1 | import { GaxiosError, GaxiosOptions, GaxiosPromise, GaxiosResponse } from 'gaxios';
|
2 | import { JwkCertificate } from '../crypto/crypto';
|
3 | import { BodyResponseCallback } from '../transporters';
|
4 | import { AuthClient } from './authclient';
|
5 | import { Credentials } from './credentials';
|
6 | import { LoginTicket } from './loginticket';
/**
 * Result of {@link OAuth2Client.generateCodeVerifierAsync}: the verifier /
 * challenge pair used with the `S256` code challenge method.
 *
 * Only `codeChallenge` belongs in the authorization URL
 * ({@link GenerateAuthUrlOpts.code_challenge}); `codeVerifier` is presented
 * later when the code is exchanged ({@link GetTokenOptions.codeVerifier}) and
 * should be kept on the caller's side until then.
 */
export interface CodeVerifierResults {
    /** The generated code verifier. */
    codeVerifier: string;
    /**
     * SHA-256 challenge derived from `codeVerifier` (see
     * generateCodeVerifierAsync); send it with `code_challenge_method: S256`.
     * NOTE(review): declared optional — confirm whether the generator can
     * actually omit it, otherwise this could be a plain `string`.
     */
    codeChallenge?: string;
}
/**
 * Signing certificates keyed by key id (presumably the JWT `kid` header), as
 * returned by {@link OAuth2Client.getFederatedSignonCerts}. Each value is either
 * a PEM string or a parsed JWK, depending on
 * {@link FederatedSignonCertsResponse.format}.
 */
export interface Certificates {
    [index: string]: string | JwkCertificate;
}
/**
 * Public keys keyed by key id, as returned by {@link OAuth2Client.getIapPublicKeys}.
 * Unlike {@link Certificates}, values are strings only.
 * NOTE(review): the key encoding is not visible from this declaration —
 * confirm against the implementation.
 */
export interface PublicKeys {
    [index: string]: string;
}
/**
 * HTTP header map produced by {@link OAuth2Client.getRequestHeaders}, e.g.
 * `{ Authorization: 'Bearer <access_token_value>' }`.
 * The values carry bearer credentials: treat the object as sensitive and keep
 * it out of logs and error messages.
 */
export interface Headers {
    [index: string]: string;
}
/**
 * PKCE code challenge methods accepted by
 * {@link GenerateAuthUrlOpts.code_challenge_method}.
 *
 * `S256` is the method {@link OAuth2Client.generateCodeVerifierAsync} is built
 * for (its challenge is the SHA-256 of the verifier). Per RFC 7636, `plain`
 * uses the verifier itself as the challenge and should only be used where
 * `S256` is unavailable.
 */
export declare enum CodeChallengeMethod {
    Plain = "plain",
    S256 = "S256"
}
/**
 * Encoding of the certificates in a {@link FederatedSignonCertsResponse}
 * (PEM strings or JWK objects; see {@link Certificates}).
 */
export declare enum CertificateFormat {
    PEM = "PEM",
    JWK = "JWK"
}
/**
 * Options for {@link OAuth2Client.getToken}, the authorization-code exchange.
 * Snake_case members presumably mirror the token endpoint's parameter names.
 */
export interface GetTokenOptions {
    /** The authorization code to exchange. */
    code: string;
    /**
     * The PKCE code verifier whose challenge was sent in the authorization URL
     * (see {@link CodeVerifierResults}). Required whenever `code_challenge` was
     * used when generating the URL.
     */
    codeVerifier?: string;
    /**
     * Client id for this exchange. NOTE(review): presumably overrides the
     * client's `_clientId` when set — confirm in the implementation.
     */
    client_id?: string;
    /**
     * Redirect URI for this exchange. NOTE(review): presumably overrides the
     * client's `redirectUri`; it must match the value used in the
     * authorization request — confirm in the implementation.
     */
    redirect_uri?: string;
}
/**
 * Result of {@link OAuth2Client.getTokenInfo} for an access token.
 * Snake_case members presumably mirror the tokeninfo endpoint's wire names.
 */
export interface TokenInfo {
    /**
     * Audience the token was issued to.
     * NOTE(review): a caller that accepts a token from another party should
     * compare this with its own client id before trusting the other fields.
     */
    aud: string;
    /** Identifier of the user the token represents, when present. */
    user_id?: string;
    /** Scopes granted to the token. */
    scopes: string[];
    /**
     * Expiry time. NOTE(review): presumably epoch milliseconds, consistent
     * with `eagerRefreshThresholdMillis` elsewhere in this client — confirm.
     */
    expiry_date: number;
    /** Subject identifier, when present. */
    sub?: string;
    /** Authorized party, when present. */
    azp?: string;
    /** Access type the token was issued with (see {@link GenerateAuthUrlOpts.access_type}). */
    access_type?: string;
    /** User e-mail, when present. */
    email?: string;
    /**
     * Whether `email` has been verified. Treat `email` as unverified unless
     * this is `true`.
     */
    email_verified?: boolean;
}
/**
 * Options for {@link OAuth2Client.generateAuthUrl}. Snake_case members
 * presumably map directly onto query parameters of the authorization URL.
 */
export interface GenerateAuthUrlOpts {
    /**
     * Access type to request; surfaces later as {@link TokenInfo.access_type}.
     * NOTE(review): the accepted values are not visible here — confirm.
     */
    access_type?: string;
    /**
     * Hosted-domain hint for the consent page.
     * NOTE(review): a hint only — a domain restriction has to be checked on
     * the returned token, not assumed from this option.
     */
    hd?: string;
    /**
     * OAuth response type. NOTE(review): the default is not visible in this
     * declaration; {@link OAuth2Client.getToken} expects an authorization code.
     */
    response_type?: string;
    /** Client id to place in the URL; presumably defaults to the client's `_clientId`. */
    client_id?: string;
    /** Redirect URI to place in the URL; presumably defaults to the client's `redirectUri`. */
    redirect_uri?: string;
    /** Scopes to request, as an array or a single string. */
    scope?: string[] | string;
    /**
     * Opaque value round-tripped through the authorization server.
     * NOTE(review): nothing in this declaration generates or checks it. The
     * caller should supply an unguessable, per-session value and compare it
     * on the callback so a substituted authorization response is rejected.
     */
    state?: string;
    /** Whether previously granted scopes should be included in the grant. */
    include_granted_scopes?: boolean;
    /** Hint identifying the account to pre-select on the consent page. */
    login_hint?: string;
    /**
     * Prompt behaviour to request from the consent screen.
     * NOTE(review): accepted values are not visible here — confirm.
     */
    prompt?: string;
    /**
     * PKCE challenge method; use `S256` when `code_challenge` comes from
     * {@link OAuth2Client.generateCodeVerifierAsync}.
     */
    code_challenge_method?: CodeChallengeMethod;
    /**
     * PKCE challenge (the `codeChallenge` of {@link CodeVerifierResults}).
     * Send the challenge only — the verifier goes to getToken, never here.
     */
    code_challenge?: string;
}
/**
 * Access token produced by a caller-supplied {@link GetRefreshHandlerCallback}.
 */
export interface AccessTokenResponse {
    /** The access token value — a credential; keep it out of logs. */
    access_token: string;
    /**
     * Expiry time. NOTE(review): presumably epoch milliseconds, consistent
     * with `eagerRefreshThresholdMillis` — confirm.
     */
    expiry_date: number;
}
/**
 * Caller-supplied function that mints a fresh access token; installed as
 * {@link OAuth2Client.refreshHandler} and consulted by
 * processAndValidateRefreshHandler when defined.
 */
export interface GetRefreshHandlerCallback {
    (): Promise<AccessTokenResponse>;
}
/**
 * Node-style callback for {@link OAuth2Client.getToken}.
 * `err` is `null` on success; `token` then holds the exchanged credentials and
 * `res` the raw transport response, when available.
 */
export interface GetTokenCallback {
    (err: GaxiosError | null, token?: Credentials | null, res?: GaxiosResponse | null): void;
}
/**
 * Promise-form result of {@link OAuth2Client.getToken} and the protected
 * refreshToken methods.
 */
export interface GetTokenResponse {
    /** The obtained credentials (access/refresh tokens). */
    tokens: Credentials;
    /** Raw transport response, or `null` when none is available. */
    res: GaxiosResponse | null;
}
/**
 * Node-style callback for {@link OAuth2Client.getAccessToken}.
 * `err` is `null` on success; `token` is then the access token string.
 */
export interface GetAccessTokenCallback {
    (err: GaxiosError | null, token?: string | null, res?: GaxiosResponse | null): void;
}
/**
 * Promise-form result of {@link OAuth2Client.getAccessToken}.
 */
export interface GetAccessTokenResponse {
    /** The access token, or `null`/absent when none could be obtained. */
    token?: string | null;
    /** Raw transport response of the refresh, when one happened. */
    res?: GaxiosResponse | null;
}
/**
 * Node-style callback for the deprecated {@link OAuth2Client.refreshAccessToken}.
 * `err` is `null` on success; `credentials` then holds the refreshed tokens.
 */
export interface RefreshAccessTokenCallback {
    (err: GaxiosError | null, credentials?: Credentials | null, res?: GaxiosResponse | null): void;
}
/**
 * Promise-form result of the deprecated {@link OAuth2Client.refreshAccessToken}.
 */
export interface RefreshAccessTokenResponse {
    /** The refreshed credentials. */
    credentials: Credentials;
    /** Raw transport response, or `null` when none is available. */
    res: GaxiosResponse | null;
}
/**
 * Result of {@link OAuth2Client.getRequestMetadataAsync}.
 */
export interface RequestMetadataResponse {
    /** Authorization headers to attach to a request (contain a bearer token). */
    headers: Headers;
    /** Raw transport response of any refresh performed, when available. */
    res?: GaxiosResponse<void> | null;
}
/**
 * Node-style callback delivering request metadata; `err` is `null` on
 * success and `headers` then carries the authorization headers.
 */
export interface RequestMetadataCallback {
    (err: GaxiosError | null, headers?: Headers, res?: GaxiosResponse<void> | null): void;
}
/**
 * Node-style callback for {@link OAuth2Client.getFederatedSignonCerts}.
 * `err` is `null` on success; `certs` is then the key-id → certificate map.
 */
export interface GetFederatedSignonCertsCallback {
    (err: GaxiosError | null, certs?: Certificates, response?: GaxiosResponse<void> | null): void;
}
/**
 * Promise-form result of {@link OAuth2Client.getFederatedSignonCerts}.
 */
export interface FederatedSignonCertsResponse {
    /** Certificates keyed by key id. */
    certs: Certificates;
    /** Whether `certs` values are PEM strings or JWK objects. */
    format: CertificateFormat;
    /** Raw transport response, when a fetch happened (absent on a cache hit, presumably). */
    res?: GaxiosResponse<void> | null;
}
/**
 * Node-style callback for {@link OAuth2Client.getIapPublicKeys}.
 * `err` is `null` on success; `pubkeys` is then the key-id → key map.
 */
export interface GetIapPublicKeysCallback {
    (err: GaxiosError | null, pubkeys?: PublicKeys, response?: GaxiosResponse<void> | null): void;
}
/**
 * Promise-form result of {@link OAuth2Client.getIapPublicKeys}.
 */
export interface IapPublicKeysResponse {
    /** Public keys keyed by key id. */
    pubkeys: PublicKeys;
    /** Raw transport response, when a fetch happened. */
    res?: GaxiosResponse<void> | null;
}
/**
 * Body returned by the revoke endpoint via {@link OAuth2Client.revokeToken}
 * and {@link OAuth2Client.revokeCredentials}.
 */
export interface RevokeCredentialsResult {
    /** Whether the revocation succeeded. */
    success: boolean;
}
/**
 * Options for {@link OAuth2Client.verifyIdToken}.
 */
export interface VerifyIdTokenOptions {
    /** The raw ID token (JWT) to verify. */
    idToken: string;
    /**
     * Expected audience(s), normally the application's own client id.
     * NOTE(review): optional at the type level, so omitting it is not a
     * compile error — confirm in verifySignedJwtWithCertsAsync what happens
     * when it is absent, and always supply it from application code.
     */
    audience?: string | string[];
    /**
     * Upper bound on the accepted token lifetime (passed through as
     * `maxExpiry`). NOTE(review): presumably seconds, like
     * MAX_TOKEN_LIFETIME_SECS_ — confirm.
     */
    maxExpiry?: number;
}
/**
 * Constructor options for {@link OAuth2Client}; the three identity fields
 * correspond to the positional constructor overload.
 */
export interface OAuth2ClientOptions extends RefreshOptions {
    /** OAuth client id. */
    clientId?: string;
    /** OAuth client secret — a credential; keep it out of logs and source control. */
    clientSecret?: string;
    /** Redirect URI registered for the client. */
    redirectUri?: string;
}
/**
 * Token-refresh tuning shared by {@link OAuth2ClientOptions}.
 */
export interface RefreshOptions {
    /**
     * Tokens expiring within this many milliseconds are treated as expired
     * and refreshed early (see OAuth2Client.isTokenExpiring).
     */
    eagerRefreshThresholdMillis?: number;
    /**
     * NOTE(review): behaviour not visible in this declaration — presumably
     * forces a refresh when a request fails; confirm against the implementation.
     */
    forceRefreshOnFailure?: boolean;
}
/**
 * OAuth 2.0 client: builds consent URLs, exchanges authorization codes,
 * refreshes and revokes tokens, issues authenticated requests and verifies
 * Google-issued ID tokens.
 *
 * Instances hold client credentials (`_clientSecret`, `apiKey`) and, via
 * AuthClient, the user's tokens — do not serialize or log them.
 */
export declare class OAuth2Client extends AuthClient {
    /** Redirect URI registered for this client (from the constructor). */
    private redirectUri?;
    /** Cached signing certificates / public keys used for ID token verification. */
    private certificateCache;
    /** When `certificateCache` must be refetched. NOTE(review): type and units not visible here — confirm. */
    private certificateExpiry;
    /** Format of the cached certificates (see {@link CertificateFormat}). */
    private certificateCacheFormat;
    /**
     * In-flight refresh requests, presumably keyed by refresh token so that
     * concurrent callers share one round trip (see refreshToken vs
     * refreshTokenNoCache).
     */
    protected refreshTokenPromises: Map<string, Promise<GetTokenResponse>>;
    /** OAuth client id. */
    _clientId?: string;
    /** OAuth client secret — a credential; keep it out of logs. */
    _clientSecret?: string;
    /** API key, when one is configured — also a credential. */
    apiKey?: string;
    /** Project id, when known. */
    projectId?: string;
    /** Tokens expiring within this many milliseconds count as expired (see isTokenExpiring). */
    eagerRefreshThresholdMillis: number;
    /** NOTE(review): semantics not visible here — presumably forces a refresh after a failed request; confirm. */
    forceRefreshOnFailure: boolean;
    /** Optional caller-supplied token minter (see processAndValidateRefreshHandler). */
    refreshHandler?: GetRefreshHandlerCallback;
    /**
     * Creates an OAuth2Client, either from an options object or from the
     * positional (clientId, clientSecret, redirectUri) triple.
     * @param options Client id, secret, redirect URI and {@link RefreshOptions}.
     */
    constructor(options?: OAuth2ClientOptions);
    constructor(clientId?: string, clientSecret?: string, redirectUri?: string);
    /** Endpoint queried by {@link OAuth2Client.getTokenInfo}. */
    protected static readonly GOOGLE_TOKEN_INFO_URL = "https://oauth2.googleapis.com/tokeninfo";
    /**
     * The base URL for auth endpoints.
     */
    private static readonly GOOGLE_OAUTH2_AUTH_BASE_URL_;
    /**
     * The base endpoint for token retrieval.
     */
    private static readonly GOOGLE_OAUTH2_TOKEN_URL_;
    /**
     * The base endpoint to revoke tokens.
     */
    private static readonly GOOGLE_OAUTH2_REVOKE_URL_;
    /**
     * Google Sign on certificates in PEM format.
     */
    private static readonly GOOGLE_OAUTH2_FEDERATED_SIGNON_PEM_CERTS_URL_;
    /**
     * Google Sign on certificates in JWK format.
     */
    private static readonly GOOGLE_OAUTH2_FEDERATED_SIGNON_JWK_CERTS_URL_;
    /**
     * Public keys for verifying IAP-issued JWTs (fetched by getIapPublicKeys).
     */
    private static readonly GOOGLE_OAUTH2_IAP_PUBLIC_KEY_URL_;
    /**
     * Clock skew - five minutes in seconds. Tolerance applied to the
     * time-based claims during ID token verification.
     */
    private static readonly CLOCK_SKEW_SECS_;
    /**
     * Max Token Lifetime is one day in seconds.
     */
    private static readonly MAX_TOKEN_LIFETIME_SECS_;
    /**
     * The allowed oauth token issuers (presumably the default for the
     * `issuers` parameter of verifySignedJwtWithCertsAsync — confirm).
     */
    private static readonly ISSUERS_;
    /**
     * Generates URL for consent page landing.
     * @param opts Options.
     * @return URL to consent page.
     */
    generateAuthUrl(opts?: GenerateAuthUrlOpts): string;
    /**
     * Synchronous counterpart of generateCodeVerifierAsync.
     * NOTE(review): declared as returning `void`, so it cannot hand back a
     * verifier — presumably a stub directing callers to the async variant;
     * confirm in the implementation.
     */
    generateCodeVerifier(): void;
    /**
     * Convenience method to automatically generate a code_verifier, and its
     * resulting SHA256. If used, this must be paired with a S256
     * code_challenge_method.
     *
     * For a full example see:
     * https://github.com/googleapis/google-auth-library-nodejs/blob/main/samples/oauth2-codeVerifier.js
     */
    generateCodeVerifierAsync(): Promise<CodeVerifierResults>;
    /**
     * Gets the access token for the given code.
     * @param code The authorization code, or a {@link GetTokenOptions} object
     *   (needed when a PKCE code verifier has to be supplied).
     * @param callback Optional callback fn.
     */
    getToken(code: string): Promise<GetTokenResponse>;
    getToken(options: GetTokenOptions): Promise<GetTokenResponse>;
    getToken(code: string, callback: GetTokenCallback): void;
    getToken(options: GetTokenOptions, callback: GetTokenCallback): void;
    private getTokenAsync;
    /**
     * Refreshes the access token.
     * @param refreshToken Existing refresh token; when omitted, presumably the
     *   client's stored refresh token is used — confirm in the implementation.
     */
    protected refreshToken(refreshToken?: string | null): Promise<GetTokenResponse>;
    /**
     * Like refreshToken, but bypasses the in-flight `refreshTokenPromises`
     * de-duplication and always performs the request.
     */
    protected refreshTokenNoCache(refreshToken?: string | null): Promise<GetTokenResponse>;
    /**
     * Retrieves the access token using refresh token
     *
     * @deprecated use getRequestHeaders instead.
     * @param callback callback
     */
    refreshAccessToken(): Promise<RefreshAccessTokenResponse>;
    refreshAccessToken(callback: RefreshAccessTokenCallback): void;
    private refreshAccessTokenAsync;
    /**
     * Get a non-expired access token, after refreshing if necessary
     *
     * @param callback Callback to call with the access token
     */
    getAccessToken(): Promise<GetAccessTokenResponse>;
    getAccessToken(callback: GetAccessTokenCallback): void;
    private getAccessTokenAsync;
    /**
     * The main authentication interface. It takes an optional url which when
     * present is the endpoint being accessed, and returns a Promise which
     * resolves with authorization header fields.
     *
     * In OAuth2Client, the result has the form:
     * { Authorization: 'Bearer <access_token_value>' }
     * The returned headers carry a credential — do not log them.
     * @param url The optional url being authorized
     */
    getRequestHeaders(url?: string): Promise<Headers>;
    /**
     * Async worker behind getRequestHeaders; also returns the transport
     * response of any refresh it performed.
     * @param url The optional url being authorized
     */
    protected getRequestMetadataAsync(url?: string | null): Promise<RequestMetadataResponse>;
    /**
     * Generates a URL to revoke the given token.
     * The token is embedded in the returned URL (presumably as a query
     * parameter), so the result is itself sensitive and should not be logged.
     * @param token The existing token to be revoked.
     */
    static getRevokeTokenUrl(token: string): string;
    /**
     * Revokes the access given to token.
     * @param token The existing token to be revoked.
     * @param callback Optional callback fn.
     */
    revokeToken(token: string): GaxiosPromise<RevokeCredentialsResult>;
    revokeToken(token: string, callback: BodyResponseCallback<RevokeCredentialsResult>): void;
    /**
     * Revokes access token and clears the credentials object
     * @param callback callback
     */
    revokeCredentials(): GaxiosPromise<RevokeCredentialsResult>;
    revokeCredentials(callback: BodyResponseCallback<RevokeCredentialsResult>): void;
    private revokeCredentialsAsync;
    /**
     * Provides a request implementation with OAuth 2.0 flow. If credentials have
     * a refresh_token, in cases of HTTP 401 and 403 responses, it automatically
     * asks for a new access token and replays the unsuccessful request.
     * @param opts Request options.
     * @param callback callback.
     * @return Request object
     */
    request<T>(opts: GaxiosOptions): GaxiosPromise<T>;
    request<T>(opts: GaxiosOptions, callback: BodyResponseCallback<T>): void;
    /**
     * Async worker behind request.
     * @param opts Request options.
     * @param retry NOTE(review): presumably marks the replay after a refresh so
     *   the 401/403 handling does not loop — confirm in the implementation.
     */
    protected requestAsync<T>(opts: GaxiosOptions, retry?: boolean): Promise<GaxiosResponse<T>>;
    /**
     * Verifies an ID token by checking its signature against the federated
     * sign-on certs and checking its audience.
     * @param options that contains all options.
     * @param callback Callback supplying GoogleLogin if successful
     */
    verifyIdToken(options: VerifyIdTokenOptions): Promise<LoginTicket>;
    verifyIdToken(options: VerifyIdTokenOptions, callback: (err: Error | null, login?: LoginTicket) => void): void;
    private verifyIdTokenAsync;
    /**
     * Obtains information about the provisioned access token. Especially useful
     * if you want to check the scopes that were provisioned to a given token.
     *
     * @param accessToken Required. The Access Token for which you want to get
     * user info.
     */
    getTokenInfo(accessToken: string): Promise<TokenInfo>;
    /**
     * Gets federated sign-on certificates to use for verifying identity tokens.
     * Returns certs as array structure, where keys are key ids, and values
     * are certificates in either PEM or JWK format.
     * @param callback Callback supplying the certificates
     */
    getFederatedSignonCerts(): Promise<FederatedSignonCertsResponse>;
    getFederatedSignonCerts(callback: GetFederatedSignonCertsCallback): void;
    getFederatedSignonCertsAsync(): Promise<FederatedSignonCertsResponse>;
    /**
     * Gets the public keys used to verify IAP-issued JWTs.
     * Returns keys as a map structure, where keys are key ids, and values
     * are the public keys as strings.
     * @param callback Callback supplying the public keys
     */
    getIapPublicKeys(): Promise<IapPublicKeysResponse>;
    getIapPublicKeys(callback: GetIapPublicKeysCallback): void;
    getIapPublicKeysAsync(): Promise<IapPublicKeysResponse>;
    /**
     * Synchronous counterpart of verifySignedJwtWithCertsAsync.
     * NOTE(review): declared as returning `void`, so it cannot return a
     * LoginTicket — presumably a stub directing callers to the async variant;
     * confirm in the implementation.
     */
    verifySignedJwtWithCerts(): void;
    /**
     * Verify the id token is signed with the correct certificate
     * and is from the correct audience.
     * @param jwt The jwt to verify (The ID Token in this case).
     * @param certs The array of certs to test the jwt against.
     * @param requiredAudience The audience to test the jwt against.
     *   NOTE(review): optional here — confirm the behaviour when omitted;
     *   application code should always supply it.
     * @param issuers The allowed issuers of the jwt (Optional; presumably
     *   defaults to ISSUERS_ — confirm).
     * @param maxExpiry The max expiry the certificate can be (Optional).
     *   NOTE(review): given MAX_TOKEN_LIFETIME_SECS_, this likely bounds the
     *   token's lifetime rather than the certificate's — confirm and reword.
     * @return Returns a promise resolving to LoginTicket on verification.
     */
    verifySignedJwtWithCertsAsync(jwt: string, certs: Certificates | PublicKeys, requiredAudience?: string | string[], issuers?: string[], maxExpiry?: number): Promise<LoginTicket>;
    /**
     * Returns a promise that resolves with AccessTokenResponse type if
     * refreshHandler is defined.
     * If not, nothing is returned.
     */
    private processAndValidateRefreshHandler;
    /**
     * Returns true if a token is expired or will expire within
     * eagerRefreshThresholdMillis milliseconds.
     * If there is no expiry time, assumes the token is not expired or expiring.
     */
    protected isTokenExpiring(): boolean;
}