import type { OAuthConfig } from '#auth-utils'; export interface OAuthOidcConfig { /** * OAuth Client ID * * @default process.env.NUXT_OAUTH_OIDC_CLIENT_ID */ clientId?: string; /** * OAuth Client secret. * * @default process.env.NUXT_OAUTH_OIDC_CLIENT_SECRET */ clientSecret?: string; /** * OpenID configuration. If a string is passed, it is considered to be the full URL to the OpenID configuration endpoint * where all required endpoints are listed and fetched from automatically. * * Alternatively, an object can be set with the required endpoint URLs. * * @default process.env.NUXT_OAUTH_OIDC_OPENID_CONFIG * @example "https://my-provider.com/.well-known/openid-configuration" */ openidConfig?: string | OIDCConfiguration; /** * OAuth Scope * * @default ['openid'] * @example ['openid', 'profile', 'email'] */ scope?: string[]; /** * Redirect URL to to allow overriding for situations like prod failing to determine public hostname * * @default process.env.NUXT_OAUTH_OIDC_REDIRECT_URL */ redirectURL?: string; /** * Additional custom params that are passed to the specific endpoint requests. * Can be used to provide custom (query) params. */ params?: Partial>; } /** * Standard OIDC claims. * * @see: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims */ interface OidcUser { /** * Subject - Identifier for the End-User at the Issuer. */ sub: string; /** * End-User's full name in displayable form including all name parts, * possibly including titles and suffixes, ordered according to the * End-User's locale and preferences. */ name?: string; /** * Given name(s) or first name(s) of the End-User. Note that in some cultures, * people can have multiple given names; all can be present, with the names * being separated by space characters. */ given_name?: string; /** * Surname(s) or last name(s) of the End-User. Note that in some cultures, * people can have multiple family names or no family name; all can be present, * with the names being separated by space characters. */ family_name?: string; /** * Middle name(s) of the End-User. Note that in some cultures, people can have * multiple middle names; all can be present, with the names being separated by * space characters. Also note that in some cultures, middle names are not used. */ middle_name?: string; /** * Casual name of the End-User that may or may not be the same as the given_name. * For instance, a nickname value of Mike might be returned alongside a given_name * value of Michael. */ nickname?: string; /** * Shorthand name by which the End-User wishes to be referred to at the RP, such as * janedoe or j.doe. This value MAY be any valid JSON string including special * characters such as @, /, or whitespace. The RP MUST NOT rely upon this value * being unique. */ preferred_username?: string; /** * URL of the End-User's profile page. The contents of this Web page SHOULD be * about the End-User. */ profile?: string; /** * URL of the End-User's profile picture. This URL MUST refer to an image file * (for example, a PNG, JPEG, or GIF image file), rather than to a Web page * containing an image. Note that this URL SHOULD specifically reference a profile * photo of the End-User suitable for displaying when describing the End-User, * rather than an arbitrary photo taken by the End-User. */ picture?: string; /** * URL of the End-User's Web page or blog. This Web page SHOULD contain information * published by the End-User or an organization that the End-User is affiliated with. */ website?: string; /** * End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 * addr-spec syntax. The RP MUST NOT rely upon this value being unique. */ email?: string; /** * True if the End-User's e-mail address has been verified; otherwise false. * When this Claim Value is true, this means that the OP took affirmative steps * to ensure that this e-mail address was controlled by the End-User at the time * the verification was performed. The means by which an e-mail address is verified * is context specific, and dependent upon the trust framework or contractual * agreements within which the parties are operating. */ email_verified?: boolean; /** * End-User's gender. Values defined by this specification are female and male. * Other values MAY be used when neither of the defined values are applicable. */ gender?: string; /** * End-User's birthday, represented as an ISO 8601-1 YYYY-MM-DD format. The year * MAY be 0000, indicating that it is omitted. To represent only the year, YYYY * format is allowed. Note that depending on the underlying platform's date related * function, providing just year can result in varying month and day, so the * implementers need to take this factor into account to correctly process the dates. */ birthdate?: string; /** * String from IANA Time Zone Database representing the End-User's time zone. * For example, Europe/Paris or America/Los_Angeles. */ zoneinfo?: string; /** * End-User's locale, represented as a BCP47 language tag. This is typically an * ISO 639 Alpha-2 language code in lowercase and an ISO 3166-1 Alpha-2 country * code in uppercase, separated by a dash. For example, en-US or fr-CA. As a * compatibility note, some implementations have used an underscore as the separator * rather than a dash, for example, en_US; Relying Parties MAY choose to accept * this locale syntax as well. */ locale?: string; /** * End-User's preferred telephone number. E.164 is RECOMMENDED as the format of * this Claim, for example, +1 (555) 555-5555 or +56 (2) 687 2400. If the phone * number contains an extension, it is RECOMMENDED that the extension be represented * using the RFC 3966 extension syntax, for example, +1 (555) 555-5555;ext=5678. */ phone_number?: string; /** * True if the End-User's phone number has been verified; otherwise false. When * this Claim Value is true, this means that the OP took affirmative steps to * ensure that this phone number was controlled by the End-User at the time the * verification was performed. The means by which a phone number is verified is * context specific, and dependent upon the trust framework or contractual * agreements within which the parties are operating. When true, the phone_number * Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. */ phone_number_verified?: boolean; /** * End-User's preferred postal address. */ address?: AddressClaim; /** * Time the End-User's information was last updated. Its value is a JSON number * representing the number of seconds from 1970-01-01T00:00:00Z as measured in * UTC until the date/time. */ updated_at?: number; } /** * Address claim structure as defined in OpenID Connect specification */ interface AddressClaim { /** Full mailing address, formatted for display or use on a mailing label */ formatted?: string; /** Full street address component, which may include house number, street name, post office box, and multi-line extended street address information */ street_address?: string; /** City or locality component */ locality?: string; /** State, province, prefecture, or region component */ region?: string; /** Zip code or postal code component */ postal_code?: string; /** Country name component */ country?: string; } interface OidcTokens { access_token: string; token_type: string; scope?: string; id_token?: string; refresh_token?: string; expires_in?: number; } interface OIDCConfiguration { authorization_endpoint: string; token_endpoint: string; userinfo_endpoint?: string; } /** * Event handler for generic OAuth using OIDC and PKCE. */ export declare function defineOAuthOidcEventHandler({ config, onSuccess, onError }: OAuthConfig): import("h3").EventHandler>; export {};