// @needsAudit
/**
 * Access token type.
 *
 * The `token_type` value is case insensitive per the spec, so a server may well
 * return `Bearer` rather than `bearer`; consumers that branch on this union at
 * runtime should normalize case first rather than trust the narrow literal type.
 *
 * @see [Section 7.1](https://tools.ietf.org/html/rfc6749#section-7.1)
 */
export type TokenType = 'bearer' | 'mac';
8
// @needsAudit
/**
 * A hint about the type of the token submitted for revocation. If not included then the server should attempt to deduce the token type.
 *
 * The hint is advisory only: it lets the server look up the token more
 * efficiently but does not restrict which token is revoked.
 * Presumably serialized as the `token_type_hint` request parameter.
 *
 * @see [Section 2.1](https://tools.ietf.org/html/rfc7009#section-2.1)
 */
export enum TokenTypeHint {
  /**
   * Access token.
   *
   * [Section 1.4](https://tools.ietf.org/html/rfc6749#section-1.4)
   */
  AccessToken = 'access_token',
  /**
   * Refresh token.
   *
   * [Section 1.5](https://tools.ietf.org/html/rfc6749#section-1.5)
   */
  RefreshToken = 'refresh_token',
}
29
// @needsAudit
/**
 * Config used to request a token refresh, revocation, or code exchange.
 *
 * Shared base for the per-request configs below. Every value in it ends up in
 * a request to the token (or revocation) endpoint, so nothing here should be
 * populated from untrusted input.
 */
export interface TokenRequestConfig {
  /**
   * A unique string representing the registration information provided by the client.
   * The client identifier is not a secret; it is exposed to the resource owner and shouldn't be used
   * alone for client authentication.
   *
   * The client identifier is unique to the authorization server.
   *
   * [Section 2.2](https://tools.ietf.org/html/rfc6749#section-2.2)
   */
  clientId: string;
  /**
   * Client secret supplied by an auth provider.
   * There is no secure way to store this on the client.
   *
   * A secret compiled into an app bundle must be treated as public; where the
   * provider supports it, a public-client flow (e.g. authorization code with
   * PKCE) that needs no secret is the safer choice.
   *
   * [Section 2.3.1](https://tools.ietf.org/html/rfc6749#section-2.3.1)
   */
  clientSecret?: string;
  /**
   * Extra query params that'll be added to the query string.
   *
   * Presumably forwarded to the endpoint unmodified, so keep secrets and
   * unvalidated user input out of it.
   * NOTE(review): whether a key here can override a standard parameter such as
   * `grant_type` is not visible from this file — confirm in the request builder.
   */
  extraParams?: Record<string, string>;
  /**
   * List of strings to request access to.
   *
   * Request only the scopes the app actually needs; the token's blast radius
   * if leaked is bounded by what was granted here.
   *
   * [Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3)
   */
  scopes?: string[];
}
63
// @needsAudit
/**
 * Config used to exchange an authorization code for an access token.
 *
 * NOTE(review): there is no dedicated PKCE `code_verifier` field on this
 * interface; if the exchange uses PKCE the verifier presumably travels via
 * `extraParams` — confirm against the caller.
 *
 * @see [Section 4.1.3](https://tools.ietf.org/html/rfc6749#section-4.1.3)
 */
export interface AccessTokenRequestConfig extends TokenRequestConfig {
  /**
   * The authorization code received from the authorization server.
   *
   * Codes are short-lived and single-use per the spec; a second exchange with
   * the same code is expected to be rejected by the server.
   */
  code: string;
  /**
   * If the `redirectUri` parameter was included in the `AuthRequest`, then it must be supplied here as well.
   *
   * The value must be identical to the one sent in the authorization request;
   * the server compares them and rejects a mismatch.
   *
   * [Section 3.1.2](https://tools.ietf.org/html/rfc6749#section-3.1.2)
   */
  redirectUri: string;
}
82
// @needsAudit
/**
 * Config used to request a token refresh.
 *
 * @see [Section 6](https://tools.ietf.org/html/rfc6749#section-6)
 */
export interface RefreshTokenRequestConfig extends TokenRequestConfig {
  /**
   * The refresh token issued to the client.
   *
   * A refresh token is a long-lived credential: keep it in platform secure
   * storage and out of logs and analytics.
   * NOTE(review): the spec makes `refresh_token` required for this grant, yet
   * the field is optional here — presumably a previously stored token is
   * supplied elsewhere; confirm with the caller.
   */
  refreshToken?: string;
}
95
// @needsAudit
/**
 * Config used to revoke a token.
 *
 * Extends `Partial<TokenRequestConfig>`, so `clientId` is optional for this
 * request (the other base fields are already optional).
 *
 * @see [Section 2.1](https://tools.ietf.org/html/rfc7009#section-2.1)
 */
export interface RevokeTokenRequestConfig extends Partial<TokenRequestConfig> {
  /**
   * The token that the client wants to get revoked.
   *
   * Revoking a refresh token may also invalidate the access tokens issued
   * from it, depending on the server.
   *
   * [Section 2.1](https://tools.ietf.org/html/rfc7009#section-2.1)
   */
  token: string;
  /**
   * A hint about the type of the token submitted for revocation.
   *
   * [Section 2.1](https://tools.ietf.org/html/rfc7009#section-2.1)
   */
  tokenTypeHint?: TokenTypeHint;
}
116
// @needsAudit
/**
 * Grant type values used in dynamic client registration and auth requests.
 *
 * @see [Appendix A.10](https://tools.ietf.org/html/rfc6749#appendix-A.10)
 */
export enum GrantType {
  /**
   * Used for exchanging an authorization code for one or more tokens.
   *
   * [Section 4.1.3](https://tools.ietf.org/html/rfc6749#section-4.1.3)
   */
  AuthorizationCode = 'authorization_code',
  /**
   * Used when obtaining an access token.
   *
   * The implicit flow delivers the access token in the front channel
   * (redirect URI fragment), where it is exposed to the browser history and
   * any script on the page; prefer the authorization code grant where the
   * provider allows it.
   *
   * [Section 4.2](https://tools.ietf.org/html/rfc6749#section-4.2)
   */
  Implicit = 'implicit',
  /**
   * Used when exchanging a refresh token for a new token.
   *
   * [Section 6](https://tools.ietf.org/html/rfc6749#section-6)
   */
  RefreshToken = 'refresh_token',
  /**
   * Used for client credentials flow.
   *
   * Intended for confidential clients that can hold a secret; see the note on
   * `clientSecret` in `TokenRequestConfig` before using it from an app bundle.
   *
   * [Section 4.4.2](https://tools.ietf.org/html/rfc6749#section-4.4.2)
   */
  ClientCredentials = 'client_credentials',
}
149
// @needsAudit @docsMissing
/**
 * Object returned from the server after a token response.
 *
 * Raw wire shape with the spec's snake_case names; `TokenResponseConfig` is
 * the camelCase counterpart. Since this is parsed from the response body, it
 * should be treated as untrusted until the fields have been validated.
 * `access_token`, `refresh_token` and `id_token` are credentials — keep them
 * out of logs and crash reports.
 */
export interface ServerTokenResponseConfig {
  /** The access token issued by the authorization server. */
  access_token: string;
  /**
   * Type of the issued token. Case insensitive on the wire, so a server may
   * send `Bearer`; do not assume it matches the lowercase `TokenType` literals.
   */
  token_type?: TokenType;
  /** Lifetime of the access token in seconds, counted from when the response was generated. */
  expires_in?: number;
  /** Refresh token usable to obtain new access tokens under the same grant. */
  refresh_token?: string;
  /** Space-delimited granted scope; present when it differs from what was requested. */
  scope?: string;
  /**
   * OpenID Connect ID token for the authenticated session.
   * NOTE(review): nothing in this file validates it — signature, issuer,
   * audience and nonce should be checked before any of its claims are trusted.
   */
  id_token?: string;
  /**
   * Time in seconds when the token was received by the client.
   * NOTE(review): presumably seconds since the Unix epoch, mirroring `issuedAt` — confirm.
   */
  issued_at?: number;
}
163
// @needsAudit
/**
 * Normalized (camelCase) token response.
 *
 * `accessToken`, `refreshToken` and `idToken` are credentials; keep them out
 * of logs and analytics and store them with platform secure storage.
 */
export interface TokenResponseConfig {
  /**
   * The access token issued by the authorization server.
   *
   * [Section 4.2.2](https://tools.ietf.org/html/rfc6749#section-4.2.2)
   */
  accessToken: string;
  /**
   * The type of the token issued. Value is case insensitive.
   *
   * Because the spec allows any casing (e.g. `Bearer`), normalize before
   * comparing against the lowercase `TokenType` literals.
   *
   * [Section 7.1](https://tools.ietf.org/html/rfc6749#section-7.1)
   */
  tokenType?: TokenType;
  /**
   * The lifetime in seconds of the access token.
   *
   * For example, the value `3600` denotes that the access token will
   * expire in one hour from the time the response was generated.
   *
   * If omitted, the authorization server should provide the
   * expiration time via other means or document the default value.
   *
   * [Section 4.2.2](https://tools.ietf.org/html/rfc6749#section-4.2.2)
   */
  expiresIn?: number;
  /**
   * The refresh token, which can be used to obtain new access tokens using the same authorization grant.
   *
   * [Section 5.1](https://tools.ietf.org/html/rfc6749#section-5.1)
   */
  refreshToken?: string;
  /**
   * The scope of the access token. Only required if it's different to the scope that was requested by the client.
   *
   * Callers should check this rather than assume every requested scope was granted.
   *
   * [Section 3.3](https://tools.ietf.org/html/rfc6749#section-3.3)
   */
  scope?: string;
  /**
   * Required if the "state" parameter was present in the client
   * authorization request.  The exact value received from the client.
   *
   * This is an authorization-response field (implicit flow); a token endpoint
   * response is not expected to carry it.
   *
   * [Section 4.2.2](https://tools.ietf.org/html/rfc6749#section-4.2.2)
   */
  state?: string;
  /**
   * ID Token value associated with the authenticated session.
   *
   * NOTE(review): validate the ID token (signature, issuer, audience, nonce)
   * before trusting its claims; this type only carries the raw string.
   *
   * [TokenResponse](https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse)
   */
  idToken?: string;
  /**
   * Time in seconds when the token was received by the client.
   *
   * Presumably seconds since the Unix epoch, so that `issuedAt + expiresIn`
   * gives the expiry instant — confirm with the code that sets it.
   */
  issuedAt?: number;
}
220