base-idp 1.0.0

package/README.md

@@ -0,0 +1,162 @@
+# @squareexp/base-idp
+
+TypeScript SDK for integrating web apps and Node services with Base IDP.
+
+## Install
+
+```bash
+npm install @squareexp/base-idp
+```
+
+## Credential Source
+
+Get credentials from Base client registration (admin flow), not from local guesses.
+Use the registered:
+- `client_id`
+- optional `client_secret` (server-side only)
+- exact redirect URI
+- scope list
+- `allowed_auth_methods`
+- `requested_claims`
+
+## Fast Init
+
+The SDK ships with a bootstrap command that prints the env block and registration payload for a client, and can optionally POST the registration to Base:
+
+```bash
+npx base-idp init \
+  --client-id console-gateway \
+  --display-name "Base Console" \
+  --product console \
+  --app-domain console.cloud.squareexp.com \
+  --redirect-uri http://localhost:3010/api/auth/callback \
+  --allowed-redirect-uris http://localhost:3010/api/auth/callback \
+  --allowed-origins http://localhost:3010 \
+  --allowed-scopes "openid profile console:manage" \
+  --allowed-auth-methods password,magic_link \
+  --requested-claims email,profile
+```
+
+Add `--post --admin-token <token>` to register directly through the Base admin API.
+
+## Cloud Releases
+
+This package is also emitted as a release artifact when we cut an SDK release.
+The release bundle contains the packed npm tarball plus matching Go, Rust, and Laravel artifacts for the same Base IdP version.
+
+To generate the local release bundle:
+
+```bash
+./scripts/release-base-idp-sdks.sh sdk-v1.0.0
+```
+
+To download a published bundle:
+
+```bash
+gh release download sdk-v1.0.0 --repo <owner>/<repo>
+```
+
+## Environment
+
+Server-side:
+
+```env
+BASE_IDP_ISSUER=https://authlayer.squareexp.com
+BASE_IDP_CLIENT_ID=<your-client-id>
+BASE_IDP_CLIENT_SECRET=<your-client-secret-if-confidential>
+BASE_IDP_REDIRECT_URI=<exact-registered-callback-url>
+BASE_IDP_SCOPES="openid profile <product>:read <product>:write"
+BASE_IDP_REQUIRED_SCOPE=<product>:read
+BASE_IDP_AUDIENCE=square-experience
+```
+
+`BASE_IDP_SECRET` is still accepted by the runtime as a legacy alias, but `BASE_IDP_CLIENT_SECRET` is the preferred env name.
+
+Vite/browser-safe:
+
+```env
+VITE_BASE_IDP_ISSUER=https://authlayer.squareexp.com
+VITE_BASE_IDP_CLIENT_ID=<public-client-id>
+VITE_BASE_IDP_REDIRECT_URI=<exact-registered-callback-url>
+VITE_BASE_IDP_SCOPES="openid profile <product>:read"
+```
+
+Never expose `BASE_IDP_CLIENT_SECRET` in browser bundles.
+
+## Server-Side Backend Wiring
+
+Use these surfaces when your app server talks to Base:
+
+- `createNextBaseIdpAuth(...)` for Next.js App Router login and callback handlers
+- `BaseIdpServerClient` for direct token exchange, refresh, and verification
+- `createExpressMiddleware(...)` for Express / raw `http` route protection
+- `createNestBaseIdpGuard(...)` for NestJS guards
+
+If your service only needs to validate a bearer token, use the server client’s `verifyAccessToken(...)` method and keep the Base key + issuer in env. If the service also exchanges codes or refreshes tokens, provide the client secret too.
+
+## React Login Button
+
+```tsx
+import { createReactBaseIdpAuth } from "@squareexp/base-idp/react";
+
+const auth = createReactBaseIdpAuth({
+  issuer: "https://authlayer.squareexp.com",
+  clientId: "crm-web",
+  redirectUri: "https://crm.squareexp.com/auth/square/callback",
+  scopes: "openid profile crm:read crm:write",
+});
+
+export function LoginButton() {
+  return <button {...auth.buttonProps({ state: "/dashboard" })}>Continue with Base IdP</button>;
+}
+```
+
+## Next.js App Router
+
+```ts
+import { createNextBaseIdpAuth } from "@squareexp/base-idp/next";
+
+const baseIdp = createNextBaseIdpAuth({
+  issuer: process.env.BASE_IDP_ISSUER!,
+  clientId: process.env.BASE_IDP_CLIENT_ID!,
+  clientSecret: process.env.BASE_IDP_CLIENT_SECRET!,
+  redirectUri: process.env.BASE_IDP_REDIRECT_URI!,
+  scopes: process.env.BASE_IDP_SCOPES!,
+  requiredScope: "crm:read",
+});
+
+export const GET = baseIdp.login;
+```
+
+Callback route:
+
+```ts
+export const GET = baseIdp.callback;
+```
+
+## Express/Nest Route Protection
+
+```ts
+import { createExpressMiddleware, baseIdpConfigFromNodeEnv } from "@squareexp/base-idp/node";
+
+const requireBaseIdpAuth = createExpressMiddleware(baseIdpConfigFromNodeEnv(), {
+  requiredScope: "crm:read",
+  attachUser: true,
+});
+```
+
+## Server Token Verification
+
+```ts
+import { BaseIdpServerClient } from "@squareexp/base-idp/server";
+
+const baseIdp = new BaseIdpServerClient({
+  issuer: process.env.BASE_IDP_ISSUER!,
+  clientId: process.env.BASE_IDP_CLIENT_ID!,
+  redirectUri: process.env.BASE_IDP_REDIRECT_URI!,
+  scopes: process.env.BASE_IDP_SCOPES!,
+  requiredScope: "crm:read",
+});
+
+const principal = await baseIdp.verifyAccessToken(accessToken);
+```

package/dist/base64url.d.ts

@@ -0,0 +1,6 @@
+export declare function base64UrlEncode(bytes: Uint8Array): string;
+export declare function base64UrlDecode(value: string): Uint8Array;
+export declare function utf8Encode(value: string): Uint8Array;
+export declare function utf8Decode(value: Uint8Array): string;
+export declare function concatBytes(parts: Uint8Array[]): Uint8Array;
+//# sourceMappingURL=base64url.d.ts.map

package/dist/base64url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../src/base64url.ts"],"names":[],"mappings":"AAAA,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CASzD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAWzD;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAEpD;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAEpD;AAED,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,UAAU,CAS3D"}

package/dist/base64url.js

@@ -0,0 +1,39 @@
+export function base64UrlEncode(bytes) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(bytes).toString("base64url");
+    }
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+export function base64UrlDecode(value) {
+    if (typeof Buffer !== "undefined") {
+        return new Uint8Array(Buffer.from(value, "base64url"));
+    }
+    const padded = value.replace(/-/g, "+").replace(/_/g, "/").padEnd(value.length + ((4 - (value.length % 4)) % 4), "=");
+    const binary = atob(padded);
+    const out = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        out[i] = binary.charCodeAt(i);
+    }
+    return out;
+}
+export function utf8Encode(value) {
+    return new TextEncoder().encode(value);
+}
+export function utf8Decode(value) {
+    return new TextDecoder().decode(value);
+}
+export function concatBytes(parts) {
+    const size = parts.reduce((sum, part) => sum + part.length, 0);
+    const out = new Uint8Array(size);
+    let offset = 0;
+    for (const part of parts) {
+        out.set(part, offset);
+        offset += part.length;
+    }
+    return out;
+}
+//# sourceMappingURL=base64url.js.map

package/dist/base64url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.js","sourceRoot":"","sources":["../src/base64url.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,eAAe,CAAC,KAAiB;IAC/C,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,KAAa;IAC3C,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACtH,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAiB;IAC1C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAmB;IAC7C,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACtB,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC;IACxB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/bootstrap.d.ts

@@ -0,0 +1,10 @@
+import { BaseIdPClient } from "./client.js";
+import type { BaseIdPConfig } from "./types.js";
+export declare function createClientBootstrap(config: BaseIdPConfig): {
+    client: BaseIdPClient;
+    init(): Promise<{
+        env: string;
+        config: import("./types.js").ResolvedConfig;
+    }>;
+};
+//# sourceMappingURL=bootstrap.d.ts.map

package/dist/bootstrap.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.d.ts","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhD,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,aAAa;;;;;;EAc1D"}

package/dist/bootstrap.js

@@ -0,0 +1,18 @@
+import { BaseIdPClient } from "./client.js";
+export function createClientBootstrap(config) {
+    const client = new BaseIdPClient(config);
+    return {
+        client,
+        async init() {
+            const resolved = await client.resolveConfig();
+            const env = [
+                `BASE_IDP_KEY=${config.key}`,
+                `BASE_IDP_ISSUER=${resolved.issuer}`,
+            ];
+            if (config.secret)
+                env.push(`BASE_IDP_CLIENT_SECRET=${config.secret}`);
+            return { env: env.join("\n"), config: resolved };
+        },
+    };
+}
+//# sourceMappingURL=bootstrap.js.map

package/dist/bootstrap.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../src/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,OAAO;QACL,MAAM;QACN,KAAK,CAAC,IAAI;YACR,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,aAAa,EAAE,CAAC;YAC9C,MAAM,GAAG,GAAG;gBACV,gBAAgB,MAAM,CAAC,GAAG,EAAE;gBAC5B,mBAAmB,QAAQ,CAAC,MAAM,EAAE;aACrC,CAAC;YACF,IAAI,MAAM,CAAC,MAAM;gBAAE,GAAG,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACvE,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;QACnD,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,206 @@
+#!/usr/bin/env node
+async function main() {
+    const [, , command = "help", ...argv] = process.argv;
+    if (command !== "init" && command !== "test" && command !== "token" && command !== "help") {
+        printUsageAndExit(`Unknown command: ${command}`);
+    }
+    if (command === "help")
+        printUsageAndExit();
+    const args = parseArgs(argv);
+    if (command === "init") {
+        await initCommand(args);
+    }
+    else if (command === "test") {
+        await testCommand(args);
+    }
+    else if (command === "token") {
+        await tokenCommand(args);
+    }
+}
+async function initCommand(args) {
+    const key = stringArg(args, "key") || process.env.BASE_IDP_KEY;
+    const issuer = stringArg(args, "issuer") || process.env.BASE_IDP_ISSUER || "https://authlayer.squareexp.com";
+    const secret = stringArg(args, "client-secret") ||
+        stringArg(args, "secret") ||
+        process.env.BASE_IDP_CLIENT_SECRET ||
+        process.env.BASE_IDP_SECRET;
+    if (!key) {
+        printUsageAndExit("Missing --key (set BASE_IDP_KEY in your env or pass --key)");
+    }
+    const env = [
+        `BASE_IDP_KEY=${key}`,
+        `BASE_IDP_ISSUER=${issuer}`,
+    ];
+    if (secret)
+        env.push(`BASE_IDP_CLIENT_SECRET=${secret}`);
+    if (boolArg(args, "post", false)) {
+        const adminUrl = stringArg(args, "admin-url") || `${trimSlash(issuer)}/admin/v1/clients`;
+        const adminToken = stringArg(args, "admin-token");
+        if (!adminToken)
+            printUsageAndExit("--post requires --admin-token");
+        const response = await fetch(adminUrl, {
+            method: "POST",
+            headers: {
+                Accept: "application/json",
+                Authorization: `Bearer ${adminToken}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({
+                client_id: stringArg(args, "client-id") || undefined,
+                product: stringArg(args, "product") || "square",
+                display_name: stringArg(args, "display-name") || "My App",
+                app_domain: stringArg(args, "app-domain") || "",
+                allowed_redirect_uris: splitList(stringArg(args, "allowed-redirect-uris") || "").filter(Boolean),
+                allowed_scopes: splitList(stringArg(args, "allowed-scopes") || "openid profile"),
+                allowed_auth_methods: splitList(stringArg(args, "allowed-auth-methods") || "password,magic_link"),
+                confidential: boolArg(args, "confidential", true),
+            }),
+        });
+        const payload = await response.json().catch(() => ({}));
+        if (response.ok) {
+            console.log(JSON.stringify({ ok: true, payload }, null, 2));
+            console.log();
+        }
+        else {
+            console.error(JSON.stringify({ ok: false, status: response.status, payload }, null, 2));
+            process.exitCode = 1;
+        }
+    }
+    console.log(env.join("\n"));
+}
+async function testCommand(args) {
+    const issuer = stringArg(args, "issuer") || process.env.BASE_IDP_ISSUER || "https://authlayer.squareexp.com";
+    const key = stringArg(args, "key") || process.env.BASE_IDP_KEY;
+    console.log(`Testing Base IdP connection to ${issuer}...`);
+    try {
+        const health = await fetch(`${trimSlash(issuer)}/healthz`);
+        console.log(`  healthz: ${health.status} ${health.ok ? "OK" : "FAIL"}`);
+        const discovery = await fetch(`${trimSlash(issuer)}/.well-known/square-identity`);
+        console.log(`  discovery: ${discovery.status} ${discovery.ok ? "OK" : "FAIL"}`);
+        if (key) {
+            const config = await fetch(`${trimSlash(issuer)}/v1/client-config?key=${encodeURIComponent(key)}`);
+            console.log(`  client-config: ${config.status} ${config.ok ? "OK" : "FAIL"}`);
+        }
+        console.log("\nIdP is reachable.");
+    }
+    catch (err) {
+        console.error(`Connection failed: ${err}`);
+        process.exitCode = 1;
+    }
+}
+async function tokenCommand(args) {
+    const token = stringArg(args, "token") || args._[0];
+    if (!token)
+        printUsageAndExit("Missing token argument");
+    const parts = token.split(".");
+    if (parts.length !== 4 || parts[0] !== "v4" || parts[1] !== "public") {
+        console.error("Not a PASETO v4.public token");
+        process.exit(1);
+        return;
+    }
+    const header = { version: parts[0], purpose: parts[1] };
+    const payload = decodeBase64Url(parts[2]);
+    const footer = decodeBase64Url(parts[3]);
+    try {
+        const claims = JSON.parse(new TextDecoder().decode(payload));
+        const footerObj = JSON.parse(new TextDecoder().decode(footer));
+        console.log("=== PASETO v4.public Token ===");
+        console.log(JSON.stringify({
+            header,
+            footer: footerObj,
+            claims: {
+                ...claims,
+                exp: claims.exp ? new Date(Date.parse(claims.exp)).toISOString() : undefined,
+                nbf: claims.nbf ? new Date(Date.parse(claims.nbf)).toISOString() : undefined,
+                iat: claims.iat ? new Date(Date.parse(claims.iat)).toISOString() : undefined,
+            },
+        }, null, 2));
+        const now = Date.now();
+        if (claims.exp && Date.parse(claims.exp) <= now) {
+            console.log("\n⚠ Token is EXPIRED");
+        }
+    }
+    catch {
+        console.log(JSON.stringify({ header, payload: "[binary]",
+            footer: new TextDecoder().decode(footer) }, null, 2));
+    }
+}
+function decodeBase64Url(value) {
+    const padded = value.replace(/-/g, "+").replace(/_/g, "/");
+    const binary = atob(padded);
+    const out = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        out[i] = binary.charCodeAt(i);
+    return out;
+}
+function splitList(value) {
+    return value.split(/[,\s]+/).map((item) => item.trim()).filter(Boolean);
+}
+function stringArg(args, key) {
+    const value = args[key];
+    return typeof value === "string" ? value : "";
+}
+function boolArg(args, key, fallback) {
+    const value = args[key];
+    if (typeof value === "boolean")
+        return value;
+    if (typeof value === "string")
+        return !["0", "false", "no", "off"].includes(value.toLowerCase());
+    return fallback;
+}
+function parseArgs(argv) {
+    const args = { _: [] };
+    for (let i = 0; i < argv.length; i += 1) {
+        const raw = argv[i];
+        if (!raw.startsWith("--")) {
+            args._.push(raw);
+            continue;
+        }
+        const trimmed = raw.slice(2);
+        const equals = trimmed.indexOf("=");
+        if (equals >= 0) {
+            args[trimmed.slice(0, equals)] = trimmed.slice(equals + 1);
+            continue;
+        }
+        const key = trimmed;
+        const next = argv[i + 1];
+        if (!next || next.startsWith("--")) {
+            args[key] = true;
+            continue;
+        }
+        args[key] = next;
+        i += 1;
+    }
+    return args;
+}
+function trimSlash(value) {
+    return value.replace(/\/+$/, "");
+}
+function printUsageAndExit(reason) {
+    if (reason) {
+        console.error(reason);
+        console.error();
+    }
+    console.error(`Usage:
+  base-idp init  [--key <key>] [--issuer <url>]       Generate env config from a base key
+  base-idp test  [--issuer <url>] [--key <key>]        Test IdP connectivity
+  base-idp token <token>                               Decode and inspect a PASETO token
+
+Init options:
+  --key <key>                Base key (anon_key from Console)
+  --issuer <url>             Base IdP issuer URL
+  --client-secret <secret>   Client secret (confidential clients only)
+  --secret <secret>          Legacy alias for --client-secret
+  --post                     Register client + output env
+  --admin-token <token>      Admin token for --post
+
+Test options:
+  --issuer <url>             Base IdP issuer URL
+  --key <key>                Base key to test client-config endpoint
+`);
+    process.exit(1);
+    throw new Error(reason ?? "usage requested");
+}
+await main();
+export {};
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAOA,KAAK,UAAU,IAAI;IACjB,MAAM,CAAC,EAAE,AAAD,EAAG,OAAO,GAAG,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IACrD,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,KAAK,OAAO,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QAC1F,iBAAiB,CAAC,oBAAoB,OAAO,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,OAAO,KAAK,MAAM;QAAE,iBAAiB,EAAE,CAAC;IAE5C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAE7B,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QAC9B,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;SAAM,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QAC/B,MAAM,YAAY,CAAC,IAAI,CAAC,CAAC;IAC3B,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAgB;IACzC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAC/D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,iCAAiC,CAAC;IAC7G,MAAM,MAAM,GACV,SAAS,CAAC,IAAI,EAAE,eAAe,CAAC;QAChC,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC;QACzB,OAAO,CAAC,GAAG,CAAC,sBAAsB;QAClC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAE9B,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,iBAAiB,CAAC,4DAA4D,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,GAAG,GAAG;QACV,gBAAgB,GAAG,EAAE;QACrB,mBAAmB,MAAM,EAAE;KAC5B,CAAC;IACF,IAAI,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,0BAA0B,MAAM,EAAE,CAAC,CAAC;IAEzD,IAAI,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC,mBAAmB,CAAC;QACzF,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAClD,IAAI,CAAC,UAAU;YAAE,iBAAiB,CAAC,+BAA+B,CAAC,CAAC;QAEpE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,EAAE;YACrC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,UAAU,UAAU,EAAE;gBACrC,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,SAAS,EAAE,SAAS,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,SAAS;gBACpD,OAAO,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,QAAQ;gBAC/C,YAAY,EAAE,SAAS,CAAC,IAAI,EAAE,cAAc,CAAC,IAAI,QAAQ;gBACzD,UAAU,EAAE,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,EAAE;gBAC/C,qBAAqB,EAAE,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,uBAAuB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBAChG,cAAc,EAAE,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,gBAAgB,CAAC,IAAI,gBAAgB,CAAC;gBAChF,oBAAoB,EAAE,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,sBAAsB,CAAC,IAAI,qBAAqB,CAAC;gBACjG,YAAY,EAAE,OAAO,CAAC,IAAI,EAAE,cAAc,EAAE,IAAI,CAAC;aAClD,CAAC;SACH,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxD,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC5D,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACxF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,IAAgB;IACzC,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,iCAAiC,CAAC;IAC7G,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IAE/D,OAAO,CAAC,GAAG,CAAC,kCAAkC,MAAM,KAAK,CAAC,CAAC;IAE3D,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAExE,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,8BAA8B,CAAC,CAAC;QAClF,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAEhF,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,yBAAyB,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnG,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,sBAAsB,GAAG,EAAE,CAAC,CAAC;QAC3C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,IAAgB;IAC1C,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,IAAI,CAAC,KAAK;QAAE,iBAAiB,CAAC,wBAAwB,CAAC,CAAC;IAExD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QACrE,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAChB,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACxD,MAAM,OAAO,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QAE/D,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,MAAM;YACN,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE;gBACN,GAAG,MAAM;gBACT,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;gBAC5E,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;gBAC5E,GAAG,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS;aAC7E;SACF,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAEb,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;YAChD,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU;YACtD,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IACtE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,SAAS,CAAC,IAAgB,EAAE,GAAW;IAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,OAAO,CAAC,IAAgB,EAAE,GAAW,EAAE,QAAiB;IAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,CAAC,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;IACjG,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,SAAS,CAAC,IAAc;IAC/B,MAAM,IAAI,GAAe,EAAE,CAAC,EAAE,EAAE,EAAE,CAAC;IACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;YAChB,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC3D,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC;QACpB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;QACjB,CAAC,IAAI,CAAC,CAAC;IACT,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,iBAAiB,CAAC,MAAe;IACxC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACtB,OAAO,CAAC,KAAK,EAAE,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;CAgBf,CAAC,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAChB,MAAM,IAAI,KAAK,CAAC,MAAM,IAAI,iBAAiB,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,IAAI,EAAE,CAAC"}

package/dist/client.d.ts

@@ -0,0 +1,20 @@
+import type { AuthorizeUrlOptions, BaseIdPConfig, BaseIdpIdentityMetadata, RefreshOptions, ResolvedConfig, BaseIdpPublicKeySet, TokenExchangeOptions, TokenPair } from "./types.js";
+export declare class BaseIdPClient {
+    private readonly rawConfig;
+    protected readonly cfg: Required<ResolvedConfig>;
+    private metadataCache?;
+    private keyCache?;
+    constructor(rawConfig: BaseIdPConfig);
+    get issuer(): string;
+    get clientId(): string;
+    scopes(value?: string | string[]): string[];
+    resolveConfig(): Promise<ResolvedConfig>;
+    discovery(force?: boolean): Promise<BaseIdpIdentityMetadata>;
+    publicKeys(force?: boolean): Promise<BaseIdpPublicKeySet>;
+    authorizeUrl(options?: AuthorizeUrlOptions): string;
+    exchangeCode(options: TokenExchangeOptions): Promise<TokenPair>;
+    refresh(options: RefreshOptions): Promise<TokenPair>;
+    private postToken;
+}
+export { BaseIdPClient as BaseIdpClient };
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,mBAAmB,EACnB,aAAa,EAGb,uBAAuB,EACvB,cAAc,EACd,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,SAAS,EACV,MAAM,YAAY,CAAC;AAEpB,qBAAa,aAAa;IAMZ,OAAO,CAAC,QAAQ,CAAC,SAAS;IALtC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,cAAc,CAAC,CAAC;IAEjD,OAAO,CAAC,aAAa,CAAC,CAA0B;IAChD,OAAO,CAAC,QAAQ,CAAC,CAAsB;gBAEV,SAAS,EAAE,aAAa;IA2BrD,IAAI,MAAM,IAAI,MAAM,CAEnB;IAED,IAAI,QAAQ,IAAI,MAAM,CAErB;IAED,MAAM,CAAC,KAAK,GAAE,MAAM,GAAG,MAAM,EAAoB,GAAG,MAAM,EAAE;IAItD,aAAa,IAAI,OAAO,CAAC,cAAc,CAAC;IA0BxC,SAAS,CAAC,KAAK,UAAQ,GAAG,OAAO,CAAC,uBAAuB,CAAC;IAa1D,UAAU,CAAC,KAAK,UAAQ,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAc7D,YAAY,CAAC,OAAO,GAAE,mBAAwB,GAAG,MAAM;IAsBjD,YAAY,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,SAAS,CAAC;IAiB/D,OAAO,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC;YAgB5C,SAAS;CAexB;AAED,OAAO,EAAE,aAAa,IAAI,aAAa,EAAE,CAAC"}