@axa-fr/react-oidc 6.6.0 → 6.6.2-alpha0

package/src/oidc/core/routes/OidcRoutes.spec.tsx

@@ -0,0 +1,15 @@
+import * as React from 'react';
+import OidcRoutes from './OidcRoutes';
+import {render} from "@testing-library/react";
+
+describe('Authenticating test suite', () => {
+  it('renders correctly', () => {
+    const props = {
+      children: 'http://url.com',
+      callbackComponent: () => <div>tcallback component</div>,
+      redirect_uri: 'http://example.com:3000/authentication/callback',
+    };
+    const { asFragment } = render(<OidcRoutes {...props} />);
+    expect(asFragment()).toMatchSnapshot();
+  });
+});

package/src/oidc/core/routes/OidcRoutes.tsx

@@ -0,0 +1,69 @@
+import React, { ComponentType, FC, PropsWithChildren, useEffect, useState } from 'react';
+import { getPath } from '../../vanilla/route-utils';
+import CallbackComponent from '../default-component/Callback.component';
+import SilentCallbackComponent from "../default-component/SilentCallback.component";
+import { CustomHistory } from "./withRouter";
+import SilentLoginComponent from "../default-component/SilentLogin.component";
+
+const defaultProps: Partial<OidcRoutesProps> = {
+
+};
+
+type OidcRoutesProps = {
+  callbackSuccessComponent?: ComponentType;
+  callbackErrorComponent?: ComponentType;
+  authenticatingComponent?: ComponentType;
+  configurationName:string;
+  redirect_uri: string;
+  silent_redirect_uri?: string;
+  silent_login_uri?:string;
+  withCustomHistory?: () => CustomHistory;
+};
+
+const OidcRoutes: FC<PropsWithChildren<OidcRoutesProps>> = ({
+  callbackErrorComponent,
+  callbackSuccessComponent,
+                                                              redirect_uri,
+                                                              silent_redirect_uri,
+                                                              silent_login_uri,
+  children, configurationName,
+  withCustomHistory=null,
+}) => {
+  // This exist because in next.js window outside useEffect is null
+  let pathname = window ? getPath(window.location.href) : '';
+  
+  const [path, setPath] = useState(pathname);
+  
+  useEffect(() => {
+    const setNewPath = () => setPath(getPath(window.location.href));
+    setNewPath();
+    window.addEventListener('popstate', setNewPath, false);
+    return () => window.removeEventListener('popstate', setNewPath, false);
+  }, []);
+  
+  const callbackPath = getPath(redirect_uri);
+
+  if(silent_redirect_uri){
+    if(path === getPath(silent_redirect_uri)){
+      return <SilentCallbackComponent configurationName={configurationName} />
+    }
+  }
+
+  if(silent_login_uri){
+    if(path === getPath(silent_login_uri)){
+      return <SilentLoginComponent configurationName={configurationName} />
+    }
+  }
+  
+  switch (path) {
+    case callbackPath:
+      return <CallbackComponent callBackError={callbackErrorComponent} callBackSuccess={callbackSuccessComponent} configurationName={configurationName} withCustomHistory={withCustomHistory} />;
+    default:
+      return <>{children}</>;
+  }
+};
+
+// @ts-ignore
+OidcRoutes.defaultProps = defaultProps;
+
+export default React.memo(OidcRoutes);

package/src/oidc/core/routes/__snapshots__/OidcRoutes.spec.tsx.snap

@@ -0,0 +1,7 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Authenticating test suite renders correctly 1`] = `
+<DocumentFragment>
+  http://url.com
+</DocumentFragment>
+`;

package/src/oidc/core/routes/index.ts

@@ -0,0 +1,2 @@
+export { default as OidcRoutes } from './OidcRoutes';
+export { ReactOidcHistory } from './withRouter';

package/src/oidc/core/routes/withRouter.spec.tsx

@@ -0,0 +1,48 @@
+import React from 'react';
+import '@testing-library/jest-dom/extend-expect';
+import { CreateEvent, WindowInternal } from './withRouter';
+
+describe('WithRouter test Suite', () => {
+  const generateKeyMock = () => '123ABC';
+  const paramsMock = { bubbles: false, cancelable: false, detail: 'detail' };
+  beforeEach(() => {});
+  it('should CreateEvent return correct Event if not on IE', () => {
+    const windowMock = {
+      CustomEvent: jest.fn().mockImplementation((event, params) => {
+        return { event, params };
+      }),
+    };
+    const documentMock = {} as Document;
+    const res = CreateEvent((windowMock as unknown) as WindowInternal, documentMock)(
+      'event test',
+      paramsMock
+    );
+    expect(res).toEqual({
+      event: 'event test',
+      params: { bubbles: false, cancelable: false, detail: 'detail' },
+    });
+  });
+
+  it('should createEvent create a polyfill when the default func is undefined', () => {
+    const windowMock = {
+      Event: {
+        prototype: 'protoMock',
+      },
+    };
+    const evtMock = {
+      initCustomEvent: jest.fn(),
+    };
+    const documentMock = {
+      createEvent: jest.fn(() => evtMock),
+    };
+    const typedDocumentMock = (documentMock as unknown) as Document;
+    const res = CreateEvent((windowMock as unknown) as WindowInternal, typedDocumentMock)(
+      'event test',
+      paramsMock
+    );
+    expect(res).toEqual({ ...evtMock });
+    expect(documentMock.createEvent).toHaveBeenCalledWith('CustomEvent');
+    expect(evtMock.initCustomEvent).toHaveBeenCalledWith('event test', false, false, 'detail');
+  });
+  
+});

package/src/oidc/core/routes/withRouter.tsx

@@ -0,0 +1,64 @@
+import React from 'react';
+
+const generateKey = () =>
+  Math.random()
+    .toString(36)
+    .substr(2, 6);
+
+// Exported only for test
+export type WindowInternal = Window & {
+  CustomEvent?: new <T>(typeArg: string, eventInitDict?: CustomEventInit<T>) => CustomEvent<T>;
+  Event: typeof Event;
+};
+
+type IPrototype = {
+  prototype: any;
+};
+
+type InitCustomEventParams<T = any> = {
+  bubbles: boolean;
+  cancelable: boolean;
+  detail: T;
+};
+
+// IE Polyfill for CustomEvent
+export const CreateEvent = (windowInternal: WindowInternal, documentInternal: Document) => (
+  event: string,
+  params: InitCustomEventParams
+): CustomEvent => {
+  if (typeof windowInternal.CustomEvent === 'function') {
+    return new windowInternal.CustomEvent(event, params);
+  }
+  const paramsToFunction = params || { bubbles: false, cancelable: false, detail: undefined };
+  const evt: CustomEvent = documentInternal.createEvent('CustomEvent');
+  evt.initCustomEvent(event, paramsToFunction.bubbles, paramsToFunction.cancelable, paramsToFunction.detail);
+  (evt as CustomEvent & IPrototype).prototype = windowInternal.Event.prototype;
+  return evt;
+};
+
+type WindowHistoryState = typeof window.history.state;
+
+export interface ReactOidcHistory {
+  replaceState: (url?: string | null, stateHistory?: WindowHistoryState) => void;
+}
+
+export type CustomHistory = {
+  replaceState(url?: string | null, stateHistory?: WindowHistoryState): void;
+}
+
+const getHistory = (
+  windowInternal: WindowInternal,
+  CreateEventInternal: (event: string, params?: InitCustomEventParams) => CustomEvent,
+  generateKeyInternal: typeof generateKey
+): CustomHistory => {
+  return {
+    replaceState: (url?: string | null, stateHistory?: WindowHistoryState): void => {
+      const key = generateKeyInternal();
+      const state = stateHistory || windowInternal.history.state;
+      windowInternal.history.replaceState({ key, state }, null, url);
+      windowInternal.dispatchEvent(CreateEventInternal('popstate'));
+    },
+  };
+};
+
+export const getCustomHistory = () => getHistory(window, CreateEvent(window, document), generateKey);

package/src/oidc/index.ts

@@ -0,0 +1,5 @@
+export { withOidcSecure, OidcSecure } from "./OidcSecure";
+export { useOidcUser, OidcUserStatus} from "./User";
+export { useOidc, useOidcAccessToken, useOidcIdToken } from "./ReactOidc";
+export { withOidcFetch, useOidcFetch } from "./FetchToken";
+export { OidcProvider } from "./OidcProvider";

package/src/oidc/vanilla/OidcServiceWorker.js

@@ -0,0 +1,442 @@
+this.importScripts('OidcTrustedDomains.js');
+
+const id = Math.round(new Date().getTime() / 1000).toString();
+
+const acceptAnyDomainToken = "*";
+
+const keepAliveJsonFilename = "OidcKeepAliveServiceWorker.json";
+const handleInstall = (event) => {
+    console.log('[OidcServiceWorker] service worker installed ' + id);
+    event.waitUntil(self.skipWaiting());
+};
+
+const handleActivate = (event) => {
+    console.log('[OidcServiceWorker] service worker activated ' + id);
+    event.waitUntil(self.clients.claim());
+};
+
+let currentLoginCallbackConfigurationName = null;
+let database = {
+    default: {
+        configurationName: "default",
+        tokens: null,
+        status:null,
+        items:[],
+        nonce: null,
+        oidcServerConfiguration: null
+    }
+};
+
+const countLetter = (str, find)=> {
+    return (str.split(find)).length - 1;
+}
+
+const b64DecodeUnicode = (str) =>
+    decodeURIComponent(Array.prototype.map.call(atob(str), (c) => '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)).join(''));
+const parseJwt = (token) => JSON.parse(b64DecodeUnicode(token.split('.')[1].replace('-', '+').replace('_', '/')));
+const extractTokenPayload=(token)=> {
+    try{
+        if (!token) {
+            return null;
+        }
+        if(countLetter(token,'.') === 2) {
+            return parseJwt(token);
+        } else {
+            return null;
+        }
+    } catch (e) {
+        console.warn(e);
+    }
+    return null;
+}
+
+const computeTimeLeft = (refreshTimeBeforeTokensExpirationInSecond, expiresAt)=>{
+    const currentTimeUnixSecond = new Date().getTime() /1000;
+    return Math.round(((expiresAt - refreshTimeBeforeTokensExpirationInSecond) - currentTimeUnixSecond));
+}
+
+const isTokensValid= (tokens) =>{
+    if(!tokens){
+        return false;
+    }
+    return computeTimeLeft(0, tokens.expiresAt) > 0;
+}
+
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (excluding rules #1, #4, #5, #7, #8, #12, and #13 which did not apply).
+// https://github.com/openid/AppAuth-JS/issues/65
+const isTokensOidcValid =(tokens, nonce, oidcServerConfiguration) =>{
+    if(tokens.idTokenPayload) {
+        const idTokenPayload = tokens.idTokenPayload;
+        // 2: The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
+        if(oidcServerConfiguration.issuer !==  idTokenPayload.iss){
+            return false;
+        }
+        // 3: The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
+
+        // 6: If the ID Token is received via direct communication between the Client and the Token Endpoint (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS] using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by the Issuer.
+
+        // 9: The current time MUST be before the time represented by the exp Claim.
+        const currentTimeUnixSecond = new Date().getTime() /1000;
+        if(idTokenPayload.exp && idTokenPayload.exp < currentTimeUnixSecond) {
+            return false;
+        }
+        // 10: The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.
+        const timeInSevenDays = 60 * 60 * 24 * 7;
+        if(idTokenPayload.iat && (idTokenPayload.iat + timeInSevenDays) < currentTimeUnixSecond) {
+            return false;
+        }
+        // 11: If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
+        if (idTokenPayload.nonce && idTokenPayload.nonce !== nonce) {
+            return false;
+        }
+    }
+    return true;
+}
+
+function hideTokens(currentDatabaseElement) {
+    const configurationName = currentDatabaseElement.configurationName;
+    return (response) => {
+        if(response.status !== 200){
+            return response;
+        }
+        return response.json().then(tokens => {
+            if(!tokens.issued_at) {
+                const currentTimeUnixSecond = new Date().getTime() /1000;
+                tokens.issued_at = currentTimeUnixSecond;
+            }
+
+            const accessTokenPayload = extractTokenPayload(tokens.access_token);
+            const secureTokens = {
+                ...tokens,
+                access_token: ACCESS_TOKEN +"_" + configurationName,
+                accessTokenPayload : accessTokenPayload
+            };
+            tokens.accessTokenPayload = accessTokenPayload;
+
+            let _idTokenPayload = null;
+            if(tokens.id_token) {
+                _idTokenPayload = extractTokenPayload(tokens.id_token);
+                tokens.idTokenPayload = {..._idTokenPayload};
+                if(_idTokenPayload.nonce) {
+                    const keyNonce = NONCE_TOKEN + '_'+ currentDatabaseElement.configurationName;
+                    _idTokenPayload.nonce = keyNonce;
+                }
+                secureTokens.idTokenPayload = _idTokenPayload;
+            }
+            if(tokens.refresh_token){
+                secureTokens.refresh_token = REFRESH_TOKEN + "_" + configurationName;
+            }
+
+            const idTokenExpiresAt =(_idTokenPayload && _idTokenPayload.exp) ? _idTokenPayload.exp: Number.MAX_VALUE;
+            const accessTokenExpiresAt =  (accessTokenPayload && accessTokenPayload.exp)? accessTokenPayload.exp : tokens.issued_at + tokens.expires_in;
+            const expiresAt = idTokenExpiresAt < accessTokenExpiresAt ? idTokenExpiresAt : accessTokenExpiresAt;
+            secureTokens.expiresAt = expiresAt;
+           
+            tokens.expiresAt = expiresAt;
+
+            if(!isTokensOidcValid(tokens, currentDatabaseElement.nonce.nonce, currentDatabaseElement.oidcServerConfiguration)){
+                throw Error("Tokens are not OpenID valid");
+            }
+            
+            // When refresh_token is not rotated we reuse ald refresh_token
+            if(currentDatabaseElement.tokens != null && "refresh_token" in currentDatabaseElement.tokens && !("refresh_token" in tokens)){
+                const refreshToken = currentDatabaseElement.tokens.refresh_token;
+                currentDatabaseElement.tokens = {...tokens, refresh_token : refreshToken};
+            } else{
+                currentDatabaseElement.tokens = tokens;    
+            }
+            
+            currentDatabaseElement.status = "LOGGED_IN";
+            const body = JSON.stringify(secureTokens);
+            return new Response(body, response);
+        });
+    };
+}
+
+const getCurrentDatabasesTokenEndpoint = (database, url) => {
+    const databases = [];
+    for (const [key, value] of Object.entries(database)) {
+        if(value && value.oidcServerConfiguration !=null && url.startsWith(value.oidcServerConfiguration.tokenEndpoint)){
+            databases.push(value);
+        }
+    }
+    return databases;
+}
+
+const openidWellknownUrlEndWith  = "/.well-known/openid-configuration"
+const getCurrentDatabaseDomain = (database, url) => {
+    if(url.endsWith(openidWellknownUrlEndWith)){
+        return null;
+    }
+    for (const [key, currentDatabase] of Object.entries(database)) {
+        const oidcServerConfiguration = currentDatabase.oidcServerConfiguration;
+
+        if(!oidcServerConfiguration){
+            continue;
+        }
+
+        if(oidcServerConfiguration.tokenEndpoint && url === oidcServerConfiguration.tokenEndpoint){
+            continue;
+        }
+
+        const domainsToSendTokens = oidcServerConfiguration.userInfoEndpoint ? [
+            oidcServerConfiguration.userInfoEndpoint, ...trustedDomains[key]
+        ] : [...trustedDomains[key]];
+
+        let hasToSendToken = false;
+        if (domainsToSendTokens.find((f) => f === acceptAnyDomainToken)) {
+            hasToSendToken= true;
+        } else {
+            for (let i = 0; i < domainsToSendTokens.length; i++) {
+                const domain = domainsToSendTokens[i];
+                if (url.startsWith(domain)) {
+                    hasToSendToken = true;
+                    break;
+                }
+            }
+        }
+
+        if(hasToSendToken) {
+            if(!currentDatabase.tokens) {
+                return null;
+            }
+            return currentDatabase;
+        }
+    }
+
+    return null;
+}
+
+const serializeHeaders = (headers) => {
+    let headersObj = {};
+    for (let key of headers.keys()) {
+        headersObj[key] = headers.get(key);
+    }
+    return headersObj;
+};
+
+const REFRESH_TOKEN = 'REFRESH_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER';
+const ACCESS_TOKEN = 'ACCESS_TOKEN_SECURED_BY_OIDC_SERVICE_WORKER';
+const NONCE_TOKEN = 'NONCE_SECURED_BY_OIDC_SERVICE_WORKER';
+
+const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+
+const keepAliveAsync = async (event) => {
+    const originalRequest = event.request;
+    const isFromVanilla = originalRequest.headers.has('oidc-vanilla');
+    const init = {"status": 200, "statusText": 'oidc-service-worker'};
+    const response = new Response('{}', init);
+    if(!isFromVanilla) {
+        for(let i=0; i<240;i++){
+            await sleep(1000 + Math.floor(Math.random() * 1000));
+            const cache = await caches.open("oidc_dummy_cache");
+            await cache.put(event.request, response.clone());
+        }
+    }
+
+    return response;
+}
+
+const handleFetch = async (event) => {
+    const originalRequest = event.request;
+
+    if(originalRequest.url.includes(keepAliveJsonFilename) ){
+        event.respondWith(keepAliveAsync(event));
+        return;
+    }
+
+    const currentDatabaseForRequestAccessToken = getCurrentDatabaseDomain(database, originalRequest.url);
+    if(currentDatabaseForRequestAccessToken && currentDatabaseForRequestAccessToken.tokens && currentDatabaseForRequestAccessToken.tokens.access_token) {
+        while (currentDatabaseForRequestAccessToken.tokens && !isTokensValid(currentDatabaseForRequestAccessToken.tokens)){
+            await sleep(200);
+        }
+        const newRequest = new Request(originalRequest, {
+            headers: {
+                ...serializeHeaders(originalRequest.headers),
+                authorization: "Bearer " + currentDatabaseForRequestAccessToken.tokens.access_token
+            }
+        });
+        event.waitUntil(event.respondWith(fetch(newRequest)));
+        return;
+    }
+
+    if(event.request.method !== "POST"){
+        return;
+    }
+    let currentDatabase = null;
+    const currentDatabases = getCurrentDatabasesTokenEndpoint(database, originalRequest.url);
+    const numberDatabase = currentDatabases.length;
+    if(numberDatabase > 0) {
+        const maPromesse = new Promise((resolve, reject) => {
+            const clonedRequest = originalRequest.clone();
+            const response = clonedRequest.text().then(actualBody => {
+                if(actualBody.includes(REFRESH_TOKEN)) {
+                    let newBody = actualBody;
+                    for(let i= 0;i<numberDatabase;i++){
+                        const currentDb = currentDatabases[i];
+
+                        if(currentDb && currentDb.tokens != null) {
+                            const keyRefreshToken = REFRESH_TOKEN + '_'+ currentDb.configurationName;
+                            if(actualBody.includes(keyRefreshToken)) {
+                                newBody = newBody.replace(keyRefreshToken, encodeURIComponent(currentDb.tokens.refresh_token));
+                                currentDatabase = currentDb;
+                                break;
+                            }
+                        }
+                    }
+
+                    return fetch(originalRequest, {
+                        body: newBody,
+                        method: clonedRequest.method,
+                        headers: {
+                            ...serializeHeaders(originalRequest.headers),
+                        },
+                        mode: clonedRequest.mode,
+                        cache: clonedRequest.cache,
+                        redirect: clonedRequest.redirect,
+                        referrer: clonedRequest.referrer,
+                        credentials: clonedRequest.credentials,
+                        integrity: clonedRequest.integrity
+                    }).then(hideTokens(currentDatabase));
+                } else if(actualBody.includes("code_verifier=") && currentLoginCallbackConfigurationName){
+                    currentDatabase = database[currentLoginCallbackConfigurationName];
+                    currentLoginCallbackConfigurationName=null;
+                    return fetch(originalRequest,{
+                        body: actualBody,
+                        method: clonedRequest.method,
+                        headers: {
+                            ...serializeHeaders(originalRequest.headers),
+                        },
+                        mode: clonedRequest.mode,
+                        cache: clonedRequest.cache,
+                        redirect: clonedRequest.redirect,
+                        referrer: clonedRequest.referrer,
+                        credentials: clonedRequest.credentials,
+                        integrity: clonedRequest.integrity
+                    }).then(hideTokens(currentDatabase));
+                }
+            });
+            response.then(r => {
+                if(r !== undefined){
+                    resolve(r);
+                } else{
+                    console.log("success undefined");
+                    reject(new Error("Response is undefined inside a success"));
+                }
+            }).catch(err => {
+                if(err !== undefined) {
+                    reject(err);
+                } else{
+                    console.log("error undefined");
+                    reject(new Error("Response is undefined inside a error"));
+                }
+            });
+        });
+        event.waitUntil(event.respondWith(maPromesse));
+    }
+};
+
+self.addEventListener('install', handleInstall);
+self.addEventListener('activate', handleActivate);
+self.addEventListener('fetch', handleFetch);
+
+
+const checkDomain = (domains, endpoint) => {
+    if(!endpoint){
+        return;
+    }
+
+    const domain = domains.find(domain => endpoint.startsWith(domain));
+    if(!domain){
+        throw new Error("Domain " + endpoint + " is not trusted, please add domain in TrustedDomains.js");
+    }
+}
+
+addEventListener('message', event => {
+    const port = event.ports[0];
+    const data = event.data;
+    const configurationName = data.configurationName;
+    let currentDatabase = database[configurationName];
+
+    if(!currentDatabase){
+        database[configurationName] = {
+            tokens: null,
+            items:[],
+            oidcServerConfiguration: null,
+            status:null,
+            configurationName: configurationName,
+        };
+        currentDatabase = database[configurationName];
+        if(!trustedDomains[configurationName]) {
+            trustedDomains[configurationName] = [];
+        }
+    }
+    switch (data.type){
+        case "loadItems":
+            port.postMessage(database[configurationName].items);
+            return;
+        case "clear":
+            currentDatabase.tokens = null;
+            currentDatabase.items = null;
+            currentDatabase.status = data.data.status;
+            port.postMessage({configurationName});
+            return;
+        case "init":
+            const oidcServerConfiguration = data.data.oidcServerConfiguration;
+            const domains = trustedDomains[configurationName];
+            if (!domains.find(f => f === acceptAnyDomainToken)) {
+                checkDomain(domains, oidcServerConfiguration.tokenEndpoint);
+                checkDomain(domains, oidcServerConfiguration.userInfoEndpoint);
+                checkDomain(domains, oidcServerConfiguration.issuer);
+            }
+            currentDatabase.oidcServerConfiguration = oidcServerConfiguration;
+            const where = data.data.where;
+            if(where === "loginCallbackAsync" || where === "tryKeepExistingSessionAsync") {
+                currentLoginCallbackConfigurationName = configurationName;
+            } else{
+                currentLoginCallbackConfigurationName = null;
+            }
+
+            if(!currentDatabase.tokens){
+                port.postMessage({
+                    tokens:null,
+                    status: currentDatabase.status,
+                    configurationName});
+            } else {
+                const tokens = {
+                    ...currentDatabase.tokens,
+                    access_token: ACCESS_TOKEN + "_" + configurationName
+                };
+                if(tokens.refresh_token){
+                    tokens.refresh_token = REFRESH_TOKEN + "_" + configurationName;
+                }
+                if(tokens.idTokenPayload && tokens.idTokenPayload.nonce){
+                    tokens.idTokenPayload.nonce =  NONCE_TOKEN + "_" + configurationName;
+                }
+                port.postMessage({
+                    tokens,
+                    status: currentDatabase.status,
+                    configurationName
+                });
+            }
+            return;
+
+        case "setSessionState":
+            currentDatabase.sessionState = data.data.sessionState;
+            port.postMessage({configurationName});
+            return;
+        case "getSessionState":
+            const sessionState = currentDatabase.sessionState;
+            port.postMessage({configurationName, sessionState});
+            return;
+        case "setNonce":
+            currentDatabase.nonce = data.data.nonce;
+            port.postMessage({configurationName});
+            return;
+        default:
+            currentDatabase.items = { ...data.data };
+            port.postMessage({configurationName});
+            return;
+    }
+});
+

package/src/oidc/vanilla/OidcTrustedDomains.js

@@ -0,0 +1,16 @@
+
+// Add bellow trusted domains, access tokens will automatically injected to be send to
+// trusted domain can also be a path like https://www.myapi.com/users, 
+// then all subroute like https://www.myapi.com/useers/1 will be authorized to send access_token to.
+
+// Domains used by OIDC server must be also declared here
+const trustedDomains = {
+    default:["https://demo.duendesoftware.com", "https://kdhttps.auth0.com"],
+    config_classic: ["https://demo.duendesoftware.com"] ,
+    config_without_silent_login: ["https://demo.duendesoftware.com"] ,
+    config_without_refresh_token: ["https://demo.duendesoftware.com"],
+    config_without_refresh_token_silent_login: ["https://demo.duendesoftware.com"],
+    config_google: ["https://oauth2.googleapis.com", "https://openidconnect.googleapis.com"],
+    config_with_hash: ["https://demo.duendesoftware.com"]
+};
+