/**
 * Options for authorization requests.
 * */
export interface AuthorizeOptions {
    /**
     * The unique identifier of the client application.
     * */
    clientId?: string;
    /**
     * The type of the response.
     * Can be "code", "id_token", "token" or a combination.
     * */
    responseType?: ResponseType;
    /**
     * The URI to redirect the user to after authorization.
     * */
    redirectUri?: string;
    /**
     * Space-separated list of scopes (e.g. "openid profile email").
     * */
    scope?: string;
    /**
     * The challenge derived from the code verifier.
     * */
    codeChallenge?: string;
    /**
     * The method used to derive the code challenge from the code verifier.
     * Must be "plain" or "S256".
     * Default is "S256".
     * */
    codeChallengeMethod?: CodeChallengeMethod;
    /**
     * The prompt parameter specifies how the authorization server should prompt the user for reauthentication.
     * Can be "none", "login", "consent" or "select_account".
     * Default is "none".
     * */
    prompt?: Prompt;
    /**
     * The response mode parameter defines how the authorization server returns the result of the authorization request.
     * Can be "query", "fragment", "form_post" or "web_message".
     * Default is "query" which means the result will be returned in the query string of the redirect URI.
     * */
    responseMode?: ResponseMode;
    /**
     * A random string to protect against CSRF attacks.
     * */
    state?: string;
    /**
     * A random value used to associate a client session with an ID token.
     * */
    nonce?: string;
    /**
     * Suggested username or email address to pre-fill the login form.
     * */
    loginHint?: string;
    /**
     * The unique identifier for the request, used to retrieve a pending authorization request.
     * Usually generated by the authorization server and used after the user has logged in to continue the authorization flow.
     * This is useful for resuming an authorization request after a user has logged in.
     * */
    requestId?: string;
    /**
     * Whether to automatically redirect the user.
     * If true, the user will be redirected to the authorization server.
     * If false, the authorization URL will be returned.
     * Default is true.
     * */
    autoRedirect?: boolean;
}
export type ResponseType = "code" | "token" | "id_token" | "token id_token" | "code id_token";
export type ResponseMode = "query" | "fragment" | "form_post" | "web_message";
export type Prompt = "none" | "login" | "consent" | "select_account";
export type CodeChallengeMethod = "plain" | "S256";
/**
 * The response from the authorization server after a successful silent authorization request.
 * */
export interface AuthorizeResponse {
    /**
     * The type of response received from the authorization server.
     * */
    type: string;
    /**
     * The state parameter returned by the authorization server.
     * */
    state: string;
    /**
     * The authorization code received from the authorization server.
     * */
    code?: string;
    /**
     * The ID token received from the authorization server.
     * */
    idToken?: string;
    /**
     * The access token received from the authorization server.
     * */
    accessToken?: string;
    /**
     * When the access token expires, in seconds.
     * */
    expiresIn?: number;
    /**
     * The error code returned by the authorization server, if any.
     * */
    error?: string;
    /**
     * The error description returned by the authorization server, if any.
     * */
    errorDescription?: string;
}
/**
 * Options for token exchange.
 * */
export interface TokenOptions {
    /**
     * The type of grant being requested.
     * */
    grantType: GrantType;
    /**
     * The unique identifier for the client application making the request.
     * */
    clientId: string;
    /**
     * The client secret for the client application, if required.
     * */
    clientSecret?: string;
    /**
     * The URL to redirect the user after authorization, if using the authorization code grant type.
     * */
    redirectUri?: string;
    /**
     * The code received from the authorization server, if using the authorization code grant type.
     * */
    code?: string;
    /**
     * The code verifier used in PKCE (Proof Key for Code Exchange), if using the authorization code grant type.
     * */
    codeVerifier?: string;
    /**
     * The refresh token used to get a new access token, if using the refresh token grant type.
     * */
    refreshToken?: string;
    /**
     * The username for the resource owner, if using the password grant type.
     * */
    username?: string;
    /**
     * The password for the resource owner, if using the password grant type.
     * */
    password?: string;
    /**
     * The scope of the access request, if applicable.
     * This is a space-separated list of scopes (e.g. "openid profile email").
     * */
    scope?: string;
    /**
     * The device code received from the authorization server, if using the device code grant type.
     * */
    deviceCode?: string;
    /**
     * The type of the client assertion being used for authentication. Used in JWT-based client authentication.
     * */
    clientAssertionType?: string;
    /**
     * The client assertion used for authentication, if applicable.
     * This is typically a JWT signed by the client.
     * */
    clientAssertion?: string;
    /**
     * The target audience for the access token.
     * */
    audience?: string;
}
export type GrantType = "authorization_code" | "refresh_token" | "client_credentials" | "password" | "urn:ietf:params:oauth:grant-type:device_code";
/**
 * The response from the authorization server after a token exchange.
 * */
export interface TokenResponse {
    /**
     * The type of token received from the authorization server.
     * */
    tokenType: string;
    /**
     * The access token received from the authorization server.
     * */
    accessToken: string;
    /**
     * When the access token expires, in seconds.
     * */
    expiresIn: number;
    /**
     * The refresh token received from the authorization server.
     * Only present if offline_access scope is requested.
     * */
    refreshToken?: string;
    /**
     * The ID token received from the authorization server.
     * Only present if openid scope is requested.
     * */
    idToken?: string;
    /**
     * The scope of the access token, as a space-separated list of scopes.
     * */
    scope?: string;
    /**
     * The type of token issued, used in scenarios like OAuth 2.0 Token Exchange.
     * */
    issuedTokenType?: string;
}
/**
 * The request object for logout.
 * */
export interface LogoutOptions {
    /**
     * The unique identifier for the client application making the request.
     * */
    clientId: string;
    /**
     * The ID token hint to validate the logout request.
     * */
    idTokenHint: string;
    /**
     * The URL to redirect the user after logout.
     * */
    postLogoutRedirectUri: string;
    /**
     * The state parameter to maintain state between the request and callback.
     * */
    state?: string;
    /**
     * The session ID to identify the user's session.
     * This is optional and may be used by the identity provider to track the session.
     * */
    sessionId?: string;
    /**
     * The reason for logout, if applicable.
     * This is optional and may be used by the identity provider to track the reason for logout.
     * */
    reason?: string;
}
/**
 * The user info response from the identity provider.
 * */
export interface UserInfoResponse {
    /**
     * The claims about the user.
     * */
    [claim: string]: string | number | boolean | null;
}
/**
 * The discovery document from the identity provider.
 * This document contains metadata about the identity provider's endpoints and supported features.
 * */
export interface OpenIdConfiguration {
    /**
     * The URL of the identity provider's issuer.
     * */
    issuer: string;
    /**
     * The URL of the identity provider's end session endpoint.
     * */
    jwksUri: string;
}
/**
 * The JSON Web Key (JWK) used for signing and verifying tokens.
 * */
export interface JsonWebKey {
    /**
     * The key type (e.g., "RSA", "EC").
     * */
    kty: string;
    /**
     * The key use (e.g., "sig" for signature, "enc" for encryption).
     * */
    use: string;
    /**
     * The key ID (kid) used to identify the key.
     * */
    kid: string;
    /**
     * The algorithm used for the key (e.g., "RS256", "ES256").
     * */
    alg: string;
    /**
     * The modulus of the RSA key.
     * */
    n: string;
    /**
     * The exponent of the RSA key.
     * */
    e: string;
}
/**
 * The JSON Web Key Set (JWKS) containing multiple JWKs.
 * */
export interface JsonWebKeySet {
    /**
     * The keys in the set.
     * */
    keys: JsonWebKey[];
}
