@logto/client 3.0.0-alpha.2 → 3.0.4

package/README.md

@@ -3,7 +3,7 @@
 [![Build Status](https://github.com/logto-io/js/actions/workflows/main.yml/badge.svg)](https://github.com/logto-io/js/actions/workflows/main.yml)
 [![Codecov](https://img.shields.io/codecov/c/github/logto-io/js)](https://app.codecov.io/gh/logto-io/js?branch=master)
 
-The Logto JavaScript Client SDK written in TypeScript. Check out our [docs](https://docs.logto.io/sdk/JavaScript/client/) for more information.
+The Logto JavaScript Client SDK written in TypeScript.
 
 ## Installation
 
@@ -42,7 +42,7 @@ To implement a platform-specific SDK, you should implement the following adapter
 5. generateCodeVerifier: generate code verifier.
 6. generateCodeChallenge: generate code challenge.
 
-See the [adapters.ts](./src/adapter.ts) for more information.
+See the [adapters](./src/adapter/index.ts) for more information.
 
 ## Resources
 

package/lib/adapter/defaults.d.ts

@@ -1,10 +1,12 @@
 import type { JWTVerifyGetKey } from 'jose';
 import { type StandardLogtoClient } from '../client.js';
 import { type JwtVerifier } from './types.js';
-export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey) => Promise<void>;
+export declare const defaultClockTolerance = 300;
+export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey, clockTolerance?: number) => Promise<void>;
 export declare class DefaultJwtVerifier implements JwtVerifier {
     protected client: StandardLogtoClient;
+    readonly clockTolerance: number;
     protected getJwtVerifyGetKey?: JWTVerifyGetKey;
-    constructor(client: StandardLogtoClient);
+    constructor(client: StandardLogtoClient, clockTolerance?: number);
     verifyIdToken(idToken: string): Promise<void>;
 }

package/lib/adapter/defaults.js

@@ -1,25 +1,24 @@
 import { LogtoError } from '@logto/js';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 
-const issuedAtTimeTolerance = 300; // 5 minutes
-const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
-    const result = await jwtVerify(idToken, jwks, { audience: clientId, issuer });
-    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+const defaultClockTolerance = 300; // 5 minutes
+const verifyIdToken = async (idToken, clientId, issuer, jwks, clockTolerance = defaultClockTolerance) => {
+    const result = await jwtVerify(idToken, jwks, { audience: clientId, issuer, clockTolerance });
+    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > clockTolerance) {
         throw new LogtoError('id_token.invalid_iat');
     }
 };
 class DefaultJwtVerifier {
-    constructor(client) {
+    constructor(client, clockTolerance = defaultClockTolerance) {
         this.client = client;
+        this.clockTolerance = clockTolerance;
     }
     async verifyIdToken(idToken) {
         const { appId } = this.client.logtoConfig;
         const { issuer, jwksUri } = await this.client.getOidcConfig();
-        if (!this.getJwtVerifyGetKey) {
-            this.getJwtVerifyGetKey = createRemoteJWKSet(new URL(jwksUri));
-        }
-        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey);
+        this.getJwtVerifyGetKey ||= createRemoteJWKSet(new URL(jwksUri));
+        await verifyIdToken(idToken, appId, issuer, this.getJwtVerifyGetKey, this.clockTolerance);
     }
 }
 
-export { DefaultJwtVerifier, verifyIdToken };
+export { DefaultJwtVerifier, defaultClockTolerance, verifyIdToken };

package/lib/adapter/types.d.ts

@@ -39,16 +39,17 @@ export type InferStorageKey<S> = S extends Storage<infer Key> ? Key : never;
  * @param url The URL to navigate to.
  * @param parameters The parameters for the navigation.
  * @param parameters.redirectUri The redirect URI that the user will be redirected to after the
- * flow is completed. That is, the "redirect URI" for sign-in and "post-logout redirect URI" for
- * sign-out.
- * @param parameters.for The purpose of the navigation. It can be either "sign-in" or "sign-out".
+ * flow is completed. That is, the "redirect URI" for "sign-in" and "post-logout redirect URI" for
+ * "sign-out". For the "post-sign-in" navigation, it should be ignored.
+ * @param parameters.for The purpose of the navigation. It can be either "sign-in", "sign-out", or
+ * "post-sign-in".
  * @remarks Usually, the `redirectUri` parameter can be ignored unless the client needs to pass the
  * redirect scheme or other parameters to the native app, such as `ASWebAuthenticationSession` in
  * iOS.
  */
 export type Navigate = (url: string, parameters: {
     redirectUri?: string;
-    for: 'sign-in' | 'sign-out';
+    for: 'sign-in' | 'sign-out' | 'post-sign-in';
 }) => void | Promise<void>;
 export type JwtVerifier = {
     verifyIdToken(idToken: string): Promise<void>;

package/lib/client.d.ts

@@ -1,7 +1,23 @@
-import { type IdTokenClaims, type UserInfoResponse, type InteractionMode, type AccessTokenClaims, type OidcConfigResponse } from '@logto/js';
+import { type IdTokenClaims, type UserInfoResponse, type AccessTokenClaims, type OidcConfigResponse, type SignInUriParameters } from '@logto/js';
 import { type Nullable } from '@silverhand/essentials';
 import { ClientAdapterInstance, type ClientAdapter, type JwtVerifier } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
+export type SignInOptions = {
+    /**
+     * The redirect URI that the user will be redirected to after the sign-in flow is completed.
+     */
+    redirectUri: string | URL;
+    /**
+     * The URI that the user will be redirected to after `redirectUri` successfully handled the
+     * sign-in callback. If not specified, the user will stay on the `redirectUri` page.
+     */
+    postRedirectUri?: string | URL;
+    /**
+     * The prompt parameter to be used for the authorization request.
+     * Note: If specified, it will override the prompt value in Logto configs.
+     */
+    prompt?: SignInUriParameters['prompt'];
+} & Pick<SignInUriParameters, 'interactionMode' | 'firstScreen' | 'identifiers' | 'loginHint' | 'directSignIn' | 'extraParams'>;
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -50,6 +66,14 @@ export declare class StandardLogtoClient {
      * It uses the same refresh strategy as {@link getAccessToken}.
      */
     readonly getOrganizationToken: (this: unknown, organizationId: string) => Promise<string>;
+    /**
+     * Clear the access token from the cache storage.
+     */
+    readonly clearAccessToken: (this: unknown) => Promise<void>;
+    /**
+     * Clear all cached tokens from storage.
+     */
+    readonly clearAllTokens: (this: unknown) => Promise<void>;
     /**
      * Handle the sign-in callback by parsing the authorization code from the
      * callback URI and exchanging it for the tokens.
@@ -61,9 +85,15 @@ export declare class StandardLogtoClient {
      */
     readonly handleSignInCallback: (this: unknown, callbackUri: string) => Promise<void>;
     readonly adapter: ClientAdapterInstance;
-    readonly jwtVerifier: JwtVerifier;
+    protected jwtVerifierInstance: JwtVerifier;
     protected readonly accessTokenMap: Map<string, AccessToken>;
+    get jwtVerifier(): JwtVerifier;
     constructor(logtoConfig: LogtoConfig, adapter: ClientAdapter, buildJwtVerifier: (client: StandardLogtoClient) => JwtVerifier);
+    /**
+     * Set the JWT verifier for the client.
+     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
+     */
+    setJwtVerifier(buildJwtVerifier: JwtVerifier | ((client: StandardLogtoClient) => JwtVerifier)): void;
     /**
      * Check if the user is authenticated by checking if the ID token exists.
      */
@@ -107,6 +137,33 @@ export declare class StandardLogtoClient {
      */
     fetchUserInfo(): Promise<UserInfoResponse>;
     /**
+     * Start the sign-in flow with the specified options.
+     *
+     * The redirect URI is required and it must be registered in the Logto Console.
+     *
+     * The user will be redirected to that URI after the sign-in flow is completed,
+     * and the client will be able to get the authorization code from the URI.
+     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
+     * after the user is redirected in the callback URI.
+     *
+     * @param options The options for the sign-in flow.
+     */
+    signIn(options: SignInOptions): Promise<void>;
+    /**
+     * Start the sign-in flow with the specified options.
+     *
+     * The redirect URI is required and it must be registered in the Logto Console.
+     *
+     * The user will be redirected to that URI after the sign-in flow is completed,
+     * and the client will be able to get the authorization code from the URI.
+     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
+     * after the user is redirected in the callback URI.
+     *
+     * @param redirectUri See {@link SignInOptions.redirectUri}.
+     */
+    signIn(redirectUri: SignInOptions['redirectUri']): Promise<void>;
+    /**
+     *
      * Start the sign-in flow with the specified redirect URI. The URI must be
      * registered in the Logto Console.
      *
@@ -115,14 +172,12 @@ export declare class StandardLogtoClient {
      * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
      * after the user is redirected in the callback URI.
      *
-     * @param redirectUri The redirect URI that the user will be redirected to after the sign-in flow is completed.
-     * @param interactionMode The interaction mode to be used for the authorization request. Note it's not
-     * a part of the OIDC standard, but a Logto-specific extension. Defaults to `signIn`.
-     *
-     * @see {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#sign-in | Sign in} for more information.
-     * @see {@link InteractionMode}
+     * @deprecated Use the object parameter instead.
+     * @param redirectUri See {@link SignInOptions.redirectUri}.
+     * @param interactionMode See {@link SignInOptions.interactionMode}.
+     * @param loginHint See {@link SignInOptions.loginHint}.
      */
-    signIn(redirectUri: string, interactionMode?: InteractionMode): Promise<void>;
+    signIn(redirectUri: SignInOptions['redirectUri'], interactionMode?: SignInOptions['interactionMode'], loginHint?: SignInOptions['loginHint']): Promise<void>;
     /**
      * Check if the user is redirected from the sign-in page by checking if the
      * current URL matches the redirect URI in the sign-in session.

package/lib/client.js

@@ -7,6 +7,7 @@ import { memoize } from './utils/memoize.js';
 import { once } from './utils/once.js';
 import { PersistKey, CacheKey } from './adapter/types.js';
 
+/* eslint-disable max-lines */
 /**
  * The Logto base client class that provides the essential methods for
  * interacting with the Logto server.
@@ -20,6 +21,9 @@ import { PersistKey, CacheKey } from './adapter/types.js';
  * can use `StandardLogtoClient` and provide your own JWT verifier.
  */
 class StandardLogtoClient {
+    get jwtVerifier() {
+        return this.jwtVerifierInstance;
+    }
     constructor(logtoConfig, adapter, buildJwtVerifier) {
         /**
          * Get the OIDC configuration from the discovery endpoint. This method will
@@ -54,6 +58,14 @@ class StandardLogtoClient {
          * It uses the same refresh strategy as {@link getAccessToken}.
          */
         this.getOrganizationToken = memoize(this.#getOrganizationToken);
+        /**
+         * Clear the access token from the cache storage.
+         */
+        this.clearAccessToken = memoize(this.#clearAccessToken);
+        /**
+         * Clear all cached tokens from storage.
+         */
+        this.clearAllTokens = memoize(this.#clearAllTokens);
         /**
          * Handle the sign-in callback by parsing the authorization code from the
          * callback URI and exchanging it for the tokens.
@@ -67,9 +79,17 @@ class StandardLogtoClient {
         this.accessTokenMap = new Map();
         this.logtoConfig = normalizeLogtoConfig(logtoConfig);
         this.adapter = new ClientAdapterInstance(adapter);
-        this.jwtVerifier = buildJwtVerifier(this);
+        this.jwtVerifierInstance = buildJwtVerifier(this);
         void this.loadAccessTokenMap();
     }
+    /**
+     * Set the JWT verifier for the client.
+     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
+     */
+    setJwtVerifier(buildJwtVerifier) {
+        this.jwtVerifierInstance =
+            typeof buildJwtVerifier === 'function' ? buildJwtVerifier(this) : buildJwtVerifier;
+    }
     /**
      * Check if the user is authenticated by checking if the ID token exists.
      */
@@ -137,24 +157,23 @@ class StandardLogtoClient {
         }
         return fetchUserInfo(userinfoEndpoint, accessToken, this.adapter.requester);
     }
-    /**
-     * Start the sign-in flow with the specified redirect URI. The URI must be
-     * registered in the Logto Console.
-     *
-     * The user will be redirected to that URI after the sign-in flow is completed,
-     * and the client will be able to get the authorization code from the URI.
-     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
-     * after the user is redirected in the callback URI.
-     *
-     * @param redirectUri The redirect URI that the user will be redirected to after the sign-in flow is completed.
-     * @param interactionMode The interaction mode to be used for the authorization request. Note it's not
-     * a part of the OIDC standard, but a Logto-specific extension. Defaults to `signIn`.
-     *
-     * @see {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#sign-in | Sign in} for more information.
-     * @see {@link InteractionMode}
-     */
-    async signIn(redirectUri, interactionMode) {
-        const { appId: clientId, prompt, resources, scopes } = this.logtoConfig;
+    async signIn(options, mode, hint) {
+        const { redirectUri: redirectUriUrl, postRedirectUri: postRedirectUriUrl, firstScreen, identifiers, interactionMode, loginHint, directSignIn, extraParams, prompt, } = typeof options === 'string' || options instanceof URL
+            ? {
+                redirectUri: options,
+                postRedirectUri: undefined,
+                firstScreen: undefined,
+                identifiers: undefined,
+                interactionMode: mode,
+                loginHint: hint,
+                directSignIn: undefined,
+                extraParams: undefined,
+                prompt: undefined,
+            }
+            : options;
+        const redirectUri = redirectUriUrl.toString();
+        const postRedirectUri = postRedirectUriUrl?.toString();
+        const { appId: clientId, prompt: promptViaConfig, resources, scopes } = this.logtoConfig;
         const { authorizationEndpoint } = await this.getOidcConfig();
         const [codeVerifier, state] = await Promise.all([
             this.adapter.generateCodeVerifier(),
@@ -164,18 +183,22 @@ class StandardLogtoClient {
         const signInUri = generateSignInUri({
             authorizationEndpoint,
             clientId,
-            redirectUri,
+            redirectUri: redirectUri.toString(),
             codeChallenge,
             state,
             scopes,
             resources,
-            prompt,
+            prompt: prompt ?? promptViaConfig,
+            firstScreen,
+            identifiers,
             interactionMode,
+            loginHint,
+            directSignIn,
+            extraParams,
         });
         await Promise.all([
-            this.setSignInSession({ redirectUri, codeVerifier, state }),
-            this.setRefreshToken(null),
-            this.setIdToken(null),
+            this.setSignInSession({ redirectUri, postRedirectUri, codeVerifier, state }),
+            this.clearAllTokens(),
         ]);
         await this.adapter.navigate(signInUri, { redirectUri, for: 'sign-in' });
     }
@@ -223,12 +246,7 @@ class StandardLogtoClient {
             postLogoutRedirectUri,
             clientId,
         });
-        this.accessTokenMap.clear();
-        await Promise.all([
-            this.setRefreshToken(null),
-            this.setIdToken(null),
-            this.adapter.storage.removeItem('accessToken'),
-        ]);
+        await this.clearAllTokens();
         await this.adapter.navigate(url, { redirectUri: postLogoutRedirectUri, for: 'sign-out' });
     }
     async getSignInSession() {
@@ -342,12 +360,19 @@ class StandardLogtoClient {
         }
         return this.getAccessToken(undefined, organizationId);
     }
+    async #clearAccessToken() {
+        this.accessTokenMap.clear();
+        await this.adapter.storage.removeItem('accessToken');
+    }
+    async #clearAllTokens() {
+        await Promise.all([this.setRefreshToken(null), this.setIdToken(null), this.clearAccessToken()]);
+    }
     async #handleSignInCallback(callbackUri) {
         const signInSession = await this.getSignInSession();
         if (!signInSession) {
             throw new LogtoClientError('sign_in_session.not_found');
         }
-        const { redirectUri, state, codeVerifier } = signInSession;
+        const { redirectUri, postRedirectUri, state, codeVerifier } = signInSession;
         const code = verifyAndParseCodeFromCallbackUri(callbackUri, redirectUri, state);
         // NOTE: Will add scope to accessTokenKey when needed. (Linear issue LOG-1589)
         const accessTokenKey = buildAccessTokenKey();
@@ -375,7 +400,11 @@ class StandardLogtoClient {
         });
         await this.saveAccessTokenMap();
         await this.setSignInSession(null);
+        if (postRedirectUri) {
+            await this.adapter.navigate(postRedirectUri, { for: 'post-sign-in' });
+        }
     }
 }
+/* eslint-enable max-lines */
 
 export { StandardLogtoClient };

package/lib/index.js

@@ -1,6 +1,6 @@
 import { DefaultJwtVerifier } from './adapter/defaults.js';
 import { StandardLogtoClient } from './client.js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, isLogtoRequestError, organizationUrnPrefix } from '@logto/js';
 export { LogtoClientError } from './errors.js';
 import '@silverhand/essentials';
 export { CacheKey, PersistKey } from './adapter/types.js';

package/lib/mock.d.ts

@@ -1,6 +1,7 @@
-/// <reference types="jest" />
 import { type OidcConfigResponse, Prompt } from '@logto/js';
 import { type Nullable } from '@silverhand/essentials';
+import nock from 'nock';
+import { type Mock } from 'vitest';
 import type { Storage } from './adapter/index.js';
 import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './index.js';
 import LogtoClient from './index.js';
@@ -14,57 +15,43 @@ export declare class MockedStorage implements Storage<string> {
     removeItem(key: string): Promise<void>;
     reset(values: Record<string, string>): void;
 }
-export declare const authorizationEndpoint: string;
-export declare const userinfoEndpoint: string;
-export declare const tokenEndpoint: string;
-export declare const endSessionEndpoint: string;
-export declare const revocationEndpoint: string;
-export declare const jwksUri: string;
+export declare const authorizationEndpoint = "https://logto.dev/oidc/auth";
+export declare const userinfoEndpoint = "https://logto.dev/oidc/me";
+export declare const tokenEndpoint = "https://logto.dev/oidc/token";
+export declare const endSessionEndpoint = "https://logto.dev/oidc/session/end";
+export declare const revocationEndpoint = "https://logto.dev/oidc/token/revocation";
+export declare const jwksUri = "https://logto.dev/oidc/jwks";
 export declare const issuer = "http://localhost:443/oidc";
 export declare const redirectUri = "http://localhost:3000/callback";
 export declare const postSignOutRedirectUri = "http://localhost:3000";
 export declare const mockCodeChallenge = "code_challenge_value";
 export declare const mockedCodeVerifier = "code_verifier_value";
 export declare const mockedState = "state_value";
+export declare const mockedUserHint = "johndoe@example.com";
 export declare const mockedSignInUri: string;
 export declare const mockedSignInUriWithLoginPrompt: string;
 export declare const mockedSignUpUri: string;
+export declare const mockedSignInUriWithLoginHint: string;
 export declare const accessToken = "access_token_value";
 export declare const refreshToken = "new_refresh_token_value";
 export declare const idToken = "id_token_value";
 export declare const currentUnixTimeStamp: number;
-export declare const mockFetchOidcConfig: (delay?: number) => jest.Mock<Promise<{
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    userinfoEndpoint: string;
-    endSessionEndpoint: string;
-    revocationEndpoint: string;
-    jwksUri: string;
-    issuer: string;
-}>, [], any>;
-export declare const fetchOidcConfig: jest.Mock<Promise<{
-    authorizationEndpoint: string;
-    tokenEndpoint: string;
-    userinfoEndpoint: string;
-    endSessionEndpoint: string;
-    revocationEndpoint: string;
-    jwksUri: string;
-    issuer: string;
-}>, [], any>;
-export declare const requester: jest.Mock<any, any, any>;
-export declare const failingRequester: jest.Mock<any, any, any>;
-export declare const navigate: jest.Mock<any, any, any>;
-export declare const generateCodeChallenge: jest.Mock<Promise<string>, [], any>;
-export declare const generateCodeVerifier: jest.Mock<string, [], any>;
-export declare const generateState: jest.Mock<string, [], any>;
+export declare const mockFetchOidcConfig: (delay?: number) => Mock<() => Promise<OidcConfigResponse>>;
+export declare const fetchOidcConfig: Mock<() => Promise<OidcConfigResponse>>;
+export declare const requester: Mock<(...args: any[]) => any>;
+export declare const failingRequester: Mock<(...args: any[]) => any>;
+export declare const navigate: Mock<(...args: any[]) => any>;
+export declare const generateCodeChallenge: Mock<() => Promise<string>>;
+export declare const generateCodeVerifier: Mock<() => string>;
+export declare const generateState: Mock<() => string>;
 export declare const createAdapters: (withCache?: boolean) => {
-    requester: jest.Mock<any, any, any>;
+    requester: Mock<(...args: any[]) => any>;
     storage: MockedStorage;
     unstable_cache: import("@silverhand/essentials").Optional<MockedStorage>;
-    navigate: jest.Mock<any, any, any>;
-    generateCodeChallenge: jest.Mock<Promise<string>, [], any>;
-    generateCodeVerifier: jest.Mock<string, [], any>;
-    generateState: jest.Mock<string, [], any>;
+    navigate: Mock<(...args: any[]) => any>;
+    generateCodeChallenge: Mock<() => Promise<string>>;
+    generateCodeVerifier: Mock<() => string>;
+    generateState: Mock<() => string>;
 };
 export declare const createClient: (prompt?: Prompt, storage?: MockedStorage, withCache?: boolean, scopes?: string[]) => LogtoClientWithAccessors;
 /**
@@ -77,3 +64,4 @@ export declare class LogtoClientWithAccessors extends LogtoClient {
     setSignInSessionItem(item: Nullable<LogtoSignInSessionItem>): Promise<void>;
     getAccessTokenMap(): Map<string, AccessToken>;
 }
+export declare const nocked: nock.Scope;

package/lib/shim.d.ts

@@ -3,10 +3,10 @@
  * JWT verifier. It can avoid the use of `jose` package which is useful for certain environments
  * that don't support native modules like `crypto`. (e.g. React Native)
  */
-export type { IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode } from '@logto/js';
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, } from '@logto/js';
+export type { AccessTokenClaims, IdTokenClaims, LogtoErrorCode, UserInfoResponse, InteractionMode, } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, isLogtoRequestError, } from '@logto/js';
 export * from './errors.js';
-export type { Storage, StorageKey, ClientAdapter } from './adapter/index.js';
+export type { Storage, StorageKey, ClientAdapter, JwtVerifier } from './adapter/index.js';
 export { PersistKey, CacheKey } from './adapter/index.js';
 export { createRequester } from './utils/index.js';
 export * from './types/index.js';

package/lib/shim.js

@@ -1,4 +1,4 @@
-export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/js';
+export { LogtoError, LogtoRequestError, OidcError, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, isLogtoRequestError, organizationUrnPrefix } from '@logto/js';
 export { LogtoClientError } from './errors.js';
 import '@silverhand/essentials';
 export { CacheKey, PersistKey } from './adapter/types.js';

package/lib/types/index.d.ts

@@ -39,12 +39,20 @@ export type LogtoConfig = {
      * The prompt parameter to be used for the authorization request.
      */
     prompt?: Prompt | Prompt[];
+    /**
+     * Whether to include reserved scopes (`openid`, `offline_access` and `profile`) in the scopes.
+     *
+     * @default true
+     */
+    includeReservedScopes?: boolean;
 };
 /**
  * Normalize the Logto client configuration per the following rules:
  *
- * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
- * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided and
+ * `includeReservedScopes` is `true`.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is
+ * included in scopes.
  *
  * @param config The Logto client configuration to be normalized.
  * @returns The normalized Logto client configuration.
@@ -62,6 +70,7 @@ export declare const isLogtoSignInSessionItem: (data: unknown) => data is LogtoS
 export declare const isLogtoAccessTokenMap: (data: unknown) => data is Record<string, AccessToken>;
 export type LogtoSignInSessionItem = {
     redirectUri: string;
+    postRedirectUri?: string;
     codeVerifier: string;
     state: string;
 };

package/lib/types/index.js

@@ -1,21 +1,24 @@
-import { Prompt, withDefaultScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
+import { Prompt, withReservedScopes, UserScope, ReservedResource, isArbitraryObject } from '@logto/js';
 import { deduplicate } from '@silverhand/essentials';
 
 /**
  * Normalize the Logto client configuration per the following rules:
  *
- * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided.
- * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is included in scopes.
+ * - Add default scopes (`openid`, `offline_access` and `profile`) if not provided and
+ * `includeReservedScopes` is `true`.
+ * - Add {@link ReservedResource.Organization} to resources if {@link UserScope.Organizations} is
+ * included in scopes.
  *
  * @param config The Logto client configuration to be normalized.
  * @returns The normalized Logto client configuration.
  */
 const normalizeLogtoConfig = (config) => {
     const { prompt = Prompt.Consent, scopes = [], resources, ...rest } = config;
+    const includeReservedScopes = config.includeReservedScopes ?? true;
     return {
         ...rest,
         prompt,
-        scopes: withDefaultScopes(scopes).split(' '),
+        scopes: includeReservedScopes ? withReservedScopes(scopes).split(' ') : scopes,
         resources: scopes.includes(UserScope.Organizations)
             ? deduplicate([...(resources ?? []), ReservedResource.Organization])
             : resources,

package/lib/utils/memoize.js

@@ -1,7 +1,7 @@
 function memoize(run) {
     const promiseCache = new Map();
     const memoized = async function (...args) {
-        const promiseKey = args[0];
+        const promiseKey = JSON.stringify(args);
         const cachedPromise = promiseCache.get(promiseKey);
         if (cachedPromise) {
             return cachedPromise;

package/lib/utils/requester.js

@@ -1,4 +1,4 @@
-import { isLogtoRequestError, LogtoError, LogtoRequestError } from '@logto/js';
+import { isLogtoRequestErrorJson, LogtoError, LogtoRequestError } from '@logto/js';
 
 /**
  * A factory function that creates a requester by accepting a `fetch`-like function.
@@ -11,14 +11,15 @@ const createRequester = (fetchFunction) => {
     return async (...args) => {
         const response = await fetchFunction(...args);
         if (!response.ok) {
+            const cloned = response.clone();
             const responseJson = await response.json();
             console.error(`Logto requester error: [status=${response.status}]`, responseJson);
-            if (!isLogtoRequestError(responseJson)) {
+            if (!isLogtoRequestErrorJson(responseJson)) {
                 throw new LogtoError('unexpected_response_error', responseJson);
             }
             // Expected request error from server
             const { code, message } = responseJson;
-            throw new LogtoRequestError(code, message);
+            throw new LogtoRequestError(code, message, cloned);
         }
         return response.json();
     };