Documentation
Overview
Package server implements the HTTP server and handlers for the tsidp service.
Index
- Constants
- func ServeOnLocalTailscaled(ctx context.Context, lc *local.Client, st *ipnstate.Status, dstPort uint16, ...) (cleanup func(), watcherChan chan error, err error)
- type ActorClaim
- type AuthRequest
- type CtxConn
- type FunnelClient
- type IDPServer
- func (s *IDPServer) CleanupExpiredTokens()
- func (s *IDPServer) LoadFunnelClients() error
- func (s *IDPServer) ServeHTTP(w http.ResponseWriter, r *http.Request)
- func (s *IDPServer) ServerURL() string
- func (s *IDPServer) SetFunnelClients(clients map[string]*FunnelClient)
- func (s *IDPServer) SetLoopbackURL(url string)
- func (s *IDPServer) SetServerURL(hostname string, port int)
Constants
const (
	TokenDuration        = 5 * time.Minute
	RefreshTokenDuration = 30 * 24 * time.Hour
	// NotValidBeforeClockSkew is the delta between the nbf and iat
	// claims to account for clock skew between servers and clients.
	// 5 minutes is a typical value, with 10 seconds being a common minimum.
	NotValidBeforeClockSkew = 5 * time.Minute
)
Variables
This section is empty.
Functions
Types
type ActorClaim
type ActorClaim struct {
Subject string `json:"sub"`
ClientID string `json:"client_id,omitempty"`
Actor *ActorClaim `json:"act,omitempty"` // Nested for delegation chains
}
ActorClaim represents the 'act' claim structure defined in RFC 8693 Section 4.1 for delegation scenarios in token exchange.
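As an added illustration (not code from the tsidp package), the following Go program shows how the nested act claim above grows by one hop on each RFC 8693 exchange and how an issuer can flatten and bound the chain before trusting it. The ActorClaim type mirrors the struct shown above; pushActor, delegationChain, parseActClaim, the maxDepth policy and the sample subjects and client IDs are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ActorClaim mirrors the page's struct. Per RFC 8693 §4.1 the outermost act
// is the party currently acting, and each nested act is the party that acted
// before it, so the original actor is the innermost one.
type ActorClaim struct {
	Subject  string      `json:"sub"`
	ClientID string      `json:"client_id,omitempty"`
	Actor    *ActorClaim `json:"act,omitempty"`
}

// pushActor records one more hop: the client performing this exchange wraps
// the existing chain, which is how a chain grows on each token exchange.
func pushActor(existing *ActorClaim, subject, clientID string) *ActorClaim {
	return &ActorClaim{Subject: subject, ClientID: clientID, Actor: existing}
}

// delegationChain flattens a nested act claim into actor subjects, most
// recent first. maxDepth is an assumed policy knob: bounding the chain keeps
// a malformed or hostile token from making the server walk, log or re-issue
// an arbitrarily long chain, and every hop must name a subject.
func delegationChain(a *ActorClaim, maxDepth int) ([]string, error) {
	var chain []string
	for cur := a; cur != nil; cur = cur.Actor {
		if len(chain) >= maxDepth {
			return nil, fmt.Errorf("act: delegation chain longer than %d hops", maxDepth)
		}
		if cur.Subject == "" {
			return nil, errors.New("act: actor entry has no sub")
		}
		chain = append(chain, cur.Subject)
	}
	return chain, nil
}

// parseActClaim pulls the act claim out of an already-verified JWT payload
// (the JSON claims set after signature verification, not the compact JWT).
func parseActClaim(payload []byte) (*ActorClaim, error) {
	var claims struct {
		Subject string      `json:"sub"`
		Actor   *ActorClaim `json:"act"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("act: bad claims JSON: %w", err)
	}
	return claims.Actor, nil
}

func main() {
	// Constructed scenario: client-a exchanged the user's token first, then
	// client-b exchanged the result, so client-b is the current actor.
	act := pushActor(pushActor(nil, "svc-a", "client-a"), "svc-b", "client-b")
	out, _ := json.MarshalIndent(map[string]any{"sub": "user@example.com", "act": act}, "", "  ")
	fmt.Println(string(out))

	chain, err := delegationChain(act, 5)
	fmt.Println("chain:", chain, "err:", err)
	_, err = delegationChain(act, 1)
	fmt.Println("with maxDepth=1:", err)
}
```

The depth bound matters more than it looks: encoding/json will happily decode a deeply nested act, and a server that re-wraps whatever it receives on every exchange would otherwise let a chain grow without limit.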
type AuthRequest
type AuthRequest struct {
	// LocalRP is true if the request is from a relying party running on the
	// same machine as the IdP server. It is mutually exclusive with RPNodeID
	// and FunnelRP.
	LocalRP bool
	// RPNodeID is the NodeID of the relying party (who requested the auth, such
	// as Proxmox or Synology), not the user node who is being authenticated. It
	// is mutually exclusive with LocalRP and FunnelRP.
	RPNodeID tailcfg.NodeID
	// FunnelRP is non-nil if the request is from a relying party outside the
	// tailnet, via Tailscale Funnel. It is mutually exclusive with RPNodeID
	// and LocalRP.
	FunnelRP *FunnelClient
	// ClientID is the "client_id" sent in the authorization request.
	ClientID string
	// Nonce is the nonce presented in the request.
	Nonce string
	// RedirectURI is the redirect_uri presented in the request.
	RedirectURI string
	// Resources are the resource URIs from RFC 8707 that the client is
	// requesting access to. These are validated at token issuance time.
	Resources []string
	// Scopes are the OAuth 2.0 scopes requested by the client.
	// These are validated against supported scopes at authorization time.
	Scopes []string
	// CodeChallenge is the PKCE code challenge from RFC 7636.
	// It is a value derived from the code_verifier that the client
	// will send during token exchange.
	CodeChallenge string
	// CodeChallengeMethod is the method used to derive CodeChallenge
	// from the code_verifier. Valid values are "plain" and "S256".
	// If empty, PKCE is not used for this request.
	CodeChallengeMethod string
	// RemoteUser is the user who is being authenticated.
	RemoteUser *apitype.WhoIsResponse
	// ValidTill is the time until which the token is valid.
	// Authorization codes expire after 5 minutes per OAuth 2.0 best practices (RFC 6749 recommends a maximum of 10 minutes).
	ValidTill time.Time
	// IssuedAt is the time when the token was issued.
	IssuedAt time.Time
	// NotValidBefore is the time before which the token is not yet valid.
	NotValidBefore time.Time
	// JTI is the unique identifier for the JWT (JWT ID).
	// It is used by token introspection to return the jti claim.
	JTI string

	// Token exchange specific fields (RFC 8693).
	IsExchangedToken bool     // Indicates whether this token was created via exchange
	OriginalClientID string   // The client that originally authenticated the user
	ExchangedBy      string   // The client that performed the exchange
	Audiences        []string // All intended audiences for the token

	// Delegation support (RFC 8693 act claim).
	ActorInfo *ActorClaim // For delegation scenarios
}
AuthRequest represents an authorization request.
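As an added example (not code from the tsidp package), the Go program below ties together the Constants section and the PKCE and validity fields of AuthRequest: it derives NotValidBefore and ValidTill from IssuedAt using the same values as TokenDuration and NotValidBeforeClockSkew, checks a code_verifier against CodeChallenge for both "plain" and "S256", and evaluates the nbf/exp window. The authRequest stand-in type, the helper names, the treatment of an empty CodeChallengeMethod as "no verifier required", and the sample timestamps are assumptions of this example; the code_verifier is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// Same values as the package constants listed above.
const (
	TokenDuration           = 5 * time.Minute
	NotValidBeforeClockSkew = 5 * time.Minute
)

// authRequest is a local stand-in holding only the AuthRequest fields this
// example uses (hypothetical type, not the package's own).
type authRequest struct {
	CodeChallenge       string
	CodeChallengeMethod string // "plain", "S256", or "" when PKCE is not used
	IssuedAt            time.Time
	NotValidBefore      time.Time
	ValidTill           time.Time
}

// newAuthRequest fills the time window from the issue time: nbf trails iat by
// the clock-skew allowance and the request expires TokenDuration after iat.
func newAuthRequest(challenge, method string, issuedAt time.Time) authRequest {
	return authRequest{
		CodeChallenge:       challenge,
		CodeChallengeMethod: method,
		IssuedAt:            issuedAt,
		NotValidBefore:      issuedAt.Add(-NotValidBeforeClockSkew),
		ValidTill:           issuedAt.Add(TokenDuration),
	}
}

// s256Challenge is the RFC 7636 S256 transform:
// BASE64URL(SHA-256(ASCII(code_verifier))) without padding.
func s256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// verifyPKCE checks the code_verifier presented at the token endpoint against
// the challenge recorded at authorization time. An empty method means PKCE
// was not used for this request, so no verifier is demanded (assumed policy).
func verifyPKCE(ar authRequest, verifier string) error {
	if ar.CodeChallengeMethod == "" {
		return nil
	}
	if n := len(verifier); n < 43 || n > 128 {
		return fmt.Errorf("pkce: code_verifier length %d outside RFC 7636 bounds 43..128", n)
	}
	var expected string
	switch ar.CodeChallengeMethod {
	case "plain":
		expected = verifier
	case "S256":
		expected = s256Challenge(verifier)
	default:
		return fmt.Errorf("pkce: unsupported code_challenge_method %q", ar.CodeChallengeMethod)
	}
	// Constant-time comparison so timing does not leak how many leading
	// bytes of the challenge a guessed verifier got right.
	if subtle.ConstantTimeCompare([]byte(expected), []byte(ar.CodeChallenge)) != 1 {
		return errors.New("pkce: code_verifier does not match code_challenge")
	}
	return nil
}

// withinValidity reports whether now lies in [NotValidBefore, ValidTill):
// nbf is inclusive and exp is exclusive, as RFC 7519 specifies. Checking nbf
// rather than iat is what tolerates a client clock running up to
// NotValidBeforeClockSkew ahead of the server's.
func withinValidity(ar authRequest, now time.Time) bool {
	return !now.Before(ar.NotValidBefore) && now.Before(ar.ValidTill)
}

func main() {
	// Constructed sample: the code_verifier from RFC 7636 Appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	issued := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	ar := newAuthRequest(s256Challenge(verifier), "S256", issued)

	fmt.Println("nbf:", ar.NotValidBefore.Format(time.RFC3339), "exp:", ar.ValidTill.Format(time.RFC3339))
	fmt.Println("correct verifier:", verifyPKCE(ar, verifier))
	fmt.Println("wrong verifier:  ", verifyPKCE(ar, "wrong"+verifier[5:]))
	fmt.Println("valid at iat+4m:", withinValidity(ar, issued.Add(4*time.Minute)))
	fmt.Println("valid at iat+5m:", withinValidity(ar, issued.Add(5*time.Minute)))
}
```

Two details are easy to get wrong when implementing this against the struct above: the challenge must be compared in constant time, and the verifier must be transformed with the method recorded in CodeChallengeMethod at authorization time, never with a method the client names again at the token endpoint.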
type CtxConn
type CtxConn struct{}
CtxConn is a key to look up a net.Conn stored in an HTTP request's context.
type FunnelClient
type FunnelClient struct {
ID string `json:"client_id"`
Secret string `json:"client_secret,omitempty"`
Name string `json:"client_name,omitempty"`
RedirectURIs []string `json:"redirect_uris"`
TokenEndpointAuthMethod string `json:"token_endpoint_auth_method,omitempty"`
GrantTypes []string `json:"grant_types,omitempty"`
ResponseTypes []string `json:"response_types,omitempty"`
Scope string `json:"scope,omitempty"`
ClientURI string `json:"client_uri,omitempty"`
LogoURI string `json:"logo_uri,omitempty"`
Contacts []string `json:"contacts,omitempty"`
ApplicationType string `json:"application_type,omitempty"`
DynamicallyRegistered bool `json:"dynamically_registered,omitempty"`
CreatedAt time.Time `json:"created_at"`
// backwards compatibility for old clients that used a single string
RedirectURI string `json:"redirect_uri"`
}
FunnelClient represents an OAuth/OIDC client configuration.
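As an added example (not the package's own code), the following Go program shows the redirect_uri check a server must make against a client record like FunnelClient above, including the backwards-compatible single-string RedirectURI field. The funnelClient stand-in type, the helper names, the exact-match policy and the sample client record are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// funnelClient is a local stand-in with just the FunnelClient fields that
// redirect_uri validation needs, including the legacy single-string field.
type funnelClient struct {
	ID           string
	RedirectURIs []string
	RedirectURI  string // backwards compatibility for old single-URI records
}

// registeredRedirectURIs merges the list form with the legacy single-string
// form so records written by older versions still validate.
func registeredRedirectURIs(c funnelClient) []string {
	uris := append([]string(nil), c.RedirectURIs...)
	if c.RedirectURI != "" {
		uris = append(uris, c.RedirectURI)
	}
	return uris
}

// resolveRedirectURI returns the redirect_uri the authorization response may
// be sent to. Matching is exact string equality against the registered values
// (RFC 6749 §3.1.2.3): no prefix, host-only or wildcard matching, since those
// are what let an attacker-controlled path or lookalike host receive the code.
func resolveRedirectURI(c funnelClient, requested string) (string, error) {
	registered := registeredRedirectURIs(c)
	if requested == "" {
		// The parameter may be omitted only when exactly one URI is registered.
		if len(registered) == 1 {
			return registered[0], nil
		}
		return "", fmt.Errorf("client %q has %d registered redirect URIs; redirect_uri is required", c.ID, len(registered))
	}
	u, err := url.Parse(requested)
	if err != nil || !u.IsAbs() {
		return "", fmt.Errorf("redirect_uri %q is not an absolute URI", requested)
	}
	if strings.Contains(requested, "#") {
		return "", errors.New("redirect_uri must not include a fragment component")
	}
	for _, reg := range registered {
		if reg == requested {
			return requested, nil
		}
	}
	return "", fmt.Errorf("redirect_uri %q is not registered for client %q", requested, c.ID)
}

func main() {
	// Constructed client record with one list entry and one legacy entry.
	c := funnelClient{
		ID:           "client-a",
		RedirectURIs: []string{"https://app.example.com/cb"},
		RedirectURI:  "https://legacy.example.com/cb",
	}
	for _, req := range []string{
		"https://app.example.com/cb",
		"https://legacy.example.com/cb",
		"https://app.example.com/cb?next=x",    // query differs: rejected
		"https://app.example.com.evil.test/cb", // lookalike host: rejected
		"/cb",                                  // relative: rejected
		"",                                     // ambiguous with two registered
	} {
		got, err := resolveRedirectURI(c, req)
		fmt.Printf("%-40q -> %q %v\n", req, got, err)
	}
}
```

The same exact-match rule should be applied again at the token endpoint: the redirect_uri presented there must equal the one bound to the authorization code, which is why AuthRequest records RedirectURI alongside the code.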
type IDPServer
type IDPServer struct {
// contains filtered or unexported fields
}
IDPServer handles OIDC identity provider operations.
func (*IDPServer) CleanupExpiredTokens
func (s *IDPServer) CleanupExpiredTokens()
CleanupExpiredTokens removes expired tokens from memory.
func (*IDPServer) LoadFunnelClients
func (s *IDPServer) LoadFunnelClients() error
LoadFunnelClients loads funnel clients from disk.
func (*IDPServer) ServeHTTP
func (s *IDPServer) ServeHTTP(w http.ResponseWriter, r *http.Request)
ServeHTTP implements http.Handler.
func (*IDPServer) SetFunnelClients
func (s *IDPServer) SetFunnelClients(clients map[string]*FunnelClient)
SetFunnelClients sets the funnel clients.
func (*IDPServer) SetLoopbackURL
func (s *IDPServer) SetLoopbackURL(url string)
SetLoopbackURL sets the loopback URL.
func (*IDPServer) SetServerURL
func (s *IDPServer) SetServerURL(hostname string, port int)
SetServerURL sets the server URL.