cidaas-javascript-sdk 4.2.4 → 4.3.1

package/dist/login-service/LoginService.model.d.ts

@@ -0,0 +1,142 @@
+import { LoginPrecheckRequest, VerificationType } from "../common/Common.model";
+export interface LoginWithCredentialsRequest {
+    /** User identifier used to login e.g. username, email or mobile number */
+    username: string;
+    /** Password required to login */
+    password: string;
+    /** Request id returned from the authorization call */
+    requestId: string;
+    /**
+     * Type of username used in login
+     * BREAKING TODO: change type to UsernameType only in next major version
+     * */
+    username_type?: UsernameType | string;
+    /** Field identifier to tell service, where to look for in case of custom username type */
+    field_key?: string;
+    /** Login provider configured in cidaas admin ui */
+    provider?: string;
+    /** DEPRECATED: Captcha string for captcha check */
+    captcha?: string;
+    /** DEPRECATED: Needed in case bot captcha check is activated */
+    bot_captcha_response?: string;
+    /** DEPRECATED: Token for validating csrf */
+    csrf_token?: string;
+    /** Device capacity */
+    dc?: string;
+    /** Device finger print */
+    device_fp?: string;
+    /** Id of captcha created in cidaas admin ui */
+    captcha_ref?: string;
+    /** Response language, which is configured in cidaas admin ui */
+    locale?: string;
+    /** DEPRECATED: Duplicate parameter, will be removed in next major release version */
+    rememberMe?: boolean;
+    /** Remember me flag to keep user signed in */
+    remember_me?: boolean;
+}
+/** Type of username used in login */
+export declare enum UsernameType {
+    Email = "email",
+    Mobile = "mobile",
+    UserName = "user_name",
+    Sub = "sub",
+    IdentityId = "identityid",
+    Custom = "custom"
+}
+export interface SocialProviderPathParameter {
+    /** Request id returned from the authorization call */
+    requestId: string;
+    /** Social login provider configured in cidaas admin ui */
+    provider: string;
+}
+export interface SocialProviderQueryParameter {
+    /** Device capacity */
+    dc?: string;
+    /** Device finger print */
+    device_fp?: string;
+}
+export interface PasswordlessLoginRequest {
+    /** Request id returned from the authorization call */
+    requestId: string;
+    /** Status id returned from MFA authentication */
+    status_id: string;
+    /**
+     * Type of verification to be used to authenticate user
+     * BREAKING TODO: change type to VerificationType only in next major version
+     * */
+    verificationType: VerificationType | string;
+    /**
+     * Masked sub (id of user), who will accept the consent.
+     * Either sub or q have to be provided, depends on what is given from the query parameter.
+     * */
+    sub?: string;
+    /**
+     * Masked sub (id of user), who will accept the consent.
+     * Either sub or q have to be provided, depends on what is given from the query parameter.
+     * */
+    q?: string;
+}
+/** DEPRECATED: MfaContinue should only need LoginPrecheckRequest. The change will be implemented in the next major version */
+export interface MfaContinueRequest extends LoginPrecheckRequest {
+    q?: string;
+    sub?: string;
+    requestId?: string;
+    status_id?: string;
+    verificationType?: string;
+    deviceInfo?: DeviceInfo;
+    device_fp?: string;
+}
+/** DEPRECATED: DeviceInfo is only used in MfaContinueRequest, which will be removed in the next major version */
+export interface DeviceInfo {
+    userAgent?: string;
+    ipAddress?: string;
+    lat?: string;
+    lon?: string;
+    deviceId?: string;
+    usedTime?: Date;
+    purpose?: string;
+    requestId?: string;
+    sub?: string;
+    pushNotificationId?: string;
+    deviceMake?: string;
+    deviceModel?: string;
+    deviceType?: string;
+}
+export interface FirstTimeChangePasswordRequest {
+    /** Id of "force change password setting" returned from the login call, which redirect to change password page */
+    loginSettingsId: string;
+    /** Old password to be changed */
+    old_password: string;
+    /** New password to replaced old password */
+    new_password: string;
+    /** Needed to confirm new password */
+    confirm_password: string;
+    sub?: string;
+    identityId?: string;
+    accessToken?: string;
+    client_id?: string;
+}
+export interface ProgressiveRegistrationHeader {
+    /** Request id returned from the authorization call */
+    requestId: string;
+    /** Identifier generated after successful authentication but unfulfilled prechecks */
+    trackId: string;
+    /** Response language, which is configured in cidaas admin ui */
+    acceptlanguage?: string;
+    /** Latitude is the string location parameter sent in the headers */
+    lat?: string;
+    /** Longitude is the string location parameter sent in the headers */
+    lon?: string;
+}
+export interface LoginAfterRegisterRequest {
+    /** Deprecated: will be removed in the next major release */
+    device_id?: string;
+    /** Device capacity */
+    dc?: string;
+    /** If true, will keep user logged in */
+    rememberMe?: boolean;
+    /** Identifier generated after successful registration */
+    trackId?: string;
+    /** Device fingerprint */
+    device_fp?: string;
+}

package/dist/login-service/LoginService.model.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UsernameType = void 0;
+/** Type of username used in login */
+var UsernameType;
+(function (UsernameType) {
+    UsernameType["Email"] = "email";
+    UsernameType["Mobile"] = "mobile";
+    UsernameType["UserName"] = "user_name";
+    UsernameType["Sub"] = "sub";
+    UsernameType["IdentityId"] = "identityid";
+    UsernameType["Custom"] = "custom";
+})(UsernameType = exports.UsernameType || (exports.UsernameType = {}));

package/dist/token-service/TokenService.d.ts

@@ -0,0 +1,139 @@
+import { GetAccessTokenRequest, RenewTokenRequest, TokenIntrospectionRequest } from "./TokenService.model";
+import { HTTPRequestHeader, LoginPrecheckRequest } from "../common/Common.model";
+/**
+ * To get a new token with the grant type refresh_token, call **renewToken()**.
+ * The refresh token to create a new token. The refresh token is received while creating an access token using the token endpoint and later can be used to fetch a new token without using credentials
+ * @example
+ * ```js
+ * const options = {
+ *   refresh_token: "your refresh token",
+ * }
+ *
+ * cidaas.renewToken(options)
+ *   .then(function (response) {
+ *     // type your code here
+ *   })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ *   });
+ * ```
+ */
+export declare function renewToken(options: RenewTokenRequest): Promise<any>;
+/**
+ * To get a new token with the grant type authorization_code, call **getAccessToken()** with code to create a new token.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/4ff850f48629a-generate-token for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   code: "your code to be exchanged with access token",
+ * }
+ *
+ * cidaas.getAccessToken(options)
+ *   .then(function (response) {
+ *     // type your code here
+ *   })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ *   });
+ * ```
+ */
+export declare function getAccessToken(options: GetAccessTokenRequest): Promise<any>;
+/**
+ * To validate an access token, call **validateAccessToken()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/26ff31e2937f1-introspect-with-bearer-token for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   token: "your access token",
+ *   token_type_hint: "accepted token type hints are access_token, id_token, refresh_token, sso",
+ * }
+ *
+ * cidaas.validateAccessToken(options)
+ * .then(function (response) {
+ *   // type your code here
+ * })
+ * .catch(function (ex) {
+ *   // your failure code here
+ * });
+ * ```
+ */
+export declare function validateAccessToken(options: TokenIntrospectionRequest): Promise<any>;
+/**
+ * To get precheck result after login, call **loginPrecheck()**. If there is missing information, user will be redirected to either accepting consent, changing password, continuing MFA process, or do progressive registration
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/aappczju1t3uh-precheck-information for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   trackId: "your track id from login",
+ *   locale: "your preferred locale. DEPRECATED as it is not supported anymore. Will be removed in next major release",
+ * }
+ *
+ * cidaas.loginPrecheck(options)
+ * .then(function (response) {
+ *   // type your code here
+ * })
+ * .catch(function (ex) {
+ *   // your failure code here
+ * });
+ * ```
+ */
+export declare function loginPrecheck(options: LoginPrecheckRequest, headers?: HTTPRequestHeader): Promise<any>;
+/**
+ * To get the missing fields after login, call **getMissingFields()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/aappczju1t3uh-precheck-information for more details.
+ * @example
+ * ```js
+ * const trackId = "your track id from login";
+ * cidaas.getMissingFields(trackId)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+export declare function getMissingFields(trackId: string, headers?: HTTPRequestHeader): Promise<any>;
+/**
+ * To initiate device code, call **initiateDeviceCode()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/b6d284f55be5e-authorization-request for more details.
+ * @example
+ * ```js
+ * const clientId = "your client id";
+ * cidaas.initiateDeviceCode(clientId)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+export declare function initiateDeviceCode(clientId?: string): Promise<any>;
+/**
+ * To verify device code, call **deviceCodeVerify()**.
+ * @example
+ * ```js
+ * const code = "your code which has been send after initiateDeviceCode()";
+ * cidaas.deviceCodeVerify(code)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+export declare function deviceCodeVerify(code: string): void;
+/**
+ * To check access token without having to call cidaas api, call **offlineTokenCheck()**. THe function will return true if the token is valid & false if the token is invalid.
+ * @example
+ * ```js
+ * cidaas.offlineTokenCheck('your access token');
+ * ```
+ */
+export declare function offlineTokenCheck(accessToken: string): {
+    isExpiryDateValid: boolean;
+    isScopesValid: boolean;
+    isIssuerValid: boolean;
+};

package/dist/token-service/TokenService.js

@@ -0,0 +1,242 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.offlineTokenCheck = exports.deviceCodeVerify = exports.initiateDeviceCode = exports.getMissingFields = exports.loginPrecheck = exports.validateAccessToken = exports.getAccessToken = exports.renewToken = void 0;
+const TokenService_model_1 = require("./TokenService.model");
+const Helper_1 = require("../common/Helper");
+const JwtHelper_1 = require("../common/JwtHelper");
+/**
+ * To get a new token with the grant type refresh_token, call **renewToken()**.
+ * The refresh token to create a new token. The refresh token is received while creating an access token using the token endpoint and later can be used to fetch a new token without using credentials
+ * @example
+ * ```js
+ * const options = {
+ *   refresh_token: "your refresh token",
+ * }
+ *
+ * cidaas.renewToken(options)
+ *   .then(function (response) {
+ *     // type your code here
+ *   })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ *   });
+ * ```
+ */
+function renewToken(options) {
+    if (!options.refresh_token) {
+        throw new Helper_1.CustomException("refresh_token cannot be empty", 417);
+    }
+    options.client_id = window.webAuthSettings.client_id;
+    options.grant_type = TokenService_model_1.GrantType.RefreshToken;
+    const _serviceURL = window.webAuthSettings.authority + "/token-srv/token";
+    return Helper_1.Helper.createHttpPromise(options, _serviceURL, undefined, "POST");
+}
+exports.renewToken = renewToken;
+/**
+ * To get a new token with the grant type authorization_code, call **getAccessToken()** with code to create a new token.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/4ff850f48629a-generate-token for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   code: "your code to be exchanged with access token",
+ * }
+ *
+ * cidaas.getAccessToken(options)
+ *   .then(function (response) {
+ *     // type your code here
+ *   })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ *   });
+ * ```
+ */
+function getAccessToken(options) {
+    var _a;
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!options.code) {
+            throw new Helper_1.CustomException("code cannot be empty", 417);
+        }
+        options.client_id = window.webAuthSettings.client_id;
+        options.redirect_uri = window.webAuthSettings.redirect_uri;
+        options.grant_type = TokenService_model_1.GrantType.AuthorizationCode;
+        if (!window.webAuthSettings.disablePKCE) {
+            const signInRequest = yield window.usermanager.getClient().createSigninRequest(window.webAuthSettings);
+            options.code_verifier = (_a = signInRequest.state) === null || _a === void 0 ? void 0 : _a.code_verifier;
+        }
+        const _serviceURL = window.webAuthSettings.authority + "/token-srv/token";
+        return Helper_1.Helper.createHttpPromise(options, _serviceURL, undefined, "POST");
+    });
+}
+exports.getAccessToken = getAccessToken;
+/**
+ * To validate an access token, call **validateAccessToken()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/26ff31e2937f1-introspect-with-bearer-token for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   token: "your access token",
+ *   token_type_hint: "accepted token type hints are access_token, id_token, refresh_token, sso",
+ * }
+ *
+ * cidaas.validateAccessToken(options)
+ * .then(function (response) {
+ *   // type your code here
+ * })
+ * .catch(function (ex) {
+ *   // your failure code here
+ * });
+ * ```
+ */
+function validateAccessToken(options) {
+    if (!options.token) {
+        throw new Helper_1.CustomException("token cannot be empty", 417);
+    }
+    const _serviceURL = window.webAuthSettings.authority + "/token-srv/introspect";
+    return Helper_1.Helper.createHttpPromise(options, _serviceURL, false, "POST", options.token);
+}
+exports.validateAccessToken = validateAccessToken;
+/**
+ * To get precheck result after login, call **loginPrecheck()**. If there is missing information, user will be redirected to either accepting consent, changing password, continuing MFA process, or do progressive registration
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/aappczju1t3uh-precheck-information for more details.
+ * @example
+ * ```js
+ * const options = {
+ *   trackId: "your track id from login",
+ *   locale: "your preferred locale. DEPRECATED as it is not supported anymore. Will be removed in next major release",
+ * }
+ *
+ * cidaas.loginPrecheck(options)
+ * .then(function (response) {
+ *   // type your code here
+ * })
+ * .catch(function (ex) {
+ *   // your failure code here
+ * });
+ * ```
+ */
+function loginPrecheck(options, headers) {
+    const _serviceURL = window.webAuthSettings.authority + "/token-srv/prelogin/metadata/" + options.track_id;
+    return Helper_1.Helper.createHttpPromise(undefined, _serviceURL, false, "GET", undefined, headers);
+}
+exports.loginPrecheck = loginPrecheck;
+/**
+ * To get the missing fields after login, call **getMissingFields()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/aappczju1t3uh-precheck-information for more details.
+ * @example
+ * ```js
+ * const trackId = "your track id from login";
+ * cidaas.getMissingFields(trackId)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+function getMissingFields(trackId, headers) {
+    const _serviceURL = window.webAuthSettings.authority + "/token-srv/prelogin/metadata/" + trackId;
+    return Helper_1.Helper.createHttpPromise(undefined, _serviceURL, false, "GET", undefined, headers);
+}
+exports.getMissingFields = getMissingFields;
+/**
+ * To initiate device code, call **initiateDeviceCode()**.
+ * Please refer to the api document https://docs.cidaas.com/docs/cidaas-iam/b6d284f55be5e-authorization-request for more details.
+ * @example
+ * ```js
+ * const clientId = "your client id";
+ * cidaas.initiateDeviceCode(clientId)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+function initiateDeviceCode(clientId) {
+    const clientid = clientId !== null && clientId !== void 0 ? clientId : window.webAuthSettings.client_id;
+    const _serviceURL = `${window.webAuthSettings.authority}/authz-srv/device/authz?client_id=${clientid}`;
+    return Helper_1.Helper.createHttpPromise(undefined, _serviceURL, false, "GET");
+}
+exports.initiateDeviceCode = initiateDeviceCode;
+/**
+ * To verify device code, call **deviceCodeVerify()**.
+ * @example
+ * ```js
+ * const code = "your code which has been send after initiateDeviceCode()";
+ * cidaas.deviceCodeVerify(code)
+ *   .then(function (response) {
+ *     // type your code here
+ * })
+ *   .catch(function (ex) {
+ *     // your failure code here
+ * });
+ * ```
+ */
+function deviceCodeVerify(code) {
+    const params = `user_code=${encodeURI(code)}`;
+    const url = `${window.webAuthSettings.authority}/token-srv/device/verify?${params}`;
+    try {
+        const options = {
+            user_code: encodeURI(code)
+        };
+        const form = Helper_1.Helper.createForm(url, options, 'GET');
+        document.body.appendChild(form);
+        form.submit();
+    }
+    catch (ex) {
+        throw new Error(String(ex));
+    }
+}
+exports.deviceCodeVerify = deviceCodeVerify;
+/**
+ * To check access token without having to call cidaas api, call **offlineTokenCheck()**. THe function will return true if the token is valid & false if the token is invalid.
+ * @example
+ * ```js
+ * cidaas.offlineTokenCheck('your access token');
+ * ```
+ */
+function offlineTokenCheck(accessToken) {
+    var _a, _b;
+    const result = {
+        isExpiryDateValid: false,
+        isScopesValid: false,
+        isIssuerValid: false,
+    };
+    const accessTokenHeaderAsJson = JwtHelper_1.JwtHelper.decodeTokenHeader(accessToken);
+    const accessTokenAsJson = JwtHelper_1.JwtHelper.decodeToken(accessToken);
+    if (!accessTokenAsJson || !accessTokenHeaderAsJson) {
+        return result;
+    }
+    else {
+        if (accessTokenAsJson.exp) {
+            const expirationDate = new Date(0);
+            expirationDate.setUTCSeconds(accessTokenAsJson.exp);
+            result.isExpiryDateValid = expirationDate.valueOf() > new Date().valueOf();
+        }
+        const accessTokenScopes = accessTokenAsJson.scopes;
+        const webAuthSettingScopes = (_b = (_a = window.webAuthSettings) === null || _a === void 0 ? void 0 : _a.scope) === null || _b === void 0 ? void 0 : _b.split(' ');
+        if ((accessTokenScopes === null || accessTokenScopes === void 0 ? void 0 : accessTokenScopes.length) === (webAuthSettingScopes === null || webAuthSettingScopes === void 0 ? void 0 : webAuthSettingScopes.length)) {
+            webAuthSettingScopes.forEach(webAuthSettingScope => {
+                const i = accessTokenScopes.indexOf(webAuthSettingScope);
+                if (i > -1) {
+                    accessTokenScopes.splice(i, 1);
+                }
+            });
+            result.isScopesValid = accessTokenScopes.length === 0;
+        }
+        result.isIssuerValid = accessTokenAsJson.iss === window.webAuthSettings.authority;
+    }
+    return result;
+}
+exports.offlineTokenCheck = offlineTokenCheck;

package/dist/token-service/TokenService.model.d.ts

@@ -0,0 +1,149 @@
+export interface TokenHeader {
+    /** Algorithm, which is used to secure token */
+    alg: string;
+    /** Key identifier to verify token signature */
+    kid: string;
+}
+export interface TokenClaim {
+    /** Issuer identifier */
+    iss: string;
+    /** Subject (User) identifier */
+    sub: string;
+    /** Client id, used during authentication or token generation */
+    aud: string;
+    /** Expiration time of token */
+    exp: number;
+    /** Time when token was generated */
+    iat: number;
+    /** A unique identifier for the token, which can be used to prevent reuse of the token */
+    jti: string;
+    /** Time when active authentication by user was done */
+    auth_time?: number;
+    /** String value used to associate a client session with an id token, and to mitigate replay attacks */
+    nonce?: string;
+    /** String specifying an Authentication Context Class Reference value */
+    acr?: string;
+    /** Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication */
+    amr?: string[];
+    /** Authorized party. The party to which the ID Token was issued */
+    azp?: string;
+    /** Access token hash value */
+    at_hash?: string;
+    /** Code hash value */
+    c_hash?: string;
+    /** List of user roles */
+    roles?: string[];
+    /** List of scopes requested */
+    scopes?: string[];
+    /** List of user group */
+    groups?: Group[];
+    /** Session identifier */
+    sid?: string;
+    /** Identity subject. Identity id of the user */
+    isub?: string;
+    /** Provider user identifier */
+    psub?: string;
+    /** Not before */
+    nbf?: number;
+    /** User agent hash */
+    ua_hash?: string;
+    /** List of unaccepted consents */
+    consents?: Consent[];
+    /** DEPRECATED: replaced with aud claim */
+    clientid?: string;
+    /** DEPRECATED: replaced with scopes claim */
+    scope?: string;
+    /** DEPRECATED: replaced with roles claim */
+    role?: string;
+}
+export interface Group {
+    /** Unique identifier for the group */
+    groupId: string;
+    /** List of group roles */
+    roles: string[];
+}
+export interface Consent {
+    /** Unique identifier for the consent */
+    consent_id: string;
+    /** Unique identifier for one particular consent version */
+    consent_version_id: string;
+    /** Consent Status whether it has been accepted */
+    accepted: boolean;
+    /** Time when the consent is created */
+    creation_time: string;
+}
+export interface RenewTokenRequest {
+    /** One time valid code that is used for issuing a new token */
+    refresh_token: string;
+    /** Unique identifier of client app, can be found in app setting under admin ui */
+    client_id?: string;
+    /**
+     * Type of grant used in token request
+     * BREAKING TODO: change type to GrantType only in next major version
+    */
+    grant_type?: GrantType | string;
+}
+/** Type of grant used in token request */
+export declare enum GrantType {
+    AuthorizationCode = "authorization_code",
+    Implicit = "implicit",
+    RefreshToken = "refresh_token",
+    Password = "password",
+    ClientCredentials = "client_credentials",
+    Internal = "internal",
+    DeviceCode = "urn:ietf:params:oauth:grant-type:device_code"
+}
+export interface GetAccessTokenRequest {
+    /** The code which you receive while using authorization code flow */
+    code: string;
+    /** When we choose PKCE method to generate token, we need to pass code_verifier which is a cryptographically random string */
+    code_verifier?: string;
+    /** Unique identifier of client app, can be found in app setting under admin ui */
+    client_id?: string;
+    /**
+     * Type of grant used in token request
+     * BREAKING TODO: change type to GrantType only in next major version
+     * */
+    grant_type?: GrantType | string;
+    /** Specify the url where the user needs to be redirected after successful login */
+    redirect_uri?: string;
+}
+export declare class TokenIntrospectionRequest {
+    /** access token to be inspected */
+    token: string;
+    /**
+     * Optional hint about the type of the submitted token.
+     * BREAKING TODO: change type to TokenTypeHint only in next major version
+     * */
+    token_type_hint?: TokenTypeHint | string;
+    /** List of roles to match */
+    roles?: string[];
+    /** List of scopes to match */
+    scopes?: string[];
+    /** List of groups to match */
+    groups?: GroupAllowed[];
+    /** If true, all roles have to be included. If false, only 1 role from the list is needed */
+    strictRoleValidation?: boolean;
+    /** If true, all group have to be included. If false, only 1 group from the list is needed */
+    strictGroupValidation?: boolean;
+    /** If true, all scopes have to be included. If false, only 1 scope from the list is needed */
+    strictScopeValidation?: boolean;
+    /** If true, all defined roles and/or groups and/or scopes validation has to be succesful. If false, only 1 of them is needed */
+    strictValidation?: boolean;
+}
+/** Optional hint about the type of the submitted token. */
+export declare enum TokenTypeHint {
+    AccessToken = "access_token",
+    RefreshToken = "refresh_token",
+    IdToken = "id_token",
+    Sid = "sid",
+    Sso = "sso"
+}
+export declare class GroupAllowed {
+    /** Unique group id */
+    id: string;
+    /** List of grouproles to match */
+    roles: string[];
+    /** If true, all roles have to be included. If false, only 1 role from the list is needed */
+    strictRoleValidation: boolean;
+}