recker 1.0.20-next.b961eae → 1.0.20-next.e194d90

package/dist/plugins/auth/mtls.d.ts

@@ -0,0 +1,37 @@
+import { Middleware, Plugin } from '../../types/index.js';
+import type { Dispatcher } from 'undici';
+export interface MTLSOptions {
+    cert: string | Buffer;
+    key: string | Buffer;
+    ca?: string | Buffer | Array<string | Buffer>;
+    passphrase?: string;
+    certPath?: string;
+    keyPath?: string;
+    caPath?: string;
+    rejectUnauthorized?: boolean;
+    pfx?: string | Buffer;
+    pfxPassphrase?: string;
+    servername?: string;
+    minVersion?: 'TLSv1.2' | 'TLSv1.3';
+    maxVersion?: 'TLSv1.2' | 'TLSv1.3';
+    ciphers?: string;
+    ALPNProtocols?: string[];
+}
+export interface MTLSCertificateInfo {
+    subject: Record<string, string>;
+    issuer: Record<string, string>;
+    validFrom: Date;
+    validTo: Date;
+    fingerprint: string;
+    serialNumber: string;
+}
+export declare function parseCertificateInfo(cert: string | Buffer): MTLSCertificateInfo | null;
+export declare function isCertificateValid(cert: string | Buffer, bufferDays?: number): {
+    valid: boolean;
+    expiresAt?: Date;
+    error?: string;
+};
+export declare function mtls(options: MTLSOptions): Middleware;
+export declare function mtlsPlugin(options: MTLSOptions): Plugin;
+export declare function createMTLSAgent(options: MTLSOptions): Promise<Dispatcher>;
+export declare function verifyCertificateFingerprint(cert: string | Buffer, expectedFingerprint: string): boolean;

package/dist/plugins/auth/mtls.js

@@ -0,0 +1,140 @@
+async function loadCertificateFile(path) {
+    const fs = await import('node:fs/promises');
+    return fs.readFile(path);
+}
+export function parseCertificateInfo(cert) {
+    try {
+        const crypto = require('node:crypto');
+        const x509 = new crypto.X509Certificate(cert);
+        return {
+            subject: parseX509Name(x509.subject),
+            issuer: parseX509Name(x509.issuer),
+            validFrom: new Date(x509.validFrom),
+            validTo: new Date(x509.validTo),
+            fingerprint: x509.fingerprint256,
+            serialNumber: x509.serialNumber,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+function parseX509Name(name) {
+    const result = {};
+    const parts = name.split('\n');
+    for (const part of parts) {
+        const [key, value] = part.split('=');
+        if (key && value) {
+            result[key.trim()] = value.trim();
+        }
+    }
+    return result;
+}
+export function isCertificateValid(cert, bufferDays = 30) {
+    const info = parseCertificateInfo(cert);
+    if (!info) {
+        return { valid: false, error: 'Failed to parse certificate' };
+    }
+    const now = new Date();
+    const bufferMs = bufferDays * 24 * 60 * 60 * 1000;
+    if (now < info.validFrom) {
+        return { valid: false, expiresAt: info.validTo, error: 'Certificate not yet valid' };
+    }
+    if (now > info.validTo) {
+        return { valid: false, expiresAt: info.validTo, error: 'Certificate expired' };
+    }
+    if (now.getTime() + bufferMs > info.validTo.getTime()) {
+        return { valid: true, expiresAt: info.validTo, error: `Certificate expires soon (${info.validTo.toISOString()})` };
+    }
+    return { valid: true, expiresAt: info.validTo };
+}
+async function createTLSOptions(options) {
+    const tlsOptions = {};
+    if (options.certPath) {
+        tlsOptions.cert = await loadCertificateFile(options.certPath);
+    }
+    else if (options.cert) {
+        tlsOptions.cert = options.cert;
+    }
+    if (options.keyPath) {
+        tlsOptions.key = await loadCertificateFile(options.keyPath);
+    }
+    else if (options.key) {
+        tlsOptions.key = options.key;
+    }
+    if (options.caPath) {
+        tlsOptions.ca = await loadCertificateFile(options.caPath);
+    }
+    else if (options.ca) {
+        tlsOptions.ca = options.ca;
+    }
+    if (options.passphrase) {
+        tlsOptions.passphrase = options.passphrase;
+    }
+    if (options.pfx) {
+        tlsOptions.pfx = options.pfx;
+        if (options.pfxPassphrase) {
+            tlsOptions.passphrase = options.pfxPassphrase;
+        }
+    }
+    if (options.rejectUnauthorized !== undefined) {
+        tlsOptions.rejectUnauthorized = options.rejectUnauthorized;
+    }
+    if (options.servername) {
+        tlsOptions.servername = options.servername;
+    }
+    if (options.minVersion) {
+        tlsOptions.minVersion = options.minVersion;
+    }
+    if (options.maxVersion) {
+        tlsOptions.maxVersion = options.maxVersion;
+    }
+    if (options.ciphers) {
+        tlsOptions.ciphers = options.ciphers;
+    }
+    if (options.ALPNProtocols) {
+        tlsOptions.ALPNProtocols = options.ALPNProtocols;
+    }
+    return tlsOptions;
+}
+export function mtls(options) {
+    let validated = false;
+    return async (req, next) => {
+        if (!validated) {
+            if (options.cert || options.certPath) {
+                const cert = options.cert || (options.certPath ? await loadCertificateFile(options.certPath) : null);
+                if (cert) {
+                    const validation = isCertificateValid(cert);
+                    if (!validation.valid) {
+                        throw new Error(`mTLS certificate error: ${validation.error}`);
+                    }
+                }
+            }
+            validated = true;
+        }
+        return next(req);
+    };
+}
+export function mtlsPlugin(options) {
+    return (client) => {
+        client.use(mtls(options));
+    };
+}
+export async function createMTLSAgent(options) {
+    const { Agent } = await import('undici');
+    const tlsOptions = await createTLSOptions(options);
+    return new Agent({
+        connect: {
+            ...tlsOptions,
+        },
+    });
+}
+export function verifyCertificateFingerprint(cert, expectedFingerprint) {
+    const info = parseCertificateInfo(cert);
+    if (!info) {
+        return false;
+    }
+    const normalizedExpected = expectedFingerprint.replace(/:/g, '').toLowerCase();
+    const normalizedActual = info.fingerprint.replace(/:/g, '').toLowerCase();
+    return normalizedExpected === normalizedActual;
+}

package/dist/plugins/auth/oauth2.d.ts

@@ -0,0 +1,8 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface OAuth2Options {
+    accessToken: string | (() => string | Promise<string>);
+    tokenType?: string;
+    onTokenExpired?: () => Promise<string>;
+}
+export declare function oauth2(options: OAuth2Options): Middleware;
+export declare function oauth2Plugin(options: OAuth2Options): Plugin;

package/dist/plugins/auth/oauth2.js

@@ -0,0 +1,26 @@
+export function oauth2(options) {
+    const tokenType = options.tokenType ?? 'Bearer';
+    return async (req, next) => {
+        const token = typeof options.accessToken === 'function'
+            ? await options.accessToken()
+            : options.accessToken;
+        const authReq = req.withHeader('Authorization', `${tokenType} ${token}`);
+        const response = await next(authReq);
+        if (response.status === 401 && options.onTokenExpired) {
+            try {
+                const newToken = await options.onTokenExpired();
+                const retryReq = req.withHeader('Authorization', `${tokenType} ${newToken}`);
+                return next(retryReq);
+            }
+            catch {
+                return response;
+            }
+        }
+        return response;
+    };
+}
+export function oauth2Plugin(options) {
+    return (client) => {
+        client.use(oauth2(options));
+    };
+}

package/dist/plugins/auth/oidc.d.ts

@@ -0,0 +1,55 @@
+import { Middleware, Plugin } from '../../types/index.js';
+export interface OIDCOptions {
+    issuer: string;
+    clientId: string;
+    clientSecret?: string;
+    redirectUri?: string;
+    scopes?: string[];
+    accessToken?: string | (() => string | Promise<string>);
+    refreshToken?: string;
+    tokenStorage?: {
+        get: () => Promise<OIDCTokens | null>;
+        set: (tokens: OIDCTokens) => Promise<void>;
+    };
+    audience?: string;
+    fetch?: typeof fetch;
+}
+export interface OIDCTokens {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresAt?: number;
+    tokenType?: string;
+}
+export interface OIDCDiscoveryDocument {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint?: string;
+    jwks_uri: string;
+    revocation_endpoint?: string;
+    introspection_endpoint?: string;
+    end_session_endpoint?: string;
+    scopes_supported?: string[];
+    response_types_supported: string[];
+    grant_types_supported?: string[];
+    token_endpoint_auth_methods_supported?: string[];
+}
+declare function fetchDiscoveryDocument(issuer: string, customFetch?: typeof fetch): Promise<OIDCDiscoveryDocument>;
+declare function exchangeCode(discovery: OIDCDiscoveryDocument, options: OIDCOptions, code: string, codeVerifier?: string, customFetch?: typeof fetch): Promise<OIDCTokens>;
+declare function refreshTokens(discovery: OIDCDiscoveryDocument, options: OIDCOptions, refreshToken: string, customFetch?: typeof fetch): Promise<OIDCTokens>;
+declare function clientCredentialsFlow(discovery: OIDCDiscoveryDocument, options: OIDCOptions, customFetch?: typeof fetch): Promise<OIDCTokens>;
+export declare function generatePKCE(): {
+    codeVerifier: string;
+    codeChallenge: string;
+};
+export declare function generateAuthorizationUrl(options: OIDCOptions & {
+    state?: string;
+    nonce?: string;
+    pkce?: {
+        codeChallenge: string;
+    };
+}): Promise<string>;
+export declare function oidc(options: OIDCOptions): Middleware;
+export declare function oidcPlugin(options: OIDCOptions): Plugin;
+export { fetchDiscoveryDocument, exchangeCode, refreshTokens, clientCredentialsFlow };

package/dist/plugins/auth/oidc.js

@@ -0,0 +1,222 @@
+import { createHash, randomBytes } from 'node:crypto';
+const discoveryCache = new Map();
+async function fetchDiscoveryDocument(issuer, customFetch = fetch) {
+    const cached = discoveryCache.get(issuer);
+    if (cached && cached.expiresAt > Date.now()) {
+        return cached.doc;
+    }
+    const wellKnownUrl = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
+    const response = await customFetch(wellKnownUrl);
+    if (!response.ok) {
+        throw new Error(`Failed to fetch OIDC discovery document: ${response.status}`);
+    }
+    const doc = await response.json();
+    discoveryCache.set(issuer, {
+        doc,
+        expiresAt: Date.now() + 3600000,
+    });
+    return doc;
+}
+async function exchangeCode(discovery, options, code, codeVerifier, customFetch = fetch) {
+    const params = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: options.clientId,
+        code,
+        redirect_uri: options.redirectUri || '',
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    if (codeVerifier) {
+        params.set('code_verifier', codeVerifier);
+    }
+    const response = await customFetch(discovery.token_endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        idToken: data.id_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+async function refreshTokens(discovery, options, refreshToken, customFetch = fetch) {
+    const params = new URLSearchParams({
+        grant_type: 'refresh_token',
+        client_id: options.clientId,
+        refresh_token: refreshToken,
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    const response = await customFetch(discovery.token_endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Token refresh failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token || refreshToken,
+        idToken: data.id_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+async function clientCredentialsFlow(discovery, options, customFetch = fetch) {
+    if (!options.clientSecret) {
+        throw new Error('Client credentials flow requires clientSecret');
+    }
+    const params = new URLSearchParams({
+        grant_type: 'client_credentials',
+        client_id: options.clientId,
+        client_secret: options.clientSecret,
+    });
+    if (options.scopes && options.scopes.length > 0) {
+        params.set('scope', options.scopes.join(' '));
+    }
+    if (options.audience) {
+        params.set('audience', options.audience);
+    }
+    const response = await customFetch(discovery.token_endpoint, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Client credentials flow failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+export function generatePKCE() {
+    const codeVerifier = randomBytes(32).toString('base64url');
+    const codeChallenge = createHash('sha256')
+        .update(codeVerifier)
+        .digest('base64url');
+    return { codeVerifier, codeChallenge };
+}
+export async function generateAuthorizationUrl(options) {
+    const discovery = await fetchDiscoveryDocument(options.issuer, options.fetch);
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri || '',
+        scope: (options.scopes || ['openid']).join(' '),
+    });
+    if (options.state) {
+        params.set('state', options.state);
+    }
+    if (options.nonce) {
+        params.set('nonce', options.nonce);
+    }
+    if (options.pkce) {
+        params.set('code_challenge', options.pkce.codeChallenge);
+        params.set('code_challenge_method', 'S256');
+    }
+    if (options.audience) {
+        params.set('audience', options.audience);
+    }
+    return `${discovery.authorization_endpoint}?${params.toString()}`;
+}
+export function oidc(options) {
+    let cachedTokens = null;
+    let discoveryDoc = null;
+    const customFetch = options.fetch || fetch;
+    const getDiscovery = async () => {
+        if (!discoveryDoc) {
+            discoveryDoc = await fetchDiscoveryDocument(options.issuer, customFetch);
+        }
+        return discoveryDoc;
+    };
+    const getTokens = async () => {
+        if (options.tokenStorage) {
+            const stored = await options.tokenStorage.get();
+            if (stored) {
+                cachedTokens = stored;
+            }
+        }
+        if (cachedTokens && cachedTokens.expiresAt && cachedTokens.expiresAt > Date.now() + 60000) {
+            return cachedTokens;
+        }
+        if (cachedTokens?.refreshToken || options.refreshToken) {
+            const discovery = await getDiscovery();
+            const refreshToken = cachedTokens?.refreshToken || options.refreshToken;
+            try {
+                cachedTokens = await refreshTokens(discovery, options, refreshToken, customFetch);
+                if (options.tokenStorage) {
+                    await options.tokenStorage.set(cachedTokens);
+                }
+                return cachedTokens;
+            }
+            catch {
+            }
+        }
+        if (options.accessToken) {
+            const token = typeof options.accessToken === 'function'
+                ? await options.accessToken()
+                : options.accessToken;
+            return { accessToken: token, tokenType: 'Bearer' };
+        }
+        if (options.clientSecret) {
+            const discovery = await getDiscovery();
+            cachedTokens = await clientCredentialsFlow(discovery, options, customFetch);
+            if (options.tokenStorage) {
+                await options.tokenStorage.set(cachedTokens);
+            }
+            return cachedTokens;
+        }
+        throw new Error('No valid authentication method available. Provide accessToken, refreshToken, or clientSecret.');
+    };
+    return async (req, next) => {
+        const tokens = await getTokens();
+        const tokenType = tokens.tokenType || 'Bearer';
+        const authReq = req.withHeader('Authorization', `${tokenType} ${tokens.accessToken}`);
+        const response = await next(authReq);
+        if (response.status === 401 && (cachedTokens?.refreshToken || options.refreshToken)) {
+            try {
+                const discovery = await getDiscovery();
+                const refreshToken = cachedTokens?.refreshToken || options.refreshToken;
+                cachedTokens = await refreshTokens(discovery, options, refreshToken, customFetch);
+                if (options.tokenStorage) {
+                    await options.tokenStorage.set(cachedTokens);
+                }
+                const retryReq = req.withHeader('Authorization', `${cachedTokens.tokenType || 'Bearer'} ${cachedTokens.accessToken}`);
+                return next(retryReq);
+            }
+            catch {
+                return response;
+            }
+        }
+        return response;
+    };
+}
+export function oidcPlugin(options) {
+    return (client) => {
+        client.use(oidc(options));
+    };
+}
+export { fetchDiscoveryDocument, exchangeCode, refreshTokens, clientCredentialsFlow };

package/dist/plugins/auth/okta.d.ts

@@ -0,0 +1,47 @@
+import { Middleware, Plugin } from '../../types/index.js';
+import { OIDCTokens } from './oidc.js';
+export interface OktaOptions {
+    domain: string;
+    clientId: string;
+    clientSecret?: string;
+    authorizationServerId?: string;
+    scopes?: string[];
+    accessToken?: string | (() => string | Promise<string>);
+    refreshToken?: string;
+    tokenStorage?: {
+        get: () => Promise<OIDCTokens | null>;
+        set: (tokens: OIDCTokens) => Promise<void>;
+    };
+    apiToken?: string;
+}
+export declare function generateOktaAuthUrl(options: OktaOptions & {
+    redirectUri: string;
+    state?: string;
+    nonce?: string;
+    usePKCE?: boolean;
+    prompt?: 'none' | 'consent' | 'login';
+    idp?: string;
+    loginHint?: string;
+}): Promise<{
+    url: string;
+    codeVerifier?: string;
+}>;
+export declare function exchangeOktaCode(options: OktaOptions & {
+    code: string;
+    redirectUri: string;
+    codeVerifier?: string;
+}): Promise<OIDCTokens>;
+export declare function getOktaUserInfo(domain: string, authorizationServerId: string | undefined, accessToken: string): Promise<Record<string, unknown>>;
+export declare function introspectOktaToken(options: OktaOptions & {
+    token: string;
+    tokenTypeHint?: 'access_token' | 'refresh_token';
+}): Promise<{
+    active: boolean;
+    [key: string]: unknown;
+}>;
+export declare function revokeOktaToken(options: OktaOptions & {
+    token: string;
+    tokenTypeHint?: 'access_token' | 'refresh_token';
+}): Promise<void>;
+export declare function okta(options: OktaOptions): Middleware;
+export declare function oktaPlugin(options: OktaOptions): Plugin;

package/dist/plugins/auth/okta.js

@@ -0,0 +1,157 @@
+import { oidc, generatePKCE } from './oidc.js';
+function getOktaIssuer(domain, authorizationServerId) {
+    const serverId = authorizationServerId || 'default';
+    return `https://${domain}/oauth2/${serverId}`;
+}
+export async function generateOktaAuthUrl(options) {
+    const issuer = getOktaIssuer(options.domain, options.authorizationServerId);
+    const pkce = options.usePKCE ? generatePKCE() : undefined;
+    const params = new URLSearchParams({
+        response_type: 'code',
+        client_id: options.clientId,
+        redirect_uri: options.redirectUri,
+        scope: (options.scopes || ['openid', 'profile', 'email']).join(' '),
+    });
+    if (options.state) {
+        params.set('state', options.state);
+    }
+    if (options.nonce) {
+        params.set('nonce', options.nonce);
+    }
+    if (pkce) {
+        params.set('code_challenge', pkce.codeChallenge);
+        params.set('code_challenge_method', 'S256');
+    }
+    if (options.prompt) {
+        params.set('prompt', options.prompt);
+    }
+    if (options.idp) {
+        params.set('idp', options.idp);
+    }
+    if (options.loginHint) {
+        params.set('login_hint', options.loginHint);
+    }
+    return {
+        url: `${issuer}/v1/authorize?${params.toString()}`,
+        codeVerifier: pkce?.codeVerifier,
+    };
+}
+export async function exchangeOktaCode(options) {
+    const issuer = getOktaIssuer(options.domain, options.authorizationServerId);
+    const tokenUrl = `${issuer}/v1/token`;
+    const params = new URLSearchParams({
+        grant_type: 'authorization_code',
+        client_id: options.clientId,
+        code: options.code,
+        redirect_uri: options.redirectUri,
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    if (options.codeVerifier) {
+        params.set('code_verifier', options.codeVerifier);
+    }
+    const response = await fetch(tokenUrl, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Okta token exchange failed: ${error}`);
+    }
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        idToken: data.id_token,
+        expiresAt: data.expires_in ? Date.now() + data.expires_in * 1000 : undefined,
+        tokenType: data.token_type || 'Bearer',
+    };
+}
+export async function getOktaUserInfo(domain, authorizationServerId, accessToken) {
+    const issuer = getOktaIssuer(domain, authorizationServerId);
+    const response = await fetch(`${issuer}/v1/userinfo`, {
+        headers: {
+            Authorization: `Bearer ${accessToken}`,
+        },
+    });
+    if (!response.ok) {
+        throw new Error(`Failed to get user info: ${response.status}`);
+    }
+    return response.json();
+}
+export async function introspectOktaToken(options) {
+    const issuer = getOktaIssuer(options.domain, options.authorizationServerId);
+    const params = new URLSearchParams({
+        token: options.token,
+        client_id: options.clientId,
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    if (options.tokenTypeHint) {
+        params.set('token_type_hint', options.tokenTypeHint);
+    }
+    const response = await fetch(`${issuer}/v1/introspect`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+            Accept: 'application/json',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        throw new Error(`Token introspection failed: ${response.status}`);
+    }
+    return response.json();
+}
+export async function revokeOktaToken(options) {
+    const issuer = getOktaIssuer(options.domain, options.authorizationServerId);
+    const params = new URLSearchParams({
+        token: options.token,
+        client_id: options.clientId,
+    });
+    if (options.clientSecret) {
+        params.set('client_secret', options.clientSecret);
+    }
+    if (options.tokenTypeHint) {
+        params.set('token_type_hint', options.tokenTypeHint);
+    }
+    const response = await fetch(`${issuer}/v1/revoke`, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: params.toString(),
+    });
+    if (!response.ok) {
+        throw new Error(`Token revocation failed: ${response.status}`);
+    }
+}
+export function okta(options) {
+    if (options.apiToken) {
+        return async (req, next) => {
+            const authReq = req.withHeader('Authorization', `SSWS ${options.apiToken}`);
+            return next(authReq);
+        };
+    }
+    const issuer = getOktaIssuer(options.domain, options.authorizationServerId);
+    return oidc({
+        issuer,
+        clientId: options.clientId,
+        clientSecret: options.clientSecret,
+        scopes: options.scopes || ['openid', 'profile', 'email'],
+        accessToken: options.accessToken,
+        refreshToken: options.refreshToken,
+        tokenStorage: options.tokenStorage,
+    });
+}
+export function oktaPlugin(options) {
+    return (client) => {
+        client.use(okta(options));
+    };
+}