@logto/js 2.0.0 → 2.0.1

package/lib/consts/index.cjs

@@ -0,0 +1,83 @@
+'use strict';
+
+const ContentType = {
+    formUrlEncoded: { 'Content-Type': 'application/x-www-form-urlencoded' },
+};
+exports.TokenGrantType = void 0;
+(function (TokenGrantType) {
+    TokenGrantType["AuthorizationCode"] = "authorization_code";
+    TokenGrantType["RefreshToken"] = "refresh_token";
+})(exports.TokenGrantType || (exports.TokenGrantType = {}));
+exports.QueryKey = void 0;
+(function (QueryKey) {
+    QueryKey["ClientId"] = "client_id";
+    QueryKey["Code"] = "code";
+    QueryKey["CodeChallenge"] = "code_challenge";
+    QueryKey["CodeChallengeMethod"] = "code_challenge_method";
+    QueryKey["CodeVerifier"] = "code_verifier";
+    QueryKey["Error"] = "error";
+    QueryKey["ErrorDescription"] = "error_description";
+    QueryKey["GrantType"] = "grant_type";
+    QueryKey["IdToken"] = "id_token";
+    QueryKey["IdTokenHint"] = "id_token_hint";
+    QueryKey["PostLogoutRedirectUri"] = "post_logout_redirect_uri";
+    QueryKey["Prompt"] = "prompt";
+    QueryKey["RedirectUri"] = "redirect_uri";
+    QueryKey["RefreshToken"] = "refresh_token";
+    QueryKey["Resource"] = "resource";
+    QueryKey["ResponseType"] = "response_type";
+    QueryKey["Scope"] = "scope";
+    QueryKey["State"] = "state";
+    QueryKey["Token"] = "token";
+    // Need to align with the OIDC extraParams settings in core
+    QueryKey["InteractionMode"] = "interaction_mode";
+})(exports.QueryKey || (exports.QueryKey = {}));
+exports.Prompt = void 0;
+(function (Prompt) {
+    Prompt["Consent"] = "consent";
+    Prompt["Login"] = "login";
+})(exports.Prompt || (exports.Prompt = {}));
+// TODO: @sijie @charles find a proper way to sync scopes constants with core
+exports.ReservedScope = void 0;
+(function (ReservedScope) {
+    ReservedScope["OpenId"] = "openid";
+    ReservedScope["OfflineAccess"] = "offline_access";
+})(exports.ReservedScope || (exports.ReservedScope = {}));
+/**
+ * Scopes for ID Token and Userinfo Endpoint.
+ */
+exports.UserScope = void 0;
+(function (UserScope) {
+    /**
+     * Scope for basic user info.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Profile"] = "profile";
+    /**
+     * Scope for user email address.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Email"] = "email";
+    /**
+     * Scope for user phone number.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Phone"] = "phone";
+    /**
+     * Scope for user's custom data.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["CustomData"] = "custom_data";
+    /**
+     * Scope for user's social identity details.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Identities"] = "identities";
+})(exports.UserScope || (exports.UserScope = {}));
+
+exports.ContentType = ContentType;

package/lib/consts/index.d.ts

@@ -0,0 +1,74 @@
+export declare const ContentType: {
+    formUrlEncoded: {
+        'Content-Type': string;
+    };
+};
+export declare enum TokenGrantType {
+    AuthorizationCode = "authorization_code",
+    RefreshToken = "refresh_token"
+}
+export declare enum QueryKey {
+    ClientId = "client_id",
+    Code = "code",
+    CodeChallenge = "code_challenge",
+    CodeChallengeMethod = "code_challenge_method",
+    CodeVerifier = "code_verifier",
+    Error = "error",
+    ErrorDescription = "error_description",
+    GrantType = "grant_type",
+    IdToken = "id_token",
+    IdTokenHint = "id_token_hint",
+    PostLogoutRedirectUri = "post_logout_redirect_uri",
+    Prompt = "prompt",
+    RedirectUri = "redirect_uri",
+    RefreshToken = "refresh_token",
+    Resource = "resource",
+    ResponseType = "response_type",
+    Scope = "scope",
+    State = "state",
+    Token = "token",
+    InteractionMode = "interaction_mode"
+}
+export declare enum Prompt {
+    Consent = "consent",
+    Login = "login"
+}
+export declare enum ReservedScope {
+    OpenId = "openid",
+    OfflineAccess = "offline_access"
+}
+/**
+ * Scopes for ID Token and Userinfo Endpoint.
+ */
+export declare enum UserScope {
+    /**
+     * Scope for basic user info.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    Profile = "profile",
+    /**
+     * Scope for user email address.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    Email = "email",
+    /**
+     * Scope for user phone number.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    Phone = "phone",
+    /**
+     * Scope for user's custom data.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    CustomData = "custom_data",
+    /**
+     * Scope for user's social identity details.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    Identities = "identities"
+}

package/lib/consts/index.js

@@ -0,0 +1,81 @@
+const ContentType = {
+    formUrlEncoded: { 'Content-Type': 'application/x-www-form-urlencoded' },
+};
+var TokenGrantType;
+(function (TokenGrantType) {
+    TokenGrantType["AuthorizationCode"] = "authorization_code";
+    TokenGrantType["RefreshToken"] = "refresh_token";
+})(TokenGrantType || (TokenGrantType = {}));
+var QueryKey;
+(function (QueryKey) {
+    QueryKey["ClientId"] = "client_id";
+    QueryKey["Code"] = "code";
+    QueryKey["CodeChallenge"] = "code_challenge";
+    QueryKey["CodeChallengeMethod"] = "code_challenge_method";
+    QueryKey["CodeVerifier"] = "code_verifier";
+    QueryKey["Error"] = "error";
+    QueryKey["ErrorDescription"] = "error_description";
+    QueryKey["GrantType"] = "grant_type";
+    QueryKey["IdToken"] = "id_token";
+    QueryKey["IdTokenHint"] = "id_token_hint";
+    QueryKey["PostLogoutRedirectUri"] = "post_logout_redirect_uri";
+    QueryKey["Prompt"] = "prompt";
+    QueryKey["RedirectUri"] = "redirect_uri";
+    QueryKey["RefreshToken"] = "refresh_token";
+    QueryKey["Resource"] = "resource";
+    QueryKey["ResponseType"] = "response_type";
+    QueryKey["Scope"] = "scope";
+    QueryKey["State"] = "state";
+    QueryKey["Token"] = "token";
+    // Need to align with the OIDC extraParams settings in core
+    QueryKey["InteractionMode"] = "interaction_mode";
+})(QueryKey || (QueryKey = {}));
+var Prompt;
+(function (Prompt) {
+    Prompt["Consent"] = "consent";
+    Prompt["Login"] = "login";
+})(Prompt || (Prompt = {}));
+// TODO: @sijie @charles find a proper way to sync scopes constants with core
+var ReservedScope;
+(function (ReservedScope) {
+    ReservedScope["OpenId"] = "openid";
+    ReservedScope["OfflineAccess"] = "offline_access";
+})(ReservedScope || (ReservedScope = {}));
+/**
+ * Scopes for ID Token and Userinfo Endpoint.
+ */
+var UserScope;
+(function (UserScope) {
+    /**
+     * Scope for basic user info.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Profile"] = "profile";
+    /**
+     * Scope for user email address.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Email"] = "email";
+    /**
+     * Scope for user phone number.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Phone"] = "phone";
+    /**
+     * Scope for user's custom data.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["CustomData"] = "custom_data";
+    /**
+     * Scope for user's social identity details.
+     *
+     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     */
+    UserScope["Identities"] = "identities";
+})(UserScope || (UserScope = {}));
+
+export { ContentType, Prompt, QueryKey, ReservedScope, TokenGrantType, UserScope };

package/lib/core/fetch-token.cjs

@@ -0,0 +1,47 @@
+'use strict';
+
+var camelcaseKeys = require('camelcase-keys');
+var index = require('../consts/index.cjs');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var camelcaseKeys__default = /*#__PURE__*/_interopDefault(camelcaseKeys);
+
+const fetchTokenByAuthorizationCode = async ({ clientId, tokenEndpoint, redirectUri, codeVerifier, code, resource, }, requester) => {
+    const parameters = new URLSearchParams();
+    parameters.append(index.QueryKey.ClientId, clientId);
+    parameters.append(index.QueryKey.Code, code);
+    parameters.append(index.QueryKey.CodeVerifier, codeVerifier);
+    parameters.append(index.QueryKey.RedirectUri, redirectUri);
+    parameters.append(index.QueryKey.GrantType, index.TokenGrantType.AuthorizationCode);
+    if (resource) {
+        parameters.append(index.QueryKey.Resource, resource);
+    }
+    const snakeCaseCodeTokenResponse = await requester(tokenEndpoint, {
+        method: 'POST',
+        headers: index.ContentType.formUrlEncoded,
+        body: parameters,
+    });
+    return camelcaseKeys__default.default(snakeCaseCodeTokenResponse);
+};
+const fetchTokenByRefreshToken = async ({ clientId, tokenEndpoint, refreshToken, resource, scopes }, requester) => {
+    const parameters = new URLSearchParams();
+    parameters.append(index.QueryKey.ClientId, clientId);
+    parameters.append(index.QueryKey.RefreshToken, refreshToken);
+    parameters.append(index.QueryKey.GrantType, index.TokenGrantType.RefreshToken);
+    if (resource) {
+        parameters.append(index.QueryKey.Resource, resource);
+    }
+    if (scopes?.length) {
+        parameters.append(index.QueryKey.Scope, scopes.join(' '));
+    }
+    const snakeCaseRefreshTokenTokenResponse = await requester(tokenEndpoint, {
+        method: 'POST',
+        headers: index.ContentType.formUrlEncoded,
+        body: parameters,
+    });
+    return camelcaseKeys__default.default(snakeCaseRefreshTokenTokenResponse);
+};
+
+exports.fetchTokenByAuthorizationCode = fetchTokenByAuthorizationCode;
+exports.fetchTokenByRefreshToken = fetchTokenByRefreshToken;

package/lib/core/fetch-token.d.ts

@@ -0,0 +1,36 @@
+import type { KeysToCamelCase } from '@silverhand/essentials';
+import type { Requester } from '../types/index.js';
+export type FetchTokenByAuthorizationCodeParameters = {
+    clientId: string;
+    tokenEndpoint: string;
+    redirectUri: string;
+    codeVerifier: string;
+    code: string;
+    resource?: string;
+};
+export type FetchTokenByRefreshTokenParameters = {
+    clientId: string;
+    tokenEndpoint: string;
+    refreshToken: string;
+    resource?: string;
+    scopes?: string[];
+};
+type SnakeCaseCodeTokenResponse = {
+    access_token: string;
+    refresh_token?: string;
+    id_token: string;
+    scope: string;
+    expires_in: number;
+};
+export type CodeTokenResponse = KeysToCamelCase<SnakeCaseCodeTokenResponse>;
+type SnakeCaseRefreshTokenTokenResponse = {
+    access_token: string;
+    refresh_token: string;
+    id_token?: string;
+    scope: string;
+    expires_in: number;
+};
+export type RefreshTokenTokenResponse = KeysToCamelCase<SnakeCaseRefreshTokenTokenResponse>;
+export declare const fetchTokenByAuthorizationCode: ({ clientId, tokenEndpoint, redirectUri, codeVerifier, code, resource, }: FetchTokenByAuthorizationCodeParameters, requester: Requester) => Promise<CodeTokenResponse>;
+export declare const fetchTokenByRefreshToken: ({ clientId, tokenEndpoint, refreshToken, resource, scopes }: FetchTokenByRefreshTokenParameters, requester: Requester) => Promise<RefreshTokenTokenResponse>;
+export {};

package/lib/core/fetch-token.js

@@ -0,0 +1,40 @@
+import camelcaseKeys from 'camelcase-keys';
+import { QueryKey, TokenGrantType, ContentType } from '../consts/index.js';
+
+const fetchTokenByAuthorizationCode = async ({ clientId, tokenEndpoint, redirectUri, codeVerifier, code, resource, }, requester) => {
+    const parameters = new URLSearchParams();
+    parameters.append(QueryKey.ClientId, clientId);
+    parameters.append(QueryKey.Code, code);
+    parameters.append(QueryKey.CodeVerifier, codeVerifier);
+    parameters.append(QueryKey.RedirectUri, redirectUri);
+    parameters.append(QueryKey.GrantType, TokenGrantType.AuthorizationCode);
+    if (resource) {
+        parameters.append(QueryKey.Resource, resource);
+    }
+    const snakeCaseCodeTokenResponse = await requester(tokenEndpoint, {
+        method: 'POST',
+        headers: ContentType.formUrlEncoded,
+        body: parameters,
+    });
+    return camelcaseKeys(snakeCaseCodeTokenResponse);
+};
+const fetchTokenByRefreshToken = async ({ clientId, tokenEndpoint, refreshToken, resource, scopes }, requester) => {
+    const parameters = new URLSearchParams();
+    parameters.append(QueryKey.ClientId, clientId);
+    parameters.append(QueryKey.RefreshToken, refreshToken);
+    parameters.append(QueryKey.GrantType, TokenGrantType.RefreshToken);
+    if (resource) {
+        parameters.append(QueryKey.Resource, resource);
+    }
+    if (scopes?.length) {
+        parameters.append(QueryKey.Scope, scopes.join(' '));
+    }
+    const snakeCaseRefreshTokenTokenResponse = await requester(tokenEndpoint, {
+        method: 'POST',
+        headers: ContentType.formUrlEncoded,
+        body: parameters,
+    });
+    return camelcaseKeys(snakeCaseRefreshTokenTokenResponse);
+};
+
+export { fetchTokenByAuthorizationCode, fetchTokenByRefreshToken };

package/lib/core/fetch-token.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/core/index.d.ts

@@ -0,0 +1,6 @@
+export * from './fetch-token.js';
+export * from './oidc-config.js';
+export * from './revoke.js';
+export * from './sign-in.js';
+export * from './sign-out.js';
+export * from './user-info.js';

package/lib/core/oidc-config.cjs

@@ -0,0 +1,13 @@
+'use strict';
+
+var camelcaseKeys = require('camelcase-keys');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var camelcaseKeys__default = /*#__PURE__*/_interopDefault(camelcaseKeys);
+
+const discoveryPath = '/oidc/.well-known/openid-configuration';
+const fetchOidcConfig = async (endpoint, requester) => camelcaseKeys__default.default(await requester(endpoint));
+
+exports.discoveryPath = discoveryPath;
+exports.fetchOidcConfig = fetchOidcConfig;

package/lib/core/oidc-config.d.ts

@@ -0,0 +1,15 @@
+import type { KeysToCamelCase } from '@silverhand/essentials';
+import type { Requester } from '../types/index.js';
+type OidcConfigSnakeCaseResponse = {
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    end_session_endpoint: string;
+    revocation_endpoint: string;
+    jwks_uri: string;
+    issuer: string;
+};
+export declare const discoveryPath = "/oidc/.well-known/openid-configuration";
+export type OidcConfigResponse = KeysToCamelCase<OidcConfigSnakeCaseResponse>;
+export declare const fetchOidcConfig: (endpoint: string, requester: Requester) => Promise<OidcConfigResponse>;
+export {};

package/lib/core/oidc-config.js

@@ -0,0 +1,6 @@
+import camelcaseKeys from 'camelcase-keys';
+
+const discoveryPath = '/oidc/.well-known/openid-configuration';
+const fetchOidcConfig = async (endpoint, requester) => camelcaseKeys(await requester(endpoint));
+
+export { discoveryPath, fetchOidcConfig };

package/lib/core/oidc-config.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/core/revoke.cjs

@@ -0,0 +1,14 @@
+'use strict';
+
+var index = require('../consts/index.cjs');
+
+const revoke = async (revocationEndpoint, clientId, token, requester) => requester(revocationEndpoint, {
+    method: 'POST',
+    headers: index.ContentType.formUrlEncoded,
+    body: new URLSearchParams({
+        [index.QueryKey.ClientId]: clientId,
+        [index.QueryKey.Token]: token,
+    }),
+});
+
+exports.revoke = revoke;

package/lib/core/revoke.d.ts

@@ -0,0 +1,2 @@
+import type { Requester } from '../types/index.js';
+export declare const revoke: (revocationEndpoint: string, clientId: string, token: string, requester: Requester) => Promise<void>;

package/lib/core/revoke.js

@@ -0,0 +1,12 @@
+import { ContentType, QueryKey } from '../consts/index.js';
+
+const revoke = async (revocationEndpoint, clientId, token, requester) => requester(revocationEndpoint, {
+    method: 'POST',
+    headers: ContentType.formUrlEncoded,
+    body: new URLSearchParams({
+        [QueryKey.ClientId]: clientId,
+        [QueryKey.Token]: token,
+    }),
+});
+
+export { revoke };

package/lib/core/revoke.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/core/sign-in.cjs

@@ -0,0 +1,31 @@
+'use strict';
+
+var index = require('../consts/index.cjs');
+require('@silverhand/essentials');
+require('jose');
+var scopes = require('../utils/scopes.cjs');
+
+const codeChallengeMethod = 'S256';
+const responseType = 'code';
+const generateSignInUri = ({ authorizationEndpoint, clientId, redirectUri, codeChallenge, state, scopes: scopes$1, resources, prompt, interactionMode, }) => {
+    const urlSearchParameters = new URLSearchParams({
+        [index.QueryKey.ClientId]: clientId,
+        [index.QueryKey.RedirectUri]: redirectUri,
+        [index.QueryKey.CodeChallenge]: codeChallenge,
+        [index.QueryKey.CodeChallengeMethod]: codeChallengeMethod,
+        [index.QueryKey.State]: state,
+        [index.QueryKey.ResponseType]: responseType,
+        [index.QueryKey.Prompt]: prompt ?? index.Prompt.Consent,
+        [index.QueryKey.Scope]: scopes.withDefaultScopes(scopes$1),
+    });
+    for (const resource of resources ?? []) {
+        urlSearchParameters.append(index.QueryKey.Resource, resource);
+    }
+    // Set interactionMode to signUp for a create account user experience
+    if (interactionMode) {
+        urlSearchParameters.append(index.QueryKey.InteractionMode, interactionMode);
+    }
+    return `${authorizationEndpoint}?${urlSearchParameters.toString()}`;
+};
+
+exports.generateSignInUri = generateSignInUri;

package/lib/core/sign-in.d.ts

@@ -0,0 +1,14 @@
+import { Prompt } from '../consts/index.js';
+import type { InteractionMode } from '../types/index.js';
+export type SignInUriParameters = {
+    authorizationEndpoint: string;
+    clientId: string;
+    redirectUri: string;
+    codeChallenge: string;
+    state: string;
+    scopes?: string[];
+    resources?: string[];
+    prompt?: Prompt;
+    interactionMode?: InteractionMode;
+};
+export declare const generateSignInUri: ({ authorizationEndpoint, clientId, redirectUri, codeChallenge, state, scopes, resources, prompt, interactionMode, }: SignInUriParameters) => string;

package/lib/core/sign-in.js

@@ -0,0 +1,29 @@
+import { QueryKey, Prompt } from '../consts/index.js';
+import '@silverhand/essentials';
+import 'jose';
+import { withDefaultScopes } from '../utils/scopes.js';
+
+const codeChallengeMethod = 'S256';
+const responseType = 'code';
+const generateSignInUri = ({ authorizationEndpoint, clientId, redirectUri, codeChallenge, state, scopes, resources, prompt, interactionMode, }) => {
+    const urlSearchParameters = new URLSearchParams({
+        [QueryKey.ClientId]: clientId,
+        [QueryKey.RedirectUri]: redirectUri,
+        [QueryKey.CodeChallenge]: codeChallenge,
+        [QueryKey.CodeChallengeMethod]: codeChallengeMethod,
+        [QueryKey.State]: state,
+        [QueryKey.ResponseType]: responseType,
+        [QueryKey.Prompt]: prompt ?? Prompt.Consent,
+        [QueryKey.Scope]: withDefaultScopes(scopes),
+    });
+    for (const resource of resources ?? []) {
+        urlSearchParameters.append(QueryKey.Resource, resource);
+    }
+    // Set interactionMode to signUp for a create account user experience
+    if (interactionMode) {
+        urlSearchParameters.append(QueryKey.InteractionMode, interactionMode);
+    }
+    return `${authorizationEndpoint}?${urlSearchParameters.toString()}`;
+};
+
+export { generateSignInUri };

package/lib/core/sign-in.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/core/sign-out.cjs

@@ -0,0 +1,13 @@
+'use strict';
+
+var index = require('../consts/index.cjs');
+
+const generateSignOutUri = ({ endSessionEndpoint, clientId, postLogoutRedirectUri, }) => {
+    const urlSearchParameters = new URLSearchParams({ [index.QueryKey.ClientId]: clientId });
+    if (postLogoutRedirectUri) {
+        urlSearchParameters.append(index.QueryKey.PostLogoutRedirectUri, postLogoutRedirectUri);
+    }
+    return `${endSessionEndpoint}?${urlSearchParameters.toString()}`;
+};
+
+exports.generateSignOutUri = generateSignOutUri;

package/lib/core/sign-out.d.ts

@@ -0,0 +1,7 @@
+type SignOutUriParameters = {
+    endSessionEndpoint: string;
+    clientId: string;
+    postLogoutRedirectUri?: string;
+};
+export declare const generateSignOutUri: ({ endSessionEndpoint, clientId, postLogoutRedirectUri, }: SignOutUriParameters) => string;
+export {};

package/lib/core/sign-out.js

@@ -0,0 +1,11 @@
+import { QueryKey } from '../consts/index.js';
+
+const generateSignOutUri = ({ endSessionEndpoint, clientId, postLogoutRedirectUri, }) => {
+    const urlSearchParameters = new URLSearchParams({ [QueryKey.ClientId]: clientId });
+    if (postLogoutRedirectUri) {
+        urlSearchParameters.append(QueryKey.PostLogoutRedirectUri, postLogoutRedirectUri);
+    }
+    return `${endSessionEndpoint}?${urlSearchParameters.toString()}`;
+};
+
+export { generateSignOutUri };

package/lib/core/sign-out.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/core/user-info.cjs

@@ -0,0 +1,7 @@
+'use strict';
+
+const fetchUserInfo = async (userInfoEndpoint, accessToken, requester) => requester(userInfoEndpoint, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+});
+
+exports.fetchUserInfo = fetchUserInfo;

package/lib/core/user-info.d.ts

@@ -0,0 +1,20 @@
+import type { Nullable } from '@silverhand/essentials';
+import type { Requester } from '../types/index.js';
+type Identity = {
+    userId: string;
+    details?: Record<string, unknown>;
+};
+export type UserInfoResponse = {
+    sub: string;
+    name?: Nullable<string>;
+    username?: Nullable<string>;
+    picture?: Nullable<string>;
+    email?: Nullable<string>;
+    email_verified?: boolean;
+    phone_number?: Nullable<string>;
+    phone_number_verified?: boolean;
+    custom_data?: unknown;
+    identities?: Record<string, Identity>;
+};
+export declare const fetchUserInfo: (userInfoEndpoint: string, accessToken: string, requester: Requester) => Promise<UserInfoResponse>;
+export {};

package/lib/core/user-info.js

@@ -0,0 +1,5 @@
+const fetchUserInfo = async (userInfoEndpoint, accessToken, requester) => requester(userInfoEndpoint, {
+    headers: { Authorization: `Bearer ${accessToken}` },
+});
+
+export { fetchUserInfo };

package/lib/core/user-info.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/index.cjs

@@ -0,0 +1,56 @@
+'use strict';
+
+var fetchToken = require('./core/fetch-token.cjs');
+var oidcConfig = require('./core/oidc-config.cjs');
+var revoke = require('./core/revoke.cjs');
+var signIn = require('./core/sign-in.cjs');
+var signOut = require('./core/sign-out.cjs');
+var userInfo = require('./core/user-info.cjs');
+var callbackUri = require('./utils/callback-uri.cjs');
+var errors = require('./utils/errors.cjs');
+var idToken = require('./utils/id-token.cjs');
+var scopes = require('./utils/scopes.cjs');
+var arbitraryObject = require('./utils/arbitrary-object.cjs');
+var index = require('./consts/index.cjs');
+
+
+
+exports.fetchTokenByAuthorizationCode = fetchToken.fetchTokenByAuthorizationCode;
+exports.fetchTokenByRefreshToken = fetchToken.fetchTokenByRefreshToken;
+exports.discoveryPath = oidcConfig.discoveryPath;
+exports.fetchOidcConfig = oidcConfig.fetchOidcConfig;
+exports.revoke = revoke.revoke;
+exports.generateSignInUri = signIn.generateSignInUri;
+exports.generateSignOutUri = signOut.generateSignOutUri;
+exports.fetchUserInfo = userInfo.fetchUserInfo;
+exports.parseUriParameters = callbackUri.parseUriParameters;
+exports.verifyAndParseCodeFromCallbackUri = callbackUri.verifyAndParseCodeFromCallbackUri;
+exports.LogtoError = errors.LogtoError;
+exports.LogtoRequestError = errors.LogtoRequestError;
+exports.OidcError = errors.OidcError;
+exports.isLogtoRequestError = errors.isLogtoRequestError;
+exports.decodeIdToken = idToken.decodeIdToken;
+exports.verifyIdToken = idToken.verifyIdToken;
+exports.withDefaultScopes = scopes.withDefaultScopes;
+exports.isArbitraryObject = arbitraryObject.isArbitraryObject;
+exports.ContentType = index.ContentType;
+Object.defineProperty(exports, 'Prompt', {
+	enumerable: true,
+	get: function () { return index.Prompt; }
+});
+Object.defineProperty(exports, 'QueryKey', {
+	enumerable: true,
+	get: function () { return index.QueryKey; }
+});
+Object.defineProperty(exports, 'ReservedScope', {
+	enumerable: true,
+	get: function () { return index.ReservedScope; }
+});
+Object.defineProperty(exports, 'TokenGrantType', {
+	enumerable: true,
+	get: function () { return index.TokenGrantType; }
+});
+Object.defineProperty(exports, 'UserScope', {
+	enumerable: true,
+	get: function () { return index.UserScope; }
+});

package/lib/index.d.ts

@@ -0,0 +1,4 @@
+export * from './core/index.js';
+export * from './utils/index.js';
+export * from './consts/index.js';
+export * from './types/index.js';

package/lib/index.js

@@ -0,0 +1,12 @@
+export { fetchTokenByAuthorizationCode, fetchTokenByRefreshToken } from './core/fetch-token.js';
+export { discoveryPath, fetchOidcConfig } from './core/oidc-config.js';
+export { revoke } from './core/revoke.js';
+export { generateSignInUri } from './core/sign-in.js';
+export { generateSignOutUri } from './core/sign-out.js';
+export { fetchUserInfo } from './core/user-info.js';
+export { parseUriParameters, verifyAndParseCodeFromCallbackUri } from './utils/callback-uri.js';
+export { LogtoError, LogtoRequestError, OidcError, isLogtoRequestError } from './utils/errors.js';
+export { decodeIdToken, verifyIdToken } from './utils/id-token.js';
+export { withDefaultScopes } from './utils/scopes.js';
+export { isArbitraryObject } from './utils/arbitrary-object.js';
+export { ContentType, Prompt, QueryKey, ReservedScope, TokenGrantType, UserScope } from './consts/index.js';

package/lib/types/index.d.ts

@@ -0,0 +1,6 @@
+export type LogtoRequestErrorBody = {
+    code: string;
+    message: string;
+};
+export type Requester = <T>(...args: Parameters<typeof fetch>) => Promise<T>;
+export type InteractionMode = 'signIn' | 'signUp';

package/lib/utils/arbitrary-object.cjs

@@ -0,0 +1,5 @@
+'use strict';
+
+const isArbitraryObject = (data) => typeof data === 'object' && data !== null;
+
+exports.isArbitraryObject = isArbitraryObject;

package/lib/utils/arbitrary-object.d.ts

@@ -0,0 +1 @@
+export declare const isArbitraryObject: (data: unknown) => data is Record<string, unknown>;

package/lib/utils/arbitrary-object.js

@@ -0,0 +1,3 @@
+const isArbitraryObject = (data) => typeof data === 'object' && data !== null;
+
+export { isArbitraryObject };

package/lib/utils/callback-uri.cjs

@@ -0,0 +1,36 @@
+'use strict';
+
+var essentials = require('@silverhand/essentials');
+var index = require('../consts/index.cjs');
+var errors = require('./errors.cjs');
+
+const parseUriParameters = (uri) => {
+    const [, queryString = ''] = uri.split('?');
+    return new URLSearchParams(queryString);
+};
+const verifyAndParseCodeFromCallbackUri = (callbackUri, redirectUri, state) => {
+    if (!callbackUri.startsWith(redirectUri)) {
+        throw new errors.LogtoError('callback_uri_verification.redirect_uri_mismatched');
+    }
+    const uriParameters = parseUriParameters(callbackUri);
+    const error = essentials.conditional(uriParameters.get(index.QueryKey.Error));
+    const errorDescription = essentials.conditional(uriParameters.get(index.QueryKey.ErrorDescription));
+    if (error) {
+        throw new errors.LogtoError('callback_uri_verification.error_found', new errors.OidcError(error, errorDescription));
+    }
+    const stateFromCallbackUri = uriParameters.get(index.QueryKey.State);
+    if (!stateFromCallbackUri) {
+        throw new errors.LogtoError('callback_uri_verification.missing_state');
+    }
+    if (stateFromCallbackUri !== state) {
+        throw new errors.LogtoError('callback_uri_verification.state_mismatched');
+    }
+    const code = uriParameters.get(index.QueryKey.Code);
+    if (!code) {
+        throw new errors.LogtoError('callback_uri_verification.missing_code');
+    }
+    return code;
+};
+
+exports.parseUriParameters = parseUriParameters;
+exports.verifyAndParseCodeFromCallbackUri = verifyAndParseCodeFromCallbackUri;

package/lib/utils/callback-uri.d.ts

@@ -0,0 +1,2 @@
+export declare const parseUriParameters: (uri: string) => URLSearchParams;
+export declare const verifyAndParseCodeFromCallbackUri: (callbackUri: string, redirectUri: string, state: string) => string;

package/lib/utils/callback-uri.js

@@ -0,0 +1,33 @@
+import { conditional } from '@silverhand/essentials';
+import { QueryKey } from '../consts/index.js';
+import { LogtoError, OidcError } from './errors.js';
+
+const parseUriParameters = (uri) => {
+    const [, queryString = ''] = uri.split('?');
+    return new URLSearchParams(queryString);
+};
+const verifyAndParseCodeFromCallbackUri = (callbackUri, redirectUri, state) => {
+    if (!callbackUri.startsWith(redirectUri)) {
+        throw new LogtoError('callback_uri_verification.redirect_uri_mismatched');
+    }
+    const uriParameters = parseUriParameters(callbackUri);
+    const error = conditional(uriParameters.get(QueryKey.Error));
+    const errorDescription = conditional(uriParameters.get(QueryKey.ErrorDescription));
+    if (error) {
+        throw new LogtoError('callback_uri_verification.error_found', new OidcError(error, errorDescription));
+    }
+    const stateFromCallbackUri = uriParameters.get(QueryKey.State);
+    if (!stateFromCallbackUri) {
+        throw new LogtoError('callback_uri_verification.missing_state');
+    }
+    if (stateFromCallbackUri !== state) {
+        throw new LogtoError('callback_uri_verification.state_mismatched');
+    }
+    const code = uriParameters.get(QueryKey.Code);
+    if (!code) {
+        throw new LogtoError('callback_uri_verification.missing_code');
+    }
+    return code;
+};
+
+export { parseUriParameters, verifyAndParseCodeFromCallbackUri };

package/lib/utils/callback-uri.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/errors.cjs

@@ -0,0 +1,45 @@
+'use strict';
+
+var arbitraryObject = require('./arbitrary-object.cjs');
+
+const logtoErrorCodes = Object.freeze({
+    'id_token.invalid_iat': 'Invalid issued at time in the ID token',
+    'id_token.invalid_token': 'Invalid ID token',
+    'callback_uri_verification.redirect_uri_mismatched': 'The callback URI mismatches the redirect URI.',
+    'callback_uri_verification.error_found': 'Error found in the callback URI',
+    'callback_uri_verification.missing_state': 'Missing state in the callback URI',
+    'callback_uri_verification.state_mismatched': 'State mismatched in the callback URI',
+    'callback_uri_verification.missing_code': 'Missing code in the callback URI',
+    crypto_subtle_unavailable: 'Crypto.subtle is unavailable in insecure contexts (non-HTTPS).',
+    unexpected_response_error: 'Unexpected response error from the server.',
+});
+class LogtoError extends Error {
+    constructor(code, data) {
+        super(logtoErrorCodes[code]);
+        this.code = code;
+        this.data = data;
+    }
+}
+const isLogtoRequestError = (data) => {
+    if (!arbitraryObject.isArbitraryObject(data)) {
+        return false;
+    }
+    return typeof data.code === 'string' && typeof data.message === 'string';
+};
+class LogtoRequestError extends Error {
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+    }
+}
+class OidcError {
+    constructor(error, errorDescription) {
+        this.error = error;
+        this.errorDescription = errorDescription;
+    }
+}
+
+exports.LogtoError = LogtoError;
+exports.LogtoRequestError = LogtoRequestError;
+exports.OidcError = OidcError;
+exports.isLogtoRequestError = isLogtoRequestError;

package/lib/utils/errors.d.ts

@@ -0,0 +1,31 @@
+declare const logtoErrorCodes: Readonly<{
+    'id_token.invalid_iat': "Invalid issued at time in the ID token";
+    'id_token.invalid_token': "Invalid ID token";
+    'callback_uri_verification.redirect_uri_mismatched': "The callback URI mismatches the redirect URI.";
+    'callback_uri_verification.error_found': "Error found in the callback URI";
+    'callback_uri_verification.missing_state': "Missing state in the callback URI";
+    'callback_uri_verification.state_mismatched': "State mismatched in the callback URI";
+    'callback_uri_verification.missing_code': "Missing code in the callback URI";
+    crypto_subtle_unavailable: "Crypto.subtle is unavailable in insecure contexts (non-HTTPS).";
+    unexpected_response_error: "Unexpected response error from the server.";
+}>;
+export type LogtoErrorCode = keyof typeof logtoErrorCodes;
+export declare class LogtoError extends Error {
+    code: LogtoErrorCode;
+    data: unknown;
+    constructor(code: LogtoErrorCode, data?: unknown);
+}
+export declare const isLogtoRequestError: (data: unknown) => data is {
+    code: string;
+    message: string;
+};
+export declare class LogtoRequestError extends Error {
+    code: string;
+    constructor(code: string, message: string);
+}
+export declare class OidcError {
+    error: string;
+    errorDescription?: string | undefined;
+    constructor(error: string, errorDescription?: string | undefined);
+}
+export {};

package/lib/utils/errors.js

@@ -0,0 +1,40 @@
+import { isArbitraryObject } from './arbitrary-object.js';
+
+const logtoErrorCodes = Object.freeze({
+    'id_token.invalid_iat': 'Invalid issued at time in the ID token',
+    'id_token.invalid_token': 'Invalid ID token',
+    'callback_uri_verification.redirect_uri_mismatched': 'The callback URI mismatches the redirect URI.',
+    'callback_uri_verification.error_found': 'Error found in the callback URI',
+    'callback_uri_verification.missing_state': 'Missing state in the callback URI',
+    'callback_uri_verification.state_mismatched': 'State mismatched in the callback URI',
+    'callback_uri_verification.missing_code': 'Missing code in the callback URI',
+    crypto_subtle_unavailable: 'Crypto.subtle is unavailable in insecure contexts (non-HTTPS).',
+    unexpected_response_error: 'Unexpected response error from the server.',
+});
+class LogtoError extends Error {
+    constructor(code, data) {
+        super(logtoErrorCodes[code]);
+        this.code = code;
+        this.data = data;
+    }
+}
+const isLogtoRequestError = (data) => {
+    if (!isArbitraryObject(data)) {
+        return false;
+    }
+    return typeof data.code === 'string' && typeof data.message === 'string';
+};
+class LogtoRequestError extends Error {
+    constructor(code, message) {
+        super(message);
+        this.code = code;
+    }
+}
+class OidcError {
+    constructor(error, errorDescription) {
+        this.error = error;
+        this.errorDescription = errorDescription;
+    }
+}
+
+export { LogtoError, LogtoRequestError, OidcError, isLogtoRequestError };

package/lib/utils/errors.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/id-token.cjs

@@ -0,0 +1,63 @@
+'use strict';
+
+var essentials = require('@silverhand/essentials');
+var jose = require('jose');
+var arbitraryObject = require('./arbitrary-object.cjs');
+var errors = require('./errors.cjs');
+
+const issuedAtTimeTolerance = 60;
+/* eslint-disable complexity */
+/**
+ * @link [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+ */
+function assertIdTokenClaims(data) {
+    if (!arbitraryObject.isArbitraryObject(data)) {
+        throw new TypeError('IdToken is expected to be an object');
+    }
+    for (const key of ['iss', 'sub', 'aud']) {
+        if (typeof data[key] !== 'string') {
+            throw new TypeError(`At path: IdToken.${key}: expected a string`);
+        }
+    }
+    for (const key of ['exp', 'iat']) {
+        if (typeof data[key] !== 'number') {
+            throw new TypeError(`At path: IdToken.${key}: expected a number`);
+        }
+    }
+    for (const key of ['at_hash', 'name', 'username', 'picture', 'email', 'phone_number']) {
+        if (data[key] === undefined) {
+            continue;
+        }
+        if (typeof data[key] !== 'string' && data[key] !== null) {
+            throw new TypeError(`At path: IdToken.${key}: expected null or a string`);
+        }
+    }
+    for (const key of ['email_verified', 'phone_number_verified']) {
+        if (data[key] === undefined) {
+            continue;
+        }
+        if (typeof data[key] !== 'boolean') {
+            throw new TypeError(`At path: IdToken.${key}: expected a boolean`);
+        }
+    }
+}
+/* eslint-enable complexity */
+const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
+    const result = await jose.jwtVerify(idToken, jwks, { audience: clientId, issuer });
+    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+        throw new errors.LogtoError('id_token.invalid_iat');
+    }
+};
+const decodeIdToken = (token) => {
+    const { 1: encodedPayload } = token.split('.');
+    if (!encodedPayload) {
+        throw new errors.LogtoError('id_token.invalid_token');
+    }
+    const json = essentials.urlSafeBase64.decode(encodedPayload);
+    const idTokenClaims = JSON.parse(json);
+    assertIdTokenClaims(idTokenClaims);
+    return idTokenClaims;
+};
+
+exports.decodeIdToken = decodeIdToken;
+exports.verifyIdToken = verifyIdToken;

package/lib/utils/id-token.d.ts

@@ -0,0 +1,19 @@
+import type { Nullable } from '@silverhand/essentials';
+import type { JWTVerifyGetKey } from 'jose';
+export type IdTokenClaims = {
+    iss: string;
+    sub: string;
+    aud: string;
+    exp: number;
+    iat: number;
+    at_hash?: Nullable<string>;
+    name?: Nullable<string>;
+    username?: Nullable<string>;
+    picture?: Nullable<string>;
+    email?: Nullable<string>;
+    email_verified?: boolean;
+    phone_number?: Nullable<string>;
+    phone_number_verified?: boolean;
+};
+export declare const verifyIdToken: (idToken: string, clientId: string, issuer: string, jwks: JWTVerifyGetKey) => Promise<void>;
+export declare const decodeIdToken: (token: string) => IdTokenClaims;

package/lib/utils/id-token.js

@@ -0,0 +1,60 @@
+import { urlSafeBase64 } from '@silverhand/essentials';
+import { jwtVerify } from 'jose';
+import { isArbitraryObject } from './arbitrary-object.js';
+import { LogtoError } from './errors.js';
+
+const issuedAtTimeTolerance = 60;
+/* eslint-disable complexity */
+/**
+ * @link [ID Token](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
+ */
+function assertIdTokenClaims(data) {
+    if (!isArbitraryObject(data)) {
+        throw new TypeError('IdToken is expected to be an object');
+    }
+    for (const key of ['iss', 'sub', 'aud']) {
+        if (typeof data[key] !== 'string') {
+            throw new TypeError(`At path: IdToken.${key}: expected a string`);
+        }
+    }
+    for (const key of ['exp', 'iat']) {
+        if (typeof data[key] !== 'number') {
+            throw new TypeError(`At path: IdToken.${key}: expected a number`);
+        }
+    }
+    for (const key of ['at_hash', 'name', 'username', 'picture', 'email', 'phone_number']) {
+        if (data[key] === undefined) {
+            continue;
+        }
+        if (typeof data[key] !== 'string' && data[key] !== null) {
+            throw new TypeError(`At path: IdToken.${key}: expected null or a string`);
+        }
+    }
+    for (const key of ['email_verified', 'phone_number_verified']) {
+        if (data[key] === undefined) {
+            continue;
+        }
+        if (typeof data[key] !== 'boolean') {
+            throw new TypeError(`At path: IdToken.${key}: expected a boolean`);
+        }
+    }
+}
+/* eslint-enable complexity */
+const verifyIdToken = async (idToken, clientId, issuer, jwks) => {
+    const result = await jwtVerify(idToken, jwks, { audience: clientId, issuer });
+    if (Math.abs((result.payload.iat ?? 0) - Date.now() / 1000) > issuedAtTimeTolerance) {
+        throw new LogtoError('id_token.invalid_iat');
+    }
+};
+const decodeIdToken = (token) => {
+    const { 1: encodedPayload } = token.split('.');
+    if (!encodedPayload) {
+        throw new LogtoError('id_token.invalid_token');
+    }
+    const json = urlSafeBase64.decode(encodedPayload);
+    const idTokenClaims = JSON.parse(json);
+    assertIdTokenClaims(idTokenClaims);
+    return idTokenClaims;
+};
+
+export { decodeIdToken, verifyIdToken };

package/lib/utils/id-token.test.d.ts

@@ -0,0 +1 @@
+export {};

package/lib/utils/index.d.ts

@@ -0,0 +1,5 @@
+export * from './callback-uri.js';
+export * from './errors.js';
+export * from './id-token.js';
+export * from './scopes.js';
+export * from './arbitrary-object.js';

package/lib/utils/scopes.cjs

@@ -0,0 +1,15 @@
+'use strict';
+
+var index = require('../consts/index.cjs');
+
+/**
+ * @param originalScopes
+ * @return scopes should contain all default scopes (`openid`, `offline_access` and `profile`)
+ */
+const withDefaultScopes = (originalScopes) => {
+    const reservedScopes = Object.values(index.ReservedScope);
+    const uniqueScopes = new Set([...reservedScopes, index.UserScope.Profile, ...(originalScopes ?? [])]);
+    return Array.from(uniqueScopes).join(' ');
+};
+
+exports.withDefaultScopes = withDefaultScopes;

package/lib/utils/scopes.d.ts

@@ -0,0 +1,5 @@
+/**
+ * @param originalScopes
+ * @return scopes should contain all default scopes (`openid`, `offline_access` and `profile`)
+ */
+export declare const withDefaultScopes: (originalScopes?: string[]) => string;

package/lib/utils/scopes.js

@@ -0,0 +1,13 @@
+import { ReservedScope, UserScope } from '../consts/index.js';
+
+/**
+ * @param originalScopes
+ * @return scopes should contain all default scopes (`openid`, `offline_access` and `profile`)
+ */
+const withDefaultScopes = (originalScopes) => {
+    const reservedScopes = Object.values(ReservedScope);
+    const uniqueScopes = new Set([...reservedScopes, UserScope.Profile, ...(originalScopes ?? [])]);
+    return Array.from(uniqueScopes).join(' ');
+};
+
+export { withDefaultScopes };

package/lib/utils/scopes.test.d.ts

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/js",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "type": "module",
   "main": "./lib/index.cjs",
   "module": "./lib/index.js",