/**
 * Lightweight Dex OIDC client for PRD #380, Task 2.3.
 *
 * Three pure utility functions using only node:http/node:https.
 * No external dependencies. Dex is trusted in-cluster, so ID tokens
 * are decoded without signature verification.
 */
import type { DexConfig } from './types';
/**
 * Build the Dex OIDC authorization URL for the browser redirect.
 *
 * Uses dexConfig.issuerUrl (the external Dex URL) because this URL
 * is followed by the user's browser, not the MCP server.
 */
export declare function buildAuthorizeUrl(dexConfig: DexConfig, params: {
    redirectUri: string;
    state: string;
    scope?: string;
}): string;
/**
 * Exchange a Dex authorization code for tokens.
 *
 * Uses dexConfig.tokenEndpoint (the in-cluster URL) for server-to-server
 * communication. Posts application/x-www-form-urlencoded with client credentials.
 */
export declare function exchangeDexCode(dexConfig: DexConfig, code: string, redirectUri: string): Promise<{
    idToken: string;
    accessToken: string;
}>;
/**
 * Decode a Dex ID token payload without signature verification.
 *
 * Dex is trusted in-cluster — the token was received directly from
 * Dex's token endpoint over the internal network. No JWKS needed.
 */
export declare function parseIdToken(idToken: string): {
    sub: string;
    email?: string;
    groups?: string[];
};
//# sourceMappingURL=dex-client.d.ts.map