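/**
 * Configuration for an OAuth 2 / OpenID Connect client.
 *
 * This is a type declaration only; the implementation is not part of this file.
 * Every property is optional. Several flags below switch off validation steps
 * (`disableAtHashCheck`, `skipSubjectCheck`, `skipIssuerCheck`, `disablePKCE`,
 * `requireHttps: false`, `strictDiscoveryDocumentValidation: false`); review
 * any configuration that sets them.
 */
export declare class AuthConfig {
  /**
   * The client's id as registered with the auth server
   */
  clientId?: string;
  /**
   * The client's redirectUri as registered with the auth server
   */
  redirectUri?: string;
  /**
   * An optional second redirectUri where the auth server
   * redirects the user to after logging out.
   */
  postLogoutRedirectUri?: string;
  /**
   * Defines whether to use 'redirectUri' as a replacement
   * of 'postLogoutRedirectUri' if the latter is not set.
   */
  redirectUriAsPostLogoutRedirectUriFallback?: boolean;
  /**
   * The auth server's endpoint used to log
   * the user in when using implicit flow.
   */
  loginUrl?: string;
  /**
   * The requested scopes.
   * Request only the scopes the application needs; every granted scope
   * widens what a leaked token can be used for.
   */
  scope?: string;
  // Not documented in this declaration; presumably the `resource` request
  // parameter sent to the auth server. TODO confirm against the implementation.
  resource?: string;
  // Not documented in this declaration; purpose cannot be determined from here.
  rngUrl?: string;
  /**
   * Defines whether to use OpenId Connect during
   * implicit flow.
   */
  oidc?: boolean;
  /**
   * Defines whether to request an access token during
   * implicit flow.
   * In implicit flow the token is returned in the URL fragment; current OAuth
   * security guidance prefers code flow with PKCE (see `disablePKCE`).
   */
  requestAccessToken?: boolean;
  // Untyped and undocumented in this declaration. NOTE(review): `any` disables
  // type checking for whatever is passed here; confirm what the implementation reads.
  options?: any;
  /**
   * The issuer's uri.
   */
  issuer?: string;
  /**
   * The logout url.
   */
  logoutUrl?: string;
  /**
   * Defines whether to clear the hash fragment after logging in.
   * In implicit flow the fragment carries the token response, so clearing it
   * keeps the tokens out of the visible URL after login.
   */
  clearHashAfterLogin?: boolean;
  /**
   * Url of the token endpoint as defined by OpenId Connect and OAuth 2.
   */
  tokenEndpoint?: string;
  /**
   * Url of the revocation endpoint as defined by OpenId Connect and OAuth 2.
   */
  revocationEndpoint?: string;
  /**
   * Names of known parameters sent out in the TokenResponse. https://tools.ietf.org/html/rfc6749#section-5.1
   */
  customTokenParameters?: string[];
  /**
   * Url of the userinfo endpoint as defined by OpenId Connect.
   */
  userinfoEndpoint?: string;
  // Not documented in this declaration; presumably the OAuth 2 `response_type`
  // value sent in the authorization request. TODO confirm.
  responseType?: string;
  /**
   * Defines whether additional debug information should
   * be shown at the console. Note that in certain browsers
   * the verbosity of the console needs to be explicitly set
   * to include Debug level messages.
   * NOTE(review): what is logged is not visible here; confirm that no token
   * material is written to the console before enabling this in production.
   */
  showDebugInformation?: boolean;
  /**
   * The redirect uri used when doing silent refresh.
   */
  silentRefreshRedirectUri?: string;
  // Not documented in this declaration; presumably a prefix identifying the
  // messages exchanged during silent refresh. TODO confirm.
  silentRefreshMessagePrefix?: string;
  /**
   * Set this to true to display the iframe used for
   * silent refresh for debugging.
   */
  silentRefreshShowIFrame?: boolean;
  /**
   * Timeout for silent refresh.
   * Misspelled legacy name, kept so existing configurations still type-check.
   * @internal
   * @deprecated use silentRefreshTimeout
   */
  siletRefreshTimeout?: number;
  /**
   * Timeout for silent refresh.
   * The unit is not stated in this declaration (presumably msec; confirm).
   */
  silentRefreshTimeout?: number;
  /**
   * Some auth servers don't allow using password flow
   * w/o a client secret while the standards do not
   * demand it. In this case, you can set a password
   * here. As this password is exposed to the public,
   * it does not bring additional security and is therefore
   * as good as using no password.
   * Never put the secret of a confidential client here: the value ships
   * with the application and can be read by anyone who loads it.
   */
  dummyClientSecret?: string;
  /**
   * Defines whether https is required.
   * The default value is remoteOnly which only allows
   * http for localhost, while every other domain needs
   * to be used with https.
   * With `false`, https is not required for any host, so tokens and
   * authorization responses may cross the network unencrypted.
   */
  requireHttps?: boolean | 'remoteOnly';
  /**
   * Defines whether every url provided by the discovery
   * document has to start with the issuer's url.
   * Turning this off removes that check; do so only for a provider known to
   * host its endpoints under a different base url.
   */
  strictDiscoveryDocumentValidation?: boolean;
  /**
   * JSON Web Key Set (https://tools.ietf.org/html/rfc7517)
   * with keys used to validate received id_tokens.
   * This is taken out of the discovery document. Can be set manually too.
   * Whatever keys are placed here are trusted to validate id_tokens, so a
   * manually supplied set must come from a trusted source.
   */
  jwks?: object;
  /**
   * Map with additional query parameters that are appended to
   * the request when initializing implicit flow.
   * The values become part of a URL, so they are not a place for secrets.
   */
  customQueryParams?: object;
  // Not documented in this declaration; by its name, the name of the iframe
  // used for silent refresh. TODO confirm.
  silentRefreshIFrameName?: string;
  /**
   * Defines when the token_timeout event should be raised.
   * If you set this to the default value 0.75, the event
   * is triggered after 75% of the token's life time.
   */
  timeoutFactor?: number;
  /**
   * If true, the lib will try to check whether the user
   * is still logged in on a regular basis as described
   * in http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
   */
  sessionChecksEnabled?: boolean;
  /**
   * Interval in msec for checking the session
   * according to http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
   * The property name is spelled with a double "l" in this declaration.
   */
  sessionCheckIntervall?: number;
  /**
   * Url for the iframe used for session checks
   */
  sessionCheckIFrameUrl?: string;
  /**
   * Name of the iframe to use for session checks
   */
  sessionCheckIFrameName?: string;
  /**
   * This property has been introduced to disable at_hash checks
   * and is intended for identity providers that do not deliver
   * an at_hash EVEN THOUGH it is recommended by the OIDC specs.
   * Of course, when disabling these checks we are bypassing
   * a security check, which means we are more vulnerable.
   * The at_hash claim ties the access token to the id_token it was issued
   * with; without the check a swapped access token goes unnoticed.
   */
  disableAtHashCheck?: boolean;
  /**
   * Controls the check of the subject of a refreshed token after silent refresh.
   * Normally, it should be the same as before.
   * NOTE(review): going by the property name, `true` skips the check; confirm
   * against the implementation. A changed subject means the refreshed token
   * belongs to a different user than the current session.
   */
  skipSubjectCheck?: boolean;
  // Not documented in this declaration; presumably controls whether the current
  // id_token is sent as `id_token_hint` during silent refresh. TODO confirm.
  useIdTokenHintForSilentRefresh?: boolean;
  /**
   * Defines whether to skip the validation of the issuer in the discovery document.
   * Normally, the discovery document's url starts with the url of the issuer.
   * Skipping it removes the check that the discovery document belongs to the
   * configured issuer.
   */
  skipIssuerCheck?: boolean;
  /**
   * According to rfc6749 it is recommended (but not required) that the auth
   * server exposes the access_token's life time in seconds.
   * This is a fallback value for the case this value is not exposed.
   */
  fallbackAccessTokenExpirationTimeInSec?: number;
  /**
   * final state sent to issuer is built as follows:
   * state = nonce + nonceStateSeparator + additional state
   * Default separator is ';' (encoded %3B).
   * In rare cases, this character might be forbidden or inconvenient to use by the issuer so it can be customized.
   */
  nonceStateSeparator?: string;
  /**
   * Set this to true to use HTTP BASIC auth for AJAX calls
   */
  useHttpBasicAuth?: boolean;
  /**
   * The window of time (in seconds) to allow the current time to deviate when validating id_token's iat and exp values.
   * A larger value also lengthens the time an expired id_token still validates.
   */
  clockSkewInSec?: number;
  /**
   * Decreases the Expiration time of tokens by this number of seconds
   */
  decreaseExpirationBySec?: number;
  /**
   * The interceptor waits this time span if there is no token
   */
  waitForTokenInMsec?: number;
  /**
   * Set this to true if you want to use silent refresh together with
   * code flow. As silent refresh is the only option for refreshing
   * with implicit flow, you don't need to explicitly turn it on in
   * this case.
   * NOTE(review): described as a true/false flag but typed `any`; the type is
   * left unchanged here so existing callers keep compiling.
   */
  useSilentRefresh?: any;
  /**
   * Code flow is by default used together with PKCE, which is also highly recommended.
   * You can disable it here by setting this flag to true.
   * https://tools.ietf.org/html/rfc7636#section-1.1
   * PKCE protects a public client against interception of the authorization
   * code; leave this unset unless the auth server cannot support PKCE.
   */
  disablePKCE?: boolean;
  /**
   * Set this to true to preserve the requested route including query parameters after code flow login.
   * This setting enables deep linking for the code flow.
   */
  preserveRequestedRoute?: boolean;
  /**
   * Allows to disable the timer for the id_token used
   * for token refresh
   */
  disableIdTokenTimer?: boolean;
  /**
   * Blocks other origins requesting a silent refresh
   */
  checkOrigin?: boolean;
  /**
   * Creates a configuration object.
   *
   * @param json Optional subset of the properties declared on this class.
   *   Presumably copied onto the new instance; the implementation is not
   *   visible in this declaration.
   */
  constructor(json?: Partial<AuthConfig>);
  /**
   * This property allows you to override the method that is used to open the login url,
   * allowing a way for implementations to specify their own method of routing to new
   * urls.
   */
  openUri?: (uri: string) => void;
}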