@logto/client 2.2.3 → 2.3.0

package/lib/errors.cjs

@@ -1,11 +1,14 @@
 'use strict';
 
+var js = require('@logto/js');
+
 const logtoClientErrorCodes = Object.freeze({
     'sign_in_session.invalid': 'Invalid sign-in session.',
     'sign_in_session.not_found': 'Sign-in session not found.',
     not_authenticated: 'Not authenticated.',
     fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
     user_cancelled: 'The user cancelled the action.',
+    missing_scope_organizations: `The \`${js.UserScope.Organizations}\` scope is required`,
 });
 class LogtoClientError extends Error {
     constructor(code, data) {

package/lib/errors.d.ts

@@ -4,6 +4,7 @@ declare const logtoClientErrorCodes: Readonly<{
     not_authenticated: "Not authenticated.";
     fetch_user_info_failed: "Unable to fetch user info. The access token may be invalid.";
     user_cancelled: "The user cancelled the action.";
+    missing_scope_organizations: "The `urn:logto:scope:organizations` scope is required";
 }>;
 export type LogtoClientErrorCode = keyof typeof logtoClientErrorCodes;
 export declare class LogtoClientError extends Error {

package/lib/errors.js

@@ -1,9 +1,12 @@
+import { UserScope } from '@logto/js';
+
 const logtoClientErrorCodes = Object.freeze({
     'sign_in_session.invalid': 'Invalid sign-in session.',
     'sign_in_session.not_found': 'Sign-in session not found.',
     not_authenticated: 'Not authenticated.',
     fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
     user_cancelled: 'The user cancelled the action.',
+    missing_scope_organizations: `The \`${UserScope.Organizations}\` scope is required`,
 });
 class LogtoClientError extends Error {
     constructor(code, data) {

package/lib/index.cjs

@@ -14,6 +14,7 @@ var once = require('./utils/once.cjs');
 var types = require('./adapter/types.cjs');
 var requester = require('./utils/requester.cjs');
 
+/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -24,13 +25,37 @@ var requester = require('./utils/requester.cjs');
 class LogtoClient {
     constructor(logtoConfig, adapter) {
         this.getOidcConfig = memoize.memoize(this.#getOidcConfig);
+        /**
+         * Get the access token from the storage with refresh strategy.
+         *
+         * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
+         * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
+         *
+         * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
+         *
+         * @param resource The resource that the access token is granted for. If not
+         * specified, the access token will be used for OpenID Connect or the default
+         * resource, as specified in the Logto Console.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         */
+        this.getAccessToken = memoize.memoize(this.#getAccessToken);
+        /**
+         * Get the access token for the specified organization from the storage with refresh strategy.
+         *
+         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+         * methods.
+         *
+         * @param organizationId The ID of the organization that the access token is granted for.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         * @remarks
+         * It uses the same refresh strategy as {@link getAccessToken}.
+         */
+        this.getOrganizationToken = memoize.memoize(this.#getOrganizationToken);
         this.getJwtVerifyGetKey = once.once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
-        this.logtoConfig = {
-            ...logtoConfig,
-            prompt: logtoConfig.prompt ?? js.Prompt.Consent,
-            scopes: js.withDefaultScopes(logtoConfig.scopes).split(' '),
-        };
+        this.logtoConfig = index.normalizeLogtoConfig(logtoConfig);
         this.adapter = new index$1.ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
@@ -53,36 +78,6 @@ class LogtoClient {
     async getIdToken() {
         return this.adapter.storage.getItem('idToken');
     }
-    /**
-     * Get the Access Token from the storage. If the Access Token has expired, it
-     * will try to fetch a new one using the Refresh Token.
-     *
-     * If you want to get the Access Token claims, use {@link getAccessTokenClaims} instead.
-     *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
-     * resource, as specified in the Logto Console.
-     * @returns The Access Token string.
-     * @throws LogtoClientError if the user is not authenticated.
-     */
-    async getAccessToken(resource) {
-        if (!(await this.getIdToken())) {
-            throw new errors.LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource);
-        const accessToken = this.accessTokenMap.get(accessTokenKey);
-        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
-            return accessToken.token;
-        }
-        // Since the access token has expired, delete it from the map.
-        if (accessToken) {
-            this.accessTokenMap.delete(accessTokenKey);
-        }
-        /**
-         * Need to fetch a new access token using refresh token.
-         */
-        return this.getAccessTokenByRefreshToken(resource);
-    }
     /**
      * Get the ID Token claims.
      */
@@ -94,16 +89,25 @@ class LogtoClient {
         return js.decodeIdToken(idToken);
     }
     /**
-     * Get the Access Token claims for the specified resource.
+     * Get the access token claims for the specified resource.
      *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
+     * @param resource The resource that the access token is granted for. If not
+     * specified, the access token will be used for OpenID Connect or the default
      * resource, as specified in the Logto Console.
      */
     async getAccessTokenClaims(resource) {
         const accessToken = await this.getAccessToken(resource);
         return js.decodeAccessToken(accessToken);
     }
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    async getOrganizationTokenClaims(organizationId) {
+        const accessToken = await this.getOrganizationToken(organizationId);
+        return js.decodeAccessToken(accessToken);
+    }
     /**
      * Get the user information from the Userinfo Endpoint.
      *
@@ -278,12 +282,12 @@ class LogtoClient {
     async setRefreshToken(value) {
         return this.adapter.setStorageItem(types.PersistKey.RefreshToken, value);
     }
-    async getAccessTokenByRefreshToken(resource) {
+    async getAccessTokenByRefreshToken(resource, organizationId) {
         const currentRefreshToken = await this.getRefreshToken();
         if (!currentRefreshToken) {
             throw new errors.LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource);
+        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
         const requestedAt = Math.round(Date.now() / 1000);
@@ -292,6 +296,7 @@ class LogtoClient {
             tokenEndpoint,
             refreshToken: currentRefreshToken,
             resource,
+            organizationId,
         }, this.adapter.requester);
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
@@ -358,7 +363,32 @@ class LogtoClient {
         const cachedJwkSet = new remoteJwkSet.CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
         return async (...args) => cachedJwkSet.getKey(...args);
     }
+    async #getAccessToken(resource, organizationId) {
+        if (!(await this.isAuthenticated())) {
+            throw new errors.LogtoClientError('not_authenticated');
+        }
+        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
+        const accessToken = this.accessTokenMap.get(accessTokenKey);
+        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
+            return accessToken.token;
+        }
+        // Since the access token has expired, delete it from the map.
+        if (accessToken) {
+            this.accessTokenMap.delete(accessTokenKey);
+        }
+        /**
+         * Need to fetch a new access token using refresh token.
+         */
+        return this.getAccessTokenByRefreshToken(resource, organizationId);
+    }
+    async #getOrganizationToken(organizationId) {
+        if (!this.logtoConfig.scopes?.includes(js.UserScope.Organizations)) {
+            throw new errors.LogtoClientError('missing_scope_organizations');
+        }
+        return this.#getAccessToken(undefined, organizationId);
+    }
 }
+/* eslint-enable max-lines */
 
 Object.defineProperty(exports, 'LogtoError', {
     enumerable: true,
@@ -376,6 +406,10 @@ Object.defineProperty(exports, 'Prompt', {
     enumerable: true,
     get: function () { return js.Prompt; }
 });
+Object.defineProperty(exports, 'ReservedResource', {
+    enumerable: true,
+    get: function () { return js.ReservedResource; }
+});
 Object.defineProperty(exports, 'ReservedScope', {
     enumerable: true,
     get: function () { return js.ReservedScope; }
@@ -384,9 +418,22 @@ Object.defineProperty(exports, 'UserScope', {
     enumerable: true,
     get: function () { return js.UserScope; }
 });
+Object.defineProperty(exports, 'buildOrganizationUrn', {
+    enumerable: true,
+    get: function () { return js.buildOrganizationUrn; }
+});
+Object.defineProperty(exports, 'getOrganizationIdFromUrn', {
+    enumerable: true,
+    get: function () { return js.getOrganizationIdFromUrn; }
+});
+Object.defineProperty(exports, 'organizationUrnPrefix', {
+    enumerable: true,
+    get: function () { return js.organizationUrnPrefix; }
+});
 exports.LogtoClientError = errors.LogtoClientError;
 exports.isLogtoAccessTokenMap = index.isLogtoAccessTokenMap;
 exports.isLogtoSignInSessionItem = index.isLogtoSignInSessionItem;
+exports.normalizeLogtoConfig = index.normalizeLogtoConfig;
 Object.defineProperty(exports, 'CacheKey', {
     enumerable: true,
     get: function () { return types.CacheKey; }

package/lib/index.d.ts

@@ -4,7 +4,7 @@ import { type JWTVerifyGetKey } from 'jose';
 import { ClientAdapterInstance, type ClientAdapter } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
 export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope, } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, } from '@logto/js';
 export * from './errors.js';
 export type { Storage, StorageKey, ClientAdapter } from './adapter/index.js';
 export { PersistKey, CacheKey } from './adapter/index.js';
@@ -19,8 +19,8 @@ export * from './types/index.js';
  */
 export default class LogtoClient {
     #private;
-    protected readonly logtoConfig: LogtoConfig;
-    protected readonly getOidcConfig: (this: unknown) => Promise<import("@silverhand/essentials").KeysToCamelCase<{
+    readonly logtoConfig: LogtoConfig;
+    readonly getOidcConfig: (this: unknown) => Promise<import("@silverhand/essentials").KeysToCamelCase<{
         authorization_endpoint: string;
         token_endpoint: string;
         userinfo_endpoint: string;
@@ -29,6 +29,34 @@ export default class LogtoClient {
         jwks_uri: string;
         issuer: string;
     }>>;
+    /**
+     * Get the access token from the storage with refresh strategy.
+     *
+     * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
+     * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
+     *
+     * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
+     *
+     * @param resource The resource that the access token is granted for. If not
+     * specified, the access token will be used for OpenID Connect or the default
+     * resource, as specified in the Logto Console.
+     * @returns The access token string.
+     * @throws LogtoClientError if the user is not authenticated.
+     */
+    readonly getAccessToken: (this: unknown, resource?: string | undefined, organizationId?: string | undefined) => Promise<string>;
+    /**
+     * Get the access token for the specified organization from the storage with refresh strategy.
+     *
+     * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+     * methods.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     * @returns The access token string.
+     * @throws LogtoClientError if the user is not authenticated.
+     * @remarks
+     * It uses the same refresh strategy as {@link getAccessToken}.
+     */
+    readonly getOrganizationToken: (this: unknown, organizationId: string) => Promise<string>;
     protected readonly getJwtVerifyGetKey: (...args: unknown[]) => Promise<JWTVerifyGetKey>;
     protected readonly adapter: ClientAdapterInstance;
     protected readonly accessTokenMap: Map<string, AccessToken>;
@@ -46,31 +74,24 @@ export default class LogtoClient {
      * use {@link getIdTokenClaims} instead.
      */
     getIdToken(): Promise<Nullable<string>>;
-    /**
-     * Get the Access Token from the storage. If the Access Token has expired, it
-     * will try to fetch a new one using the Refresh Token.
-     *
-     * If you want to get the Access Token claims, use {@link getAccessTokenClaims} instead.
-     *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
-     * resource, as specified in the Logto Console.
-     * @returns The Access Token string.
-     * @throws LogtoClientError if the user is not authenticated.
-     */
-    getAccessToken(resource?: string): Promise<string>;
     /**
      * Get the ID Token claims.
      */
     getIdTokenClaims(): Promise<IdTokenClaims>;
     /**
-     * Get the Access Token claims for the specified resource.
+     * Get the access token claims for the specified resource.
      *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
+     * @param resource The resource that the access token is granted for. If not
+     * specified, the access token will be used for OpenID Connect or the default
      * resource, as specified in the Logto Console.
      */
     getAccessTokenClaims(resource?: string): Promise<AccessTokenClaims>;
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    getOrganizationTokenClaims(organizationId: string): Promise<AccessTokenClaims>;
     /**
      * Get the user information from the Userinfo Endpoint.
      *

package/lib/index.js

@@ -1,16 +1,17 @@
-import { Prompt, withDefaultScopes, decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig } from '@logto/js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope } from '@logto/js';
+import { decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig, UserScope } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
 import { createRemoteJWKSet } from 'jose';
 import { ClientAdapterInstance } from './adapter/index.js';
 import { LogtoClientError } from './errors.js';
 import { CachedRemoteJwkSet } from './remote-jwk-set.js';
-import { isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
+import { normalizeLogtoConfig, isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
 import { buildAccessTokenKey, getDiscoveryEndpoint } from './utils/index.js';
 import { memoize } from './utils/memoize.js';
 import { once } from './utils/once.js';
 import { PersistKey, CacheKey } from './adapter/types.js';
 export { createRequester } from './utils/requester.js';
 
+/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -21,13 +22,37 @@ export { createRequester } from './utils/requester.js';
 class LogtoClient {
     constructor(logtoConfig, adapter) {
         this.getOidcConfig = memoize(this.#getOidcConfig);
+        /**
+         * Get the access token from the storage with refresh strategy.
+         *
+         * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
+         * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
+         *
+         * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
+         *
+         * @param resource The resource that the access token is granted for. If not
+         * specified, the access token will be used for OpenID Connect or the default
+         * resource, as specified in the Logto Console.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         */
+        this.getAccessToken = memoize(this.#getAccessToken);
+        /**
+         * Get the access token for the specified organization from the storage with refresh strategy.
+         *
+         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+         * methods.
+         *
+         * @param organizationId The ID of the organization that the access token is granted for.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         * @remarks
+         * It uses the same refresh strategy as {@link getAccessToken}.
+         */
+        this.getOrganizationToken = memoize(this.#getOrganizationToken);
         this.getJwtVerifyGetKey = once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
-        this.logtoConfig = {
-            ...logtoConfig,
-            prompt: logtoConfig.prompt ?? Prompt.Consent,
-            scopes: withDefaultScopes(logtoConfig.scopes).split(' '),
-        };
+        this.logtoConfig = normalizeLogtoConfig(logtoConfig);
         this.adapter = new ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
@@ -50,36 +75,6 @@ class LogtoClient {
     async getIdToken() {
         return this.adapter.storage.getItem('idToken');
     }
-    /**
-     * Get the Access Token from the storage. If the Access Token has expired, it
-     * will try to fetch a new one using the Refresh Token.
-     *
-     * If you want to get the Access Token claims, use {@link getAccessTokenClaims} instead.
-     *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
-     * resource, as specified in the Logto Console.
-     * @returns The Access Token string.
-     * @throws LogtoClientError if the user is not authenticated.
-     */
-    async getAccessToken(resource) {
-        if (!(await this.getIdToken())) {
-            throw new LogtoClientError('not_authenticated');
-        }
-        const accessTokenKey = buildAccessTokenKey(resource);
-        const accessToken = this.accessTokenMap.get(accessTokenKey);
-        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
-            return accessToken.token;
-        }
-        // Since the access token has expired, delete it from the map.
-        if (accessToken) {
-            this.accessTokenMap.delete(accessTokenKey);
-        }
-        /**
-         * Need to fetch a new access token using refresh token.
-         */
-        return this.getAccessTokenByRefreshToken(resource);
-    }
     /**
      * Get the ID Token claims.
      */
@@ -91,16 +86,25 @@ class LogtoClient {
         return decodeIdToken(idToken);
     }
     /**
-     * Get the Access Token claims for the specified resource.
+     * Get the access token claims for the specified resource.
      *
-     * @param resource The resource that the Access Token is granted for. If not
-     * specified, the Access Token will be used for OpenID Connect or the default
+     * @param resource The resource that the access token is granted for. If not
+     * specified, the access token will be used for OpenID Connect or the default
      * resource, as specified in the Logto Console.
      */
     async getAccessTokenClaims(resource) {
         const accessToken = await this.getAccessToken(resource);
         return decodeAccessToken(accessToken);
     }
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    async getOrganizationTokenClaims(organizationId) {
+        const accessToken = await this.getOrganizationToken(organizationId);
+        return decodeAccessToken(accessToken);
+    }
     /**
      * Get the user information from the Userinfo Endpoint.
      *
@@ -275,12 +279,12 @@ class LogtoClient {
     async setRefreshToken(value) {
         return this.adapter.setStorageItem(PersistKey.RefreshToken, value);
     }
-    async getAccessTokenByRefreshToken(resource) {
+    async getAccessTokenByRefreshToken(resource, organizationId) {
         const currentRefreshToken = await this.getRefreshToken();
         if (!currentRefreshToken) {
             throw new LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = buildAccessTokenKey(resource);
+        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
         const requestedAt = Math.round(Date.now() / 1000);
@@ -289,6 +293,7 @@ class LogtoClient {
             tokenEndpoint,
             refreshToken: currentRefreshToken,
             resource,
+            organizationId,
         }, this.adapter.requester);
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
@@ -355,6 +360,31 @@ class LogtoClient {
         const cachedJwkSet = new CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
         return async (...args) => cachedJwkSet.getKey(...args);
     }
+    async #getAccessToken(resource, organizationId) {
+        if (!(await this.isAuthenticated())) {
+            throw new LogtoClientError('not_authenticated');
+        }
+        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
+        const accessToken = this.accessTokenMap.get(accessTokenKey);
+        if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
+            return accessToken.token;
+        }
+        // Since the access token has expired, delete it from the map.
+        if (accessToken) {
+            this.accessTokenMap.delete(accessTokenKey);
+        }
+        /**
+         * Need to fetch a new access token using refresh token.
+         */
+        return this.getAccessTokenByRefreshToken(resource, organizationId);
+    }
+    async #getOrganizationToken(organizationId) {
+        if (!this.logtoConfig.scopes?.includes(UserScope.Organizations)) {
+            throw new LogtoClientError('missing_scope_organizations');
+        }
+        return this.#getAccessToken(undefined, organizationId);
+    }
 }
+/* eslint-enable max-lines */
 
-export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem };
+export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig };

package/lib/mock.d.ts

@@ -66,7 +66,7 @@ export declare const createAdapters: (withCache?: boolean) => {
     generateCodeVerifier: jest.Mock<string, [], any>;
     generateState: jest.Mock<string, [], any>;
 };
-export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean) => LogtoClientWithAccessors;
+export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean, scopes?: string[]) => LogtoClientWithAccessors;
 /**
  * Make protected fields accessible for test
  */

package/lib/types/index.cjs

@@ -1,7 +1,28 @@
 'use strict';
 
 var js = require('@logto/js');
+var essentials = require('@silverhand/essentials');
 
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+const normalizeLogtoConfig = (config) => {
+    const { prompt = js.Prompt.Consent, scopes = [], resources, ...rest } = config;
+    return {
+        ...rest,
+        prompt,
+        scopes: js.withDefaultScopes(scopes).split(' '),
+        resources: scopes.includes(js.UserScope.Organizations)
+            ? essentials.deduplicate([...(resources ?? []), js.ReservedResource.Organization])
+            : resources,
+    };
+};
 const isLogtoSignInSessionItem = (data) => {
     if (!js.isArbitraryObject(data)) {
         return false;
@@ -24,3 +45,4 @@ const isLogtoAccessTokenMap = (data) => {
 
 exports.isLogtoAccessTokenMap = isLogtoAccessTokenMap;
 exports.isLogtoSignInSessionItem = isLogtoSignInSessionItem;
+exports.normalizeLogtoConfig = normalizeLogtoConfig;

package/lib/types/index.d.ts

@@ -1,4 +1,4 @@
-import type { Prompt } from '@logto/js';
+import { Prompt } from '@logto/js';
 /** The configuration object for the Logto client. */
 export type LogtoConfig = {
     /**
@@ -40,6 +40,16 @@ export type LogtoConfig = {
      */
     prompt?: Prompt;
 };
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+export declare const normalizeLogtoConfig: (config: LogtoConfig) => LogtoConfig;
 export type AccessToken = {
     /** The access token string. */
     token: string;

package/lib/types/index.js

@@ -1,5 +1,26 @@
-import { isArbitraryObject } from '@logto/js';
+import { Prompt, withDefaultScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
+import { deduplicate } from '@silverhand/essentials';
 
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+const normalizeLogtoConfig = (config) => {
+    const { prompt = Prompt.Consent, scopes = [], resources, ...rest } = config;
+    return {
+        ...rest,
+        prompt,
+        scopes: withDefaultScopes(scopes).split(' '),
+        resources: scopes.includes(UserScope.Organizations)
+            ? deduplicate([...(resources ?? []), ReservedResource.Organization])
+            : resources,
+    };
+};
 const isLogtoSignInSessionItem = (data) => {
     if (!isArbitraryObject(data)) {
         return false;
@@ -20,4 +41,4 @@ const isLogtoAccessTokenMap = (data) => {
     });
 };
 
-export { isLogtoAccessTokenMap, isLogtoSignInSessionItem };
+export { isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig };

package/lib/types/index.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/index.cjs

@@ -1,8 +1,9 @@
 'use strict';
 
 var js = require('@logto/js');
+var essentials = require('@silverhand/essentials');
 
-const buildAccessTokenKey = (resource = '', scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}`;
+const buildAccessTokenKey = (resource = '', organizationId, scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}${essentials.conditionalString(organizationId && `#${organizationId}`)}`;
 const getDiscoveryEndpoint = (endpoint) => new URL(js.discoveryPath, endpoint).toString();
 
 exports.buildAccessTokenKey = buildAccessTokenKey;

package/lib/utils/index.d.ts

@@ -1,3 +1,3 @@
 export * from './requester.js';
-export declare const buildAccessTokenKey: (resource?: string, scopes?: string[]) => string;
+export declare const buildAccessTokenKey: (resource?: string, organizationId?: string, scopes?: string[]) => string;
 export declare const getDiscoveryEndpoint: (endpoint: string) => string;

package/lib/utils/index.js

@@ -1,6 +1,7 @@
 import { discoveryPath } from '@logto/js';
+import { conditionalString } from '@silverhand/essentials';
 
-const buildAccessTokenKey = (resource = '', scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}`;
+const buildAccessTokenKey = (resource = '', organizationId, scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}${conditionalString(organizationId && `#${organizationId}`)}`;
 const getDiscoveryEndpoint = (endpoint) => new URL(discoveryPath, endpoint).toString();
 
 export { buildAccessTokenKey, getDiscoveryEndpoint };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/client",
-  "version": "2.2.3",
+  "version": "2.3.0",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",
@@ -21,10 +21,10 @@
     "directory": "packages/client"
   },
   "dependencies": {
-    "@logto/js": "^2.1.3",
+    "@logto/js": "^3.0.0",
     "@silverhand/essentials": "^2.6.2",
     "camelcase-keys": "^7.0.1",
-    "jose": "^4.13.2"
+    "jose": "^5.0.0"
   },
   "devDependencies": {
     "@silverhand/eslint-config": "^4.0.1",
@@ -36,7 +36,7 @@
     "eslint": "^8.44.0",
     "jest": "^29.5.0",
     "jest-matcher-specific-error": "^1.0.0",
-    "lint-staged": "^14.0.0",
+    "lint-staged": "^15.0.0",
     "nock": "^13.3.0",
     "prettier": "^3.0.0",
     "text-encoder": "^0.0.4",