@logto/client 2.2.4 → 2.3.1

package/lib/errors.cjs

@@ -1,11 +1,14 @@
 'use strict';
 
+var js = require('@logto/js');
+
 const logtoClientErrorCodes = Object.freeze({
     'sign_in_session.invalid': 'Invalid sign-in session.',
     'sign_in_session.not_found': 'Sign-in session not found.',
     not_authenticated: 'Not authenticated.',
     fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
     user_cancelled: 'The user cancelled the action.',
+    missing_scope_organizations: `The \`${js.UserScope.Organizations}\` scope is required`,
 });
 class LogtoClientError extends Error {
     constructor(code, data) {

package/lib/errors.d.ts

@@ -4,6 +4,7 @@ declare const logtoClientErrorCodes: Readonly<{
     not_authenticated: "Not authenticated.";
     fetch_user_info_failed: "Unable to fetch user info. The access token may be invalid.";
     user_cancelled: "The user cancelled the action.";
+    missing_scope_organizations: "The `urn:logto:scope:organizations` scope is required";
 }>;
 export type LogtoClientErrorCode = keyof typeof logtoClientErrorCodes;
 export declare class LogtoClientError extends Error {

package/lib/errors.js

@@ -1,9 +1,12 @@
+import { UserScope } from '@logto/js';
+
 const logtoClientErrorCodes = Object.freeze({
     'sign_in_session.invalid': 'Invalid sign-in session.',
     'sign_in_session.not_found': 'Sign-in session not found.',
     not_authenticated: 'Not authenticated.',
     fetch_user_info_failed: 'Unable to fetch user info. The access token may be invalid.',
     user_cancelled: 'The user cancelled the action.',
+    missing_scope_organizations: `The \`${UserScope.Organizations}\` scope is required`,
 });
 class LogtoClientError extends Error {
     constructor(code, data) {

package/lib/index.cjs

@@ -14,6 +14,7 @@ var once = require('./utils/once.cjs');
 var types = require('./adapter/types.cjs');
 var requester = require('./utils/requester.cjs');
 
+/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -23,9 +24,13 @@ var requester = require('./utils/requester.cjs');
  */
 class LogtoClient {
     constructor(logtoConfig, adapter) {
-        this.getOidcConfig = memoize.memoize(this.#getOidcConfig);
         /**
-         * Get the access token from the storage.
+         * Get the OIDC configuration from the discovery endpoint. This method will
+         * only fetch the configuration once and cache the result.
+         */
+        this.getOidcConfig = once.once(this.#getOidcConfig);
+        /**
+         * Get the access token from the storage with refresh strategy.
          *
          * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
          * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
@@ -39,13 +44,32 @@ class LogtoClient {
          * @throws LogtoClientError if the user is not authenticated.
          */
         this.getAccessToken = memoize.memoize(this.#getAccessToken);
+        /**
+         * Get the access token for the specified organization from the storage with refresh strategy.
+         *
+         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+         * methods.
+         *
+         * @param organizationId The ID of the organization that the access token is granted for.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         * @remarks
+         * It uses the same refresh strategy as {@link getAccessToken}.
+         */
+        this.getOrganizationToken = memoize.memoize(this.#getOrganizationToken);
+        /**
+         * Handle the sign-in callback by parsing the authorization code from the
+         * callback URI and exchanging it for the tokens.
+         *
+         * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
+         * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
+         * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
+         * @throws LogtoClientError if the sign-in session is not found.
+         */
+        this.handleSignInCallback = memoize.memoize(this.#handleSignInCallback);
         this.getJwtVerifyGetKey = once.once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
-        this.logtoConfig = {
-            ...logtoConfig,
-            prompt: logtoConfig.prompt ?? js.Prompt.Consent,
-            scopes: js.withDefaultScopes(logtoConfig.scopes).split(' '),
-        };
+        this.logtoConfig = index.normalizeLogtoConfig(logtoConfig);
         this.adapter = new index$1.ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
@@ -89,6 +113,15 @@ class LogtoClient {
         const accessToken = await this.getAccessToken(resource);
         return js.decodeAccessToken(accessToken);
     }
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    async getOrganizationTokenClaims(organizationId) {
+        const accessToken = await this.getOrganizationToken(organizationId);
+        return js.decodeAccessToken(accessToken);
+    }
     /**
      * Get the user information from the Userinfo Endpoint.
      *
@@ -164,50 +197,6 @@ class LogtoClient {
         const { origin, pathname } = new URL(url);
         return `${origin}${pathname}` === redirectUri;
     }
-    /**
-     * Handle the sign-in callback by parsing the authorization code from the
-     * callback URI and exchanging it for the tokens.
-     *
-     * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
-     * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
-     * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
-     * @throws LogtoClientError if the sign-in session is not found.
-     */
-    async handleSignInCallback(callbackUri) {
-        const { requester } = this.adapter;
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            throw new errors.LogtoClientError('sign_in_session.not_found');
-        }
-        const { redirectUri, state, codeVerifier } = signInSession;
-        const code = js.verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = index$2.buildAccessTokenKey();
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { idToken, refreshToken, accessToken, scope, expiresIn } = await js.fetchTokenByAuthorizationCode({
-            clientId,
-            tokenEndpoint,
-            redirectUri,
-            codeVerifier,
-            code,
-        }, requester);
-        await this.verifyIdToken(idToken);
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        await this.setSignInSession(null);
-    }
     /**
      * Start the sign-out flow with the specified redirect URI. The URI must be
      * registered in the Logto Console.
@@ -263,12 +252,12 @@ class LogtoClient {
     async setRefreshToken(value) {
         return this.adapter.setStorageItem(types.PersistKey.RefreshToken, value);
     }
-    async getAccessTokenByRefreshToken(resource) {
+    async getAccessTokenByRefreshToken(resource, organizationId) {
         const currentRefreshToken = await this.getRefreshToken();
         if (!currentRefreshToken) {
             throw new errors.LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource);
+        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
         const requestedAt = Math.round(Date.now() / 1000);
@@ -277,6 +266,7 @@ class LogtoClient {
             tokenEndpoint,
             refreshToken: currentRefreshToken,
             resource,
+            organizationId,
         }, this.adapter.requester);
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
@@ -343,11 +333,11 @@ class LogtoClient {
         const cachedJwkSet = new remoteJwkSet.CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
         return async (...args) => cachedJwkSet.getKey(...args);
     }
-    async #getAccessToken(resource) {
-        if (!(await this.getIdToken())) {
+    async #getAccessToken(resource, organizationId) {
+        if (!(await this.isAuthenticated())) {
             throw new errors.LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = index$2.buildAccessTokenKey(resource);
+        const accessTokenKey = index$2.buildAccessTokenKey(resource, organizationId);
         const accessToken = this.accessTokenMap.get(accessTokenKey);
         if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
             return accessToken.token;
@@ -359,9 +349,51 @@ class LogtoClient {
         /**
          * Need to fetch a new access token using refresh token.
          */
-        return this.getAccessTokenByRefreshToken(resource);
+        return this.getAccessTokenByRefreshToken(resource, organizationId);
+    }
+    async #getOrganizationToken(organizationId) {
+        if (!this.logtoConfig.scopes?.includes(js.UserScope.Organizations)) {
+            throw new errors.LogtoClientError('missing_scope_organizations');
+        }
+        return this.#getAccessToken(undefined, organizationId);
+    }
+    async #handleSignInCallback(callbackUri) {
+        const { requester } = this.adapter;
+        const signInSession = await this.getSignInSession();
+        if (!signInSession) {
+            throw new errors.LogtoClientError('sign_in_session.not_found');
+        }
+        const { redirectUri, state, codeVerifier } = signInSession;
+        const code = js.verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
+        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
+        const accessTokenKey = index$2.buildAccessTokenKey();
+        const { appId: clientId } = this.logtoConfig;
+        const { tokenEndpoint } = await this.getOidcConfig();
+        const requestedAt = Math.round(Date.now() / 1000);
+        const { idToken, refreshToken, accessToken, scope, expiresIn } = await js.fetchTokenByAuthorizationCode({
+            clientId,
+            tokenEndpoint,
+            redirectUri,
+            codeVerifier,
+            code,
+        }, requester);
+        await this.verifyIdToken(idToken);
+        await this.setRefreshToken(refreshToken ?? null);
+        await this.setIdToken(idToken);
+        this.accessTokenMap.set(accessTokenKey, {
+            token: accessToken,
+            scope,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
+        });
+        await this.saveAccessTokenMap();
+        await this.setSignInSession(null);
     }
 }
+/* eslint-enable max-lines */
 
 Object.defineProperty(exports, 'LogtoError', {
     enumerable: true,
@@ -379,6 +411,10 @@ Object.defineProperty(exports, 'Prompt', {
     enumerable: true,
     get: function () { return js.Prompt; }
 });
+Object.defineProperty(exports, 'ReservedResource', {
+    enumerable: true,
+    get: function () { return js.ReservedResource; }
+});
 Object.defineProperty(exports, 'ReservedScope', {
     enumerable: true,
     get: function () { return js.ReservedScope; }
@@ -387,9 +423,22 @@ Object.defineProperty(exports, 'UserScope', {
     enumerable: true,
     get: function () { return js.UserScope; }
 });
+Object.defineProperty(exports, 'buildOrganizationUrn', {
+    enumerable: true,
+    get: function () { return js.buildOrganizationUrn; }
+});
+Object.defineProperty(exports, 'getOrganizationIdFromUrn', {
+    enumerable: true,
+    get: function () { return js.getOrganizationIdFromUrn; }
+});
+Object.defineProperty(exports, 'organizationUrnPrefix', {
+    enumerable: true,
+    get: function () { return js.organizationUrnPrefix; }
+});
 exports.LogtoClientError = errors.LogtoClientError;
 exports.isLogtoAccessTokenMap = index.isLogtoAccessTokenMap;
 exports.isLogtoSignInSessionItem = index.isLogtoSignInSessionItem;
+exports.normalizeLogtoConfig = index.normalizeLogtoConfig;
 Object.defineProperty(exports, 'CacheKey', {
     enumerable: true,
     get: function () { return types.CacheKey; }

package/lib/index.d.ts

@@ -1,10 +1,10 @@
-import { type IdTokenClaims, type UserInfoResponse, type InteractionMode, type AccessTokenClaims } from '@logto/js';
+import { type IdTokenClaims, type UserInfoResponse, type InteractionMode, type AccessTokenClaims, type OidcConfigResponse } from '@logto/js';
 import { type Nullable } from '@silverhand/essentials';
 import { type JWTVerifyGetKey } from 'jose';
 import { ClientAdapterInstance, type ClientAdapter } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
 export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope, } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, } from '@logto/js';
 export * from './errors.js';
 export type { Storage, StorageKey, ClientAdapter } from './adapter/index.js';
 export { PersistKey, CacheKey } from './adapter/index.js';
@@ -20,17 +20,13 @@ export * from './types/index.js';
 export default class LogtoClient {
     #private;
     readonly logtoConfig: LogtoConfig;
-    readonly getOidcConfig: (this: unknown) => Promise<import("@silverhand/essentials").KeysToCamelCase<{
-        authorization_endpoint: string;
-        token_endpoint: string;
-        userinfo_endpoint: string;
-        end_session_endpoint: string;
-        revocation_endpoint: string;
-        jwks_uri: string;
-        issuer: string;
-    }>>;
     /**
-     * Get the access token from the storage.
+     * Get the OIDC configuration from the discovery endpoint. This method will
+     * only fetch the configuration once and cache the result.
+     */
+    readonly getOidcConfig: () => Promise<OidcConfigResponse>;
+    /**
+     * Get the access token from the storage with refresh strategy.
      *
      * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
      * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
@@ -43,7 +39,30 @@ export default class LogtoClient {
      * @returns The access token string.
      * @throws LogtoClientError if the user is not authenticated.
      */
-    readonly getAccessToken: (this: unknown, resource?: string | undefined) => Promise<string>;
+    readonly getAccessToken: (this: unknown, resource?: string | undefined, organizationId?: string | undefined) => Promise<string>;
+    /**
+     * Get the access token for the specified organization from the storage with refresh strategy.
+     *
+     * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+     * methods.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     * @returns The access token string.
+     * @throws LogtoClientError if the user is not authenticated.
+     * @remarks
+     * It uses the same refresh strategy as {@link getAccessToken}.
+     */
+    readonly getOrganizationToken: (this: unknown, organizationId: string) => Promise<string>;
+    /**
+     * Handle the sign-in callback by parsing the authorization code from the
+     * callback URI and exchanging it for the tokens.
+     *
+     * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
+     * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
+     * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
+     * @throws LogtoClientError if the sign-in session is not found.
+     */
+    readonly handleSignInCallback: (this: unknown, callbackUri: string) => Promise<void>;
     protected readonly getJwtVerifyGetKey: (...args: unknown[]) => Promise<JWTVerifyGetKey>;
     protected readonly adapter: ClientAdapterInstance;
     protected readonly accessTokenMap: Map<string, AccessToken>;
@@ -73,6 +92,12 @@ export default class LogtoClient {
      * resource, as specified in the Logto Console.
      */
     getAccessTokenClaims(resource?: string): Promise<AccessTokenClaims>;
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    getOrganizationTokenClaims(organizationId: string): Promise<AccessTokenClaims>;
     /**
      * Get the user information from the Userinfo Endpoint.
      *
@@ -110,16 +135,6 @@ export default class LogtoClient {
      * @param url The current URL.
      */
     isSignInRedirected(url: string): Promise<boolean>;
-    /**
-     * Handle the sign-in callback by parsing the authorization code from the
-     * callback URI and exchanging it for the tokens.
-     *
-     * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
-     * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
-     * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
-     * @throws LogtoClientError if the sign-in session is not found.
-     */
-    handleSignInCallback(callbackUri: string): Promise<void>;
     /**
      * Start the sign-out flow with the specified redirect URI. The URI must be
      * registered in the Logto Console.

package/lib/index.js

@@ -1,16 +1,17 @@
-import { Prompt, withDefaultScopes, decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig } from '@logto/js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope } from '@logto/js';
+import { decodeIdToken, decodeAccessToken, fetchUserInfo, generateSignInUri, revoke, generateSignOutUri, fetchTokenByRefreshToken, verifyIdToken, fetchOidcConfig, UserScope, verifyAndParseCodeFromCallbackUri, fetchTokenByAuthorizationCode } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
 import { createRemoteJWKSet } from 'jose';
 import { ClientAdapterInstance } from './adapter/index.js';
 import { LogtoClientError } from './errors.js';
 import { CachedRemoteJwkSet } from './remote-jwk-set.js';
-import { isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
+import { normalizeLogtoConfig, isLogtoSignInSessionItem, isLogtoAccessTokenMap } from './types/index.js';
 import { buildAccessTokenKey, getDiscoveryEndpoint } from './utils/index.js';
 import { memoize } from './utils/memoize.js';
 import { once } from './utils/once.js';
 import { PersistKey, CacheKey } from './adapter/types.js';
 export { createRequester } from './utils/requester.js';
 
+/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -20,9 +21,13 @@ export { createRequester } from './utils/requester.js';
  */
 class LogtoClient {
     constructor(logtoConfig, adapter) {
-        this.getOidcConfig = memoize(this.#getOidcConfig);
         /**
-         * Get the access token from the storage.
+         * Get the OIDC configuration from the discovery endpoint. This method will
+         * only fetch the configuration once and cache the result.
+         */
+        this.getOidcConfig = once(this.#getOidcConfig);
+        /**
+         * Get the access token from the storage with refresh strategy.
          *
          * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
          * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
@@ -36,13 +41,32 @@ class LogtoClient {
          * @throws LogtoClientError if the user is not authenticated.
          */
         this.getAccessToken = memoize(this.#getAccessToken);
+        /**
+         * Get the access token for the specified organization from the storage with refresh strategy.
+         *
+         * Scope {@link UserScope.Organizations} is required in the config to use organization-related
+         * methods.
+         *
+         * @param organizationId The ID of the organization that the access token is granted for.
+         * @returns The access token string.
+         * @throws LogtoClientError if the user is not authenticated.
+         * @remarks
+         * It uses the same refresh strategy as {@link getAccessToken}.
+         */
+        this.getOrganizationToken = memoize(this.#getOrganizationToken);
+        /**
+         * Handle the sign-in callback by parsing the authorization code from the
+         * callback URI and exchanging it for the tokens.
+         *
+         * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
+         * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
+         * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
+         * @throws LogtoClientError if the sign-in session is not found.
+         */
+        this.handleSignInCallback = memoize(this.#handleSignInCallback);
         this.getJwtVerifyGetKey = once(this.#getJwtVerifyGetKey);
         this.accessTokenMap = new Map();
-        this.logtoConfig = {
-            ...logtoConfig,
-            prompt: logtoConfig.prompt ?? Prompt.Consent,
-            scopes: withDefaultScopes(logtoConfig.scopes).split(' '),
-        };
+        this.logtoConfig = normalizeLogtoConfig(logtoConfig);
         this.adapter = new ClientAdapterInstance(adapter);
         void this.loadAccessTokenMap();
     }
@@ -86,6 +110,15 @@ class LogtoClient {
         const accessToken = await this.getAccessToken(resource);
         return decodeAccessToken(accessToken);
     }
+    /**
+     * Get the organization token claims for the specified organization.
+     *
+     * @param organizationId The ID of the organization that the access token is granted for.
+     */
+    async getOrganizationTokenClaims(organizationId) {
+        const accessToken = await this.getOrganizationToken(organizationId);
+        return decodeAccessToken(accessToken);
+    }
     /**
      * Get the user information from the Userinfo Endpoint.
      *
@@ -161,50 +194,6 @@ class LogtoClient {
         const { origin, pathname } = new URL(url);
         return `${origin}${pathname}` === redirectUri;
     }
-    /**
-     * Handle the sign-in callback by parsing the authorization code from the
-     * callback URI and exchanging it for the tokens.
-     *
-     * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
-     * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
-     * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
-     * @throws LogtoClientError if the sign-in session is not found.
-     */
-    async handleSignInCallback(callbackUri) {
-        const { requester } = this.adapter;
-        const signInSession = await this.getSignInSession();
-        if (!signInSession) {
-            throw new LogtoClientError('sign_in_session.not_found');
-        }
-        const { redirectUri, state, codeVerifier } = signInSession;
-        const code = verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
-        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
-        const accessTokenKey = buildAccessTokenKey();
-        const { appId: clientId } = this.logtoConfig;
-        const { tokenEndpoint } = await this.getOidcConfig();
-        const requestedAt = Math.round(Date.now() / 1000);
-        const { idToken, refreshToken, accessToken, scope, expiresIn } = await fetchTokenByAuthorizationCode({
-            clientId,
-            tokenEndpoint,
-            redirectUri,
-            codeVerifier,
-            code,
-        }, requester);
-        await this.verifyIdToken(idToken);
-        await this.setRefreshToken(refreshToken ?? null);
-        await this.setIdToken(idToken);
-        this.accessTokenMap.set(accessTokenKey, {
-            token: accessToken,
-            scope,
-            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
-             * in the token claims. It is utilized by the client to determine if the cached access token
-             * has expired and when a new access token should be requested.
-             */
-            expiresAt: requestedAt + expiresIn,
-        });
-        await this.saveAccessTokenMap();
-        await this.setSignInSession(null);
-    }
     /**
      * Start the sign-out flow with the specified redirect URI. The URI must be
      * registered in the Logto Console.
@@ -260,12 +249,12 @@ class LogtoClient {
     async setRefreshToken(value) {
         return this.adapter.setStorageItem(PersistKey.RefreshToken, value);
     }
-    async getAccessTokenByRefreshToken(resource) {
+    async getAccessTokenByRefreshToken(resource, organizationId) {
         const currentRefreshToken = await this.getRefreshToken();
         if (!currentRefreshToken) {
             throw new LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = buildAccessTokenKey(resource);
+        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
         const { appId: clientId } = this.logtoConfig;
         const { tokenEndpoint } = await this.getOidcConfig();
         const requestedAt = Math.round(Date.now() / 1000);
@@ -274,6 +263,7 @@ class LogtoClient {
             tokenEndpoint,
             refreshToken: currentRefreshToken,
             resource,
+            organizationId,
         }, this.adapter.requester);
         this.accessTokenMap.set(accessTokenKey, {
             token: accessToken,
@@ -340,11 +330,11 @@ class LogtoClient {
         const cachedJwkSet = new CachedRemoteJwkSet(new URL(jwksUri), this.adapter);
         return async (...args) => cachedJwkSet.getKey(...args);
     }
-    async #getAccessToken(resource) {
-        if (!(await this.getIdToken())) {
+    async #getAccessToken(resource, organizationId) {
+        if (!(await this.isAuthenticated())) {
             throw new LogtoClientError('not_authenticated');
         }
-        const accessTokenKey = buildAccessTokenKey(resource);
+        const accessTokenKey = buildAccessTokenKey(resource, organizationId);
         const accessToken = this.accessTokenMap.get(accessTokenKey);
         if (accessToken && accessToken.expiresAt > Date.now() / 1000) {
             return accessToken.token;
@@ -356,8 +346,50 @@ class LogtoClient {
         /**
          * Need to fetch a new access token using refresh token.
          */
-        return this.getAccessTokenByRefreshToken(resource);
+        return this.getAccessTokenByRefreshToken(resource, organizationId);
+    }
+    async #getOrganizationToken(organizationId) {
+        if (!this.logtoConfig.scopes?.includes(UserScope.Organizations)) {
+            throw new LogtoClientError('missing_scope_organizations');
+        }
+        return this.#getAccessToken(undefined, organizationId);
+    }
+    async #handleSignInCallback(callbackUri) {
+        const { requester } = this.adapter;
+        const signInSession = await this.getSignInSession();
+        if (!signInSession) {
+            throw new LogtoClientError('sign_in_session.not_found');
+        }
+        const { redirectUri, state, codeVerifier } = signInSession;
+        const code = verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
+        // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
+        const accessTokenKey = buildAccessTokenKey();
+        const { appId: clientId } = this.logtoConfig;
+        const { tokenEndpoint } = await this.getOidcConfig();
+        const requestedAt = Math.round(Date.now() / 1000);
+        const { idToken, refreshToken, accessToken, scope, expiresIn } = await fetchTokenByAuthorizationCode({
+            clientId,
+            tokenEndpoint,
+            redirectUri,
+            codeVerifier,
+            code,
+        }, requester);
+        await this.verifyIdToken(idToken);
+        await this.setRefreshToken(refreshToken ?? null);
+        await this.setIdToken(idToken);
+        this.accessTokenMap.set(accessTokenKey, {
+            token: accessToken,
+            scope,
+            /** The `expiresAt` variable provides an approximate estimation of the actual `exp` property
+             * in the token claims. It is utilized by the client to determine if the cached access token
+             * has expired and when a new access token should be requested.
+             */
+            expiresAt: requestedAt + expiresIn,
+        });
+        await this.saveAccessTokenMap();
+        await this.setSignInSession(null);
     }
 }
+/* eslint-enable max-lines */
 
-export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem };
+export { CacheKey, LogtoClientError, PersistKey, LogtoClient as default, isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig };

package/lib/mock.d.ts

@@ -1,5 +1,5 @@
 /// <reference types="jest" />
-import { Prompt } from '@logto/js';
+import { type OidcConfigResponse, Prompt } from '@logto/js';
 import { type Nullable } from '@silverhand/essentials';
 import type { Storage } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './index.js';
@@ -66,23 +66,15 @@ export declare const createAdapters: (withCache?: boolean) => {
     generateCodeVerifier: jest.Mock<string, [], any>;
     generateState: jest.Mock<string, [], any>;
 };
-export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean) => LogtoClientWithAccessors;
+export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean, scopes?: string[]) => LogtoClientWithAccessors;
 /**
  * Make protected fields accessible for test
  */
 export declare class LogtoClientWithAccessors extends LogtoClient {
-    runGetOidcConfig(): Promise<import("@silverhand/essentials").KeysToCamelCase<{
-        authorization_endpoint: string;
-        token_endpoint: string;
-        userinfo_endpoint: string;
-        end_session_endpoint: string;
-        revocation_endpoint: string;
-        jwks_uri: string;
-        issuer: string;
-    }>>;
+    runGetOidcConfig(): Promise<OidcConfigResponse>;
     runGetJwtVerifyGetKey(): Promise<import("jose").JWTVerifyGetKey>;
     getLogtoConfig(): Nullable<LogtoConfig>;
-    getSignInSessionItem(): Promise<Nullable<LogtoSignInSessionItem>>;
+    getSignInSession(): Promise<Nullable<LogtoSignInSessionItem>>;
     setSignInSessionItem(item: Nullable<LogtoSignInSessionItem>): Promise<void>;
     getAccessTokenMap(): Map<string, AccessToken>;
 }

package/lib/types/index.cjs

@@ -1,7 +1,28 @@
 'use strict';
 
 var js = require('@logto/js');
+var essentials = require('@silverhand/essentials');
 
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+const normalizeLogtoConfig = (config) => {
+    const { prompt = js.Prompt.Consent, scopes = [], resources, ...rest } = config;
+    return {
+        ...rest,
+        prompt,
+        scopes: js.withDefaultScopes(scopes).split(' '),
+        resources: scopes.includes(js.UserScope.Organizations)
+            ? essentials.deduplicate([...(resources ?? []), js.ReservedResource.Organization])
+            : resources,
+    };
+};
 const isLogtoSignInSessionItem = (data) => {
     if (!js.isArbitraryObject(data)) {
         return false;
@@ -24,3 +45,4 @@ const isLogtoAccessTokenMap = (data) => {
 
 exports.isLogtoAccessTokenMap = isLogtoAccessTokenMap;
 exports.isLogtoSignInSessionItem = isLogtoSignInSessionItem;
+exports.normalizeLogtoConfig = normalizeLogtoConfig;

package/lib/types/index.d.ts

@@ -1,4 +1,4 @@
-import type { Prompt } from '@logto/js';
+import { Prompt } from '@logto/js';
 /** The configuration object for the Logto client. */
 export type LogtoConfig = {
     /**
@@ -40,6 +40,16 @@ export type LogtoConfig = {
      */
     prompt?: Prompt;
 };
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+export declare const normalizeLogtoConfig: (config: LogtoConfig) => LogtoConfig;
 export type AccessToken = {
     /** The access token string. */
     token: string;

package/lib/types/index.js

@@ -1,5 +1,26 @@
-import { isArbitraryObject } from '@logto/js';
+import { Prompt, withDefaultScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
+import { deduplicate } from '@silverhand/essentials';
 
+/**
+ * Normalize the Logto client configuration per the following rules:
+ *
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ *
+ * @param config The Logto client configuration to be normalized.
+ * @returns The normalized Logto client configuration.
+ */
+const normalizeLogtoConfig = (config) => {
+    const { prompt = Prompt.Consent, scopes = [], resources, ...rest } = config;
+    return {
+        ...rest,
+        prompt,
+        scopes: withDefaultScopes(scopes).split(' '),
+        resources: scopes.includes(UserScope.Organizations)
+            ? deduplicate([...(resources ?? []), ReservedResource.Organization])
+            : resources,
+    };
+};
 const isLogtoSignInSessionItem = (data) => {
     if (!isArbitraryObject(data)) {
         return false;
@@ -20,4 +41,4 @@ const isLogtoAccessTokenMap = (data) => {
     });
 };
 
-export { isLogtoAccessTokenMap, isLogtoSignInSessionItem };
+export { isLogtoAccessTokenMap, isLogtoSignInSessionItem, normalizeLogtoConfig };

package/lib/types/index.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/index.cjs

@@ -1,8 +1,9 @@
 'use strict';
 
 var js = require('@logto/js');
+var essentials = require('@silverhand/essentials');
 
-const buildAccessTokenKey = (resource = '', scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}`;
+const buildAccessTokenKey = (resource = '', organizationId, scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}${essentials.conditionalString(organizationId && `#${organizationId}`)}`;
 const getDiscoveryEndpoint = (endpoint) => new URL(js.discoveryPath, endpoint).toString();
 
 exports.buildAccessTokenKey = buildAccessTokenKey;

package/lib/utils/index.d.ts

@@ -1,3 +1,3 @@
 export * from './requester.js';
-export declare const buildAccessTokenKey: (resource?: string, scopes?: string[]) => string;
+export declare const buildAccessTokenKey: (resource?: string, organizationId?: string, scopes?: string[]) => string;
 export declare const getDiscoveryEndpoint: (endpoint: string) => string;

package/lib/utils/index.js

@@ -1,6 +1,7 @@
 import { discoveryPath } from '@logto/js';
+import { conditionalString } from '@silverhand/essentials';
 
-const buildAccessTokenKey = (resource = '', scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}`;
+const buildAccessTokenKey = (resource = '', organizationId, scopes = []) => `${scopes.slice().sort().join(' ')}@${resource}${conditionalString(organizationId && `#${organizationId}`)}`;
 const getDiscoveryEndpoint = (endpoint) => new URL(discoveryPath, endpoint).toString();
 
 export { buildAccessTokenKey, getDiscoveryEndpoint };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/client",
-  "version": "2.2.4",
+  "version": "2.3.1",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",
@@ -21,10 +21,10 @@
     "directory": "packages/client"
   },
   "dependencies": {
-    "@logto/js": "^2.1.3",
+    "@logto/js": "^3.0.0",
     "@silverhand/essentials": "^2.6.2",
     "camelcase-keys": "^7.0.1",
-    "jose": "^4.13.2"
+    "jose": "^5.0.0"
   },
   "devDependencies": {
     "@silverhand/eslint-config": "^4.0.1",