@auth0/auth0-spa-js 2.7.0 → 2.8.0

package/dist/typings/Auth0Client.d.ts

@@ -22,6 +22,7 @@ export declare class Auth0Client {
     private readonly userCache;
     private readonly myAccountApi;
     private worker?;
+    private readonly activeLockKeys;
     private readonly defaultOptions;
     constructor(options: Auth0ClientOptions);
     private _url;
@@ -207,7 +208,7 @@ export declare class Auth0Client {
     private _getIdTokenFromCache;
     private _getEntryFromCache;
     /**
-     * Releases any lock acquired by the current page that's not released yet
+     * Releases any locks acquired by the current page that are not released yet
      *
      * Get's called on the `pagehide` event.
      * https://developer.mozilla.org/en-US/docs/Web/API/Window/pagehide_event

package/dist/typings/Auth0Client.utils.d.ts

@@ -1,9 +1,13 @@
 import { ICache } from './cache';
-import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, LogoutOptions } from './global';
+import { Auth0ClientOptions, AuthorizationParams, AuthorizeOptions, ClientAuthorizationParams, LogoutOptions } from './global';
 /**
  * @ignore
  */
 export declare const GET_TOKEN_SILENTLY_LOCK_KEY = "auth0.lock.getTokenSilently";
+/**
+ * @ignore
+ */
+export declare const buildGetTokenSilentlyLockKey: (clientId: string, audience: string) => string;
 /**
  * @ignore
  */
@@ -24,8 +28,10 @@ export declare const cacheFactory: (location: string) => () => ICache;
  * @ignore
  */
 export declare const getAuthorizeParams: (clientOptions: Auth0ClientOptions & {
-    authorizationParams: AuthorizationParams;
-}, scope: string, authorizationParams: AuthorizationParams, state: string, nonce: string, code_challenge: string, redirect_uri: string | undefined, response_mode: string | undefined, thumbprint: string | undefined) => AuthorizeOptions;
+    authorizationParams: ClientAuthorizationParams;
+}, scope: Record<string, string>, authorizationParams: AuthorizationParams & {
+    scope?: string | undefined;
+}, state: string, nonce: string, code_challenge: string, redirect_uri: string | undefined, response_mode: string | undefined, thumbprint: string | undefined) => AuthorizeOptions;
 /**
  * @ignore
  *

package/dist/typings/cache/cache-manager.d.ts

@@ -10,6 +10,7 @@ export declare class CacheManager {
     get(cacheKey: CacheKey, expiryAdjustmentSeconds?: number, useMrrt?: boolean, cacheMode?: string): Promise<Partial<CacheEntry> | undefined>;
     private modifiedCachedEntry;
     set(entry: CacheEntry): Promise<void>;
+    remove(client_id: string, audience?: string, scope?: string): Promise<void>;
     clear(clientId?: string): Promise<void>;
     private wrapCacheEntry;
     private getCacheKeys;

package/dist/typings/constants.d.ts

@@ -45,3 +45,4 @@ export declare const DEFAULT_AUTH0_CLIENT: {
     version: string;
 };
 export declare const DEFAULT_NOW_PROVIDER: () => number;
+export declare const DEFAULT_AUDIENCE = "default";

package/dist/typings/global.d.ts

@@ -97,6 +97,9 @@ export interface AuthorizationParams {
      */
     [key: string]: any;
 }
+export interface ClientAuthorizationParams extends Omit<AuthorizationParams, 'scope'> {
+    scope?: string | Record<string, string>;
+}
 interface BaseLoginOptions {
     /**
      * URL parameters that will be sent back to the Authorization Server. This can be known parameters
@@ -104,7 +107,7 @@ interface BaseLoginOptions {
      */
     authorizationParams?: AuthorizationParams;
 }
-export interface Auth0ClientOptions extends BaseLoginOptions {
+export interface Auth0ClientOptions {
     /**
      * Your Auth0 account domain such as `'example.auth0.com'`,
      * `'example.eu.auth0.com'` or , `'example.mycompany.com'`
@@ -256,6 +259,11 @@ export interface Auth0ClientOptions extends BaseLoginOptions {
      * The default setting is `false`.
      */
     useDpop?: boolean;
+    /**
+     * URL parameters that will be sent back to the Authorization Server. This can be known parameters
+     * defined by Auth0 or custom parameters that you define.
+     */
+    authorizationParams?: ClientAuthorizationParams;
 }
 /**
  * The possible locations where tokens can be stored

package/dist/typings/scope.d.ts

@@ -8,3 +8,28 @@
  * @returns {string} A string containing unique scopes separated by a single space.
  */
 export declare const getUniqueScopes: (...scopes: (string | undefined)[]) => string;
+/**
+ * @ignore
+ */
+/**
+ * We will check if the developer has created the client with a string or object of audience:scopes. We will inject
+ * the base scopes to each audience, and store the base ones inside default key. As well, if the developer created the Auth0Client
+ * with a string of scopes, we will store the requested ones with the base scopes inside the default key as well.
+ * @param authScopes The scopes requested by the user when creating the Auth0Client
+ * @param openIdScope openId scope
+ * @param extraScopes Other scopes to accumulate such as offline_access
+ * @returns {Record<string, string>} An object with all scopes that are going to be accumulated.
+ */
+export declare const injectDefaultScopes: (authScopes: string | Record<string, string> | undefined, openIdScope: string, ...extraScopes: string[]) => Record<string, string>;
+/**
+ * @ignore
+ */
+/**
+ * Will return a string of scopes. If a specific audience was requested and it exist inside the scopes object, we will return those
+ * related to that audience that we want to accumulate. If not, we will return the ones stored inside the default key.
+ * @param authScopes Object of audience:scopes that are going to be accumulated
+ * @param methodScopes The scopes requested for the developer in a specific request
+ * @param audience The audience the developer requested for an specific request or the one they configured in the Auth0Client
+ * @returns {string} A combination of Auth0Client scopes and the ones requested by the developer for a specific request
+ */
+export declare const scopesToRequest: (authScopes: Record<string, string>, methodScopes: string | undefined, audience: string | undefined) => string;

package/dist/typings/utils.d.ts

@@ -7,6 +7,12 @@ export declare const getCrypto: () => Crypto;
 export declare const createRandomString: () => string;
 export declare const encode: (value: string) => string;
 export declare const decode: (value: string) => string;
+/**
+ * Strips any property that is not present in ALLOWED_AUTH0CLIENT_PROPERTIES
+ * @param auth0Client - The full auth0Client object
+ * @returns The stripped auth0Client object
+ */
+export declare const stripAuth0Client: (auth0Client: any) => any;
 export declare const createQueryParams: ({ clientId: client_id, ...params }: any) => string;
 export declare const sha256: (s: string) => Promise<any>;
 export declare const urlDecodeB64: (input: string) => string;

package/dist/typings/version.d.ts

@@ -1,2 +1,2 @@
-declare const _default: "2.7.0";
+declare const _default: "2.8.0";
 export default _default;

package/package.json

@@ -3,7 +3,7 @@
   "name": "@auth0/auth0-spa-js",
   "description": "Auth0 SDK for Single Page Applications using Authorization Code Grant Flow with PKCE",
   "license": "MIT",
-  "version": "2.7.0",
+  "version": "2.8.0",
   "main": "dist/lib/auth0-spa-js.cjs.js",
   "types": "dist/typings/index.d.ts",
   "module": "dist/auth0-spa-js.production.esm.js",

package/src/Auth0Client.ts

@@ -18,7 +18,7 @@ import {
 
 import { oauthToken } from './api';
 
-import { getUniqueScopes } from './scope';
+import { injectDefaultScopes, scopesToRequest } from './scope';
 
 import {
   InMemoryCache,
@@ -59,7 +59,8 @@ import {
   DEFAULT_AUTH0_CLIENT,
   INVALID_REFRESH_TOKEN_ERROR_MESSAGE,
   DEFAULT_NOW_PROVIDER,
-  DEFAULT_FETCH_TIMEOUT_MS
+  DEFAULT_FETCH_TIMEOUT_MS,
+  DEFAULT_AUDIENCE
 } from './constants';
 
 import {
@@ -82,7 +83,8 @@ import {
   AuthenticationResult,
   ConnectAccountRedirectResult,
   RedirectConnectAccountOptions,
-  ResponseType
+  ResponseType,
+  ClientAuthorizationParams,
 } from './global';
 
 // @ts-ignore
@@ -94,7 +96,7 @@ import {
   buildOrganizationHintCookieName,
   cacheFactory,
   getAuthorizeParams,
-  GET_TOKEN_SILENTLY_LOCK_KEY,
+  buildGetTokenSilentlyLockKey,
   OLD_IS_AUTHENTICATED_COOKIE_NAME,
   patchOpenUrlWithOnRedirect,
   getScopeToRequest,
@@ -134,7 +136,7 @@ export class Auth0Client {
   private readonly cacheManager: CacheManager;
   private readonly domainUrl: string;
   private readonly tokenIssuer: string;
-  private readonly scope: string;
+  private readonly scope: Record<string, string>;
   private readonly cookieStorage: ClientStorage;
   private readonly dpop: Dpop | undefined;
   private readonly sessionCheckExpiryDays: number;
@@ -143,12 +145,14 @@ export class Auth0Client {
   private readonly nowProvider: () => number | Promise<number>;
   private readonly httpTimeoutMs: number;
   private readonly options: Auth0ClientOptions & {
-    authorizationParams: AuthorizationParams;
+    authorizationParams: ClientAuthorizationParams,
   };
   private readonly userCache: ICache = new InMemoryCache().enclosedCache;
   private readonly myAccountApi: MyAccountApiClient;
 
   private worker?: Worker;
+  private readonly activeLockKeys: Set<string> = new Set();
+
   private readonly defaultOptions: Partial<Auth0ClientOptions> = {
     authorizationParams: {
       scope: DEFAULT_SCOPE
@@ -218,9 +222,9 @@ export class Auth0Client {
     // 1. Always include `openid`
     // 2. Include the scopes provided in `authorizationParams. This defaults to `profile email`
     // 3. Add `offline_access` if `useRefreshTokens` is enabled
-    this.scope = getUniqueScopes(
-      'openid',
+    this.scope = injectDefaultScopes(
       this.options.authorizationParams.scope,
+      'openid',
       this.options.useRefreshTokens ? 'offline_access' : ''
     );
 
@@ -362,7 +366,7 @@ export class Auth0Client {
       nonce,
       code_verifier,
       scope: params.scope,
-      audience: params.audience || 'default',
+      audience: params.audience || DEFAULT_AUDIENCE,
       redirect_uri: params.redirect_uri,
       state,
       url
@@ -782,7 +786,11 @@ export class Auth0Client {
       authorizationParams: {
         ...this.options.authorizationParams,
         ...options.authorizationParams,
-        scope: getUniqueScopes(this.scope, options.authorizationParams?.scope)
+        scope: scopesToRequest(
+          this.scope,
+          options.authorizationParams?.scope,
+          options.authorizationParams?.audience || this.options.authorizationParams.audience,
+        )
       }
     };
 
@@ -806,7 +814,7 @@ export class Auth0Client {
     if (cacheMode !== 'off') {
       const entry = await this._getEntryFromCache({
         scope: getTokenOptions.authorizationParams.scope,
-        audience: getTokenOptions.authorizationParams.audience || 'default',
+        audience: getTokenOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
         clientId: this.options.clientId,
         cacheMode,
       });
@@ -820,21 +828,26 @@ export class Auth0Client {
       return;
     }
 
-    if (
-      await retryPromise(
-        () => lock.acquireLock(GET_TOKEN_SILENTLY_LOCK_KEY, 5000),
-        10
-      )
-    ) {
-      try {
-        window.addEventListener('pagehide', this._releaseLockOnPageHide);
+    // Generate lock key based on client ID and audience for better isolation
+    const lockKey = buildGetTokenSilentlyLockKey(
+      this.options.clientId,
+      getTokenOptions.authorizationParams.audience || 'default'
+    );
 
+    if (await retryPromise(() => lock.acquireLock(lockKey, 5000), 10)) {
+      this.activeLockKeys.add(lockKey);
+
+      // Add event listener only if this is the first active lock
+      if (this.activeLockKeys.size === 1) {
+        window.addEventListener('pagehide', this._releaseLockOnPageHide);
+      }
+      try {
         // Check the cache a second time, because it may have been populated
         // by a previous call while this call was waiting to acquire the lock.
         if (cacheMode !== 'off') {
           const entry = await this._getEntryFromCache({
             scope: getTokenOptions.authorizationParams.scope,
-            audience: getTokenOptions.authorizationParams.audience || 'default',
+            audience: getTokenOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
             clientId: this.options.clientId
           });
 
@@ -863,8 +876,12 @@ export class Auth0Client {
           expires_in
         };
       } finally {
-        await lock.releaseLock(GET_TOKEN_SILENTLY_LOCK_KEY);
-        window.removeEventListener('pagehide', this._releaseLockOnPageHide);
+        await lock.releaseLock(lockKey);
+        this.activeLockKeys.delete(lockKey);
+        // If we have no more locks, we can remove the event listener to clean up
+        if (this.activeLockKeys.size === 0) {
+          window.removeEventListener('pagehide', this._releaseLockOnPageHide);
+        }
       }
     } else {
       throw new TimeoutError();
@@ -892,7 +909,11 @@ export class Auth0Client {
       authorizationParams: {
         ...this.options.authorizationParams,
         ...options.authorizationParams,
-        scope: getUniqueScopes(this.scope, options.authorizationParams?.scope)
+        scope: scopesToRequest(
+          this.scope,
+          options.authorizationParams?.scope,
+          options.authorizationParams?.audience || this.options.authorizationParams.audience
+        )
       }
     };
 
@@ -906,7 +927,7 @@ export class Auth0Client {
     const cache = await this.cacheManager.get(
       new CacheKey({
         scope: localOptions.authorizationParams.scope,
-        audience: localOptions.authorizationParams.audience || 'default',
+        audience: localOptions.authorizationParams.audience || DEFAULT_AUDIENCE,
         clientId: this.options.clientId
       }),
       undefined,
@@ -1095,7 +1116,7 @@ export class Auth0Client {
     const cache = await this.cacheManager.get(
       new CacheKey({
         scope: options.authorizationParams.scope,
-        audience: options.authorizationParams.audience || 'default',
+        audience: options.authorizationParams.audience || DEFAULT_AUDIENCE,
         clientId: this.options.clientId
       }),
       undefined,
@@ -1112,7 +1133,7 @@ export class Auth0Client {
       }
 
       throw new MissingRefreshTokenError(
-        options.authorizationParams.audience || 'default',
+        options.authorizationParams.audience || DEFAULT_AUDIENCE,
         options.authorizationParams.scope
       );
     }
@@ -1179,6 +1200,14 @@ export class Auth0Client {
               return await this._getTokenFromIFrame(options);
             }
 
+            // Before throwing MissingScopesError, we have to remove the previously created entry
+            // to avoid storing wrong data
+            await this.cacheManager.remove(
+              this.options.clientId,
+              options.authorizationParams.audience,
+              options.authorizationParams.scope,
+            );
+
             const missingScopes = getMissingScopes(
               scopesToRequest,
               tokenResult.scope,
@@ -1196,7 +1225,7 @@ export class Auth0Client {
         ...tokenResult,
         scope: options.authorizationParams.scope,
         oauthTokenScope: tokenResult.scope,
-        audience: options.authorizationParams.audience || 'default'
+        audience: options.authorizationParams.audience || DEFAULT_AUDIENCE
       };
     } catch (e) {
       if (
@@ -1236,13 +1265,14 @@ export class Auth0Client {
   }
 
   private async _getIdTokenFromCache() {
-    const audience = this.options.authorizationParams.audience || 'default';
+    const audience = this.options.authorizationParams.audience || DEFAULT_AUDIENCE;
+    const scope = this.scope[audience];
 
     const cache = await this.cacheManager.getIdToken(
       new CacheKey({
         clientId: this.options.clientId,
         audience,
-        scope: this.scope
+        scope,
       })
     );
 
@@ -1299,13 +1329,18 @@ export class Auth0Client {
   }
 
   /**
-   * Releases any lock acquired by the current page that's not released yet
+   * Releases any locks acquired by the current page that are not released yet
    *
    * Get's called on the `pagehide` event.
    * https://developer.mozilla.org/en-US/docs/Web/API/Window/pagehide_event
    */
   private _releaseLockOnPageHide = async () => {
-    await lock.releaseLock(GET_TOKEN_SILENTLY_LOCK_KEY);
+    // Release all active locks
+    const lockKeysToRelease = Array.from(this.activeLockKeys);
+    for (const lockKey of lockKeysToRelease) {
+      await lock.releaseLock(lockKey);
+    }
+    this.activeLockKeys.clear();
 
     window.removeEventListener('pagehide', this._releaseLockOnPageHide);
   };
@@ -1343,7 +1378,7 @@ export class Auth0Client {
       ...authResult,
       decodedToken,
       scope: options.scope,
-      audience: options.audience || 'default',
+      audience: options.audience || DEFAULT_AUDIENCE,
       ...(authResult.scope ? { oauthTokenScope: authResult.scope } : null),
       client_id: this.options.clientId
     });
@@ -1415,7 +1450,11 @@ export class Auth0Client {
       grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
       subject_token: options.subject_token,
       subject_token_type: options.subject_token_type,
-      scope: getUniqueScopes(options.scope, this.scope),
+      scope: scopesToRequest(
+        this.scope,
+        options.scope,
+        options.audience || this.options.authorizationParams.audience
+      ),
       audience: options.audience || this.options.authorizationParams.audience
     });
   }

package/src/Auth0Client.utils.ts

@@ -3,15 +3,24 @@ import {
   Auth0ClientOptions,
   AuthorizationParams,
   AuthorizeOptions,
+  ClientAuthorizationParams,
   LogoutOptions
 } from './global';
-import { getUniqueScopes } from './scope';
+import { scopesToRequest } from './scope';
 
 /**
  * @ignore
  */
 export const GET_TOKEN_SILENTLY_LOCK_KEY = 'auth0.lock.getTokenSilently';
 
+/**
+ * @ignore
+ */
+export const buildGetTokenSilentlyLockKey = (
+  clientId: string,
+  audience: string
+) => `${GET_TOKEN_SILENTLY_LOCK_KEY}.${clientId}.${audience}`;
+
 /**
  * @ignore
  */
@@ -49,10 +58,10 @@ export const cacheFactory = (location: string) => {
  */
 export const getAuthorizeParams = (
   clientOptions: Auth0ClientOptions & {
-    authorizationParams: AuthorizationParams;
+    authorizationParams: ClientAuthorizationParams;
   },
-  scope: string,
-  authorizationParams: AuthorizationParams,
+  scope: Record<string, string>,
+  authorizationParams: AuthorizationParams & { scope?: string },
   state: string,
   nonce: string,
   code_challenge: string,
@@ -64,7 +73,7 @@ export const getAuthorizeParams = (
     client_id: clientOptions.clientId,
     ...clientOptions.authorizationParams,
     ...authorizationParams,
-    scope: getUniqueScopes(scope, authorizationParams.scope),
+    scope: scopesToRequest(scope, authorizationParams.scope, authorizationParams.audience),
     response_type: 'code',
     response_mode: response_mode || 'query',
     state,

package/src/api.ts

@@ -1,8 +1,8 @@
 import { TokenEndpointOptions, TokenEndpointResponse } from './global';
-import { DEFAULT_AUTH0_CLIENT } from './constants';
+import { DEFAULT_AUTH0_CLIENT, DEFAULT_AUDIENCE } from './constants';
 import * as dpopUtils from './dpop/utils';
 import { getJSON } from './http';
-import { createQueryParams } from './utils';
+import { createQueryParams, stripAuth0Client } from './utils';
 
 export async function oauthToken(
   {
@@ -21,8 +21,7 @@ export async function oauthToken(
   const isTokenExchange =
     options.grant_type === 'urn:ietf:params:oauth:grant-type:token-exchange';
 
-  const refreshWithMrrt =
-    options.grant_type === 'refresh_token' && useMrrt;
+  const refreshWithMrrt = options.grant_type === 'refresh_token' && useMrrt;
 
   const allParams = {
     ...options,
@@ -40,7 +39,7 @@ export async function oauthToken(
   return await getJSON<TokenEndpointResponse>(
     `${baseUrl}/oauth/token`,
     timeout,
-    audience || 'default',
+    audience || DEFAULT_AUDIENCE,
     scope,
     {
       method: 'POST',
@@ -50,7 +49,7 @@ export async function oauthToken(
           ? 'application/x-www-form-urlencoded'
           : 'application/json',
         'Auth0-Client': btoa(
-          JSON.stringify(auth0Client || DEFAULT_AUTH0_CLIENT)
+          JSON.stringify(stripAuth0Client(auth0Client || DEFAULT_AUTH0_CLIENT))
         )
       }
     },

package/src/cache/cache-manager.ts

@@ -149,6 +149,20 @@ export class CacheManager {
     await this.keyManifest?.add(cacheKey.toKey());
   }
 
+  async remove(
+    client_id: string,
+    audience?: string,
+    scope?: string,
+  ): Promise<void> {
+    const cacheKey = new CacheKey({
+      clientId: client_id,
+      scope: scope,
+      audience: audience
+    });
+
+    await this.cache.remove(cacheKey.toKey());
+  }
+
   async clear(clientId?: string): Promise<void> {
     const keys = await this.getCacheKeys();
 

package/src/constants.ts

@@ -60,3 +60,5 @@ export const DEFAULT_AUTH0_CLIENT = {
 };
 
 export const DEFAULT_NOW_PROVIDER = () => Date.now();
+
+export const DEFAULT_AUDIENCE = 'default';

package/src/global.ts

@@ -113,6 +113,10 @@ export interface AuthorizationParams {
   [key: string]: any;
 }
 
+export interface ClientAuthorizationParams extends Omit<AuthorizationParams, 'scope'> {
+  scope?: string | Record<string, string>
+};
+
 interface BaseLoginOptions {
   /**
    * URL parameters that will be sent back to the Authorization Server. This can be known parameters
@@ -121,7 +125,7 @@ interface BaseLoginOptions {
   authorizationParams?: AuthorizationParams;
 }
 
-export interface Auth0ClientOptions extends BaseLoginOptions {
+export interface Auth0ClientOptions {
   /**
    * Your Auth0 account domain such as `'example.auth0.com'`,
    * `'example.eu.auth0.com'` or , `'example.mycompany.com'`
@@ -288,6 +292,12 @@ export interface Auth0ClientOptions extends BaseLoginOptions {
    * The default setting is `false`.
    */
   useDpop?: boolean;
+
+  /**
+   * URL parameters that will be sent back to the Authorization Server. This can be known parameters
+   * defined by Auth0 or custom parameters that you define.
+   */
+  authorizationParams?: ClientAuthorizationParams;
 }
 
 /**

package/src/scope.ts

@@ -1,3 +1,5 @@
+import { DEFAULT_AUDIENCE } from "./constants";
+
 /**
  * @ignore
  */
@@ -15,3 +17,58 @@ const dedupe = (arr: string[]) => Array.from(new Set(arr));
 export const getUniqueScopes = (...scopes: (string | undefined)[]) => {
   return dedupe(scopes.filter(Boolean).join(' ').trim().split(/\s+/)).join(' ');
 };
+
+/**
+ * @ignore
+ */
+/**
+ * We will check if the developer has created the client with a string or object of audience:scopes. We will inject
+ * the base scopes to each audience, and store the base ones inside default key. As well, if the developer created the Auth0Client
+ * with a string of scopes, we will store the requested ones with the base scopes inside the default key as well.
+ * @param authScopes The scopes requested by the user when creating the Auth0Client
+ * @param openIdScope openId scope
+ * @param extraScopes Other scopes to accumulate such as offline_access
+ * @returns {Record<string, string>} An object with all scopes that are going to be accumulated.
+ */
+export const injectDefaultScopes = (authScopes: string | Record<string, string> | undefined, openIdScope: string, ...extraScopes: string[]): Record<string, string> => {
+  if (typeof authScopes !== 'object') {
+    return { [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, authScopes, ...extraScopes) };
+  }
+
+  let requestedScopes: Record<string, string> = {
+    [DEFAULT_AUDIENCE]: getUniqueScopes(openIdScope, ...extraScopes),
+  };
+
+  Object.keys(authScopes).forEach((key) => {
+    const audienceScopes = authScopes[key];
+
+    requestedScopes[key] = getUniqueScopes(openIdScope, audienceScopes, ...extraScopes);
+  });
+
+  return requestedScopes;
+}
+
+/**
+ * @ignore
+ */
+/**
+ * Will return a string of scopes. If a specific audience was requested and it exist inside the scopes object, we will return those
+ * related to that audience that we want to accumulate. If not, we will return the ones stored inside the default key.
+ * @param authScopes Object of audience:scopes that are going to be accumulated
+ * @param methodScopes The scopes requested for the developer in a specific request
+ * @param audience The audience the developer requested for an specific request or the one they configured in the Auth0Client
+ * @returns {string} A combination of Auth0Client scopes and the ones requested by the developer for a specific request
+ */
+export const scopesToRequest = (authScopes: Record<string, string>, methodScopes: string | undefined, audience: string | undefined): string => {
+  let scope: string | undefined;
+
+  if (audience) {
+    scope = authScopes[audience];
+  }
+
+  if (!scope) {
+    scope = authScopes[DEFAULT_AUDIENCE];
+  }
+
+  return getUniqueScopes(scope, methodScopes);
+}