Build the authorization URL for the RFC 6749 §4.1 authorization code flow with RFC 7636 (PKCE).
codeVerifier MUST be a cryptographically strong URL-safe random string; the route
layer generates and stores it in the session before calling. Adapters compute
code_challenge via the shared pkce helper (codeChallenge(codeVerifier)) and MUST NOT
accept a pre-computed challenge, so the verifier and challenge can never be produced with different transform methods.
nonce is optional — OIDC providers MUST forward it as the upstream nonce
authorization param so that the matching expectedNonce check in exchangeCode
binds the returned id_token to this session (OIDC Core §3.1.3.7). OAuth-only
providers (e.g. GitHub OAuth Apps) ignore it.
Exchange an authorization code for a normalized FederationProfile.
Adapters post to the IdP's token endpoint, optionally call the userinfo endpoint,
and return a FederationProfile. They MUST include issuer and sub; all other
standard fields are optional.
nonce is optional — OIDC providers MUST pass it as expectedNonce to the
upstream library so that the id_token nonce claim is verified against the
session-stored value (OIDC Core §3.1.3.7). OAuth-only providers ignore it.
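As an added illustration of the two calls described above (not the project's own code): a dependency-free S256 pkce helper, an authorization-URL builder that sends only the challenge upstream, and the constant-time nonce comparison exchangeCode relies on. The names AuthorizeParams, buildAuthorizationUrl and nonceMatches are assumed here, not taken from the interface.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 §4.1: 32 random bytes -> 43-char unpadded base64url verifier.
export function generateCodeVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// RFC 7636 §4.2, S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
export function codeChallenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier).digest("base64url");
}

// Assumed parameter shape for this example; not part of the interface.
export interface AuthorizeParams {
  authorizationEndpoint: string; // IdP authorize URL (placeholder in tests)
  clientId: string;
  redirectUri: string;
  scope: string;
  state: string;        // CSRF token allocated by the session route layer
  codeVerifier: string; // generated and session-stored by the route layer
  nonce?: string;       // OIDC only; OAuth-only providers simply omit it
}

// RFC 6749 §4.1.1 + RFC 7636 §4.3: the challenge, never the verifier, goes upstream.
export function buildAuthorizationUrl(p: AuthorizeParams): string {
  const url = new URL(p.authorizationEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", p.clientId);
  url.searchParams.set("redirect_uri", p.redirectUri);
  url.searchParams.set("scope", p.scope);
  url.searchParams.set("state", p.state);
  url.searchParams.set("code_challenge", codeChallenge(p.codeVerifier));
  url.searchParams.set("code_challenge_method", "S256");
  if (p.nonce !== undefined) url.searchParams.set("nonce", p.nonce);
  return url.toString();
}

// OIDC Core §3.1.3.7: the id_token nonce claim must equal the session value.
// Constant-time compare; a missing claim when a nonce was expected also fails.
export function nonceMatches(idTokenNonce: string | undefined, expectedNonce: string): boolean {
  if (idTokenNonce === undefined) return false;
  const a = Buffer.from(idTokenNonce);
  const b = Buffer.from(expectedNonce);
  return a.length === b.length && timingSafeEqual(a, b);
}
```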
Pure-function interface for an upstream OAuth 2 / OIDC identity provider.
Implementations MUST NOT expose vendor library types (passport, arctic, openid-client, etc.) through this interface or through types exported alongside it. Adapters should keep vendor concerns behind a facade of at most 50 lines (target).
State (CSRF state, PKCE codeVerifier) is managed by the session route layer and passed into both calls; providers never allocate state themselves.