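"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.OIDCProvider = void 0;
/**
 * OIDC (OpenID Connect) SSO provider.
 * Supports Okta, Azure AD, Google Workspace.
 */
const openid_client_1 = require("openid-client");
/** Scopes requested when `config.scopes` is not provided. */
const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
/**
 * Authorization-code flow against a single OIDC issuer, built on openid-client.
 *
 * Fields read from `config`: `issuer`, `clientId`, `clientSecret`, `redirectUri`
 * and the optional `scopes` array.
 *
 * Every authorization request carries a `state` and a PKCE S256 code challenge.
 * The caller is responsible for persisting the returned `state` and
 * `codeVerifier` (e.g. in the login session) and passing them back to
 * handleCallback(); openid-client uses them to verify the callback and to bind
 * the token exchange to the original request.
 */
class OIDCProvider {
    /**
     * @param {object} config - issuer/client settings as described on the class.
     */
    constructor(config) {
        this.config = config;
        // Memoized issuer metadata promise; see getConfiguration().
        this.configurationPromise = undefined;
    }
    /**
     * Resolves the issuer's metadata once and reuses it for subsequent calls,
     * so discovery is not re-fetched over the network on every login.
     * A failed discovery is not cached: the next call retries.
     *
     * @returns {Promise<import('openid-client').Configuration>}
     */
    getConfiguration() {
        if (this.configurationPromise === undefined) {
            this.configurationPromise = openid_client_1
                .discovery(new URL(this.config.issuer), this.config.clientId, this.config.clientSecret)
                .catch((err) => {
                    this.configurationPromise = undefined;
                    throw err;
                });
        }
        return this.configurationPromise;
    }
    /**
     * Builds the authorization request URL.
     *
     * A fresh `state` and PKCE code verifier are generated per call. Only the
     * S256 challenge derived from the verifier is placed in the URL; the
     * verifier itself stays server-side until handleCallback().
     *
     * @returns {Promise<{ url: string, state: string, codeVerifier: string }>}
     *   `url` to redirect the user to, plus the `state` and `codeVerifier`
     *   that must be handed back to handleCallback().
     * @throws if issuer discovery fails.
     */
    async generateAuthUrl() {
        const oidcConfig = await this.getConfiguration();
        const state = openid_client_1.randomState();
        const codeVerifier = openid_client_1.randomPKCECodeVerifier();
        const codeChallenge = await openid_client_1.calculatePKCECodeChallenge(codeVerifier);
        const params = new URLSearchParams({
            client_id: this.config.clientId,
            redirect_uri: this.config.redirectUri,
            response_type: 'code',
            scope: (this.config.scopes ?? DEFAULT_SCOPES).join(' '),
            state,
            code_challenge: codeChallenge,
            code_challenge_method: 'S256',
        });
        const url = openid_client_1.buildAuthorizationUrl(oidcConfig, params);
        return { url: url.href, state, codeVerifier };
    }
    /**
     * Completes the flow from the IdP's redirect back to `config.redirectUri`.
     *
     * The `state` in `params` must match `expectedState`, and `codeVerifier`
     * must be the value returned by the generateAuthUrl() call that started
     * this login; both checks are performed by openid-client together with
     * ID token validation.
     *
     * @param {URLSearchParams|string|Record<string,string>} params - query
     *   parameters of the callback request.
     * @param {string} expectedState - the `state` stored at login start.
     * @param {string} codeVerifier - the `codeVerifier` stored at login start.
     * @returns {Promise<{ sub: string, email?: string, name?: string }>}
     * @throws if a required check value is missing, the exchange or token
     *   validation fails, or the ID token has no usable `sub` claim.
     */
    async handleCallback(params, expectedState, codeVerifier) {
        if (!expectedState) {
            throw new Error('OIDC: expectedState is required to validate the callback');
        }
        if (!codeVerifier) {
            throw new Error('OIDC: codeVerifier is required to complete the PKCE exchange');
        }
        const oidcConfig = await this.getConfiguration();
        // Append the callback parameters via searchParams rather than string
        // concatenation, so a redirectUri that already has a query string is
        // not corrupted.
        const currentUrl = new URL(this.config.redirectUri);
        for (const [key, value] of new URLSearchParams(params)) {
            currentUrl.searchParams.append(key, value);
        }
        const tokens = await openid_client_1.authorizationCodeGrant(oidcConfig, currentUrl, {
            expectedState,
            pkceCodeVerifier: codeVerifier,
            idTokenExpected: true,
        });
        const claims = tokens.claims();
        if (!claims) {
            throw new Error('OIDC: no claims in token response');
        }
        // `sub` is the only stable identifier of the user; an empty fallback
        // would let a malformed token map to a shared "" identity.
        const rawSub = claims['sub'];
        if (rawSub == null || rawSub === '') {
            throw new Error('OIDC: ID token is missing the sub claim');
        }
        const email = claims['email'];
        const name = claims['name'];
        return {
            sub: String(rawSub),
            email: typeof email === 'string' ? email : undefined,
            name: typeof name === 'string' ? name : undefined,
        };
    }
}
exports.OIDCProvider = OIDCProvider;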