *   errorCodes: [
+ *     'ECONNRESET',
+ *     'ECONNREFUSED',
+ *     'ENOTFOUND',
+ *     'ENETDOWN',
+ *     'ENETUNREACH',
+ *     'EHOSTDOWN',
+ *     'UND_ERR_SOCKET',
+ *   ],
+ * })
+ *
+ * let config!: client.Configuration
+ *
+ * // @ts-ignore
+ * config[client.customFetch] = (...args) => {
+ *   // @ts-ignore
+ *   return undici.fetch(args[0], { ...args[1], dispatcher: retryAgent }) // prettier-ignore
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Using [nodejs/undici](https://github.com/nodejs/undici) to mock responses in
+ * tests.
+ *
+ * ```ts
+ * import * as undici from 'undici'
+ *
+ * // see https://undici.nodejs.org/#/docs/api/MockAgent
+ * let mockAgent = new undici.MockAgent()
+ * mockAgent.disableNetConnect()
+ *
+ * let config!: client.Configuration
+ *
+ * // @ts-ignore
+ * config[client.customFetch] = (...args) => {
+ *   // @ts-ignore
+ *   return undici.fetch(args[0], { ...args[1], dispatcher: mockAgent }) // prettier-ignore
+ * }
+ * ```
+ */
+declare const customFetch: typeof customFetch$1;
+type FetchBody = ArrayBuffer | null | ReadableStream | string | Uint8Array | undefined | URLSearchParams;
+/**
+ * A subset of the [IANA OAuth Client Metadata
+ * registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata)
+ * that has an effect on how the Client functions
+ *
+ * @group You are probably looking for this
+ */
+interface ClientMetadata extends Client {
+  /**
+   * Client secret.
+   */
+  client_secret?: string;
+  /**
+   * Indicates the requirement for a client to use mutual TLS endpoint aliases
+   * indicated by the
+   * {@link ServerMetadata.mtls_endpoint_aliases Authorization Server Metadata}.
+   * Default is `false`.
+   *
+   * When combined with {@link customFetch} (to use a {@link !fetch Fetch API}
+   * implementation that supports client certificates) this can be used to
+   * target security profiles that utilize Mutual-TLS for either client
+   * authentication or sender constraining.
+   *
+   * @example
+   *
+   * (Node.js) Using [nodejs/undici](https://github.com/nodejs/undici) for
+   * Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
+   * support.
+   *
+   * ```ts
+   * import * as undici from 'undici'
+   *
+   * let config!: client.Configuration
+   * let key!: string // PEM-encoded key
+   * let cert!: string // PEM-encoded certificate
+   *
+   * let agent = new undici.Agent({ connect: { key, cert } })
+   *
+   * config[client.customFetch] = (...args) =>
+   *   // @ts-expect-error
+   *   undici.fetch(args[0], { ...args[1], dispatcher: agent })
+   * ```
+   *
+   * @example
+   *
+   * (Deno) Using Deno.createHttpClient API for Mutual-TLS Client Authentication
+   * and Certificate-Bound Access Tokens support.
+   *
+   * ```ts
+   * let config!: client.Configuration
+   * let key!: string // PEM-encoded key
+   * let cert!: string // PEM-encoded certificate
+   *
+   * // @ts-expect-error
+   * let agent = Deno.createHttpClient({ key, cert })
+   *
+   * config[client.customFetch] = (...args) =>
+   *   // @ts-expect-error
+   *   fetch(args[0], { ...args[1], client: agent })
+   * ```
+   *
+   * @see [RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://www.rfc-editor.org/rfc/rfc8705.html)
+   */
+  use_mtls_endpoint_aliases?: boolean;
+}
+/**
+ * Authorization Server Metadata
+ *
+ * @group You are probably looking for this
+ *
+ * @see [IANA OAuth Authorization Server Metadata registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata)
+ */
+interface ServerMetadata extends AuthorizationServer {}
+interface ServerMetadataHelpers {
+  /**
+   * Determines whether the Authorization Server supports a given Code Challenge
+   * Method
+   *
+   * @param method Code Challenge Method. Default is `S256`
+   */
+  supportsPKCE(method?: string): boolean;
+}
+/**
+ * Public methods available on a {@link Configuration} instance
+ */
+interface ConfigurationMethods {
+  /**
+   * Used to retrieve the Authorization Server Metadata
+   */
+  serverMetadata(): Readonly<ServerMetadata> & ServerMetadataHelpers;
+  /**
+   * Used to retrieve the Client Metadata
+   */
+  clientMetadata(): Readonly<OmitSymbolProperties<ClientMetadata>>;
+}
+interface CustomFetchOptions {
+  /**
+   * The request body content to send to the server
+   */
+  body: FetchBody;
+  /**
+   * HTTP Headers
+   */
+  headers: Record<string, string>;
+  /**
+   * The
+   * {@link https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods request method}
+   */
+  method: string;
+  /**
+   * See {@link !Request.redirect}
+   */
+  redirect: 'manual';
+  /**
+   * An AbortSignal configured as per the {@link ConfigurationProperties.timeout}
+   * value
+   */
+  signal?: AbortSignal;
+}
+/**
+ * @see {@link customFetch}
+ */
+type CustomFetch = (
+/**
+ * URL the request is being made sent to {@link !fetch} as the `resource`
+ * argument
+ */
+url: string,
+/**
+ * Options otherwise sent to {@link !fetch} as the `options` argument
+ */
+options: CustomFetchOptions) => Promise<Response>;
+/**
+ * Public properties available on a {@link Configuration} instance
+ */
+interface ConfigurationProperties {
+  /**
+   * Custom {@link !fetch Fetch API} implementation to use for the HTTP Requests
+   * the client will be making.
+   *
+   * @see {@link customFetch}
+   */
+  [customFetch]?: CustomFetch;
+  /**
+   * Timeout (in seconds) for the HTTP Requests the client will be making.
+   * Default is `30` (seconds)
+   */
+  timeout?: number;
+}
+/**
+ * Configuration is an abstraction over the
+ * {@link ServerMetadata OAuth 2.0 Authorization Server metadata} and
+ * {@link ClientMetadata OAuth 2.0 Client metadata}
+ *
+ * Configuration instances are obtained either through
+ *
+ * - (RECOMMENDED) the {@link discovery} function that discovers the
+ *   {@link ServerMetadata OAuth 2.0 Authorization Server metadata} using the
+ *   Authorization Server's Issuer Identifier, or
+ * - The {@link Configuration} constructor if the
+ *   {@link ServerMetadata OAuth 2.0 Authorization Server metadata} is known
+ *   upfront
+ *
+ * @example
+ *
+ * (RECOMMENDED) Setting up a Configuration with a Server Metadata discovery
+ * step
+ *
+ * ```ts
+ * let server!: URL
+ * let clientId!: string
+ * let clientSecret!: string | undefined
+ *
+ * let config = await client.discovery(server, clientId, clientSecret)
+ * ```
+ *
+ * @example
+ *
+ * Setting up a Configuration with a constructor
+ *
+ * ```ts
+ * let server!: client.ServerMetadata
+ * let clientId!: string
+ * let clientSecret!: string | undefined
+ *
+ * let config = new client.Configuration(server, clientId, clientSecret)
+ * ```
+ *
+ * @group Configuration
+ */
+declare class Configuration implements ConfigurationMethods, ConfigurationProperties {
+  /**
+   * @param server Authorization Server Metadata
+   * @param clientId Client Identifier at the Authorization Server
+   * @param metadata Client Metadata, when a string is passed it is a shorthand
+   *   for passing just {@link ClientMetadata.client_secret}.
+   * @param clientAuthentication Implementation of the Client's Authentication
+   *   Method at the Authorization Server. Default is {@link ClientSecretPost}
+   *   using the {@link ClientMetadata.client_secret}.
+   */
+  constructor(server: ServerMetadata, clientId: string, metadata?: Partial<ClientMetadata> | string, clientAuthentication?: ClientAuth);
+  /**
+   * @ignore
+   */
+  serverMetadata(): Readonly<ServerMetadata> & ServerMetadataHelpers;
+  /**
+   * @ignore
+   */
+  clientMetadata(): Readonly<OmitSymbolProperties<ClientMetadata>>;
+  /**
+   * @ignore
+   */
+  get timeout(): number | undefined;
+  /**
+   * @ignore
+   */
+  set timeout(value: number | undefined);
+  /**
+   * @ignore
+   */
+  get [customFetch](): CustomFetch | undefined;
+  /**
+   * @ignore
+   */
+  set [customFetch](value: CustomFetch);
+}
+//#endregion
 //#region ../../src/server/auth/providers/ServerAuthProvider.d.ts
 declare class ServerAuthProvider {
   protected readonly log: alepha_logger0.Logger;
@@ -116,173 +1141,173 @@ declare class ServerAuthProvider {
   protected readonly serverCookiesProvider: ServerCookiesProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly serverLinksProvider: ServerLinksProvider;
-  protected readonly authorizationCode: alepha_server_cookies0.AbstractCookiePrimitive<alepha181.TObject<{
-    provider: alepha181.TString;
-    realm: alepha181.TOptional<alepha181.TString>;
-    codeVerifier: alepha181.TOptional<alepha181.TString>;
-    redirectUri: alepha181.TOptional<alepha181.TString>;
-    state: alepha181.TOptional<alepha181.TString>;
-    nonce: alepha181.TOptional<alepha181.TString>;
+  protected readonly authorizationCode: alepha_server_cookies0.AbstractCookiePrimitive<alepha206.TObject<{
+    provider: alepha206.TString;
+    realm: alepha206.TOptional<alepha206.TString>;
+    codeVerifier: alepha206.TOptional<alepha206.TString>;
+    redirectUri: alepha206.TOptional<alepha206.TString>;
+    state: alepha206.TOptional<alepha206.TString>;
+    nonce: alepha206.TOptional<alepha206.TString>;
   }>>;
-  readonly tokens: alepha_server_cookies0.AbstractCookiePrimitive<alepha181.TObject<{
-    provider: alepha181.TString;
-    access_token: alepha181.TString;
-    issued_at: alepha181.TNumber;
-    expires_in: alepha181.TOptional<alepha181.TNumber>;
-    refresh_token: alepha181.TOptional<alepha181.TString>;
-    refresh_token_expires_in: alepha181.TOptional<alepha181.TNumber>;
-    refresh_expires_in: alepha181.TOptional<alepha181.TNumber>;
-    id_token: alepha181.TOptional<alepha181.TString>;
-    scope: alepha181.TOptional<alepha181.TString>;
+  readonly tokens: alepha_server_cookies0.AbstractCookiePrimitive<alepha206.TObject<{
+    provider: alepha206.TString;
+    access_token: alepha206.TString;
+    issued_at: alepha206.TNumber;
+    expires_in: alepha206.TOptional<alepha206.TNumber>;
+    refresh_token: alepha206.TOptional<alepha206.TString>;
+    refresh_token_expires_in: alepha206.TOptional<alepha206.TNumber>;
+    refresh_expires_in: alepha206.TOptional<alepha206.TNumber>;
+    id_token: alepha206.TOptional<alepha206.TString>;
+    scope: alepha206.TOptional<alepha206.TString>;
   }>>;
   get identities(): Array<AuthPrimitive>;
   getAuthenticationProviders(filters?: {
     realmName?: string;
   }): AuthenticationProvider[];
-  protected readonly configure: alepha181.HookPrimitive<"configure">;
+  protected readonly configure: alepha206.HookPrimitive<"configure">;
   protected getAccessTokens(tokens: Tokens): string | undefined;
   /**
-       * Fill request headers with access token from cookies or fallback to provider's fallback function.
-       */
-  protected readonly onRequest: alepha181.HookPrimitive<"server:onRequest">;
+   * Fill request headers with access token from cookies or fallback to provider's fallback function.
+   */
+  protected readonly onRequest: alepha206.HookPrimitive<"server:onRequest">;
   /**
-       * Convert cookies to tokens.
-       * If the tokens are expired, try to refresh them using the refresh token.
-       */
+   * Convert cookies to tokens.
+   * If the tokens are expired, try to refresh them using the refresh token.
+   */
   protected cookiesToTokens(cookies: Cookies): Promise<Tokens | undefined>;
   protected refreshTokens(tokens: Tokens): Promise<Tokens | undefined>;
   /**
-       * Get user information.
-       */
+   * Get user information.
+   */
   readonly userinfo: alepha_server0.RoutePrimitive<{
-    response: alepha181.TObject<{
-      user: alepha181.TOptional<alepha181.TObject<{
-        id: alepha181.TString;
-        name: alepha181.TOptional<alepha181.TString>;
-        email: alepha181.TOptional<alepha181.TString>;
-        username: alepha181.TOptional<alepha181.TString>;
-        picture: alepha181.TOptional<alepha181.TString>;
-        sessionId: alepha181.TOptional<alepha181.TString>;
-        organizations: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
-        roles: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
+    response: alepha206.TObject<{
+      user: alepha206.TOptional<alepha206.TObject<{
+        id: alepha206.TString;
+        name: alepha206.TOptional<alepha206.TString>;
+        email: alepha206.TOptional<alepha206.TString>;
+        username: alepha206.TOptional<alepha206.TString>;
+        picture: alepha206.TOptional<alepha206.TString>;
+        sessionId: alepha206.TOptional<alepha206.TString>;
+        organizations: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
+        roles: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
       }>>;
-      api: alepha181.TObject<{
-        prefix: alepha181.TOptional<alepha181.TString>;
-        links: alepha181.TArray<alepha181.TObject<{
-          name: alepha181.TString;
-          group: alepha181.TOptional<alepha181.TString>;
-          path: alepha181.TString;
-          method: alepha181.TOptional<alepha181.TString>;
-          requestBodyType: alepha181.TOptional<alepha181.TString>;
-          service: alepha181.TOptional<alepha181.TString>;
-          rawSchema: alepha181.TOptional<alepha181.TObject<{
-            body: alepha181.TOptional<alepha181.TString>;
-            response: alepha181.TOptional<alepha181.TString>;
+      api: alepha206.TObject<{
+        prefix: alepha206.TOptional<alepha206.TString>;
+        links: alepha206.TArray<alepha206.TObject<{
+          name: alepha206.TString;
+          group: alepha206.TOptional<alepha206.TString>;
+          path: alepha206.TString;
+          method: alepha206.TOptional<alepha206.TString>;
+          requestBodyType: alepha206.TOptional<alepha206.TString>;
+          service: alepha206.TOptional<alepha206.TString>;
+          rawSchema: alepha206.TOptional<alepha206.TObject<{
+            body: alepha206.TOptional<alepha206.TString>;
+            response: alepha206.TOptional<alepha206.TString>;
           }>>;
         }>>;
       }>;
     }>;
   }>;
   /**
-       * Refresh a token for internal providers.
-       */
+   * Refresh a token for internal providers.
+   */
   readonly refresh: alepha_server0.RoutePrimitive<{
-    query: alepha181.TObject<{
-      provider: alepha181.TString;
+    query: alepha206.TObject<{
+      provider: alepha206.TString;
     }>;
-    body: alepha181.TObject<{
-      refresh_token: alepha181.TString;
-      access_token: alepha181.TOptional<alepha181.TString>;
+    body: alepha206.TObject<{
+      refresh_token: alepha206.TString;
+      access_token: alepha206.TOptional<alepha206.TString>;
     }>;
-    response: alepha181.TObject<{
-      provider: alepha181.TString;
-      access_token: alepha181.TString;
-      issued_at: alepha181.TNumber;
-      expires_in: alepha181.TOptional<alepha181.TNumber>;
-      refresh_token: alepha181.TOptional<alepha181.TString>;
-      refresh_token_expires_in: alepha181.TOptional<alepha181.TNumber>;
-      refresh_expires_in: alepha181.TOptional<alepha181.TNumber>;
-      id_token: alepha181.TOptional<alepha181.TString>;
-      scope: alepha181.TOptional<alepha181.TString>;
+    response: alepha206.TObject<{
+      provider: alepha206.TString;
+      access_token: alepha206.TString;
+      issued_at: alepha206.TNumber;
+      expires_in: alepha206.TOptional<alepha206.TNumber>;
+      refresh_token: alepha206.TOptional<alepha206.TString>;
+      refresh_token_expires_in: alepha206.TOptional<alepha206.TNumber>;
+      refresh_expires_in: alepha206.TOptional<alepha206.TNumber>;
+      id_token: alepha206.TOptional<alepha206.TString>;
+      scope: alepha206.TOptional<alepha206.TString>;
     }>;
   }>;
   /**
-       * Login for local password-based authentication.
-       */
+   * Login for local password-based authentication.
+   */
   readonly token: alepha_server0.RoutePrimitive<{
-    query: alepha181.TObject<{
-      provider: alepha181.TString;
-      realm: alepha181.TOptional<alepha181.TString>;
+    query: alepha206.TObject<{
+      provider: alepha206.TString;
+      realm: alepha206.TOptional<alepha206.TString>;
     }>;
-    body: alepha181.TObject<{
-      username: alepha181.TString;
-      password: alepha181.TString;
+    body: alepha206.TObject<{
+      username: alepha206.TString;
+      password: alepha206.TString;
     }>;
-    response: alepha181.TObject<{
-      provider: alepha181.TString;
-      access_token: alepha181.TString;
-      issued_at: alepha181.TNumber;
-      expires_in: alepha181.TOptional<alepha181.TNumber>;
-      refresh_token: alepha181.TOptional<alepha181.TString>;
-      refresh_token_expires_in: alepha181.TOptional<alepha181.TNumber>;
-      refresh_expires_in: alepha181.TOptional<alepha181.TNumber>;
-      id_token: alepha181.TOptional<alepha181.TString>;
-      scope: alepha181.TOptional<alepha181.TString>;
-      user: alepha181.TObject<{
-        id: alepha181.TString;
-        name: alepha181.TOptional<alepha181.TString>;
-        email: alepha181.TOptional<alepha181.TString>;
-        username: alepha181.TOptional<alepha181.TString>;
-        picture: alepha181.TOptional<alepha181.TString>;
-        sessionId: alepha181.TOptional<alepha181.TString>;
-        organizations: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
-        roles: alepha181.TOptional<alepha181.TArray<alepha181.TString>>;
+    response: alepha206.TObject<{
+      provider: alepha206.TString;
+      access_token: alepha206.TString;
+      issued_at: alepha206.TNumber;
+      expires_in: alepha206.TOptional<alepha206.TNumber>;
+      refresh_token: alepha206.TOptional<alepha206.TString>;
+      refresh_token_expires_in: alepha206.TOptional<alepha206.TNumber>;
+      refresh_expires_in: alepha206.TOptional<alepha206.TNumber>;
+      id_token: alepha206.TOptional<alepha206.TString>;
+      scope: alepha206.TOptional<alepha206.TString>;
+      user: alepha206.TObject<{
+        id: alepha206.TString;
+        name: alepha206.TOptional<alepha206.TString>;
+        email: alepha206.TOptional<alepha206.TString>;
+        username: alepha206.TOptional<alepha206.TString>;
+        picture: alepha206.TOptional<alepha206.TString>;
+        sessionId: alepha206.TOptional<alepha206.TString>;
+        organizations: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
+        roles: alepha206.TOptional<alepha206.TArray<alepha206.TString>>;
       }>;
-      api: alepha181.TObject<{
-        prefix: alepha181.TOptional<alepha181.TString>;
-        links: alepha181.TArray<alepha181.TObject<{
-          name: alepha181.TString;
-          group: alepha181.TOptional<alepha181.TString>;
-          path: alepha181.TString;
-          method: alepha181.TOptional<alepha181.TString>;
-          requestBodyType: alepha181.TOptional<alepha181.TString>;
-          service: alepha181.TOptional<alepha181.TString>;
-          rawSchema: alepha181.TOptional<alepha181.TObject<{
-            body: alepha181.TOptional<alepha181.TString>;
-            response: alepha181.TOptional<alepha181.TString>;
+      api: alepha206.TObject<{
+        prefix: alepha206.TOptional<alepha206.TString>;
+        links: alepha206.TArray<alepha206.TObject<{
+          name: alepha206.TString;
+          group: alepha206.TOptional<alepha206.TString>;
+          path: alepha206.TString;
+          method: alepha206.TOptional<alepha206.TString>;
+          requestBodyType: alepha206.TOptional<alepha206.TString>;
+          service: alepha206.TOptional<alepha206.TString>;
+          rawSchema: alepha206.TOptional<alepha206.TObject<{
+            body: alepha206.TOptional<alepha206.TString>;
+            response: alepha206.TOptional<alepha206.TString>;
           }>>;
         }>>;
       }>;
     }>;
   }>;
   /**
-       * Oauth2/OIDC login route.
-       */
+   * Oauth2/OIDC login route.
+   */
   readonly login: alepha_server0.RoutePrimitive<{
-    query: alepha181.TObject<{
-      provider: alepha181.TString;
-      realm: alepha181.TOptional<alepha181.TString>;
-      redirect_uri: alepha181.TOptional<alepha181.TString>;
+    query: alepha206.TObject<{
+      provider: alepha206.TString;
+      realm: alepha206.TOptional<alepha206.TString>;
+      redirect_uri: alepha206.TOptional<alepha206.TString>;
     }>;
   }>;
   /**
-       * Callback for OAuth2/OIDC providers.
-       * It handles the authorization code flow and retrieves the access token.
-       */
+   * Callback for OAuth2/OIDC providers.
+   * It handles the authorization code flow and retrieves the access token.
+   */
   readonly callback: alepha_server0.RoutePrimitive<alepha_server0.RequestConfigSchema>;
   /**
-       * Logout route for OAuth2/OIDC providers.
-       */
+   * Logout route for OAuth2/OIDC providers.
+   */
   readonly logout: alepha_server0.RoutePrimitive<{
-    query: alepha181.TObject<{
-      post_logout_redirect_uri: alepha181.TOptional<alepha181.TString>;
+    query: alepha206.TObject<{
+      post_logout_redirect_uri: alepha206.TOptional<alepha206.TString>;
     }>;
   }>;
   /**
-       * Find an auth provider by name and optionally by realm.
-       * When realm is specified, it filters providers by both name and realm.
-       * This enables multi-realm setups where multiple providers share the same name (e.g., "credentials").
-       */
+   * Find an auth provider by name and optionally by realm.
+   * When realm is specified, it filters providers by both name and realm.
+   * This enables multi-realm setups where multiple providers share the same name (e.g., "credentials").
+   */
   protected provider(opts: string | {
     provider: string;
     realm?: string;
@@ -362,13 +1387,13 @@ declare const $auth: {
 };
 type AuthPrimitiveOptions = {
   /**
-       * Name of the identity provider.
-       * If not provided, it will be derived from the property key.
-       */
+   * Name of the identity provider.
+   * If not provided, it will be derived from the property key.
+   */
   name?: string;
   /**
-       * If true, auth provider will be skipped.
-       */
+   * If true, auth provider will be skipped.
+   */
   disabled?: boolean;
 } & (AuthExternal | AuthInternal);
 /**
@@ -376,22 +1401,22 @@ type AuthPrimitiveOptions = {
  */
 type AuthExternal = {
   /**
-       * Only OIDC is supported for external authentication.
-       */
+   * Only OIDC is supported for external authentication.
+   */
   oidc: OidcOptions;
   /**
-       * For anonymous access, this will expect a service account access token.
-       *
-       * ```ts
-       * class App {
-       *   anonymous = $serviceAccount(...);
-       *   auth = $auth({
-       *     // ... config ...
-       *     fallback: this.anonymous,
-       *   })
-       * }
-       * ```
-       */
+   * For anonymous access, this will expect a service account access token.
+   *
+   * ```ts
+   * class App {
+   *   anonymous = $serviceAccount(...);
+   *   auth = $auth({
+   *     // ... config ...
+   *     fallback: this.anonymous,
+   *   })
+   * }
+   * ```
+   */
   fallback?: () => Async<AccessToken>;
 };
 /**
@@ -404,32 +1429,32 @@ type AuthInternal = {
   issuer: IssuerPrimitive;
 } & ({
   /**
-       * The common username/password authentication.
-       *
-       * - It uses the OAuth2 Client Credentials flow to obtain an access token.
-       *
-       * This is usually used with a custom login form on your website or mobile app.
-       */
+   * The common username/password authentication.
+   *
+   * - It uses the OAuth2 Client Credentials flow to obtain an access token.
+   *
+   * This is usually used with a custom login form on your website or mobile app.
+   */
   credentials: CredentialsOptions;
 } | {
   /**
-       * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
-       *
-       * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-       *
-       * This is usually used with a login button that redirects to the OAuth2 provider.
-       */
+   * OAuth2 authentication. Delegates authentication to an OAuth2 provider. (e.g. Google, GitHub, etc.)
+   *
+   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
+   *
+   * This is usually used with a login button that redirects to the OAuth2 provider.
+   */
   oauth: OAuth2Options;
 } | {
   /**
-       * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
-       * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
-       *
-       * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
-       * - PCKE (Proof Key for Code Exchange) is recommended for security.
-       *
-       * This is usually used with a login button that redirects to the OIDC provider.
-       */
+   * Like OAuth2, but uses OIDC (OpenID Connect) for authentication and user information retrieval.
+   * OIDC is an identity layer on top of OAuth2, providing user authentication and profile information.
+   *
+   * - It uses the OAuth2 Authorization Code flow to obtain an access token and user information.
+   * - PCKE (Proof Key for Code Exchange) is recommended for security.
+   *
+   * This is usually used with a login button that redirects to the OIDC provider.
+   */
   oidc: OidcOptions;
 });
 type CredentialsOptions = {
@@ -442,36 +1467,36 @@ interface Credentials {
 }
 interface OidcOptions {
   /**
-       * URL of the OIDC issuer.
-       */
+   * URL of the OIDC issuer.
+   */
   issuer: string;
   /**
-       * Client ID for the OIDC client.
-       */
+   * Client ID for the OIDC client.
+   */
   clientId: string;
   /**
-       * Client secret for the OIDC client.
-       * Optional if PKCE (Proof Key for Code Exchange) is used.
-       */
+   * Client secret for the OIDC client.
+   * Optional if PKCE (Proof Key for Code Exchange) is used.
+   */
   clientSecret?: string;
   /**
-       * Redirect URI for the OIDC client.
-       * This is where the user will be redirected after authentication.
-       */
+   * Redirect URI for the OIDC client.
+   * This is where the user will be redirected after authentication.
+   */
   redirectUri?: string;
   /**
-       * For external auth providers only.
-       * Take the ID token instead of the access token for validation.
-       */
+   * For external auth providers only.
+   * Take the ID token instead of the access token for validation.
+   */
   useIdToken?: boolean;
   /**
-       * URI to redirect the user after logout.
-       */
+   * URI to redirect the user after logout.
+   */
   logoutUri?: string;
   /**
-       * Optional scope for the OIDC client.
-       * @default "openid profile email".
-       */
+   * Optional scope for the OIDC client.
+   * @default "openid profile email".
+   */
   scope?: string;
   account?: LinkAccountFn;
 }
@@ -485,33 +1510,33 @@ interface LinkAccountOptions {
 type LinkAccountFn = (tokens: LinkAccountOptions) => Async<UserAccount>;
 interface OAuth2Options {
   /**
-       * URL of the OAuth2 authorization endpoint.
-       */
+   * URL of the OAuth2 authorization endpoint.
+   */
   clientId: string;
   /**
-       * Client secret for the OAuth2 client.
-       */
+   * Client secret for the OAuth2 client.
+   */
   clientSecret: string;
   /**
-       * URL of the OAuth2 authorization endpoint.
-       */
+   * URL of the OAuth2 authorization endpoint.
+   */
   authorization: string;
   /**
-       * URL of the OAuth2 token endpoint.
-       */
+   * URL of the OAuth2 token endpoint.
+   */
   token: string;
   /**
-       * Function to retrieve user profile information from the OAuth2 tokens.
-       */
+   * Function to retrieve user profile information from the OAuth2 tokens.
+   */
   userinfo: (tokens: Tokens) => Async<OAuth2Profile>;
   account?: LinkAccountFn;
   /**
-       * URL of the OAuth2 authorization endpoint.
-       */
+   * URL of the OAuth2 authorization endpoint.
+   */
   redirectUri?: string;
   /**
-       * URL of the OAuth2 authorization endpoint.
-       */
+   * URL of the OAuth2 authorization endpoint.
+   */
   scope?: string;
 }
 declare class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
@@ -524,14 +1549,14 @@ declare class AuthPrimitive extends Primitive<AuthPrimitiveOptions> {
   get scope(): string | undefined;
   get redirect_uri(): string | undefined;
   /**
-       * Refreshes the access token using the refresh token.
-       * Can be used on oauth2, oidc or credentials auth providers.
-       */
+   * Refreshes the access token using the refresh token.
+   * Can be used on oauth2, oidc or credentials auth providers.
+   */
   refresh(refreshToken: string, accessToken?: string): Promise<AccessTokenResponse>;
   /**
-       * Extracts user information from the access token.
-       * This is used to create a user account from the access token.
-       */
+   * Extracts user information from the access token.
+   * This is used to create a user account from the access token.
+   */
   user(tokens: Tokens): Promise<UserAccount>;
   protected getUserFromIdToken(idToken: string): OAuth2Profile;
   prepare(): Promise<void>;
@@ -584,10 +1609,10 @@ declare const $authGoogle: (realm: IssuerPrimitive & WithLinkFn, options?: Parti
 declare module "alepha" {
   interface State {
     /**
-             * The authenticated user account attached to the server request state.
-             *
-             * @internal
-             */
+     * The authenticated user account attached to the server request state.
+     *
+     * @internal
+     */
     "alepha.server.request.user"?: UserAccount;
   }
 }
@@ -604,7 +1629,7 @@ declare module "alepha" {
  * @see {@link ServerAuthProvider}
  * @module alepha.server.auth
  */
-declare const AlephaServerAuth: alepha181.Service<alepha181.Module>;
+declare const AlephaServerAuth: alepha206.Service<alepha206.Module>;
 //#endregion
 export { $auth, $authCredentials, $authGithub, $authGoogle, AccessToken, AlephaServerAuth, AuthExternal, AuthInternal, AuthPrimitive, AuthPrimitiveOptions, AuthenticationProvider, Credentials, CredentialsFn, CredentialsOptions, LinkAccountFn, LinkAccountOptions, OAuth2Options, OAuth2Profile, OidcOptions, ServerAuthProvider, TokenResponse, Tokens, UserinfoResponse, WithLinkFn, WithLoginFn, alephaServerAuthRoutes, authenticationProviderSchema, tokenResponseSchema, tokensSchema, userinfoResponseSchema };
 //# sourceMappingURL=index.d.ts.map