export interface EntraConfig {
    tenantId?: string;
    clientId?: string;
    clientSecret?: string;
    authority?: string;
}
export interface UserInfo {
    sub: string;
    email?: string;
    email_verified?: boolean;
    name?: string;
    picture?: string;
    given_name?: string;
    family_name?: string;
    nickname?: string;
    locale?: string;
    updated_at?: string;
    oid?: string;
    preferred_username?: string;
    unique_name?: string;
}
export interface TokenValidationResult {
    valid: boolean;
    user?: UserInfo;
    error?: string;
    scopes?: string[];
}
export declare class EntraClient {
    private jwksClient;
    private authority;
    private tenantId;
    private clientId;
    private clientSecret;
    constructor(config?: EntraConfig);
    /**
     * Get MS Entra OAuth authorization server metadata
     * Returns our proxy endpoints, not Microsoft's direct endpoints
     */
    getAuthorizationServerMetadata(): Promise<{
        issuer: string;
        authorization_endpoint: string;
        token_endpoint: string;
        userinfo_endpoint: string;
        jwks_uri: string;
        client_id: string;
        tenant_id: string;
        scopes_supported: string[];
        response_types_supported: string[];
        response_modes_supported: string[];
        grant_types_supported: string[];
        subject_types_supported: string[];
        id_token_signing_alg_values_supported: string[];
        token_endpoint_auth_methods_supported: string[];
        code_challenge_methods_supported: string[];
        claims_supported: string[];
    }>;
    /**
     * Proxy authorization request to MS Entra
     * IGNORES any client_id from Claude.ai and forces our Azure App Registration client_id
     * Maps custom MCP scopes to valid Microsoft Graph scopes
     */
    proxyAuthorizeRequest(params: URLSearchParams): Promise<string>;
    /**
     * Map custom MCP scopes to valid Microsoft Graph scopes
     * This allows Claude.ai to request MCP scopes while we send valid scopes to Microsoft
     */
    private mapMCPScopesToGraphScopes;
    /**
     * Map Microsoft Graph scopes back to MCP scopes for our application
     * This ensures our application sees the MCP scopes that Claude.ai originally requested
     */
    private mapGraphScopesToMCPScopes;
    /**
     * Proxy token request to MS Entra
     * IGNORES any client credentials from Claude.ai and uses our Azure App Registration
     */
    proxyTokenRequest(body: any): Promise<any>;
    /**
     * Validate access token with MS Entra
     */
    validateToken(token: string): Promise<TokenValidationResult>;
    /**
     * Validate JWT token
     */
    private validateJWT;
    /**
     * Validate opaque token using Microsoft Graph userinfo endpoint
     */
    private validateOpaqueToken;
    /**
     * Fetch user info from Microsoft Graph userinfo endpoint
     */
    private fetchUserInfo;
    /**
     * Check if user has required scopes for MCP operations
     */
    hasRequiredScopes(scopes: string[] | undefined, requiredScopes: string[]): boolean;
}
//# sourceMappingURL=entra-client.d.ts.map