mcp-auth-wrapper 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Adam Jones (domdomegg)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,286 @@
+# mcp-auth-wrapper
+
+> Turn any local [MCP server](https://modelcontextprotocol.io/) into a multi-tenant hosted remote MCP, with per-user credentials.
+
+Connecting AI agents to tools can help you and your team be more productive. [MCP servers](https://modelcontextprotocol.io/docs/learn/server-concepts) are a great way to do this — but many of them only run locally and require per-user setup (like API keys) that can be difficult for non-technical users. What if you want your whole team to use one, each with their own credentials?
+
+mcp-auth-wrapper lets you do exactly this: it hosts any MCP server for multiple users with auth and configuration. Your team can login via your existing identity provider (Google Workspace, Microsoft Entra ID, Okta, Auth0, Keycloak, etc.), provide their per-user config in a simple form interface, and mcp-auth-wrapper will automatically spin up the MCP for each user.
+
+mcp-auth-wrapper works with Claude.ai, Claude Code and any other MCP client that supports remote servers.
+
+For those interested in the technical details, mcp-auth-wrapper wraps stdio MCP servers that accept environment variables as [streamable HTTP](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http) servers with [OAuth 2.1](https://oauth.net/2.1/) / [OpenID Connect](https://openid.net/developers/how-connect-works/). By default, user credentials are held only in memory but can be persisted to sqlite - it is recommended to use an encrypted volume for storage if doing this. mcp-auth-wrapper is horizontally scalable for larger deployments, and can be run easily with npx, Docker, Docker Compose or Kubernetes.
+
+## Usage
+
+Set `MCP_AUTH_WRAPPER_CONFIG` to a JSON config object and run:
+
+```bash
+MCP_AUTH_WRAPPER_CONFIG='{
+  "command": ["npx", "-y", "airtable-mcp-server"],
+  "auth": {"issuer": "https://auth.example.com"}
+}' npx mcp-auth-wrapper
+```
+
+This starts an HTTP MCP server on localhost:3000. When a user connects, they'll be redirected to your login provider. After logging in, if you've configured per-user environment variables (like API keys), they'll see a form to enter them. Then they're connected to their own MCP server process.
+
+<details>
+<summary>Other configuration methods</summary>
+
+The env var can also point to a file path:
+
+```bash
+MCP_AUTH_WRAPPER_CONFIG=/path/to/config.json npx mcp-auth-wrapper
+```
+
+Or create `mcp-auth-wrapper.config.json` in the working directory — it's picked up automatically:
+
+```bash
+npx mcp-auth-wrapper
+```
+
+</details>
+
+<details>
+<summary>Running with Docker</summary>
+
+```bash
+docker run -e 'MCP_AUTH_WRAPPER_CONFIG={"command":["npx","-y","airtable-mcp-server"],"auth":{"issuer":"https://auth.example.com"}}' -p 3000:3000 ghcr.io/domdomegg/mcp-auth-wrapper
+```
+
+</details>
+
+### Config
+
+Only `command` and `auth.issuer` are required. Everything else has sensible defaults.
+
+A full example:
+
+```json
+{
+  "command": ["npx", "-y", "airtable-mcp-server"],
+  "auth": {
+    "issuer": "https://keycloak.example.com/realms/myrealm",
+    "clientId": "my-wrapper",
+    "clientSecret": "...",
+    "scopes": ["openid", "profile"],
+    "userClaim": "preferred_username"
+  },
+  "envBase": {"NODE_ENV": "production"},
+  "envPerUser": [
+    {"name": "AIRTABLE_API_KEY", "label": "Airtable API Key", "secret": true}
+  ],
+  "storage": "/data/mcp.sqlite",
+  "port": 3000,
+  "host": "0.0.0.0",
+  "issuerUrl": "https://mcp.example.com",
+  "secret": "a-fixed-signing-key"
+}
+```
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `command` | Yes | Command to spawn the MCP server, as an array (e.g. `["npx", "-y", "some-server"]`). |
+| `auth.issuer` | Yes | Your login provider's URL. Must support [OpenID Connect discovery](https://openid.net/specs/openid-connect-discovery-1_0.html). |
+| `auth.clientId` | No | Client ID registered with your login provider. Defaults to `"mcp-auth-wrapper"`. |
+| `auth.clientSecret` | No | Client secret. Omit for public clients. |
+| `auth.scopes` | No | Scopes to request during login. Defaults to `["openid"]`. |
+| `auth.userClaim` | No | Which field from the login token identifies the user. Defaults to `"sub"`. |
+| `envBase` | No | Environment variables shared across all user processes. |
+| `envPerUser` | No | Per-user env vars to collect during first login (e.g. API keys). Each has `name`, `label`, optional `description` and `secret`. |
+| `storage` | No | Where to store user params: `"memory"` (default), a SQLite file path, or an inline object (see [below](#other-examples)). |
+| `port` | No | Port to listen on. Defaults to `3000`. |
+| `host` | No | Host to bind to. Defaults to `0.0.0.0`. |
+| `issuerUrl` | No | Public URL of this server. Required when behind a reverse proxy. |
+| `secret` | No | Signing key for tokens. Random if not set. Set a fixed value to survive restarts. |
+
+Users can update their per-user env vars at any time via a **reconfigure** tool that's automatically added to the MCP server's tool list.
+
+<details>
+<summary>Advanced: scaling and persistence</summary>
+
+All auth state (tokens, sessions, in-flight logins) is stateless — tokens are self-contained encrypted blobs and each request gets a fresh transport. Nothing is stored server-side except user params (in `storage`) and the process pool (one subprocess per user).
+
+To survive restarts, set `secret` to a fixed value and use a SQLite file or inline storage for user params.
+
+To run multiple instances behind a load balancer, set `secret` to the same value across instances and point `storage` at a shared SQLite file (or use inline storage). If a user hits a different instance, it just spawns a new subprocess — this is transparent for stateless MCPs.
+
+</details>
+
+### Login provider examples
+
+<details>
+<summary>Google Workspace</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://accounts.google.com",
+    "clientId": "...",
+    "clientSecret": "..."
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Create OAuth 2.0 credentials in the [Google Cloud Console](https://console.cloud.google.com/apis/credentials). Choose "Web application", add `https://<wrapper-host>/callback` as an authorized redirect URI. To restrict access to your organization, configure the OAuth consent screen as "Internal".
+
+</details>
+
+<details>
+<summary>Microsoft Entra ID</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
+    "clientId": "...",
+    "clientSecret": "..."
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Register an application in the [Azure portal](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps). Add `https://<wrapper-host>/callback` as a redirect URI under "Web". Create a client secret under "Certificates & secrets". Replace `<tenant-id>` with your directory (tenant) ID.
+
+</details>
+
+<details>
+<summary>Okta</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://your-org.okta.com",
+    "clientId": "...",
+    "clientSecret": "..."
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Create a Web Application in Okta. Set the sign-in redirect URI to `https://<wrapper-host>/callback`. The issuer URL is your Okta org URL (or a custom authorization server URL if you use one).
+
+</details>
+
+<details>
+<summary>Keycloak</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://keycloak.example.com/realms/myrealm",
+    "clientSecret": "..."
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Create an OpenID Connect client in your Keycloak realm with client ID `mcp-auth-wrapper` (or set `auth.clientId` to match). Set the redirect URI to `https://<wrapper-host>/callback`. Users are identified by `sub` (Keycloak user ID) by default. Set `auth.userClaim` to `preferred_username` to match by username instead.
+
+</details>
+
+<details>
+<summary>Auth0</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://your-tenant.auth0.com",
+    "clientId": "...",
+    "clientSecret": "..."
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Create a Regular Web Application in Auth0. Add `https://<wrapper-host>/callback` as an allowed callback URL. Set `auth.clientId` to the Auth0 application's client ID. The `sub` claim in Auth0 is typically prefixed with the connection type (e.g. `auth0|abc123`).
+
+</details>
+
+<details>
+<summary>Authentik</summary>
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://authentik.example.com/application/o/myapp/",
+    "clientSecret": "...",
+    "userClaim": "preferred_username"
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Create an OAuth2/OpenID Provider in Authentik with client ID `mcp-auth-wrapper` (or set `auth.clientId` to match). Set the redirect URI to `https://<wrapper-host>/callback`.
+
+</details>
+
+<details>
+<summary>Home Assistant (via hass-oidc-provider)</summary>
+
+Home Assistant doesn't natively support OpenID Connect. Use [hass-oidc-provider](https://github.com/domdomegg/hass-oidc-provider) to bridge the gap — it runs alongside Home Assistant and adds the missing pieces.
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://hass-oidc-provider.example.com"
+  },
+  "envPerUser": [{"name": "API_KEY", "label": "API Key", "secret": true}]
+}
+```
+
+Point `auth.issuer` at your hass-oidc-provider instance (not Home Assistant directly). The `sub` claim is the Home Assistant user ID. No `clientId` or `clientSecret` needed.
+
+</details>
+
+### Other examples
+
+<details>
+<summary>Inline users (no self-registration)</summary>
+
+By default, users enter their own credentials (e.g. API keys) via a form during first login, and can update them later via the reconfigure tool. If you'd rather hardcode all users upfront, use an inline `storage` object:
+
+```json
+{
+  "command": ["npx", "-y", "some-mcp-server"],
+  "auth": {
+    "issuer": "https://auth.example.com",
+    "clientSecret": "..."
+  },
+  "storage": {
+    "adam": {"API_KEY": "patXXX_adam"},
+    "bob": {"API_KEY": "patXXX_bob"}
+  }
+}
+```
+
+Users are matched by the `auth.userClaim` (default: `sub`) from the login token. Inline storage is read-only — users cannot update their own credentials.
+
+</details>
+
+## Contributing
+
+Pull requests are welcomed on GitHub! To get started:
+
+1. Install Git and Node.js
+2. Clone the repository
+3. Install dependencies with `npm install`
+4. Run `npm run test` to run tests
+5. Build with `npm run build`
+
+## Releases
+
+Versions follow the [semantic versioning spec](https://semver.org/).
+
+To release:
+
+1. Use `npm version <major | minor | patch>` to bump the version
+2. Run `git push --follow-tags` to push with tags
+3. Wait for GitHub Actions to publish to the NPM registry and GHCR (Docker).

package/dist/auth.d.ts

@@ -0,0 +1,29 @@
+import type { AuthConfig } from './types.js';
+type OidcDiscovery = {
+    authorization_endpoint: string;
+    token_endpoint: string;
+    jwks_uri: string;
+    issuer: string;
+};
+export declare class OidcClient {
+    private readonly config;
+    private discovery;
+    private discoveryExpiresAt;
+    private jwks;
+    constructor(config: AuthConfig);
+    getDiscovery(): Promise<OidcDiscovery>;
+    buildAuthorizeUrl(params: {
+        redirectUri: string;
+        state: string;
+        codeChallenge: string;
+    }): Promise<string>;
+    generateCodeVerifierAndChallenge(): {
+        codeVerifier: string;
+        codeChallenge: string;
+    };
+    exchangeCode(code: string, redirectUri: string, codeVerifier: string): Promise<{
+        claims: Record<string, unknown>;
+        userId: string;
+    }>;
+}
+export {};

package/dist/auth.js

@@ -0,0 +1,93 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OidcClient = void 0;
+const node_crypto_1 = require("node:crypto");
+const jose_1 = require("jose");
+const parseCacheTtl = (headers, defaultMs) => {
+    const cacheControl = headers.get('cache-control');
+    if (cacheControl) {
+        const match = /max-age=(\d+)/.exec(cacheControl);
+        if (match) {
+            return Number(match[1]) * 1000;
+        }
+    }
+    return defaultMs;
+};
+const DEFAULT_DISCOVERY_TTL_MS = 3_600_000; // 1 hour
+class OidcClient {
+    config;
+    discovery;
+    discoveryExpiresAt = 0;
+    jwks;
+    constructor(config) {
+        this.config = config;
+    }
+    async getDiscovery() {
+        if (this.discovery && Date.now() < this.discoveryExpiresAt) {
+            return this.discovery;
+        }
+        const url = `${this.config.issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+        const res = await fetch(url);
+        if (!res.ok) {
+            throw new Error(`OIDC discovery failed: ${res.status} ${res.statusText}`);
+        }
+        this.discovery = await res.json();
+        this.discoveryExpiresAt = Date.now() + parseCacheTtl(res.headers, DEFAULT_DISCOVERY_TTL_MS);
+        return this.discovery;
+    }
+    async buildAuthorizeUrl(params) {
+        const disc = await this.getDiscovery();
+        const url = new URL(disc.authorization_endpoint);
+        url.searchParams.set('client_id', this.config.clientId);
+        url.searchParams.set('response_type', 'code');
+        url.searchParams.set('redirect_uri', params.redirectUri);
+        url.searchParams.set('state', params.state);
+        url.searchParams.set('scope', (this.config.scopes ?? ['openid']).join(' '));
+        url.searchParams.set('code_challenge', params.codeChallenge);
+        url.searchParams.set('code_challenge_method', 'S256');
+        return url.toString();
+    }
+    generateCodeVerifierAndChallenge() {
+        const codeVerifier = (0, node_crypto_1.randomBytes)(32).toString('base64url');
+        const codeChallenge = (0, node_crypto_1.createHash)('sha256').update(codeVerifier).digest('base64url');
+        return { codeVerifier, codeChallenge };
+    }
+    async exchangeCode(code, redirectUri, codeVerifier) {
+        const disc = await this.getDiscovery();
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            client_id: this.config.clientId,
+            code_verifier: codeVerifier,
+        });
+        if (this.config.clientSecret) {
+            params.set('client_secret', this.config.clientSecret);
+        }
+        const res = await fetch(disc.token_endpoint, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+            body: params.toString(),
+        });
+        if (!res.ok) {
+            const body = await res.text();
+            throw new Error(`Upstream token exchange failed: ${res.status} ${body}`);
+        }
+        const tokens = await res.json();
+        if (tokens.id_token) {
+            this.jwks ||= (0, jose_1.createRemoteJWKSet)(new URL(disc.jwks_uri));
+            const { payload } = await (0, jose_1.jwtVerify)(tokens.id_token, this.jwks, {
+                issuer: disc.issuer,
+                audience: this.config.clientId,
+            });
+            const claim = this.config.userClaim ?? 'sub';
+            const userId = payload[claim];
+            if (typeof userId !== 'string') {
+                throw new Error(`Upstream ID token missing claim "${claim}"`);
+            }
+            return { claims: payload, userId };
+        }
+        throw new Error('Upstream did not return an id_token');
+    }
+}
+exports.OidcClient = OidcClient;

package/dist/config.d.ts

@@ -0,0 +1,3 @@
+import type { WrapperConfig } from './types.js';
+export declare const parseConfig: (json: string) => WrapperConfig;
+export declare const loadConfig: (configOrPath: string) => WrapperConfig;

package/dist/config.js

@@ -0,0 +1,68 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = exports.parseConfig = void 0;
+const node_fs_1 = __importDefault(require("node:fs"));
+const parseConfig = (json) => {
+    const raw = JSON.parse(json);
+    if (!Array.isArray(raw.command) || raw.command.length === 0 || !raw.command.every((c) => typeof c === 'string')) {
+        throw new Error('Config must have a "command" array of strings');
+    }
+    if (!raw.auth || typeof raw.auth !== 'object') {
+        throw new Error('Config must have an "auth" object');
+    }
+    if (!raw.auth.issuer || typeof raw.auth.issuer !== 'string') {
+        throw new Error('Config auth must have an "issuer" string');
+    }
+    // Validate storage: string, object, or omitted (defaults to "memory")
+    if (raw.storage !== undefined) {
+        if (typeof raw.storage === 'object') {
+            if (Array.isArray(raw.storage) || Object.keys(raw.storage).length === 0) {
+                throw new Error('Config "storage" object must be a non-empty map of user IDs to env vars');
+            }
+        }
+        else if (typeof raw.storage !== 'string') {
+            throw new Error('Config "storage" must be a string, object, or omitted');
+        }
+    }
+    if (raw.envPerUser !== undefined) {
+        if (!Array.isArray(raw.envPerUser)) {
+            throw new Error('Config "envPerUser" must be an array');
+        }
+        for (const p of raw.envPerUser) {
+            if (!p.name || typeof p.name !== 'string') {
+                throw new Error('Each envPerUser entry must have a "name" string');
+            }
+            if (!p.label || typeof p.label !== 'string') {
+                throw new Error('Each envPerUser entry must have a "label" string');
+            }
+        }
+    }
+    return {
+        command: raw.command,
+        auth: {
+            issuer: raw.auth.issuer,
+            clientId: raw.auth.clientId ?? 'mcp-auth-wrapper',
+            clientSecret: raw.auth.clientSecret,
+            scopes: raw.auth.scopes ?? ['openid'],
+            userClaim: raw.auth.userClaim ?? 'sub',
+        },
+        storage: raw.storage ?? 'memory',
+        envBase: raw.envBase,
+        envPerUser: raw.envPerUser,
+        port: raw.port ?? 3000,
+        host: raw.host ?? '0.0.0.0',
+        issuerUrl: raw.issuerUrl,
+        secret: raw.secret,
+    };
+};
+exports.parseConfig = parseConfig;
+const loadConfig = (configOrPath) => {
+    if (configOrPath.trimStart().startsWith('{')) {
+        return (0, exports.parseConfig)(configOrPath);
+    }
+    return (0, exports.parseConfig)(node_fs_1.default.readFileSync(configOrPath, 'utf-8'));
+};
+exports.loadConfig = loadConfig;

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/index.js

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_fs_1 = __importDefault(require("node:fs"));
+const config_js_1 = require("./config.js");
+const store_js_1 = require("./store.js");
+const auth_js_1 = require("./auth.js");
+const oauth_provider_js_1 = require("./oauth-provider.js");
+const process_pool_js_1 = require("./process-pool.js");
+const server_js_1 = require("./server.js");
+const DEFAULT_CONFIG_PATH = 'mcp-auth-wrapper.config.json';
+const main = async () => {
+    let configStr = process.env.MCP_AUTH_WRAPPER_CONFIG;
+    if (!configStr && node_fs_1.default.existsSync(DEFAULT_CONFIG_PATH)) {
+        configStr = DEFAULT_CONFIG_PATH;
+    }
+    if (!configStr) {
+        console.error('No config found. Set MCP_AUTH_WRAPPER_CONFIG or create mcp-auth-wrapper.config.json');
+        process.exit(1);
+    }
+    const config = (0, config_js_1.loadConfig)(configStr);
+    const store = new store_js_1.Store(config);
+    const oidcClient = new auth_js_1.OidcClient(config.auth);
+    const pool = new process_pool_js_1.ProcessPool(config.command[0], config.command.slice(1), config.envBase ?? {}, store);
+    const provider = new oauth_provider_js_1.WrapperOAuthProvider(oidcClient, config);
+    const app = (0, server_js_1.createApp)(config, pool, provider, oidcClient, store);
+    const port = config.port ?? 3000;
+    const host = config.host ?? '0.0.0.0';
+    const server = app.listen(port, host, () => {
+        console.log(`mcp-auth-wrapper listening on ${host}:${port}`);
+        console.log(`Wrapping: ${config.command.join(' ')}`);
+        console.log(`Auth: ${config.auth.issuer}`);
+        console.log(`Storage: ${typeof config.storage === 'string' ? config.storage : 'inline'}`);
+    });
+    const shutdown = async () => {
+        console.log('\nShutting down...');
+        server.close();
+        await pool.shutdown();
+        store.close();
+        process.exit(0);
+    };
+    process.on('SIGINT', shutdown);
+    process.on('SIGTERM', shutdown);
+};
+main().catch((err) => {
+    console.error(err);
+    process.exit(1);
+});

package/dist/oauth-provider.d.ts

@@ -0,0 +1,39 @@
+import type { Response } from 'express';
+import type { OAuthClientInformationFull, OAuthTokenRevocationRequest, OAuthTokens } from '@modelcontextprotocol/sdk/shared/auth.js';
+import type { AuthorizationParams, OAuthServerProvider } from '@modelcontextprotocol/sdk/server/auth/provider.js';
+import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js';
+import type { OidcClient } from './auth.js';
+import type { WrapperConfig } from './types.js';
+/** Data encoded into the upstream state parameter. */
+type PendingAuthPayload = {
+    upstreamCodeVerifier: string;
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    state?: string;
+    scopes: string[];
+    expiresAt: number;
+    userId?: string;
+};
+export declare class WrapperOAuthProvider implements OAuthServerProvider {
+    private readonly oidcClient;
+    private readonly config;
+    readonly clientsStore: OAuthRegisteredClientsStore;
+    private readonly key;
+    constructor(oidcClient: OidcClient, config: WrapperConfig);
+    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
+    /** Unseal the state returned from the upstream callback. */
+    unsealState(sealedState: string): PendingAuthPayload | undefined;
+    /** Re-seal a modified payload (e.g. after adding userId). */
+    sealState(payload: PendingAuthPayload): string;
+    completeAuthorization(pending: PendingAuthPayload, userId: string): {
+        redirectUrl: string;
+    };
+    challengeForAuthorizationCode(_client: OAuthClientInformationFull, authorizationCode: string): Promise<string>;
+    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string): Promise<OAuthTokens>;
+    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string): Promise<OAuthTokens>;
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+    revokeToken(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
+}
+export {};