@auth0/auth0-spa-js 2.0.7 → 2.1.0

package/dist/typings/Auth0Client.d.ts

@@ -22,7 +22,7 @@ export declare class Auth0Client {
     private _url;
     private _authorizeUrl;
     private _verifyIdToken;
-    private _processOrgIdHint;
+    private _processOrgHint;
     private _prepareAuthorizeUrl;
     /**
      * ```js

package/dist/typings/global.d.ts

@@ -66,10 +66,13 @@ export interface AuthorizationParams {
      */
     connection?: string;
     /**
-     * The Id of an organization to log in to.
+     * The organization to log in to.
+     *
+     * This will specify an `organization` parameter in your user's login request.
+     *
+     * - If you provide an Organization ID (a string with the prefix `org_`), it will be validated against the `org_id` claim of your user's ID Token. The validation is case-sensitive.
+     * - If you provide an Organization Name (a string *without* the prefix `org_`), it will be validated against the `org_name` claim of your user's ID Token. The validation is case-insensitive.
      *
-     * This will specify an `organization` parameter in your user's login request and will add a step to validate
-     * the `org_id` claim in your user's ID Token.
      */
     organization?: string;
     /**
@@ -496,7 +499,7 @@ export interface JWTVerifyOptions {
     nonce?: string;
     leeway?: number;
     max_age?: number;
-    organizationId?: string;
+    organization?: string;
     now?: number;
 }
 export interface IdToken {
@@ -532,11 +535,12 @@ export interface IdToken {
     at_hash?: string;
     c_hash?: string;
     acr?: string;
-    amr?: string;
+    amr?: string[];
     sub_jwk?: string;
     cnf?: string;
     sid?: string;
     org_id?: string;
+    org_name?: string;
     [key: string]: any;
 }
 export declare class User {

package/dist/typings/transaction-manager.d.ts

@@ -6,14 +6,13 @@ interface Transaction {
     appState?: any;
     code_verifier: string;
     redirect_uri?: string;
-    organizationId?: string;
+    organization?: string;
     state?: string;
 }
 export declare class TransactionManager {
     private storage;
     private clientId;
     private cookieDomain?;
-    private transaction;
     private storageKey;
     constructor(storage: ClientStorage, clientId: string, cookieDomain?: string | undefined);
     create(transaction: Transaction): void;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.0.7";
+declare const _default: "2.1.0";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.0.7",
+  "version": "2.1.0",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",

package/src/Auth0Client.ts

@@ -208,7 +208,7 @@ export class Auth0Client {
     this.transactionManager = new TransactionManager(
       transactionStorage,
       this.options.clientId,
-      this.options.cookieDomain,
+      this.options.cookieDomain
     );
 
     this.nowProvider = this.options.nowProvider || DEFAULT_NOW_PROVIDER;
@@ -249,7 +249,7 @@ export class Auth0Client {
   private async _verifyIdToken(
     id_token: string,
     nonce?: string,
-    organizationId?: string
+    organization?: string
   ) {
     const now = await this.nowProvider();
 
@@ -258,16 +258,16 @@ export class Auth0Client {
       aud: this.options.clientId,
       id_token,
       nonce,
-      organizationId,
+      organization,
       leeway: this.options.leeway,
       max_age: parseNumber(this.options.authorizationParams.max_age),
       now
     });
   }
 
-  private _processOrgIdHint(organizationId?: string) {
-    if (organizationId) {
-      this.cookieStorage.save(this.orgHintCookieName, organizationId, {
+  private _processOrgHint(organization?: string) {
+    if (organization) {
+      this.cookieStorage.save(this.orgHintCookieName, organization, {
         daysUntilExpire: this.sessionCheckExpiryDays,
         cookieDomain: this.options.cookieDomain
       });
@@ -383,7 +383,7 @@ export class Auth0Client {
       throw new GenericError('state_mismatch', 'Invalid state');
     }
 
-    const organizationId =
+    const organization =
       options.authorizationParams?.organization ||
       this.options.authorizationParams.organization;
 
@@ -398,7 +398,7 @@ export class Auth0Client {
       },
       {
         nonceIn: params.nonce,
-        organizationId
+        organization
       }
     );
   }
@@ -449,7 +449,7 @@ export class Auth0Client {
     const { openUrl, fragment, appState, ...urlOptions } =
       patchOpenUrlWithOnRedirect(options);
 
-    const organizationId =
+    const organization =
       urlOptions.authorizationParams?.organization ||
       this.options.authorizationParams.organization;
 
@@ -460,7 +460,7 @@ export class Auth0Client {
     this.transactionManager.create({
       ...transaction,
       appState,
-      ...(organizationId && { organizationId })
+      ...(organization && { organization })
     });
 
     const urlWithFragment = fragment ? `${url}#${fragment}` : url;
@@ -516,7 +516,7 @@ export class Auth0Client {
       throw new GenericError('state_mismatch', 'Invalid state');
     }
 
-    const organizationId = transaction.organizationId;
+    const organization = transaction.organization;
     const nonceIn = transaction.nonce;
     const redirect_uri = transaction.redirect_uri;
 
@@ -529,7 +529,7 @@ export class Auth0Client {
         code: code as string,
         ...(redirect_uri ? { redirect_uri } : {})
       },
-      { nonceIn, organizationId }
+      { nonceIn, organization }
     );
 
     return {
@@ -862,10 +862,10 @@ export class Auth0Client {
       prompt: 'none'
     };
 
-    const orgIdHint = this.cookieStorage.get<string>(this.orgHintCookieName);
+    const orgHint = this.cookieStorage.get<string>(this.orgHintCookieName);
 
-    if (orgIdHint && !params.organization) {
-      params.organization = orgIdHint;
+    if (orgHint && !params.organization) {
+      params.organization = orgHint;
     }
 
     const {
@@ -912,7 +912,8 @@ export class Auth0Client {
           timeout: options.authorizationParams.timeout || this.httpTimeoutMs
         },
         {
-          nonceIn
+          nonceIn,
+          organization: params.organization
         }
       );
 
@@ -1095,7 +1096,7 @@ export class Auth0Client {
     options: PKCERequestTokenOptions | RefreshTokenRequestTokenOptions,
     additionalParameters?: RequestTokenAdditionalParameters
   ) {
-    const { nonceIn, organizationId } = additionalParameters || {};
+    const { nonceIn, organization } = additionalParameters || {};
     const authResult = await oauthToken(
       {
         baseUrl: this.domainUrl,
@@ -1111,7 +1112,7 @@ export class Auth0Client {
     const decodedToken = await this._verifyIdToken(
       authResult.id_token,
       nonceIn,
-      organizationId
+      organization
     );
 
     await this._saveEntryInCache({
@@ -1128,7 +1129,7 @@ export class Auth0Client {
       cookieDomain: this.options.cookieDomain
     });
 
-    this._processOrgIdHint(decodedToken.claims.org_id);
+    this._processOrgHint(organization);
 
     return { ...authResult, decodedToken };
   }
@@ -1154,5 +1155,5 @@ interface RefreshTokenRequestTokenOptions extends BaseRequestTokenOptions {
 
 interface RequestTokenAdditionalParameters {
   nonceIn?: string;
-  organizationId?: string;
+  organization?: string;
 }

package/src/global.ts

@@ -78,10 +78,13 @@ export interface AuthorizationParams {
   connection?: string;
 
   /**
-   * The Id of an organization to log in to.
+   * The organization to log in to.
+   *
+   * This will specify an `organization` parameter in your user's login request.
+   *
+   * - If you provide an Organization ID (a string with the prefix `org_`), it will be validated against the `org_id` claim of your user's ID Token. The validation is case-sensitive.
+   * - If you provide an Organization Name (a string *without* the prefix `org_`), it will be validated against the `org_name` claim of your user's ID Token. The validation is case-insensitive.
    *
-   * This will specify an `organization` parameter in your user's login request and will add a step to validate
-   * the `org_id` claim in your user's ID Token.
    */
   organization?: string;
 
@@ -551,7 +554,7 @@ export interface JWTVerifyOptions {
   nonce?: string;
   leeway?: number;
   max_age?: number;
-  organizationId?: string;
+  organization?: string;
   now?: number;
 }
 
@@ -588,11 +591,12 @@ export interface IdToken {
   at_hash?: string;
   c_hash?: string;
   acr?: string;
-  amr?: string;
+  amr?: string[];
   sub_jwk?: string;
   cnf?: string;
   sid?: string;
   org_id?: string;
+  org_name?: string;
   [key: string]: any;
 }
 

package/src/jwt.ts

@@ -193,15 +193,31 @@ export const verify = (options: JWTVerifyOptions) => {
     }
   }
 
-  if (options.organizationId) {
-    if (!decoded.claims.org_id) {
-      throw new Error(
-        'Organization ID (org_id) claim must be a string present in the ID token'
-      );
-    } else if (options.organizationId !== decoded.claims.org_id) {
-      throw new Error(
-        `Organization ID (org_id) claim mismatch in the ID token; expected "${options.organizationId}", found "${decoded.claims.org_id}"`
-      );
+  if (options.organization) {
+    const org = options.organization.trim();
+    if (org.startsWith('org_')) {
+      const orgId = org;
+      if (!decoded.claims.org_id) {
+        throw new Error(
+          'Organization ID (org_id) claim must be a string present in the ID token'
+        );
+      } else if (orgId !== decoded.claims.org_id) {
+        throw new Error(
+          `Organization ID (org_id) claim mismatch in the ID token; expected "${orgId}", found "${decoded.claims.org_id}"`
+        );
+      }
+    } else {
+      const orgName = org.toLowerCase();
+      // TODO should we verify if there is an `org_id` claim?
+      if (!decoded.claims.org_name) {
+        throw new Error(
+          'Organization Name (org_name) claim must be a string present in the ID token'
+        );
+      } else if (orgName !== decoded.claims.org_name.toLowerCase()) {
+        throw new Error(
+          `Organization Name (org_name) claim mismatch in the ID token; expected "${orgName}", found "${decoded.claims.org_name.toLowerCase()}"`
+        );
+      }
     }
   }
 

package/src/transaction-manager.ts

@@ -9,34 +9,33 @@ interface Transaction {
   appState?: any;
   code_verifier: string;
   redirect_uri?: string;
-  organizationId?: string;
+  organization?: string;
   state?: string;
 }
 
 export class TransactionManager {
-  private transaction: Transaction | undefined;
   private storageKey: string;
 
-  constructor(private storage: ClientStorage, private clientId: string, private cookieDomain?: string) {
+  constructor(
+    private storage: ClientStorage,
+    private clientId: string,
+    private cookieDomain?: string
+  ) {
     this.storageKey = `${TRANSACTION_STORAGE_KEY_PREFIX}.${this.clientId}`;
-    this.transaction = this.storage.get(this.storageKey);
   }
 
   public create(transaction: Transaction) {
-    this.transaction = transaction;
-
     this.storage.save(this.storageKey, transaction, {
       daysUntilExpire: 1,
-      cookieDomain: this.cookieDomain,
+      cookieDomain: this.cookieDomain
     });
   }
 
   public get(): Transaction | undefined {
-    return this.transaction;
+    return this.storage.get(this.storageKey);
   }
 
   public remove() {
-    delete this.transaction;
     this.storage.remove(this.storageKey, {
       cookieDomain: this.cookieDomain
     });

package/src/version.ts

@@ -1 +1 @@
-export default '2.0.7';
+export default '2.1.0';