Documentation
Overview
Package client provides an OAuth PKCE client for local authentication.
Types
type Client
type Client interface {
	// Login performs the OAuth PKCE flow and returns tokens.
	Login(ctx context.Context) (*Tokens, error)
	// Refresh refreshes an access token using a refresh token.
	Refresh(ctx context.Context, refreshToken string) (*Tokens, error)
}
Client handles the OAuth PKCE authentication flow.
type Config
type Config struct {
	// IssuerURL is the OIDC issuer URL (e.g., https://dex.example.com).
	IssuerURL string
	// ClientID is the OAuth client ID.
	ClientID string
	// Resource is the optional OAuth protected resource to request tokens for.
	// Leave empty for standard OIDC providers that do not use RFC 8707 resource parameters.
	Resource string
	// BrandingURL is the URL to fetch branding config from (optional).
	// When set, the client fetches SuccessPageConfig from this endpoint
	// before login so it can resolve branding rules client-side in OIDC mode.
	BrandingURL string
	// RedirectPort is the local port for the callback server.
	// When zero, a free loopback port is selected automatically.
	RedirectPort int
	// Scopes are the OAuth scopes to request.
	Scopes []string
	// Headless uses the device authorization flow (RFC 8628) instead of
	// the local callback server. Use for SSH or headless environments.
	Headless bool
}
Config configures the OAuth client.
type OIDCConfig
type OIDCConfig struct {
	Issuer                      string   `json:"issuer"`
	AuthorizationEndpoint       string   `json:"authorization_endpoint"`
	TokenEndpoint               string   `json:"token_endpoint"`
	DeviceAuthorizationEndpoint string   `json:"device_authorization_endpoint"`
	JwksURI                     string   `json:"jwks_uri"`
	ScopesSupported             []string `json:"scopes_supported"`
}
OIDCConfig contains OIDC discovery configuration.
type Tokens
type Tokens struct {
	AccessToken          string    `json:"access_token"`
	RefreshToken         string    `json:"refresh_token,omitempty"`
	TokenType            string    `json:"token_type"`
	ExpiresIn            int       `json:"expires_in"`
	ExpiresAt            time.Time `json:"expires_at"`
	RefreshTokenIssuedAt time.Time `json:"refresh_token_issued_at,omitempty"`
}
Tokens contains the authentication tokens.