/**
 * KeycloakProvider - Keycloak OpenID Connect provider implementation
 *
 * Provides JWT validation, session management, and RBAC for Keycloak.
 */
import type { AuthProviderConfig, AuthUser, TokenValidationResult } from "../../types/index.js";
import { BaseAuthProvider } from "./BaseAuthProvider.js";
/**
 * KeycloakProvider - Keycloak OpenID Connect integration
 *
 * This is a type declaration only. Method bodies and the types of the private
 * members are not visible here, so the items under "Review notes" are points
 * to confirm in the implementation, not statements about what it does.
 *
 * Features:
 * - Keycloak JWT token validation
 * - JWKS-based signature verification
 * - Realm roles and client roles support
 * - Resource access for fine-grained permissions
 * - Session management
 *
 * Review notes (confirm against the implementation):
 * - Signature verification should accept only an explicit allow-list of
 *   asymmetric algorithms and should select the key by `kid` from the
 *   configured realm's JWKS, never from a key location named in the token
 *   header (`jku`, `x5u`) or derived from the token's own `iss`.
 * - The `expectedIssuer` member suggests `iss` is compared with a value built
 *   from configuration; `exp`/`nbf` and the audience (`aud` and/or `azp`
 *   against `clientId`) need checking as well. Keycloak access tokens often
 *   carry `aud: "account"` by default, so an `aud`-only check may need an
 *   audience mapper on the Keycloak side.
 * - Roles and resource access should be read from claims only after the
 *   signature and the claim checks above have passed.
 * - `serverUrl` should be an `https://` URL; the JWKS fetch over plain HTTP
 *   would let a network attacker substitute signing keys.
 *
 * @example
 * ```typescript
 * const provider = new KeycloakProvider({
 *   type: 'keycloak',
 *   serverUrl: 'https://keycloak.example.com',
 *   realm: 'your-realm',
 *   clientId: 'your-client-id',
 * });
 *
 * const result = await provider.authenticateToken(accessToken);
 * if (result.valid) {
 *   console.log('User:', result.user);
 * }
 * ```
 */
export declare class KeycloakProvider extends BaseAuthProvider {
    /** Provider discriminator; fixed to the literal "keycloak". */
    readonly type: "keycloak";
    // Private members below are emitted without types in a declaration file;
    // the descriptions are inferred from their names. TODO confirm in the implementation.
    // Presumably the Keycloak-specific part of the constructor's config (serverUrl, realm, clientId).
    private keycloakConfig;
    // Presumably the realm's JWKS endpoint URL; should come from configuration, not from token content.
    private jwksUri;
    // Presumably how long a fetched JWKS is reused; unit and default are not visible here.
    private jwksCacheDuration;
    // Presumably the `iss` value a token must carry to be accepted.
    private expectedIssuer;
    /**
     * Create a provider from the shared auth provider configuration.
     *
     * @param config - Provider configuration; the class example passes `type`,
     *   `serverUrl`, `realm` and `clientId`.
     */
    constructor(config: AuthProviderConfig);
    /**
     * Validate and authenticate a Keycloak JWT token
     *
     * The token is untrusted input until validation has completed; callers
     * should act only on a result whose `valid` flag is set, as the class
     * example does, and should avoid logging the raw token.
     *
     * NOTE(review): whether a rejected token yields a result with `valid`
     * unset or a rejected promise is not visible here - confirm, and make sure
     * callers treat both as "not authenticated".
     *
     * @param token - Encoded access token presented by the client.
     * @returns The validation result; the class example reads `valid` and
     *   `user` from it.
     */
    authenticateToken(token: string): Promise<TokenValidationResult>;
    /**
     * Verify token signature using JWKS
     *
     * NOTE(review): confirm that tokens with an unexpected or missing `alg`
     * are rejected before any key lookup takes place.
     */
    private verifySignature;
    /**
     * Fetch JWKS with caching
     *
     * NOTE(review): confirm how an unknown `kid` is handled after key
     * rotation. A forced refetch should be rate-limited so unauthenticated
     * requests cannot drive repeated calls to the Keycloak server.
     */
    private getJWKS;
    /**
     * Extract Keycloak-specific user data from claims
     *
     * NOTE(review): presumably reads Keycloak's `realm_access` and
     * `resource_access` claims for roles - confirm, and confirm it only ever
     * runs on claims from a verified token.
     */
    private extractKeycloakUser;
    /**
     * Get user from Keycloak Admin API
     * Note: Requires client credentials with admin access
     *
     * The service account behind those credentials should hold the narrowest
     * role that allows user lookup (for example `view-users` on the
     * `realm-management` client) rather than a full realm admin role.
     *
     * NOTE(review): if `userId` is placed into the Admin API URL, confirm it
     * is validated or URL-encoded first. The conditions under which `null` is
     * returned are not visible here.
     *
     * @param userId - Identifier of the user to look up.
     * @returns The user, or `null`.
     */
    getUser(userId: string): Promise<AuthUser | null>;
}
