@auth0/auth0-spa-js 2.2.0 → 2.3.0

package/dist/typings/Auth0Client.d.ts

@@ -204,7 +204,7 @@ export declare class Auth0Client {
      * - `subject_token_type`: The type of the external token (validated by this function).
      * - `scope`: A unique set of scopes, generated by merging the scopes supplied in the options
      *            with the SDK’s default scopes.
-     * - `audience`: The target audience, as determined by the SDK's authorization configuration.
+     * - `audience`: The target audience from the options, with fallback to the SDK's authorization configuration.
      *
      * **Example Usage:**
      *
@@ -213,15 +213,15 @@ export declare class Auth0Client {
      * const options: CustomTokenExchangeOptions = {
      *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
      *   subject_token_type: 'urn:acme:legacy-system-token',
-     *   scope: ['openid', 'profile']
+     *   scope: "openid profile"
      * };
      *
      * // Exchange the external token for Auth0 tokens
      * try {
      *   const tokenResponse = await instance.exchangeToken(options);
-     *   console.log('Token response:', tokenResponse);
+     *   // Use tokenResponse.access_token, tokenResponse.id_token, etc.
      * } catch (error) {
-     *   console.error('Token exchange failed:', error);
+     *   // Handle token exchange error
      * }
      * ```
      */

package/dist/typings/TokenExchange.d.ts

@@ -36,12 +36,13 @@ export type CustomTokenExchangeOptions = {
      * The target audience for the requested Auth0 token
      *
      * @remarks
-     * Must match exactly with an API identifier configured in your Auth0 tenant
+     * Must match exactly with an API identifier configured in your Auth0 tenant.
+     * If not provided, falls back to the client's default audience.
      *
      * @example
      * "https://api.your-service.com/v1"
      */
-    audience: string;
+    audience?: string;
     /**
      * Space-separated list of OAuth 2.0 scopes being requested
      *

package/dist/typings/global.d.ts

@@ -72,6 +72,8 @@ export interface AuthorizationParams {
      *
      * - If you provide an Organization ID (a string with the prefix `org_`), it will be validated against the `org_id` claim of your user's ID Token. The validation is case-sensitive.
      * - If you provide an Organization Name (a string *without* the prefix `org_`), it will be validated against the `org_name` claim of your user's ID Token. The validation is case-insensitive.
+     *   To use an Organization Name you must have "Allow Organization Names in Authentication API" switched on in your Auth0 settings dashboard.
+     *   More information is available on the [Auth0 documentation portal](https://auth0.com/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api)
      *
      */
     organization?: string;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.2.0";
+declare const _default: "2.3.0";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",

package/src/Auth0Client.ts

@@ -901,7 +901,15 @@ export class Auth0Client {
       const authorizeTimeout =
         options.timeoutInSeconds || this.options.authorizeTimeoutInSeconds;
 
-      const codeResult = await runIframe(url, this.domainUrl, authorizeTimeout);
+      // Extract origin from domainUrl, fallback to domainUrl if URL parsing fails
+      let eventOrigin: string;
+      try {
+        eventOrigin = new URL(this.domainUrl).origin;
+      } catch {
+        eventOrigin = this.domainUrl;
+      }
+
+      const codeResult = await runIframe(url, eventOrigin, authorizeTimeout);
 
       if (stateIn !== codeResult.state) {
         throw new GenericError('state_mismatch', 'Invalid state');
@@ -1171,7 +1179,7 @@ export class Auth0Client {
    * - `subject_token_type`: The type of the external token (validated by this function).
    * - `scope`: A unique set of scopes, generated by merging the scopes supplied in the options
    *            with the SDK’s default scopes.
-   * - `audience`: The target audience, as determined by the SDK's authorization configuration.
+   * - `audience`: The target audience from the options, with fallback to the SDK's authorization configuration.
    *
    * **Example Usage:**
    *
@@ -1180,15 +1188,15 @@ export class Auth0Client {
    * const options: CustomTokenExchangeOptions = {
    *   subject_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp...',
    *   subject_token_type: 'urn:acme:legacy-system-token',
-   *   scope: ['openid', 'profile']
+   *   scope: "openid profile"
    * };
    *
    * // Exchange the external token for Auth0 tokens
    * try {
    *   const tokenResponse = await instance.exchangeToken(options);
-   *   console.log('Token response:', tokenResponse);
+   *   // Use tokenResponse.access_token, tokenResponse.id_token, etc.
    * } catch (error) {
-   *   console.error('Token exchange failed:', error);
+   *   // Handle token exchange error
    * }
    * ```
    */
@@ -1200,7 +1208,7 @@ export class Auth0Client {
       subject_token: options.subject_token,
       subject_token_type: options.subject_token_type,
       scope: getUniqueScopes(options.scope, this.scope),
-      audience: this.options.authorizationParams.audience
+      audience: options.audience || this.options.authorizationParams.audience
     });
   }
 }

package/src/TokenExchange.ts

@@ -38,12 +38,13 @@ export type CustomTokenExchangeOptions = {
    * The target audience for the requested Auth0 token
    *
    * @remarks
-   * Must match exactly with an API identifier configured in your Auth0 tenant
+   * Must match exactly with an API identifier configured in your Auth0 tenant.
+   * If not provided, falls back to the client's default audience.
    *
    * @example
    * "https://api.your-service.com/v1"
    */
-  audience: string;
+  audience?: string;
 
   /**
    * Space-separated list of OAuth 2.0 scopes being requested

package/src/api.ts

@@ -15,9 +15,18 @@ export async function oauthToken(
   }: TokenEndpointOptions,
   worker?: Worker
 ) {
+  const isTokenExchange =
+    options.grant_type === 'urn:ietf:params:oauth:grant-type:token-exchange';
+
+  const allParams = {
+    ...options,
+    ...(isTokenExchange && audience && { audience }),
+    ...(isTokenExchange && scope && { scope })
+  };
+
   const body = useFormData
-    ? createQueryParams(options)
-    : JSON.stringify(options);
+    ? createQueryParams(allParams)
+    : JSON.stringify(allParams);
 
   return await getJSON<TokenEndpointResponse>(
     `${baseUrl}/oauth/token`,

package/src/global.ts

@@ -84,6 +84,8 @@ export interface AuthorizationParams {
    *
    * - If you provide an Organization ID (a string with the prefix `org_`), it will be validated against the `org_id` claim of your user's ID Token. The validation is case-sensitive.
    * - If you provide an Organization Name (a string *without* the prefix `org_`), it will be validated against the `org_name` claim of your user's ID Token. The validation is case-insensitive.
+   *   To use an Organization Name you must have "Allow Organization Names in Authentication API" switched on in your Auth0 settings dashboard.
+   *   More information is available on the [Auth0 documentation portal](https://auth0.com/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api)
    *
    */
   organization?: string;

package/src/version.ts

@@ -1 +1 @@
-export default '2.2.0';
+export default '2.3.0';