import { OidcMetadata, SigninResponse } from "oidc-client-ts";
import { IDelegatedAuthConfig } from "../client";
import { OidcError } from "./error";
/**
 * Re-export of OidcError under its previous name, kept for backwards compatibility.
 * @deprecated use OidcError
 */
export { OidcError as OidcDiscoveryError };
/**
 * Endpoint set returned by validateOIDCIssuerWellKnown once an issuer's
 * openid-configuration has passed validation.
 */
export type ValidatedIssuerConfig = {
    authorizationEndpoint: string;
    tokenEndpoint: string;
    /**
     * Optional in this type, although ValidatedIssuerMetadata lists
     * `registration_endpoint` among its required properties.
     * NOTE(review): confirm which of the two reflects what the validator enforces.
     */
    registrationEndpoint?: string;
};
/**
 * Validates the MSC2965 `m.authentication` config.
 * Returns the configuration when it is valid.
 *
 * NOTE(review): the parameter is already typed as IDelegatedAuthConfig, so which
 * fields are checked at runtime is not visible in this declaration file - confirm
 * in the implementation before relying on any field of the returned value.
 * @param authentication - the `m.authentication` config taken from the client
 *   well-known (as returned from `/.well-known/matrix/client`); may be undefined
 * @returns config - when present and valid
 * @throws when config is not found or invalid
 */
export declare const validateWellKnownAuthentication: (authentication?: IDelegatedAuthConfig) => IDelegatedAuthConfig;
/**
 * Validates an issuer's `.well-known/openid-configuration` document.
 * The well-known location is defined by RFC5785; the document itself by
 * OpenID Connect Discovery: https://openid.net/specs/openid-connect-discovery-1_0.html
 * Validates that the OP is compatible with Element's OIDC flow.
 *
 * The input is typed `unknown`: it is a parsed response that has not been checked
 * yet, and only the returned ValidatedIssuerConfig should be used afterwards.
 * @param wellKnown - json object
 * @returns valid issuer config
 * @throws Error - when issuer config is not found or is invalid
 */
export declare const validateOIDCIssuerWellKnown: (wellKnown: unknown) => ValidatedIssuerConfig;
/**
 * Metadata from OIDC authority discovery,
 * with the validated properties made required in the type.
 * Every other OidcMetadata property stays optional (via Partial).
 *
 * NOTE(review): the type only records that the picked properties are present.
 * Whether their contents are also checked (for example which values
 * `grant_types_supported` or `code_challenge_methods_supported` must contain)
 * is not visible in this declaration file - confirm in the implementation.
 */
export type ValidatedIssuerMetadata = Partial<OidcMetadata> & Pick<OidcMetadata, "issuer" | "authorization_endpoint" | "token_endpoint" | "registration_endpoint" | "revocation_endpoint" | "response_types_supported" | "grant_types_supported" | "code_challenge_methods_supported">;
/**
 * Wraps validateOIDCIssuerWellKnown in a type assertion
 * that asserts expected properties are present
 * (Typescript assertions cannot be arrow functions).
 *
 * Despite the `is` prefix this is an assertion function, not a boolean predicate:
 * it returns nothing and reports failure by throwing, so it has to be called as a
 * statement. Using it as a condition (`if (isValidatedIssuerMetadata(m))`) would
 * never take the branch.
 * @param metadata - issuer openid-configuration response
 * @throws when metadata validation fails
 */
export declare function isValidatedIssuerMetadata(metadata: Partial<OidcMetadata>): asserts metadata is ValidatedIssuerMetadata;
/**
 * Validate idToken
 * https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 *
 * Returns nothing: a failed validation is reported only by throwing, so callers
 * should let the error abort the login rather than catch it and continue.
 *
 * NOTE(review): which of the checks in the linked section are performed here
 * (in particular whether the token signature is verified by this function or
 * elsewhere) is not visible in this declaration file - confirm in the implementation.
 * @param idToken - id token from token endpoint; typed as possibly undefined -
 *   presumably a missing token is rejected, confirm against the implementation
 * @param issuer - issuer for the OP as found during discovery
 * @param clientId - this client's id as registered with the OP
 * @param nonce - nonce used in the authentication request
 * @throws when id token is invalid
 */
export declare const validateIdToken: (idToken: string | undefined, issuer: string, clientId: string, nonce: string) => void;
/**
 * State we ask OidcClient to store when starting oidc authorization flow (in `generateOidcAuthorizationUrl`)
 * so that we can access it on return from the OP and complete login.
 *
 * The stored value is read back as `unknown` and narrowed to this type by
 * validateStoredUserState before use.
 */
export type UserState = {
    /**
     * Remember which server we were trying to login to
     */
    homeserverUrl: string;
    /**
     * Optional; presumably the identity server that accompanies `homeserverUrl` -
     * confirm against the code that builds this state.
     */
    identityServerUrl?: string;
    /**
     * Used to validate id token (see the `nonce` parameter of validateIdToken,
     * documented as the nonce used in the authentication request)
     */
    nonce: string;
};
/**
 * Validate stored user state exists and is valid.
 *
 * Assertion function: returning normally narrows `userState` from `unknown` to
 * UserState; it returns no value and reports failure by throwing.
 * @param userState - userState returned by oidcClient.processSigninResponse
 * @throws when userState is invalid
 */
export declare function validateStoredUserState(userState: unknown): asserts userState is UserState;
/**
 * The expected response type from the token endpoint during authorization code flow
 * Normalized to always use capitalized 'Bearer' for token_type
 *
 * See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.4,
 * https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK.
 *
 * `access_token`, `refresh_token` and `id_token` are credentials: keep values of
 * this type out of logs and error messages.
 */
export type BearerTokenResponse = {
    token_type: "Bearer";
    access_token: string;
    scope: string;
    refresh_token?: string;
    /** Access token lifetime in seconds, as defined by RFC 6749. */
    expires_in?: number;
    /**
     * Not part of the RFC 6749 token response; presumably an absolute expiry
     * time - confirm the unit against the code that sets it.
     */
    expires_at?: number;
    /** Optional here; validateIdToken accepts `string | undefined` for it. */
    id_token?: string;
};
/**
 * Make required properties required in type
 *
 * NOTE(review): BearerTokenResponse already fixes token_type to "Bearer", so the
 * intersection with `"Bearer" | "bearer"` still narrows token_type to "Bearer" in
 * this type. Whether a lowercase "bearer" is accepted and normalized at runtime
 * is not visible in this declaration file - confirm in the implementation.
 */
type ValidSignInResponse = SigninResponse & BearerTokenResponse & {
    token_type: "Bearer" | "bearer";
};
/**
 * Asserts that a response is a sign-in response carrying a bearer token.
 *
 * Assertion function: returning normally narrows `response` from `unknown` to
 * ValidSignInResponse; it returns no value, so failure is expected to be
 * reported by throwing, as with the other validators in this file.
 * NOTE(review): which properties are checked at runtime is not visible in this
 * declaration file - confirm in the implementation.
 * @param response - unvalidated response, typed `unknown` until this check passes
 */
export declare function validateBearerTokenResponse(response: unknown): asserts response is ValidSignInResponse;
//# sourceMappingURL=validate.d.ts.map