@auth0/auth0-spa-js 2.4.0 → 2.5.0

package/dist/typings/Auth0Client.utils.d.ts

@@ -32,3 +32,35 @@ export declare const getAuthorizeParams: (clientOptions: Auth0ClientOptions & {
  * Function used to provide support for the deprecated onRedirect through openUrl.
  */
 export declare const patchOpenUrlWithOnRedirect: <T extends Pick<LogoutOptions, "openUrl" | "onRedirect">>(options: T) => T;
+/**
+ * @ignore
+ *
+ * Checks if all scopes are included inside other array of scopes
+ */
+export declare const allScopesAreIncluded: (scopeToInclude?: string, scopes?: string) => boolean;
+/**
+ * @ignore
+ *
+ * For backward compatibility we are going to check if we are going to downscope while doing a refresh request
+ * while MRRT is allowed. If the audience is the same for the refresh_token we are going to use and it has
+ * lower scopes than the ones originally in the token, we are going to return the scopes that were stored
+ * with the refresh_token in the tokenset.
+ * @param useMrrt Setting that the user can activate to use MRRT in their requests
+ * @param authorizationParams Contains the audience and scope that the user requested to obtain a token
+ * @param cachedAudience Audience stored with the refresh_token wich we are going to use in the request
+ * @param cachedScope Scope stored with the refresh_token wich we are going to use in the request
+ */
+export declare const getScopeToRequest: (useMrrt: boolean | undefined, authorizationParams: {
+    audience?: string;
+    scope: string;
+}, cachedAudience?: string, cachedScope?: string) => string;
+/**
+ * @ignore
+ *
+ * Checks if the refresh request has been done using MRRT
+ * @param cachedAudience Audience from the refresh token used to refresh
+ * @param cachedScope Scopes from the refresh token used to refresh
+ * @param requestAudience Audience sent to the server
+ * @param requestScope Scopes sent to the server
+ */
+export declare const isRefreshWithMrrt: (cachedAudience: string | undefined, cachedScope: string | undefined, requestAudience: string | undefined, requestScope: string) => boolean;

package/dist/typings/api.d.ts

@@ -1,2 +1,2 @@
 import { TokenEndpointOptions, TokenEndpointResponse } from './global';
-export declare function oauthToken({ baseUrl, timeout, audience, scope, auth0Client, useFormData, dpop, ...options }: TokenEndpointOptions, worker?: Worker): Promise<TokenEndpointResponse>;
+export declare function oauthToken({ baseUrl, timeout, audience, scope, auth0Client, useFormData, useMrrt, dpop, ...options }: TokenEndpointOptions, worker?: Worker): Promise<TokenEndpointResponse>;

package/dist/typings/cache/cache-manager.d.ts

@@ -7,7 +7,8 @@ export declare class CacheManager {
     constructor(cache: ICache, keyManifest?: CacheKeyManifest | undefined, nowProvider?: () => number | Promise<number>);
     setIdToken(clientId: string, idToken: string, decodedToken: DecodedToken): Promise<void>;
     getIdToken(cacheKey: CacheKey): Promise<IdTokenEntry | undefined>;
-    get(cacheKey: CacheKey, expiryAdjustmentSeconds?: number): Promise<Partial<CacheEntry> | undefined>;
+    get(cacheKey: CacheKey, expiryAdjustmentSeconds?: number, useMrrt?: boolean, cacheMode?: string): Promise<Partial<CacheEntry> | undefined>;
+    private modifiedCachedEntry;
     set(entry: CacheEntry): Promise<void>;
     clear(clientId?: string): Promise<void>;
     private wrapCacheEntry;
@@ -31,4 +32,20 @@ export declare class CacheManager {
      * @param allKeys A list of existing cache keys
      */
     private matchExistingCacheKey;
+    /**
+     * Returns the first entry that contains a refresh_token that satisfies the following conditions
+     * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
+     * - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
+     * - `clientId` is strict equal to the `cacheKey.clientId`
+     * @param keyToMatch The provided cache key
+     * @param allKeys A list of existing cache keys
+     */
+    private getEntryWithRefreshToken;
+    /**
+     * Updates in the cache all entries that has a match with previous refresh_token with the
+     * new refresh_token obtained from the server
+     * @param oldRefreshToken Old refresh_token used on refresh
+     * @param newRefreshToken New refresh_token obtained from the server after refresh
+    */
+    updateEntry(oldRefreshToken: string, newRefreshToken: string): Promise<void>;
 }

package/dist/typings/fetcher.d.ts

@@ -6,7 +6,11 @@ export type CustomFetchMinimalOutput = {
     headers: ResponseHeaders;
 };
 export type CustomFetchImpl<TOutput extends CustomFetchMinimalOutput> = (req: Request) => Promise<TOutput>;
-type AccessTokenFactory = () => Promise<string>;
+export type AuthParams = {
+    scope?: string[];
+    audience?: string;
+};
+type AccessTokenFactory = (authParams?: AuthParams) => Promise<string>;
 export type FetcherConfig<TOutput extends CustomFetchMinimalOutput> = {
     getAccessToken?: AccessTokenFactory;
     baseUrl?: string;
@@ -15,7 +19,7 @@ export type FetcherConfig<TOutput extends CustomFetchMinimalOutput> = {
 };
 export type FetcherHooks = {
     isDpopEnabled: () => boolean;
-    getAccessToken: () => Promise<string>;
+    getAccessToken: AccessTokenFactory;
     getDpopNonce: () => Promise<string | undefined>;
     setDpopNonce: (nonce: string) => Promise<void>;
     generateDpopProof: (params: {
@@ -34,15 +38,15 @@ export declare class Fetcher<TOutput extends CustomFetchMinimalOutput> {
     constructor(config: FetcherConfig<TOutput>, hooks: FetcherHooks);
     protected isAbsoluteUrl(url: string): boolean;
     protected buildUrl(baseUrl: string | undefined, url: string | undefined): string;
-    protected getAccessToken(): Promise<string>;
+    protected getAccessToken(authParams?: AuthParams): Promise<string>;
     protected buildBaseRequest(info: RequestInfo | URL, init: RequestInit | undefined): Request;
     protected setAuthorizationHeader(request: Request, accessToken: string): Promise<void>;
     protected setDpopProofHeader(request: Request, accessToken: string): Promise<void>;
-    protected prepareRequest(request: Request): Promise<void>;
+    protected prepareRequest(request: Request, authParams?: AuthParams): Promise<void>;
     protected getHeader(headers: ResponseHeaders, name: string): string;
     protected hasUseDpopNonceError(response: TOutput): boolean;
     protected handleResponse(response: TOutput, callbacks: FetchWithAuthCallbacks<TOutput>): Promise<TOutput>;
-    protected internalFetchWithAuth(info: RequestInfo | URL, init: RequestInit | undefined, callbacks: FetchWithAuthCallbacks<TOutput>): Promise<TOutput>;
-    fetchWithAuth(info: RequestInfo | URL, init?: RequestInit): Promise<TOutput>;
+    protected internalFetchWithAuth(info: RequestInfo | URL, init: RequestInit | undefined, callbacks: FetchWithAuthCallbacks<TOutput>, authParams?: AuthParams): Promise<TOutput>;
+    fetchWithAuth(info: RequestInfo | URL, init?: RequestInit, authParams?: AuthParams): Promise<TOutput>;
 }
 export {};

package/dist/typings/global.d.ts

@@ -243,6 +243,10 @@ export interface Auth0ClientOptions extends BaseLoginOptions {
      * **Note**: The worker is only used when `useRefreshTokens: true`, `cacheLocation: 'memory'`, and the `cache` is not custom.
      */
     workerUrl?: string;
+    /**
+     * If `true`, the SDK will allow the refreshing of tokens using MRRT
+     */
+    useMrrt?: boolean;
     /**
      * If `true`, DPoP (OAuth 2.0 Demonstrating Proof of Possession, RFC9449)
      * will be used to cryptographically bind tokens to this specific browser

package/dist/typings/http.d.ts

@@ -1,5 +1,5 @@
 import { FetchOptions } from './global';
 import { Dpop } from './dpop/dpop';
 export declare const createAbortController: () => AbortController;
-export declare const switchFetch: (fetchUrl: string, audience: string, scope: string, fetchOptions: FetchOptions, worker?: Worker, useFormData?: boolean, timeout?: number) => Promise<any>;
-export declare function getJSON<T>(url: string, timeout: number | undefined, audience: string, scope: string, options: FetchOptions, worker?: Worker, useFormData?: boolean, dpop?: Pick<Dpop, 'generateProof' | 'getNonce' | 'setNonce'>, isDpopRetry?: boolean): Promise<T>;
+export declare const switchFetch: (fetchUrl: string, audience: string, scope: string, fetchOptions: FetchOptions, worker?: Worker, useFormData?: boolean, timeout?: number, useMrrt?: boolean) => Promise<any>;
+export declare function getJSON<T>(url: string, timeout: number | undefined, audience: string, scope: string, options: FetchOptions, worker?: Worker, useFormData?: boolean, useMrrt?: boolean, dpop?: Pick<Dpop, 'generateProof' | 'getNonce' | 'setNonce'>, isDpopRetry?: boolean): Promise<T>;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.4.0";
+declare const _default: "2.5.0";
 export default _default;

package/dist/typings/worker/worker.types.d.ts

@@ -7,6 +7,7 @@ export type WorkerRefreshTokenMessage = {
     fetchUrl: string;
     fetchOptions: FetchOptions;
     useFormData?: boolean;
+    useMrrt?: boolean;
     auth: {
         audience: string;
         scope: string;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",
@@ -22,6 +22,11 @@
       ]
     }
   },
+  "dependencies": {
+    "browser-tabs-lock": "^1.2.15",
+    "dpop": "^2.1.1",
+    "es-cookie": "~1.3.2"
+  },
   "scripts": {
     "dev": "rimraf dist && rollup -c --watch",
     "start": "npm run dev",
@@ -54,14 +59,11 @@
     "@types/jest": "^28.1.7",
     "@typescript-eslint/eslint-plugin-tslint": "^5.33.1",
     "@typescript-eslint/parser": "^5.33.1",
-    "browser-tabs-lock": "^1.2.15",
     "browserstack-cypress-cli": "1.32.8",
     "cli-table": "^0.3.6",
     "concurrently": "^7.3.0",
-    "dpop": "^2.1.1",
     "cypress": "13.17.0",
     "es-check": "^7.0.1",
-    "es-cookie": "~1.3.2",
     "eslint": "^8.22.0",
     "eslint-plugin-security": "^1.5.0",
     "fake-indexeddb": "^6.0.1",

package/src/Auth0Client.ts

@@ -90,7 +90,10 @@ import {
   getAuthorizeParams,
   GET_TOKEN_SILENTLY_LOCK_KEY,
   OLD_IS_AUTHENTICATED_COOKIE_NAME,
-  patchOpenUrlWithOnRedirect
+  patchOpenUrlWithOnRedirect,
+  getScopeToRequest,
+  allScopesAreIncluded,
+  isRefreshWithMrrt
 } from './Auth0Client.utils';
 import { CustomTokenExchangeOptions } from './TokenExchange';
 import { Dpop } from './dpop/dpop';
@@ -321,8 +324,8 @@ export class Auth0Client {
       nonce,
       code_challenge,
       authorizationParams.redirect_uri ||
-        this.options.authorizationParams.redirect_uri ||
-        fallbackRedirectUri,
+      this.options.authorizationParams.redirect_uri ||
+      fallbackRedirectUri,
       authorizeOptions?.response_mode,
       thumbprint
     );
@@ -596,7 +599,7 @@ export class Auth0Client {
 
     try {
       await this.getTokenSilently(options);
-    } catch (_) {}
+    } catch (_) { }
   }
 
   /**
@@ -689,7 +692,8 @@ export class Auth0Client {
       const entry = await this._getEntryFromCache({
         scope: getTokenOptions.authorizationParams.scope,
         audience: getTokenOptions.authorizationParams.audience || 'default',
-        clientId: this.options.clientId
+        clientId: this.options.clientId,
+        cacheMode,
       });
 
       if (entry) {
@@ -789,7 +793,9 @@ export class Auth0Client {
         scope: localOptions.authorizationParams.scope,
         audience: localOptions.authorizationParams.audience || 'default',
         clientId: this.options.clientId
-      })
+      }),
+      undefined,
+      this.options.useMrrt
     );
 
     return cache!.access_token;
@@ -976,7 +982,9 @@ export class Auth0Client {
         scope: options.authorizationParams.scope,
         audience: options.authorizationParams.audience || 'default',
         clientId: this.options.clientId
-      })
+      }),
+      undefined,
+      this.options.useMrrt
     );
 
     // If you don't have a refresh token in memory
@@ -1004,6 +1012,13 @@ export class Auth0Client {
         ? options.timeoutInSeconds * 1000
         : null;
 
+    const scopesToRequest = getScopeToRequest(
+      this.options.useMrrt,
+      options.authorizationParams,
+      cache?.audience,
+      cache?.scope,
+    );
+
     try {
       const tokenResult = await this._requestToken({
         ...options.authorizationParams,
@@ -1011,7 +1026,51 @@ export class Auth0Client {
         refresh_token: cache && cache.refresh_token,
         redirect_uri,
         ...(timeout && { timeout })
-      });
+      },
+        {
+          scopesToRequest,
+        }
+      );
+
+      // If is refreshed with MRRT, we update all entries that have the old 
+      // refresh_token with the new one if the server responded with one
+      if (tokenResult.refresh_token && this.options.useMrrt && cache?.refresh_token) {
+        await this.cacheManager.updateEntry(
+          cache.refresh_token,
+          tokenResult.refresh_token
+        );
+      }
+
+      // Some scopes requested to the server might not be inside the refresh policies
+      // In order to return a token with all requested scopes when using MRRT we should
+      // check if all scopes are returned. If not, we will try to use an iframe to request
+      // a token.
+      if (this.options.useMrrt) {
+        const isRefreshMrrt = isRefreshWithMrrt(
+          cache?.audience,
+          cache?.scope,
+          options.authorizationParams.audience,
+          options.authorizationParams.scope,
+        );
+
+        if (isRefreshMrrt) {
+          const tokenHasAllScopes = allScopesAreIncluded(
+            scopesToRequest,
+            tokenResult.scope,
+          );
+
+          if (!tokenHasAllScopes) {
+            if (this.options.useRefreshTokensFallback) {
+              return await this._getTokenFromIFrame(options);
+            }
+
+            throw new MissingRefreshTokenError(
+              options.authorizationParams.audience || 'default',
+              options.authorizationParams.scope,
+            );
+          }
+        }
+      }
 
       return {
         ...tokenResult,
@@ -1084,11 +1143,13 @@ export class Auth0Client {
   private async _getEntryFromCache({
     scope,
     audience,
-    clientId
+    clientId,
+    cacheMode,
   }: {
     scope: string;
     audience: string;
     clientId: string;
+    cacheMode?: string;
   }): Promise<undefined | GetTokenSilentlyVerboseResponse> {
     const entry = await this.cacheManager.get(
       new CacheKey({
@@ -1096,7 +1157,9 @@ export class Auth0Client {
         audience,
         clientId
       }),
-      60 // get a new token if within 60 seconds of expiring
+      60, // get a new token if within 60 seconds of expiring
+      this.options.useMrrt,
+      cacheMode,
     );
 
     if (entry && entry.access_token) {
@@ -1134,7 +1197,7 @@ export class Auth0Client {
       | TokenExchangeRequestOptions,
     additionalParameters?: RequestTokenAdditionalParameters
   ) {
-    const { nonceIn, organization } = additionalParameters || {};
+    const { nonceIn, organization, scopesToRequest } = additionalParameters || {};
     const authResult = await oauthToken(
       {
         baseUrl: this.domainUrl,
@@ -1142,8 +1205,10 @@ export class Auth0Client {
         auth0Client: this.options.auth0Client,
         useFormData: this.options.useFormData,
         timeout: this.httpTimeoutMs,
+        useMrrt: this.options.useMrrt,
         dpop: this.dpop,
-        ...options
+        ...options,
+        scope: scopesToRequest || options.scope,
       },
       this.worker
     );
@@ -1298,7 +1363,7 @@ export class Auth0Client {
    * This is a drop-in replacement for the Fetch API's `fetch()` method, but will
    * handle certain authentication logic for you, like building the proper auth
    * headers or managing DPoP nonces and retries automatically.
-   * 
+   *
    * Check the `EXAMPLES.md` file for a deeper look into this method.
    */
   public createFetcher<TOutput extends CustomFetchMinimalOutput = Response>(
@@ -1312,7 +1377,13 @@ export class Auth0Client {
 
     return new Fetcher(config, {
       isDpopEnabled: () => !!this.options.useDpop,
-      getAccessToken: () => this.getTokenSilently(),
+      getAccessToken: authParams =>
+        this.getTokenSilently({
+          authorizationParams: {
+            scope: authParams?.scope?.join(' '),
+            audience: authParams?.audience
+          }
+        }),
       getDpopNonce: () => this.getDpopNonce(config.dpopNonceId),
       setDpopNonce: nonce => this.setDpopNonce(nonce),
       generateDpopProof: params => this.generateDpopProof(params)
@@ -1349,4 +1420,5 @@ interface TokenExchangeRequestOptions extends BaseRequestTokenOptions {
 interface RequestTokenAdditionalParameters {
   nonceIn?: string;
   organization?: string;
+  scopesToRequest?: string;
 }

package/src/Auth0Client.utils.ts

@@ -96,3 +96,69 @@ export const patchOpenUrlWithOnRedirect = <
 
   return result as T;
 };
+
+/**
+ * @ignore
+ * 
+ * Checks if all scopes are included inside other array of scopes
+ */
+export const allScopesAreIncluded = (scopeToInclude?: string, scopes?: string): boolean => {
+  const scopeGroup = scopes?.split(" ") || [];
+  const scopesToInclude = scopeToInclude?.split(" ") || [];
+  return scopesToInclude.every((key) => scopeGroup.includes(key));
+}
+
+/**
+ * @ignore
+ *
+ * For backward compatibility we are going to check if we are going to downscope while doing a refresh request
+ * while MRRT is allowed. If the audience is the same for the refresh_token we are going to use and it has
+ * lower scopes than the ones originally in the token, we are going to return the scopes that were stored
+ * with the refresh_token in the tokenset.
+ * @param useMrrt Setting that the user can activate to use MRRT in their requests
+ * @param authorizationParams Contains the audience and scope that the user requested to obtain a token
+ * @param cachedAudience Audience stored with the refresh_token wich we are going to use in the request
+ * @param cachedScope Scope stored with the refresh_token wich we are going to use in the request
+ */
+export const getScopeToRequest = (
+  useMrrt: boolean | undefined,
+  authorizationParams: { audience?: string, scope: string },
+  cachedAudience?: string,
+  cachedScope?: string
+): string => {
+  if (useMrrt && cachedAudience && cachedScope) {
+    if (authorizationParams.audience !== cachedAudience) {
+      return authorizationParams.scope;
+    }
+
+    const cachedScopes = cachedScope.split(" ");
+    const newScopes = authorizationParams.scope?.split(" ") || [];
+    const newScopesAreIncluded = newScopes.every((scope) => cachedScopes.includes(scope));
+
+    return cachedScopes.length >= newScopes.length && newScopesAreIncluded ? cachedScope : authorizationParams.scope;
+  }
+
+  return authorizationParams.scope;
+}
+
+/**
+ * @ignore
+ * 
+ * Checks if the refresh request has been done using MRRT
+ * @param cachedAudience Audience from the refresh token used to refresh
+ * @param cachedScope Scopes from the refresh token used to refresh
+ * @param requestAudience Audience sent to the server
+ * @param requestScope Scopes sent to the server
+ */
+export const isRefreshWithMrrt = (
+  cachedAudience: string | undefined,
+  cachedScope: string | undefined,
+  requestAudience: string | undefined,
+  requestScope: string,
+): boolean => {
+  if (cachedAudience !== requestAudience) {
+    return true;
+  }
+
+  return !allScopesAreIncluded(requestScope, cachedScope);
+}

package/src/api.ts

@@ -12,6 +12,7 @@ export async function oauthToken(
     scope,
     auth0Client,
     useFormData,
+    useMrrt,
     dpop,
     ...options
   }: TokenEndpointOptions,
@@ -20,10 +21,14 @@ export async function oauthToken(
   const isTokenExchange =
     options.grant_type === 'urn:ietf:params:oauth:grant-type:token-exchange';
 
+  const refreshWithMrrt =
+    options.grant_type === 'refresh_token' && useMrrt;
+
   const allParams = {
     ...options,
     ...(isTokenExchange && audience && { audience }),
-    ...(isTokenExchange && scope && { scope })
+    ...(isTokenExchange && scope && { scope }),
+    ...(refreshWithMrrt && { audience, scope })
   };
 
   const body = useFormData
@@ -51,6 +56,7 @@ export async function oauthToken(
     },
     worker,
     useFormData,
+    useMrrt,
     isDpopSupported ? dpop : undefined
   );
 }

package/src/cache/cache-manager.ts

@@ -69,7 +69,9 @@ export class CacheManager {
 
   async get(
     cacheKey: CacheKey,
-    expiryAdjustmentSeconds = DEFAULT_EXPIRY_ADJUSTMENT_SECONDS
+    expiryAdjustmentSeconds = DEFAULT_EXPIRY_ADJUSTMENT_SECONDS,
+    useMrrt = false,
+    cacheMode?: string
   ): Promise<Partial<CacheEntry> | undefined> {
     let wrappedEntry = await this.cache.get<WrappedCacheEntry>(
       cacheKey.toKey()
@@ -85,6 +87,13 @@ export class CacheManager {
       if (matchedKey) {
         wrappedEntry = await this.cache.get<WrappedCacheEntry>(matchedKey);
       }
+
+      // To refresh using MRRT we need to send a request to the server
+      // If cacheMode is 'cache-only', this will make us unable to call the server
+      // so it won't be needed to find a valid refresh token
+      if (!matchedKey && useMrrt && cacheMode !== 'cache-only') {
+        return this.getEntryWithRefreshToken(cacheKey, keys);
+      }
     }
 
     // If we still don't have an entry, exit.
@@ -97,12 +106,7 @@ export class CacheManager {
 
     if (wrappedEntry.expiresAt - expiryAdjustmentSeconds < nowSeconds) {
       if (wrappedEntry.body.refresh_token) {
-        wrappedEntry.body = {
-          refresh_token: wrappedEntry.body.refresh_token
-        };
-
-        await this.cache.set(cacheKey.toKey(), wrappedEntry);
-        return wrappedEntry.body;
+        return this.modifiedCachedEntry(wrappedEntry, cacheKey);
       }
 
       await this.cache.remove(cacheKey.toKey());
@@ -114,6 +118,24 @@ export class CacheManager {
     return wrappedEntry.body;
   }
 
+  private async modifiedCachedEntry(wrappedEntry: WrappedCacheEntry, cacheKey: CacheKey): Promise<Partial<CacheEntry>> {
+    // We need to keep audience and scope in order to check them later when doing refresh
+    // using MRRT. See getScopeToRequest method.
+    wrappedEntry.body = {
+      refresh_token: wrappedEntry.body.refresh_token,
+      audience: wrappedEntry.body.audience,
+      scope: wrappedEntry.body.scope,
+    };
+
+    await this.cache.set(cacheKey.toKey(), wrappedEntry);
+
+    return {
+      refresh_token: wrappedEntry.body.refresh_token,
+      audience: wrappedEntry.body.audience,
+      scope: wrappedEntry.body.scope,
+    };
+  }
+
   async set(entry: CacheEntry): Promise<void> {
     const cacheKey = new CacheKey({
       clientId: entry.client_id,
@@ -207,4 +229,57 @@ export class CacheManager {
       );
     })[0];
   }
+
+  /**
+   * Returns the first entry that contains a refresh_token that satisfies the following conditions
+   * The keys inside the cache are in the format {prefix}::{clientId}::{audience}::{scope}.
+   * - `prefix` is strict equal to Auth0's internally configured `keyPrefix`
+   * - `clientId` is strict equal to the `cacheKey.clientId`
+   * @param keyToMatch The provided cache key
+   * @param allKeys A list of existing cache keys
+   */
+  private async getEntryWithRefreshToken(keyToMatch: CacheKey, allKeys: Array<string>): Promise<Partial<CacheEntry> | undefined> {
+    for (const key of allKeys) {
+      const cacheKey = CacheKey.fromKey(key);
+
+      if (cacheKey.prefix === CACHE_KEY_PREFIX &&
+        cacheKey.clientId === keyToMatch.clientId) {
+        const cachedEntry = await this.cache.get<WrappedCacheEntry>(key);
+
+        if (cachedEntry?.body?.refresh_token) {
+          return this.modifiedCachedEntry(cachedEntry, keyToMatch);
+        }
+      }
+    }
+
+    return undefined;
+  }
+
+  /**
+   * Updates in the cache all entries that has a match with previous refresh_token with the
+   * new refresh_token obtained from the server
+   * @param oldRefreshToken Old refresh_token used on refresh
+   * @param newRefreshToken New refresh_token obtained from the server after refresh
+  */
+  async updateEntry(
+    oldRefreshToken: string,
+    newRefreshToken: string,
+  ): Promise<void> {
+    const allKeys = await this.getCacheKeys();
+
+    if (!allKeys) return;
+
+    for (const key of allKeys) {
+      const entry = await this.cache.get<WrappedCacheEntry>(key);
+
+      if (entry?.body?.refresh_token === oldRefreshToken) {
+        const cacheEntry = {
+          ...entry.body,
+          refresh_token: newRefreshToken,
+        } as CacheEntry;
+
+        await this.set(cacheEntry);
+      }
+    }
+  }
 }