import type { FastifyRequest } from 'fastify';
import type { ILogObj } from 'tslog';
import { Logger } from 'tslog';
import type { IApiAuthProvider, UserInfo } from '@citrineos/base';
import { ApiAuthenticationResult, ApiAuthorizationResult } from '@citrineos/base';
/**
 * Configuration accepted by the OIDCAuthProvider constructor.
 *
 * Only field names and types are visible in this declaration; how each value
 * is consumed is decided by the implementation, so the notes below are marked
 * as points to confirm rather than guarantees.
 */
export interface OIDCConfig {
    /**
     * URI of the identity provider's JWKS (JSON Web Key Set) document.
     * NOTE(review): presumably the source of the token-signing keys; it should
     * be an HTTPS endpoint of the trusted provider, since whoever controls this
     * document controls which signatures are accepted. Confirm in the implementation.
     */
    jwksUri: string;
    /**
     * Issuer identifier of the OIDC provider.
     * NOTE(review): presumably compared against the token's `iss` claim; confirm.
     */
    issuer: string;
    /**
     * Optional expected audience.
     * NOTE(review): confirm what happens when this is omitted. If the `aud`
     * check is skipped in that case, tokens issued by the same provider for a
     * different client would also be accepted by this API.
     */
    audience?: string;
    /**
     * Optional cache duration.
     * NOTE(review): unit and default are not visible here; presumably how long
     * fetched signing keys are cached, which also bounds how long a rotated-out
     * key keeps being trusted. Confirm.
     */
    cacheTime?: number;
    /**
     * Optional rate-limit switch.
     * NOTE(review): presumably throttles outbound JWKS requests (e.g. those
     * triggered by tokens carrying unknown `kid` values); default not visible. Confirm.
     */
    rateLimit?: boolean;
}
/**
 * OIDC authentication provider implementation.
 *
 * Implements IApiAuthProvider with three public steps: extracting a token from
 * a Fastify request, authenticating that token, and authorizing the resulting
 * user for a request. This is a declaration only; private member types and all
 * method bodies are erased, so validation details must be checked in the
 * implementation.
 */
export declare class OIDCAuthProvider implements IApiAuthProvider {
    /** Provider configuration (type erased here; presumably the OIDCConfig passed to the constructor). */
    private readonly _config;
    /** Logger used by the provider (type erased here). */
    private readonly _logger;
    /**
     * Client used for key lookup.
     * NOTE(review): the name looks like a transposition of "jwks"; it is private,
     * but renaming must be done in the implementation, not in this declaration.
     */
    private readonly _jkwsClient;
    /** NOTE(review): presumably loads the URL/method-to-role rules used by authorizeUser; confirm. */
    private readonly _rulesLoader;
    /** NOTE(review): presumably the tenant assumed when a token carries no tenant information; confirm. */
    private readonly _defaultTenantId;
    /**
     * Creates a new OIDC authentication provider
     *
     * @param config OIDC configuration
     * @param logger Optional logger instance
     */
    constructor(config: OIDCConfig, logger?: Logger<ILogObj>);
    /**
     * Extracts the token from an incoming request
     *
     * NOTE(review): the token location (presumably the Authorization header)
     * is not visible in this declaration; confirm.
     *
     * @param request Fastify request
     * @returns The token string, or null (presumably when no token is present)
     */
    extractToken(request: FastifyRequest): Promise<string | null>;
    /**
     * Authenticates a JWT token from an OIDC provider
     *
     * NOTE(review): this declaration does not show which checks are performed.
     * Confirm in the implementation that the signature is verified against a
     * key from the configured JWKS, that the accepted algorithms are pinned,
     * and that issuer, audience (when configured) and expiry are enforced,
     * rather than the token merely being decoded.
     *
     * @param token JWT token to authenticate
     * @returns Authentication result with user info if successful
     */
    authenticateToken(token: string): Promise<ApiAuthenticationResult>;
    /**
     * Authorizes a user for a specific request
     * This implementation checks if the user has the required permissions
     * for the requested URL and method
     *
     * NOTE(review): confirm the result is a denial when no rule matches the
     * URL and method (fail closed); the default is not visible here.
     *
     * @param user User information
     * @param request Fastify request
     * @returns Authorization result
     */
    authorizeUser(user: UserInfo, request: FastifyRequest): Promise<ApiAuthorizationResult>;
    /**
     * Fetches the public key from OIDC provider
     *
     * NOTE(review): `kid` comes from the unverified JWT header, so it is
     * attacker-controlled input to the key lookup; confirm it is only used to
     * select among keys published at the configured JWKS URI.
     *
     * @param {string} kid Key ID from the JWT header
     * @returns {Promise<string>} Public key as a string
     * @private
     */
    private fetchPublicKey;
    /**
     * Extracts roles from a decoded JWT token
     *
     * NOTE(review): the claim(s) the roles are read from are not visible here;
     * confirm this is only called on a token that has already been verified.
     *
     * @param decoded The decoded JWT token
     * @returns Array of role strings
     * @private
     */
    private extractRoles;
    /**
     * Check if a user has any of the required roles for a specific tenant
     *
     * NOTE(review): no tenant parameter is documented; presumably the tenant
     * comes from the user info or the default tenant id. Confirm.
     *
     * @param user User with roles
     * @param requiredRoles Array of role names (without tenant prefix)
     * @returns True if user has any of the required roles
     * @private
     */
    private userHasRequiredRole;
}
