npm - @axa-fr/oidc-client - Versions diffs - 7.4.1 → 7.5.0 - Mend

@axa-fr/oidc-client 7.4.1 → 7.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/README.md CHANGED Viewed

@@ -30,8 +30,9 @@ We provide a wrapper **@axa-fr/react-oidc** for **React** (compatible next.js) a
 @axa-fr/oidc-client is:
 - **Secure** :
-  - With the use of Service Worker, your tokens (refresh_token and access_token) are not accessible to the JavaScript client code (big protection against XSS attacks)
-  - OIDC using client side Code Credential Grant with pkce only
+    - With Demonstrating Proof of Possession (DPoP), your access_token and refresh_token are not usable outside your browser context (big protection)
+    - With the use of Service Worker, your tokens (refresh_token and/or access_token) are not accessible to the JavaScript client code (if you follow good practices from [`FAQ`](https://github.com/AxaFrance/oidc-client/blob/main/FAQ.md) section)
+    - OIDC using client side Code Credential Grant with pkce only
 - **Lightweight** : Unpacked Size on npm is **274 kB**
 - **Simple**
   - refresh_token and access_token are auto refreshed in background
@@ -112,6 +113,7 @@ export const configuration = {
   authority: 'https://demo.duendesoftware.com',
   service_worker_relative_url: '/OidcServiceWorker.js',
   service_worker_only: false,
+  demonstrating_proof_of_possession: true, // demonstrating proof of possession will work only if access_token is accessible from the client (This is because WebCrypto API is not available inside a Service Worker)
 };
 const href = window.location.href;
@@ -191,6 +193,7 @@ const configuration = {
     monitor_session: Boolean, // Add OpenID monitor session, default is false (more information https://openid.net/specs/openid-connect-session-1_0.html), if you need to set it to true consider https://infi.nl/nieuws/spa-necromancy/
     token_renew_mode: String, // Optional, update tokens based on the selected token(s) lifetime: "access_token_or_id_token_invalid" (default), "access_token_invalid", "id_token_invalid"
     logout_tokens_to_invalidate: Array<string>, // Optional tokens to invalidate during logout, default: ['access_token', 'refresh_token']
+    demonstrating_proof_of_possession: Boolean, // Optional, default is false, if true, the the Demonstrating Proof of Possession will be activated //https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access
 };
 ```
@@ -316,6 +319,15 @@ export class OidcClient {
    * @returns A promise resolved with the user information, or rejected with an error.
    */
   async userInfoAsync<T extends OidcUserInfo = OidcUserInfo>(noCache = false): Promise<T>;
+  /**
+   * Generate Demonstration of proof of possession.
+   * @param accessToken The access token to use.
+   * @param url The url to use.
+   * @param method The method to use.
+   * @returns A promise resolved with the proof of possession.
+   */
+  async generateDemonstrationOfProofOfPossessionAsync(accessToken:string, url:string, method:string): Promise<string>;
 }
 ```

package/dist/crypto.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
 export declare const generateRandom: (size: number) => string;
 export declare function textEncodeLite(str: string): Uint8Array;
+export declare function base64urlOfHashOfASCIIEncodingAsync(code: string): Promise<string>;
 export declare const deriveChallengeAsync: (code: string) => Promise<string>;