import { OIDCConfig, OIDCProviderMetadata } from './types';
/**
 * JSON Web Key Set structure
 */
export interface JSONWebKeySet {
    keys: Array<{
        kty: string;
        kid?: string;
        use?: string;
        alg?: string;
        [key: string]: unknown;
    }>;
}
/**
 * ID Token claims after validation
 */
export interface ValidatedIdTokenClaims {
    iss: string;
    sub: string;
    aud: string | string[];
    exp: number;
    iat: number;
    nonce?: string;
    email?: string;
    name?: string;
    preferred_username?: string;
    groups?: string[];
    [key: string]: unknown;
}
type FetchFn = typeof fetch;
/**
 * Set the fetch function (for testing)
 */
export declare function setFetchFunction(fn: FetchFn): void;
/**
 * Reset the fetch function to the default
 */
export declare function resetFetchFunction(): void;
/**
 * Clear the JWKS cache
 */
export declare function clearJwksCache(): void;
/**
 * Fetch JWKS from the provider
 * @param metadata Provider metadata containing jwks_uri
 * @returns The JWKS
 */
export declare function fetchJwks(metadata: OIDCProviderMetadata): Promise<JSONWebKeySet>;
/**
 * Validate an ID token according to OIDC spec
 *
 * Validates:
 * - Signature using provider's JWKS
 * - Issuer matches expected issuer
 * - Audience contains client_id
 * - Token is not expired (with 5 min clock skew tolerance)
 * - Nonce matches expected nonce
 *
 * If signature verification fails, the JWKS cache is cleared and validation
 * is retried once. This handles the case where the OIDC provider has rotated
 * keys since the JWKS was cached.
 *
 * @param idToken The ID token string
 * @param config OIDC configuration
 * @param metadata Provider metadata
 * @param expectedNonce The nonce from the auth state
 * @returns Validated claims from the ID token
 * @throws OIDCError if validation fails
 */
export declare function validateIdToken(idToken: string, config: OIDCConfig, metadata: OIDCProviderMetadata, expectedNonce: string): Promise<ValidatedIdTokenClaims>;
export {};
//# sourceMappingURL=id-token-validation.d.ts.map