export = IdentityService;
/**
 * @typedef {import('../util/Types').ServiceCredentials} ServiceCredentials
 * @typedef {import('../util/Types').IdentityServiceCredentials} IdentityServiceCredentials
 * @typedef {import('../util/Types').ServiceConfig} ServiceConfig
 * @typedef {import('../util/Types').IdentityServiceConfig} IdentityServiceConfig *
 * @typedef {import('../util/Types').SecurityContextConfig} SecurityContextConfig *
 * @typedef {import('../util/Types').TokenFetchOptions} TokenFetchOptions
 * @typedef {import('../util/Types').IdentityServiceTokenFetchOptions} IdentityServiceTokenFetchOptions
 * @typedef {import('../util/Types').TokenFetchResponse} TokenFetchResponse
 * @typedef {import('../util/Types').IdTokenFetchResponse} IdTokenFetchResponse
 * @typedef {import('../util/Types').RefreshableTokenFetchResponse} RefreshableTokenFetchResponse
 */
/**
 * This {@link Service} class is constructed from SAP Identity Service credentials to provide an API with selected functionality against that service instance, e.g. token validation and token fetches.
 */
declare class IdentityService extends Service {
    /** @type {import("../util/Types").CacheConfig} */
    static DEFAULT_ID_TOKEN_CACHE_CONFIG: import("../util/Types").CacheConfig;
    /**
     * Returns an issuer URL based on the issuer of the token if it can be succesfully validated against a list of trusted domains.
     * @param {IdentityServiceToken} token token from which issuer is extracted
     * @param {Array<string>} trustedDomains a list of trusted domains
     * @returns {String} URL of issuer if its domain is either a trusted domain or a subdomain of a trusted domain
     * @throws {UntrustedIssuerError} if issuer is empty, not trusted or not a valid URL
     */
    static getSafeUrlFromTokenIssuer: (token: IdentityServiceToken, trustedDomains?: Array<string>) => string;
    /**
     * Validates that the client owning the given certificate is the owner of the token.
     * The validation is based on proof-of-posession via certificate binding of tokens as described in {@link https://datatracker.ietf.org/doc/html/rfc8705 RFC 8705}.
     * The validation is succesful if the token contains an base64url-encoded x5t thumbprint under claim {@link CNF_X5T_CLAIM cnf.x5t#S256} that matches the given certificate.
     * The client certificate against which the validation is performed, is typically extracted from the {@link FWD_CLIENT_CERT_HEADER x-forwarded-client-cert} request header where it is put by BTP after TLS termination.
     * @param {IdentityServiceToken} token
     * @param {X509Certificate} cert client certificate parsed as X509Certificate
     */
    static validateTokenOwnership(token: IdentityServiceToken, cert: X509Certificate): void;
    /**
     * Builds the configuration of this IdentityService based on the provided configuration and default values.
     * @param {ServiceConfig & IdentityServiceConfig} config
     * @override
     */
    static override buildServiceConfiguration(config: ServiceConfig & IdentityServiceConfig): import("../util/Types").ServiceConfig & import("../util/Types").IdentityServiceConfig;
    /**
     * @param {ServiceCredentials & IdentityServiceCredentials} credentials
     * @param {ServiceConfig & IdentityServiceConfig} [serviceConfiguration={}]
     */
    constructor(credentials: ServiceCredentials & IdentityServiceCredentials, serviceConfiguration?: ServiceConfig & IdentityServiceConfig);
    config: import("../util/Types").ServiceConfig & import("../util/Types").IdentityServiceConfig;
    /**
     * @override
     * @param {String|IdentityServiceToken} token token as JWT or IdentityServiceToken object
     * @param {SecurityContextConfig} contextConfig
     * @returns {Promise<IdentityServiceSecurityContext>}
     */
    override createSecurityContext(token: string | IdentityServiceToken, contextConfig?: SecurityContextConfig): Promise<IdentityServiceSecurityContext>;
    /**
     * @override
     * @param {IdentityServiceToken} token
     * @param {SecurityContextConfig} contextConfig
     */
    override validateToken(token: IdentityServiceToken, contextConfig: SecurityContextConfig): Promise<void>;
    fetchJwks({ clientid, app_tid, azp, clientCertificatePem }: {
        clientid: any;
        app_tid: any;
        azp: any;
        clientCertificatePem: any;
    }, { correlationId, extractHeaders }: {
        correlationId: any;
        extractHeaders: any;
    }): Promise<any>;
    /**
     * Fetches a token from this service with this service's client credentials.
     * @param {TokenFetchOptions & IdentityServiceTokenFetchOptions} options
     * @returns {Promise<TokenFetchResponse>}
     */
    fetchClientCredentialsToken(options?: TokenFetchOptions & IdentityServiceTokenFetchOptions): Promise<TokenFetchResponse>;
    /**
     * Fetches a user token from this service with the given username and password.
     * @param {String} username
     * @param {String} password
     * @param {TokenFetchOptions & IdentityServiceTokenFetchOptions} options
     * @returns {Promise<TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse>}
     */
    fetchPasswordToken(username: string, password: string, options?: TokenFetchOptions & IdentityServiceTokenFetchOptions): Promise<TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse>;
    /**
     * Fetches a JWT bearer token from this service with the given user token as assertion.
     * @param {String} assertion JWT bearer token used as assertion
     * @param {TokenFetchOptions & IdentityServiceTokenFetchOptions} options
     * @returns {Promise<TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse>}
     */
    fetchJwtBearerToken(assertion: string, options?: TokenFetchOptions & IdentityServiceTokenFetchOptions): Promise<TokenFetchResponse & IdTokenFetchResponse & RefreshableTokenFetchResponse>;
    /**
     * @internal
     *
     * Internal method that MUST NOT be called with tokens before the token has been validated.
     * Returns an OAuth id token for the user of the given token.
     * If the token is already an id token, it is returned as is.
     * If the token is from a technical user, an error is thrown.
     * If the token is an access token, it is exchanged for an id token.
     *
     * Subsequent calls with access tokens will return a cached (but definitely not yet expired) id token.
     * The cache is configured by the `idTokenCache` service configuration property of this instance.
     *
     * @param {IdentityServiceToken} validatedToken - a validated token of a user for which the id token is required
     * @param {TokenFetchOptions & IdentityServiceTokenFetchOptions} [options] - custom token fetch options
     * @returns {Promise<string>} - the id token as raw jwt string
     * @throws {Error} if the token is from a technical user
     */
    _getIdToken(validatedToken: IdentityServiceToken, options?: TokenFetchOptions & IdentityServiceTokenFetchOptions): Promise<string>;
    /**
     * @internal
     * Gets the ID token cache for this IdentityService instance.
     *
     * @returns {import("../util/Types").Cache} The ID token cache.
     */
    get idTokenCache(): import("../util/Types").Cache;
    /** @override */
    override buildTokenRequest(grant_type: any, options: any): {
        checkServerIdentity?: ((hostname: string, cert: import("node:tls").DetailedPeerCertificate) => Error | undefined) | undefined;
        rejectUnauthorized?: boolean | undefined;
        servername?: string | undefined;
        _defaultAgent?: import("node:http").Agent | undefined;
        agent?: import("node:http").Agent | boolean | undefined;
        auth?: string | null | undefined;
        createConnection?: ((options: import("node:http").ClientRequestArgs, oncreate: (err: Error | null, socket: import("node:stream").Duplex) => void) => import("node:stream").Duplex | null | undefined) | undefined;
        defaultPort?: number | string | undefined;
        family?: number | undefined;
        headers?: import("node:http").OutgoingHttpHeaders | readonly string[] | undefined;
        host?: string | null | undefined;
        hostname?: string | null | undefined;
        insecureHTTPParser?: boolean | undefined;
        localAddress?: string | undefined;
        localPort?: number | undefined;
        lookup?: import("node:net").LookupFunction | undefined;
        maxHeaderSize?: number | undefined;
        method?: string | undefined;
        path?: string | null | undefined;
        port?: number | string | null | undefined;
        protocol?: string | null | undefined;
        setDefaultHeaders?: boolean | undefined;
        setHost?: boolean | undefined;
        signal?: AbortSignal | undefined;
        socketPath?: string | undefined;
        timeout: number | undefined;
        uniqueHeaders?: Array<string | string[]> | undefined;
        joinDuplicateHeaders?: boolean | undefined;
        hints?: number | undefined;
        ALPNCallback?: ((arg: {
            servername: string;
            protocols: string[];
        }) => string | undefined) | undefined;
        allowPartialTrustChain?: boolean | undefined;
        ca?: string | Buffer | Array<string | Buffer> | undefined;
        cert?: string | Buffer | Array<string | Buffer> | undefined;
        sigalgs?: string | undefined;
        ciphers?: string | undefined;
        clientCertEngine?: string | undefined;
        crl?: string | Buffer | Array<string | Buffer> | undefined;
        dhparam?: string | Buffer | undefined;
        ecdhCurve?: string | undefined;
        honorCipherOrder?: boolean | undefined;
        key?: string | Buffer | Array<string | Buffer | import("node:tls").KeyObject> | undefined;
        privateKeyEngine?: string | undefined;
        privateKeyIdentifier?: string | undefined;
        maxVersion?: import("node:tls").SecureVersion | undefined;
        minVersion?: import("node:tls").SecureVersion | undefined;
        passphrase?: string | undefined;
        pfx?: string | Buffer | Array<string | Buffer | import("node:tls").PxfObject> | undefined;
        secureOptions?: number | undefined;
        secureProtocol?: string | undefined;
        sessionIdContext?: string | undefined;
        ticketKeys?: Buffer | undefined;
        sessionTimeout?: number | undefined;
        retry: boolean | import("../util/Types").RetryConfig;
    };
    /**
     * @override
     * @inheritdoc
     */
    override getTokenUrl(grant_type: any, options?: {}): Promise<URL>;
    /**
     * Returns whether proof token validation has been enabled via the service's configuration.
     * @returns {Boolean}
     */
    hasProofTokenEnabled(): boolean;
    /**
     * Returns whether x5t proof of token ownership validation has been enabled via the service's configuration.
     * @returns {Boolean}
     */
    hasX5tEnabled(): boolean;
    #private;
}
declare namespace IdentityService {
    export { X509Certificate, ServiceCredentials, IdentityServiceCredentials, ServiceConfig, IdentityServiceConfig, SecurityContextConfig, TokenFetchOptions, IdentityServiceTokenFetchOptions, TokenFetchResponse, IdTokenFetchResponse, RefreshableTokenFetchResponse };
}
import Service = require("./Service");
import IdentityServiceToken = require("../token/IdentityServiceToken");
import IdentityServiceSecurityContext = require("../context/IdentityServiceSecurityContext");
type X509Certificate = import("crypto").X509Certificate;
type ServiceCredentials = import("../util/Types").ServiceCredentials;
type IdentityServiceCredentials = import("../util/Types").IdentityServiceCredentials;
type ServiceConfig = import("../util/Types").ServiceConfig;
type IdentityServiceConfig = import("../util/Types").IdentityServiceConfig;
type SecurityContextConfig = import("../util/Types").SecurityContextConfig;
type TokenFetchOptions = import("../util/Types").TokenFetchOptions;
type IdentityServiceTokenFetchOptions = import("../util/Types").IdentityServiceTokenFetchOptions;
type TokenFetchResponse = import("../util/Types").TokenFetchResponse;
type IdTokenFetchResponse = import("../util/Types").IdTokenFetchResponse;
type RefreshableTokenFetchResponse = import("../util/Types").RefreshableTokenFetchResponse;
//# sourceMappingURL=IdentityService.d.ts.map