Class: MonoCloudOidcBackendClient

clockSkew

protected clockSkew: number = 0

Number of seconds to adjust the current time to account for clock differences between the client and server during time-based claim validation. Defaults to 0.


clockTolerance

protected clockTolerance: number = 300

Additional time tolerance in seconds applied when validating time-based claims (exp, nbf). Defaults to 300 (5 minutes).
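How clockSkew and clockTolerance combine when exp and nbf are checked, as an added example rather than the SDK's own code. It assumes the common convention that the validator's "now" is the wall clock plus clockSkew, that exp must be later than now minus clockTolerance, and that nbf must not be later than now plus clockTolerance; checkTimeClaims and secondsAcceptedPastExpiry are hypothetical names.

```typescript
// Added illustration of assumed semantics; not the SDK's source.
type TimeCheck = { ok: boolean; reason: string };

function checkTimeClaims(
  claims: { exp?: unknown; nbf?: unknown },
  wallClockSeconds: number,
  clockSkew: number = 0,        // default stated on this page
  clockTolerance: number = 300  // default stated on this page (5 minutes)
): TimeCheck {
  // Skew shifts the validator's notion of "now"; tolerance widens the window.
  const now = wallClockSeconds + clockSkew;

  // Assumption: a token without a numeric exp is rejected outright.
  if (typeof claims.exp !== 'number' || !isFinite(claims.exp)) {
    return { ok: false, reason: 'exp missing or not a number' };
  }
  if (claims.exp <= now - clockTolerance) {
    return { ok: false, reason: 'token expired' };
  }
  if (claims.nbf !== undefined) {
    if (typeof claims.nbf !== 'number' || !isFinite(claims.nbf)) {
      return { ok: false, reason: 'nbf not a number' };
    }
    if (claims.nbf > now + clockTolerance) {
      return { ok: false, reason: 'token not yet valid' };
    }
  }
  return { ok: true, reason: 'ok' };
}

// Wall-clock seconds after exp during which a token is still accepted:
// accepted while exp > wall + skew - tolerance, i.e. wall < exp + tolerance - skew.
function secondsAcceptedPastExpiry(clockSkew: number, clockTolerance: number): number {
  return clockTolerance - clockSkew;
}

// Constructed sample: a token that expired four minutes before NOW.
const NOW = 1700000000;
const expiredFourMinutesAgo = { exp: NOW - 240 };
const withDefaults = checkTimeClaims(expiredFourMinutesAgo, NOW);          // accepted
const withZeroTolerance = checkTimeClaims(expiredFourMinutesAgo, NOW, 0, 0); // rejected
```

With the defaults, a token remains acceptable for up to 300 seconds after its exp, so size clockTolerance against the access-token lifetime you issue.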


Constructor

new MonoCloudOidcBackendClient(tenantDomain: string, audience: string, options?: MonoCloudOidcBackendClientOptions): MonoCloudOidcBackendClient

Creates a new instance of MonoCloudOidcBackendClient.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| tenantDomain | string | The tenant domain URL. |
| audience | string | The expected audience value used to validate the aud claim in access tokens. |
| options? | MonoCloudOidcBackendClientOptions | Additional client configuration options. |

decodeJwt()

static decodeJwt(jwt: string): JwtClaims

Decodes the payload of a JSON Web Token (JWT) and returns it as an object.

Note: THIS METHOD DOES NOT VERIFY JWT TOKENS.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| jwt | string | JWT to decode. |

Returns

JwtClaims

Decoded payload.

Throws

MonoCloudTokenError - If decoding fails
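What the note above means in practice, as an added example that is not MonoCloud's code: decodePayloadUnverified is a hypothetical stand-in that performs the same decode-only step, and the sample token is constructed with a filler third segment that no key ever signed.

```typescript
// Added illustration; decodePayloadUnverified is a hypothetical stand-in, not SDK code.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

function base64UrlToText(segment: string): string {
  let bits = 0, nbits = 0, escaped = '';
  for (let i = 0; i < segment.length; i++) {
    const v = B64URL.indexOf(segment.charAt(i));
    if (v < 0) throw new Error('invalid base64url character');
    bits = (bits << 6) | v;
    nbits += 6;
    if (nbits >= 8) {
      nbits -= 8;
      const byte = (bits >> nbits) & 0xff;
      bits &= (1 << nbits) - 1;
      escaped += (byte < 16 ? '%0' : '%') + byte.toString(16);
    }
  }
  return decodeURIComponent(escaped); // read the bytes as UTF-8
}
function textToBase64Url(ascii: string): string { // builds the sample; ASCII input only
  let out = '', bits = 0, nbits = 0;
  for (let i = 0; i < ascii.length; i++) {
    bits = (bits << 8) | ascii.charCodeAt(i);
    nbits += 8;
    while (nbits >= 6) {
      nbits -= 6;
      out += B64URL.charAt((bits >> nbits) & 63);
      bits &= (1 << nbits) - 1;
    }
  }
  return nbits > 0 ? out + B64URL.charAt((bits << (6 - nbits)) & 63) : out;
}

// Decode-only: splits the token and parses the middle segment. No key is involved.
function decodePayloadUnverified(jwt: string): Record<string, unknown> {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const payload: unknown = JSON.parse(base64UrlToText(parts[1] as string));
  if (typeof payload !== 'object' || payload === null) throw new Error('payload is not a JSON object');
  return payload as Record<string, unknown>;
}

// Constructed token: the third segment is filler that no key ever produced.
const unsignedToken = [
  textToBase64Url('{"alg":"RS256","typ":"JWT"}'),
  textToBase64Url('{"sub":"user-1","scope":"admin","exp":9999999999}'),
  textToBase64Url('not-a-signature'),
].join('.');
const decodedClaims = decodePayloadUnverified(unsignedToken); // succeeds; proves nothing
```

The decode succeeds and returns scope "admin" although nothing was signed, which is why authorization decisions belong behind validateJwtAccessToken() or introspectAccessToken().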

fetcher()?

protected optional fetcher: {(input: URL | RequestInfo, init?: RequestInit): Promise<Response>; (input: string | URL | Request, init?: RequestInit): Promise<Response>; }

Custom fetch implementation used for making HTTP requests. Falls back to the global fetch if not provided.

Call Signature

(input: URL | RequestInfo, init?: RequestInit): Promise<Response>

Parameters

| Parameter | Type |
| --- | --- |
| input | URL \| RequestInfo |
| init? | RequestInit |

Returns

Promise<Response>

Call Signature

(input: string | URL | Request, init?: RequestInit): Promise<Response>

Parameters

| Parameter | Type |
| --- | --- |
| input | string \| URL \| Request |
| init? | RequestInit |

Returns

Promise<Response>

getJwks()

getJwks(forceRefresh: boolean): Promise<Jwks>

Fetches the JSON Web Keys used to sign the ID token. The JWKS is cached for 5 minutes by default.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| forceRefresh | boolean | If true, bypasses the cache and fetches a fresh JWKS from the server. |

Returns

Promise<Jwks>

The JSON Web Key Set containing the public keys for token verification.

Throws

MonoCloudHttpError - Thrown on a network error during the request, an unexpected status code, or a serialization error while processing the response.

getMetadata()

getMetadata(forceRefresh: boolean): Promise<IssuerMetadata>

Fetches the authorization server metadata from the .well-known endpoint. The metadata is cached for 5 minutes by default.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| forceRefresh | boolean | If true, bypasses the cache and fetches fresh metadata from the server. |

Returns

Promise<IssuerMetadata>

The issuer metadata for the tenant, retrieved from the OpenID Connect discovery endpoint.

Throws

MonoCloudHttpError - Thrown on a network error during the request, an unexpected status code, or a serialization error while processing the response.

introspectAccessToken()

introspectAccessToken(accessToken: string, options?: IntrospectOptions): Promise<AccessTokenClaims>

Validates an opaque access token using the OAuth 2.0 Token Introspection endpoint (RFC 7662).

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| accessToken | string | The access token string to introspect. |
| options? | IntrospectOptions | Claims validation options. |

Returns

Promise<AccessTokenClaims>

Validated access token claims (without the active field).

Throws

MonoCloudTokenError - If the token is not active or claim validation fails.

MonoCloudOPError - When the introspection endpoint returns a standardized OAuth 2.0 error response.

MonoCloudHttpError - Thrown on a network error during the request, an unexpected status code, or a serialization error while processing the response.

MonoCloudValidationError - When the access token is empty, the introspection endpoint is not available in the issuer metadata, or claims validation fails.


jwks?

protected optional jwks: Jwks

Cached JSON Web Key Set retrieved from the issuer's JWKS endpoint.

jwksCacheDuration

protected jwksCacheDuration: number = 300

Duration (in seconds) for which the JWKS is cached. Defaults to 300 (5 minutes).

jwksCacheExpiry

protected jwksCacheExpiry: number = 0

Timestamp (in seconds) when the cached JWKS expires.

metadata?

protected optional metadata: IssuerMetadata

Cached issuer metadata retrieved from the OpenID Connect discovery endpoint.

metadataCacheDuration

protected metadataCacheDuration: number = 300

Duration (in seconds) for which the metadata is cached. Defaults to 300 (5 minutes).

metadataCacheExpiry

protected metadataCacheExpiry: number = 0

Timestamp (in seconds) when the cached metadata expires.

setClockSkew()

setClockSkew(clockSkew: number): void

Sets the clock skew used for time-based claim validation of access tokens.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| clockSkew | number | Number of seconds to adjust the current time to account for clock differences. |

Returns

void


setClockTolerance()

setClockTolerance(clockTolerance: number): void

Sets the clock tolerance used for time-based claim validation of access tokens.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| clockTolerance | number | Additional time tolerance in seconds for time-based claim validation. |

Returns

void


tenantDomain

protected readonly tenantDomain: string

The normalized tenant domain URL used as the base for discovery endpoints.

validateJwtAccessToken()

validateJwtAccessToken(accessToken: string, options?: ValidateJwtAccessTokenOptions): Promise<AccessTokenClaims>

Validates a JWT access token by verifying the signature and claims.

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| accessToken | string | The access token JWT string to validate. |
| options? | ValidateJwtAccessTokenOptions | Validation options. |

Returns

Promise<AccessTokenClaims>

Validated access token claims.

Throws

MonoCloudTokenError - If JWT parsing, signature verification, or claim validation fails.

MonoCloudHttpError - Thrown on a network error during the request, an unexpected status code, or a serialization error while processing the response.

MonoCloudValidationError - When the access token is empty or claims validation fails.

© 2024 MonoCloud. All rights reserved.