import { Request, Response, IRouter } from 'express';
import { OIDCConfig, OIDCUserInfo, OIDCCryptoService, ExternalUserService, ExternalUser } from './types';
/**
 * Validate and merge userinfo claims into ID token claims.
 *
 * Security considerations:
 * - Validates that userinfo sub matches ID token sub (OIDC Core spec requirement)
 * - Only merges safe claims (email, name, preferred_username, groups)
 * - Does NOT allow userinfo to overwrite security-critical claims (sub, iss, aud, nonce)
 *
 * @param idTokenClaims The validated claims from the ID token
 * @param userinfoClaims The claims from the userinfo endpoint
 * @param groupsAttribute The attribute name for groups (default: 'groups')
 * @throws OIDCError if userinfo sub doesn't match ID token sub
 */
export declare function validateAndMergeUserinfoClaims(idTokenClaims: Record<string, unknown>, userinfoClaims: Record<string, unknown>, groupsAttribute?: string): void;
/**
 * Dependencies injected by tokensecurity.
 * This interface defines the contract between tokensecurity and OIDC authentication.
 */
export interface OIDCAuthDependencies {
    /** Get parsed OIDC configuration */
    getOIDCConfig: () => OIDCConfig;
    /** Set session cookies after successful authentication */
    setSessionCookie: (res: Response, req: Request, token: string, username: string, options?: {
        rememberMe?: boolean;
    }) => void;
    /** Clear session cookies on logout */
    clearSessionCookie: (res: Response) => void;
    /** Generate a JWT for a user */
    generateJWT: (userId: string, expiration?: string) => string;
    /**
     * Crypto service for OIDC state encryption.
     * Provides a derived secret - OIDC handles its own encryption.
     */
    cryptoService: OIDCCryptoService;
    /**
     * User service for external authentication providers.
     * Abstracts user storage so OIDC doesn't need to know about
     * the underlying storage mechanism.
     */
    userService: ExternalUserService;
}
/**
 * Find or create a user from OIDC authentication.
 * This function looks up existing users by OIDC subject+issuer, or creates
 * a new user if auto-creation is enabled.
 *
 * For existing users, permissions are recalculated on each login based on
 * current group memberships. This allows permission changes to take effect
 * when group assignments change in the identity provider.
 */
export declare function findOrCreateOIDCUser(userInfo: OIDCUserInfo, oidcConfig: OIDCConfig, deps: Pick<OIDCAuthDependencies, 'userService'>): Promise<ExternalUser | null>;
/**
 * Register OIDC authentication routes.
 * This function adds the OIDC login, callback, and status endpoints to the Express app.
 */
export declare function registerOIDCRoutes(app: IRouter, deps: OIDCAuthDependencies): void;
//# sourceMappingURL=oidc-auth.d.ts.map