@okta/okta-auth-js 6.5.3 → 6.6.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +23 -0
- package/cjs/OktaAuth.js +23 -21
- package/cjs/OktaAuth.js.map +1 -1
- package/cjs/OktaUserAgent.js +2 -2
- package/cjs/ServiceManager.js +9 -9
- package/cjs/ServiceManager.js.map +1 -1
- package/cjs/TokenManager.js +6 -0
- package/cjs/TokenManager.js.map +1 -1
- package/cjs/errors/index.js +5 -0
- package/cjs/errors/index.js.map +1 -1
- package/cjs/http/request.js.map +1 -1
- package/cjs/idx/authenticate.js.map +1 -1
- package/cjs/idx/cancel.js.map +1 -1
- package/cjs/idx/emailVerify.js.map +1 -1
- package/cjs/idx/flow/FlowSpecification.js.map +1 -1
- package/cjs/idx/idxState/index.js +1 -1
- package/cjs/idx/idxState/index.js.map +1 -1
- package/cjs/idx/idxState/v1/generateIdxAction.js +2 -4
- package/cjs/idx/idxState/v1/generateIdxAction.js.map +1 -1
- package/cjs/idx/idxState/v1/idxResponseParser.js.map +1 -1
- package/cjs/idx/idxState/v1/makeIdxState.js.map +1 -1
- package/cjs/idx/idxState/v1/remediationParser.js.map +1 -1
- package/cjs/idx/interact.js +1 -3
- package/cjs/idx/interact.js.map +1 -1
- package/cjs/idx/introspect.js.map +1 -1
- package/cjs/idx/poll.js.map +1 -1
- package/cjs/idx/proceed.js.map +1 -1
- package/cjs/idx/recoverPassword.js.map +1 -1
- package/cjs/idx/register.js.map +1 -1
- package/cjs/idx/remediate.js +8 -12
- package/cjs/idx/remediate.js.map +1 -1
- package/cjs/idx/remediators/Base/AuthenticatorData.js.map +1 -1
- package/cjs/idx/remediators/Base/Remediator.js.map +1 -1
- package/cjs/idx/remediators/Base/SelectAuthenticator.js.map +1 -1
- package/cjs/idx/remediators/Base/VerifyAuthenticator.js.map +1 -1
- package/cjs/idx/remediators/EnrollPoll.js.map +1 -1
- package/cjs/idx/remediators/EnrollmentChannelData.js.map +1 -1
- package/cjs/idx/remediators/GenericRemediator/GenericRemediator.js +1 -3
- package/cjs/idx/remediators/GenericRemediator/GenericRemediator.js.map +1 -1
- package/cjs/idx/remediators/GenericRemediator/util.js +7 -1
- package/cjs/idx/remediators/GenericRemediator/util.js.map +1 -1
- package/cjs/idx/remediators/SelectEnrollmentChannel.js.map +1 -1
- package/cjs/idx/run.js +8 -10
- package/cjs/idx/run.js.map +1 -1
- package/cjs/idx/startTransaction.js.map +1 -1
- package/cjs/idx/transactionMeta.js.map +1 -1
- package/cjs/idx/types/api.js.map +1 -1
- package/cjs/idx/unlockAccount.js.map +1 -1
- package/cjs/idx/util.js +22 -27
- package/cjs/idx/util.js.map +1 -1
- package/cjs/oidc/endpoints/token.js.map +1 -1
- package/cjs/oidc/endpoints/well-known.js.map +1 -1
- package/cjs/oidc/exchangeCodeForTokens.js.map +1 -1
- package/cjs/oidc/getToken.js.map +1 -1
- package/cjs/oidc/getUserInfo.js.map +1 -1
- package/cjs/oidc/getWithPopup.js.map +1 -1
- package/cjs/oidc/getWithRedirect.js.map +1 -1
- package/cjs/oidc/getWithoutPrompt.js.map +1 -1
- package/cjs/oidc/handleOAuthResponse.js +1 -3
- package/cjs/oidc/handleOAuthResponse.js.map +1 -1
- package/cjs/oidc/renewToken.js.map +1 -1
- package/cjs/oidc/renewTokensWithRefresh.js +26 -15
- package/cjs/oidc/renewTokensWithRefresh.js.map +1 -1
- package/cjs/oidc/revokeToken.js.map +1 -1
- package/cjs/oidc/util/browser.js.map +1 -1
- package/cjs/oidc/util/defaultTokenParams.js.map +1 -1
- package/cjs/oidc/util/errors.js +8 -0
- package/cjs/oidc/util/errors.js.map +1 -1
- package/cjs/oidc/util/loginRedirect.js.map +1 -1
- package/cjs/oidc/util/oauth.js.map +1 -1
- package/cjs/oidc/util/oauthMeta.js.map +1 -1
- package/cjs/oidc/util/prepareTokenParams.js.map +1 -1
- package/cjs/oidc/util/validateClaims.js.map +1 -1
- package/cjs/oidc/verifyToken.js.map +1 -1
- package/cjs/options/index.js +5 -2
- package/cjs/options/index.js.map +1 -1
- package/cjs/tx/AuthTransaction.js +1 -1
- package/cjs/tx/AuthTransaction.js.map +1 -1
- package/cjs/tx/api.js +3 -5
- package/cjs/tx/api.js.map +1 -1
- package/cjs/tx/poll.js +1 -3
- package/cjs/tx/poll.js.map +1 -1
- package/dist/okta-auth-js.min.js +1 -1
- package/dist/okta-auth-js.min.js.map +1 -1
- package/dist/okta-auth-js.umd.js +1 -1
- package/dist/okta-auth-js.umd.js.map +1 -1
- package/esm/esm.browser.js +577 -446
- package/esm/esm.browser.js.map +1 -1
- package/esm/esm.node.mjs +577 -446
- package/esm/esm.node.mjs.map +1 -1
- package/lib/OktaAuth.d.ts +4 -4
- package/lib/ServiceManager.d.ts +2 -2
- package/lib/TokenManager.d.ts +1 -0
- package/lib/errors/index.d.ts +2 -1
- package/lib/http/request.d.ts +4 -4
- package/lib/idx/authenticate.d.ts +2 -2
- package/lib/idx/cancel.d.ts +2 -2
- package/lib/idx/emailVerify.d.ts +2 -2
- package/lib/idx/flow/FlowSpecification.d.ts +2 -2
- package/lib/idx/idxState/index.d.ts +3 -3
- package/lib/idx/idxState/v1/generateIdxAction.d.ts +2 -2
- package/lib/idx/idxState/v1/idxResponseParser.d.ts +3 -3
- package/lib/idx/idxState/v1/makeIdxState.d.ts +3 -3
- package/lib/idx/idxState/v1/remediationParser.d.ts +2 -2
- package/lib/idx/interact.d.ts +2 -2
- package/lib/idx/introspect.d.ts +2 -2
- package/lib/idx/poll.d.ts +2 -2
- package/lib/idx/proceed.d.ts +3 -3
- package/lib/idx/recoverPassword.d.ts +2 -2
- package/lib/idx/register.d.ts +2 -2
- package/lib/idx/remediate.d.ts +2 -2
- package/lib/idx/remediators/Base/AuthenticatorData.d.ts +2 -2
- package/lib/idx/remediators/Base/Remediator.d.ts +2 -2
- package/lib/idx/remediators/Base/SelectAuthenticator.d.ts +2 -2
- package/lib/idx/remediators/Base/VerifyAuthenticator.d.ts +2 -2
- package/lib/idx/remediators/EnrollPoll.d.ts +2 -2
- package/lib/idx/remediators/EnrollmentChannelData.d.ts +2 -2
- package/lib/idx/remediators/GenericRemediator/GenericRemediator.d.ts +2 -2
- package/lib/idx/remediators/SelectEnrollmentChannel.d.ts +2 -2
- package/lib/idx/run.d.ts +2 -2
- package/lib/idx/startTransaction.d.ts +2 -2
- package/lib/idx/transactionMeta.d.ts +7 -7
- package/lib/idx/types/api.d.ts +0 -1
- package/lib/idx/unlockAccount.d.ts +2 -2
- package/lib/idx/util.d.ts +6 -6
- package/lib/oidc/endpoints/token.d.ts +2 -2
- package/lib/oidc/endpoints/well-known.d.ts +3 -3
- package/lib/oidc/exchangeCodeForTokens.d.ts +2 -2
- package/lib/oidc/getToken.d.ts +2 -2
- package/lib/oidc/getUserInfo.d.ts +2 -2
- package/lib/oidc/getWithPopup.d.ts +2 -2
- package/lib/oidc/getWithRedirect.d.ts +2 -2
- package/lib/oidc/getWithoutPrompt.d.ts +2 -2
- package/lib/oidc/handleOAuthResponse.d.ts +2 -2
- package/lib/oidc/renewToken.d.ts +2 -2
- package/lib/oidc/renewTokensWithRefresh.d.ts +2 -2
- package/lib/oidc/revokeToken.d.ts +2 -2
- package/lib/oidc/util/browser.d.ts +2 -2
- package/lib/oidc/util/defaultTokenParams.d.ts +2 -2
- package/lib/oidc/util/errors.d.ts +3 -2
- package/lib/oidc/util/loginRedirect.d.ts +4 -4
- package/lib/oidc/util/oauth.d.ts +4 -4
- package/lib/oidc/util/oauthMeta.d.ts +2 -2
- package/lib/oidc/util/prepareTokenParams.d.ts +5 -5
- package/lib/oidc/util/validateClaims.d.ts +2 -2
- package/lib/oidc/verifyToken.d.ts +2 -2
- package/lib/tx/api.d.ts +2 -3
- package/lib/types/OktaAuthOptions.d.ts +2 -2
- package/lib/types/Service.d.ts +2 -2
- package/lib/types/TokenManager.d.ts +1 -0
- package/lib/types/UserClaims.d.ts +4 -1
- package/lib/types/api.d.ts +28 -8
- package/package.json +13 -23
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/getUserInfo.ts"],"names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","reject","AuthSdkError","url","userinfoUrl","method","then","userInfo","sub","claims","catch","err","xhr","status","authenticateHeader","headers","get","getResponseHeader","errorMatches","match","errorDescriptionMatches","error","errorDescription","OAuthError"],"mappings":";;;;;;;;AAaA;;AACA;;AACA;;AACA;;AAhBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,eAAeA,WAAf,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/getUserInfo.ts"],"names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","reject","AuthSdkError","url","userinfoUrl","method","then","userInfo","sub","claims","catch","err","xhr","status","authenticateHeader","headers","get","getResponseHeader","errorMatches","match","errorDescriptionMatches","error","errorDescription","OAuthError"],"mappings":";;;;;;;;AAaA;;AACA;;AACA;;AACA;;AAhBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,eAAeA,WAAf,CACLC,GADK,EACAC,iBADA,EAELC,aAFK,EAGmB;AACxB;AACA,MAAI,CAACD,iBAAL,EAAwB;AACtBA,IAAAA,iBAAiB,GAAG,CAAC,MAAMD,GAAG,CAACG,YAAJ,CAAiBC,SAAjB,EAAP,EAAqCC,WAAzD;AACD;;AACD,MAAI,CAACH,aAAL,EAAoB;AAClBA,IAAAA,aAAa,GAAG,CAAC,MAAMF,GAAG,CAACG,YAAJ,CAAiBC,SAAjB,EAAP,EAAqCE,OAArD;AACD;;AAED,MAAI,CAACL,iBAAD,IAAsB,CAAC,0BAAcA,iBAAd,CAA3B,EAA6D;AAC3D,WAAO,iBAAQM,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,6CAAjB,CAAf,CAAP;AACD;;AAED,MAAI,CAACN,aAAD,IAAkB,CAAC,sBAAUA,aAAV,CAAvB,EAAiD;AAC/C,WAAO,iBAAQK,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,yCAAjB,CAAf,CAAP;AACD;;AAED,SAAO,uBAAYR,GAAZ,EAAiB;AACtBS,IAAAA,GAAG,EAAER,iBAAiB,CAACS,WADD;AAEtBC,IAAAA,MAAM,EAAE,KAFc;AAGtBN,IAAAA,WAAW,EAAEJ,iBAAiB,CAACI;AAHT,GAAjB,EAKJO,IALI,CAKCC,QAAQ,IAAI;AAChB;AACA,QAAIA,QAAQ,CAACC,GAAT,KAAiBZ,aAAa,CAACa,MAAd,CAAqBD,GAA1C,EAA+C;AAC7C,aAAOD,QAAP;AACD;;AACD,WAAO,iBAAQN,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,wDAAjB,CAAf,CAAP;AACD,GAXI,EAYJQ,KAZI,CAYE,UAAUC,GAAV,EAAe;AACpB,QAAIA,GAAG,CAACC,GAAJ,KAAYD,GAAG,CAACC,GAAJ,CAAQC,MAAR,KAAmB,GAAnB,IAA0BF,GAAG,CAACC,GAAJ,CAAQC,MAAR,KAAmB,GAAzD,CAAJ,EAAmE;AACjE,UAAIC,kBAAJ;;AACA,UAAIH,GAAG,CAACC,GAAJ,CAAQG,OAAR,IAAmB,sBAAWJ,GAAG,CAACC,GAAJ,CAAQG,OAAR,CAAgBC,GAA3B,CAAnB,IAAsDL,GAAG,CAACC,GAAJ,CAAQG,OAAR,CAAgBC,GAAhB,CAAoB,kBAApB,CAA1D,EAAmG;AACjGF,QAAAA,kBAAkB,GAAGH,GAAG,CAACC,GAAJ,CAAQG,OAAR,CAAgBC,GAAhB,CAAoB,kBAApB,CAArB;AACD,OAFD,MAEO,IAAI,sBAAWL,GAAG,CAACC,GAAJ,CAAQK,iBAAnB,CAAJ,EAA2C;AAChDH,QAAAA,kBAAkB,GAAGH,GAAG,CAACC,GAAJ,CAAQK,iBAAR,CAA0B,kBAA1B,CAArB;AACD;;AACD,UAAIH,kBAAJ,EAAwB;AACtB,YAAII,YAAY,GAAGJ,kBAAkB,CAACK,KAAnB,CAAyB,eAAzB,KAA6C,EAAhE;AACA,YAAIC,uBAAuB,GAAGN,kBAAkB,CAACK,KAAnB,CAAyB,2BAAzB,KAAyD,EAAvF;AACA,YAAIE,KAAK,GAAGH,YAAY,CAAC,CAAD,CAAxB;AACA,YAAII,gBAAgB,GAAGF,uBAAuB,CAAC,CAAD,CAA9C;;AACA,YAAIC,KAAK,IAAIC,gBAAb,EAA+B;AAC7BX,UAAAA,GAAG,GAAG,IAAIY,kBAAJ,CAAeF,KAAf,EAAsBC,gBAAtB,CAAN;AACD;AACF;AACF;;AACD,UAAMX,GAAN;AACD,GA/BI,CAAP;AAgCD","sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { isFunction } from '../util';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport { httpRequest } from '../http';\nimport { AccessToken, IDToken, UserClaims, isAccessToken, isIDToken, CustomUserClaims } from '../types';\n\nexport async function getUserInfo<T extends CustomUserClaims = CustomUserClaims>(\n sdk, accessTokenObject: AccessToken,\n idTokenObject: IDToken\n): Promise<UserClaims<T>> {\n // If token objects were not passed, attempt to read from the TokenManager\n if (!accessTokenObject) {\n accessTokenObject = (await sdk.tokenManager.getTokens()).accessToken as AccessToken;\n }\n if (!idTokenObject) {\n idTokenObject = (await sdk.tokenManager.getTokens()).idToken as IDToken;\n }\n\n if (!accessTokenObject || !isAccessToken(accessTokenObject)) {\n return Promise.reject(new AuthSdkError('getUserInfo requires an access token object'));\n }\n\n if (!idTokenObject || !isIDToken(idTokenObject)) {\n return Promise.reject(new AuthSdkError('getUserInfo requires an ID token object'));\n }\n\n return httpRequest(sdk, {\n url: accessTokenObject.userinfoUrl,\n method: 'GET',\n accessToken: accessTokenObject.accessToken\n })\n .then(userInfo => {\n // Only return the userinfo response if subjects match to mitigate token substitution attacks\n if (userInfo.sub === idTokenObject.claims.sub) {\n return userInfo;\n }\n return Promise.reject(new AuthSdkError('getUserInfo request was rejected due to token mismatch'));\n })\n .catch(function (err) {\n if (err.xhr && (err.xhr.status === 401 || err.xhr.status === 403)) {\n var authenticateHeader;\n if (err.xhr.headers && isFunction(err.xhr.headers.get) && err.xhr.headers.get('WWW-Authenticate')) {\n authenticateHeader = err.xhr.headers.get('WWW-Authenticate');\n } else if (isFunction(err.xhr.getResponseHeader)) {\n authenticateHeader = err.xhr.getResponseHeader('WWW-Authenticate');\n }\n if (authenticateHeader) {\n var errorMatches = authenticateHeader.match(/error=\"(.*?)\"/) || [];\n var errorDescriptionMatches = authenticateHeader.match(/error_description=\"(.*?)\"/) || [];\n var error = errorMatches[1];\n var errorDescription = errorDescriptionMatches[1];\n if (error && errorDescription) {\n err = new OAuthError(error, errorDescription);\n }\n }\n }\n throw err;\n });\n}\n"],"file":"getUserInfo.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/getWithPopup.ts"],"names":["getWithPopup","sdk","options","arguments","length","reject","AuthSdkError","popupWindow","display","responseMode"],"mappings":";;;;;;;;;;AAYA;;AAEA;;AACA;;AACA;;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,SAASA,YAAT,CAAsBC,GAAtB,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/getWithPopup.ts"],"names":["getWithPopup","sdk","options","arguments","length","reject","AuthSdkError","popupWindow","display","responseMode"],"mappings":";;;;;;;;;;AAYA;;AAEA;;AACA;;AACA;;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,SAASA,YAAT,CAAsBC,GAAtB,EAAkDC,OAAlD,EAAgG;AACrG,MAAIC,SAAS,CAACC,MAAV,GAAmB,CAAvB,EAA0B;AACxB,WAAO,iBAAQC,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,sEAAjB,CAAf,CAAP;AACD,GAHoG,CAKrG;AACA;AACA;;;AACA,QAAMC,WAAW,GAAG,sBAAU,GAAV,EAAeL,OAAf,CAApB;AACAA,EAAAA,OAAO,GAAG,iBAAMA,OAAN,KAAkB,EAA5B;AACA,uBAAcA,OAAd,EAAuB;AACrBM,IAAAA,OAAO,EAAE,OADY;AAErBC,IAAAA,YAAY,EAAE,mBAFO;AAGrBF,IAAAA;AAHqB,GAAvB;AAKA,SAAO,wBAASN,GAAT,EAAcC,OAAd,CAAP;AACD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOIDCInterface, TokenParams, TokenResponse } from '../types';\nimport { clone } from '../util';\nimport { getToken } from './getToken';\nimport { loadPopup } from './util';\n\nexport function getWithPopup(sdk: OktaAuthOIDCInterface, options: TokenParams): Promise<TokenResponse> {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getWithPopup\" takes only a single set of options'));\n }\n\n // some browsers (safari, firefox) block popup if it's initialed from an async process\n // here we create the popup window immediately after user interaction\n // then redirect to the /authorize endpoint when the requestUrl is available\n const popupWindow = loadPopup('/', options);\n options = clone(options) || {};\n Object.assign(options, {\n display: 'popup',\n responseMode: 'okta_post_message',\n popupWindow\n });\n return getToken(sdk, options);\n}\n"],"file":"getWithPopup.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/getWithRedirect.ts"],"names":["getWithRedirect","sdk","options","arguments","length","reject","AuthSdkError","tokenParams","meta","requestUrl","urls","authorizeUrl","transactionManager","save","oauth","token","_setLocation"],"mappings":";;;;;;;;AAaA;;AAEA;;AACA;;AACA;;AAjBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,eAAeA,eAAf,CAA+BC,GAA/B,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/getWithRedirect.ts"],"names":["getWithRedirect","sdk","options","arguments","length","reject","AuthSdkError","tokenParams","meta","requestUrl","urls","authorizeUrl","transactionManager","save","oauth","token","_setLocation"],"mappings":";;;;;;;;AAaA;;AAEA;;AACA;;AACA;;AAjBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOO,eAAeA,eAAf,CAA+BC,GAA/B,EAA2DC,OAA3D,EAAiG;AACtG,MAAIC,SAAS,CAACC,MAAV,GAAmB,CAAvB,EAA0B;AACxB,WAAO,iBAAQC,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,yEAAjB,CAAf,CAAP;AACD;;AAEDJ,EAAAA,OAAO,GAAG,iBAAMA,OAAN,KAAkB,EAA5B;AAEA,QAAMK,WAAW,GAAG,MAAM,+BAAmBN,GAAnB,EAAwBC,OAAxB,CAA1B;AACA,QAAMM,IAAI,GAAG,4BAAgBP,GAAhB,EAAqBM,WAArB,CAAb;AACA,QAAME,UAAU,GAAGD,IAAI,CAACE,IAAL,CAAUC,YAAV,GAAyB,qCAAqBJ,WAArB,CAA5C;AACAN,EAAAA,GAAG,CAACW,kBAAJ,CAAuBC,IAAvB,CAA4BL,IAA5B,EAAkC;AAAEM,IAAAA,KAAK,EAAE;AAAT,GAAlC;;AACAb,EAAAA,GAAG,CAACc,KAAJ,CAAUf,eAAV,CAA0BgB,YAA1B,CAAuCP,UAAvC;AACD","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOIDCInterface, TokenParams } from '../types';\nimport { clone } from '../util';\nimport { prepareTokenParams, createOAuthMeta } from './util';\nimport { buildAuthorizeParams } from './endpoints/authorize';\n\nexport async function getWithRedirect(sdk: OktaAuthOIDCInterface, options?: TokenParams): Promise<void> {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getWithRedirect\" takes only a single set of options'));\n }\n\n options = clone(options) || {};\n\n const tokenParams = await prepareTokenParams(sdk, options);\n const meta = createOAuthMeta(sdk, tokenParams);\n const requestUrl = meta.urls.authorizeUrl + buildAuthorizeParams(tokenParams);\n sdk.transactionManager.save(meta, { oauth: true });\n sdk.token.getWithRedirect._setLocation(requestUrl);\n}\n"],"file":"getWithRedirect.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/getWithoutPrompt.ts"],"names":["getWithoutPrompt","sdk","options","arguments","length","reject","AuthSdkError","prompt","responseMode","display"],"mappings":";;;;;;;;;;AAYA;;AAEA;;AACA;;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,SAASA,gBAAT,CAA0BC,GAA1B,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/getWithoutPrompt.ts"],"names":["getWithoutPrompt","sdk","options","arguments","length","reject","AuthSdkError","prompt","responseMode","display"],"mappings":";;;;;;;;;;AAYA;;AAEA;;AACA;;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,SAASA,gBAAT,CAA0BC,GAA1B,EAAsDC,OAAtD,EAAoG;AACzG,MAAIC,SAAS,CAACC,MAAV,GAAmB,CAAvB,EAA0B;AACxB,WAAO,iBAAQC,MAAR,CAAe,IAAIC,oBAAJ,CAAiB,0EAAjB,CAAf,CAAP;AACD;;AAEDJ,EAAAA,OAAO,GAAG,iBAAMA,OAAN,KAAkB,EAA5B;AACA,uBAAcA,OAAd,EAAuB;AACrBK,IAAAA,MAAM,EAAE,MADa;AAErBC,IAAAA,YAAY,EAAE,mBAFO;AAGrBC,IAAAA,OAAO,EAAE;AAHY,GAAvB;AAKA,SAAO,wBAASR,GAAT,EAAcC,OAAd,CAAP;AACD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOIDCInterface, TokenParams, TokenResponse } from '../types';\nimport { clone } from '../util';\nimport { getToken } from './getToken';\n\nexport function getWithoutPrompt(sdk: OktaAuthOIDCInterface, options: TokenParams): Promise<TokenResponse> {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getWithoutPrompt\" takes only a single set of options'));\n }\n \n options = clone(options) || {};\n Object.assign(options, {\n prompt: 'none',\n responseMode: 'okta_post_message',\n display: null\n });\n return getToken(sdk, options);\n}\n\n"],"file":"getWithoutPrompt.js"}
|
|
@@ -14,8 +14,6 @@ var _oauth = require("./util/oauth");
|
|
|
14
14
|
|
|
15
15
|
var _errors = require("../errors");
|
|
16
16
|
|
|
17
|
-
var _exchangeCodeForTokens = require("./exchangeCodeForTokens");
|
|
18
|
-
|
|
19
17
|
var _verifyToken = require("./verifyToken");
|
|
20
18
|
|
|
21
19
|
var _util2 = require("./util");
|
|
@@ -51,7 +49,7 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
51
49
|
// `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result
|
|
52
50
|
|
|
53
51
|
if (pkce && (res.code || res.interaction_code)) {
|
|
54
|
-
return
|
|
52
|
+
return sdk.token.exchangeCodeForTokens((0, _assign.default)({}, tokenParams, {
|
|
55
53
|
authorizationCode: res.code,
|
|
56
54
|
interactionCode: res.interaction_code
|
|
57
55
|
}), urls);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","authorizationCode","interactionCode","responseType","Array","isArray","scopes","scope","split","clientId","tokenDict","expiresIn","expires_in","tokenType","token_type","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","authorizationCode","interactionCode","responseType","Array","isArray","scopes","scope","split","clientId","tokenDict","expiresIn","expires_in","tokenType","token_type","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","ignoreSignature","undefined","tokens"],"mappings":";;;;;;;;;;AAeA;;AACA;;AAGA;;AAWA;;AACA;;AA/BA;;AAEA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAmBA,SAASA,gBAAT,CAA0BC,GAA1B,EAA8CC,WAA9C,EAAwE;AACtE,MAAID,GAAG,CAAC,OAAD,CAAH,IAAgBA,GAAG,CAAC,mBAAD,CAAvB,EAA8C;AAC5C,UAAM,IAAIE,kBAAJ,CAAeF,GAAG,CAAC,OAAD,CAAlB,EAA6BA,GAAG,CAAC,mBAAD,CAAhC,CAAN;AACD;;AAED,MAAIA,GAAG,CAACG,KAAJ,KAAcF,WAAW,CAACE,KAA9B,EAAqC;AACnC,UAAM,IAAIC,oBAAJ,CAAiB,wDAAjB,CAAN;AACD;AACF;;AAEM,eAAeC,mBAAf,CACLC,GADK,EAELC,WAFK,EAGLP,GAHK,EAILQ,IAJK,EAKmB;AACxB,MAAIC,IAAI,GAAGH,GAAG,CAACI,OAAJ,CAAYD,IAAZ,KAAqB,KAAhC,CADwB,CAGxB;AACA;;AACA,MAAIA,IAAI,KAAKT,GAAG,CAACW,IAAJ,IAAYX,GAAG,CAACY,gBAArB,CAAR,EAAgD;AAC9C,WAAON,GAAG,CAACO,KAAJ,CAAUC,qBAAV,CAAgC,qBAAc,EAAd,EAAkBP,WAAlB,EAA+B;AACpEQ,MAAAA,iBAAiB,EAAEf,GAAG,CAACW,IAD6C;AAEpEK,MAAAA,eAAe,EAAEhB,GAAG,CAACY;AAF+C,KAA/B,CAAhC,EAGHJ,IAHG,CAAP;AAID;;AAEDD,EAAAA,WAAW,GAAGA,WAAW,IAAI,kCAAsBD,GAAtB,CAA7B;AACAE,EAAAA,IAAI,GAAGA,IAAI,IAAI,yBAAaF,GAAb,EAAkBC,WAAlB,CAAf;AAEA,MAAIU,YAAY,GAAGV,WAAW,CAACU,YAAZ,IAA4B,EAA/C;;AACA,MAAI,CAACC,KAAK,CAACC,OAAN,CAAcF,YAAd,CAAL,EAAkC;AAChCA,IAAAA,YAAY,GAAG,CAACA,YAAD,CAAf;AACD;;AAED,MAAIG,MAAJ;;AACA,MAAIpB,GAAG,CAACqB,KAAR,EAAe;AACbD,IAAAA,MAAM,GAAGpB,GAAG,CAACqB,KAAJ,CAAUC,KAAV,CAAgB,GAAhB,CAAT;AACD,GAFD,MAEO;AACLF,IAAAA,MAAM,GAAG,iBAAMb,WAAW,CAACa,MAAlB,CAAT;AACD;;AACD,MAAIG,QAAQ,GAAGhB,WAAW,CAACgB,QAAZ,IAAwBjB,GAAG,CAACI,OAAJ,CAAYa,QAAnD,CA1BwB,CA4BxB;;AACAxB,EAAAA,gBAAgB,CAACC,GAAD,EAAMO,WAAN,CAAhB;AAEA,MAAIiB,SAAS,GAAG,EAAhB;AACA,MAAIC,SAAS,GAAGzB,GAAG,CAAC0B,UAApB;AACA,MAAIC,SAAS,GAAG3B,GAAG,CAAC4B,UAApB;AACA,MAAIC,WAAW,GAAG7B,GAAG,CAAC8B,YAAtB;AACA,MAAIC,OAAO,GAAG/B,GAAG,CAACgC,QAAlB;AACA,MAAIC,YAAY,GAAGjC,GAAG,CAACkC,aAAvB;AACA,MAAIC,GAAG,GAAGC,IAAI,CAACC,KAAL,CAAWC,IAAI,CAACH,GAAL,KAAW,IAAtB,CAAV;;AAEA,MAAIN,WAAJ,EAAiB;AACf,QAAIU,SAAS,GAAGjC,GAAG,CAACO,KAAJ,CAAU2B,MAAV,CAAiBX,WAAjB,CAAhB;AACAL,IAAAA,SAAS,CAACK,WAAV,GAAwB;AACtBA,MAAAA,WAAW,EAAEA,WADS;AAEtBY,MAAAA,MAAM,EAAEF,SAAS,CAACG,OAFI;AAGtBC,MAAAA,SAAS,EAAEC,MAAM,CAACnB,SAAD,CAAN,GAAoBU,GAHT;AAItBR,MAAAA,SAAS,EAAEA,SAJW;AAKtBP,MAAAA,MAAM,EAAEA,MALc;AAMtByB,MAAAA,YAAY,EAAErC,IAAI,CAACqC,YANG;AAOtBC,MAAAA,WAAW,EAAEtC,IAAI,CAACsC;AAPI,KAAxB;AASD;;AAED,MAAIb,YAAJ,EAAkB;AAChBT,IAAAA,SAAS,CAACS,YAAV,GAAyB;AACvBA,MAAAA,YAAY,EAAEA,YADS;AAEvB;AACA;AACAU,MAAAA,SAAS,EAAEC,MAAM,CAACnB,SAAD,CAAN,GAAoBU,GAJR;AAKvBf,MAAAA,MAAM,EAAEA,MALe;AAMvB2B,MAAAA,QAAQ,EAAEvC,IAAI,CAACuC,QANQ;AAOvBF,MAAAA,YAAY,EAAErC,IAAI,CAACqC,YAPI;AAQvBG,MAAAA,MAAM,EAAExC,IAAI,CAACwC;AARU,KAAzB;AAUD;;AAED,MAAIjB,OAAJ,EAAa;AACX,QAAIkB,KAAK,GAAG3C,GAAG,CAACO,KAAJ,CAAU2B,MAAV,CAAiBT,OAAjB,CAAZ;AACA,QAAImB,UAAmB,GAAG;AACxBnB,MAAAA,OAAO,EAAEA,OADe;AAExBU,MAAAA,MAAM,EAAEQ,KAAK,CAACP,OAFU;AAGxBC,MAAAA,SAAS,EAAEM,KAAK,CAACP,OAAN,CAAcS,GAAd,GAAqBF,KAAK,CAACP,OAAN,CAAcU,GAAnC,GAA0CjB,GAH7B;AAGkC;AAC1Df,MAAAA,MAAM,EAAEA,MAJgB;AAKxByB,MAAAA,YAAY,EAAErC,IAAI,CAACqC,YALK;AAMxBG,MAAAA,MAAM,EAAExC,IAAI,CAACwC,MANW;AAOxBzB,MAAAA,QAAQ,EAAEA;AAPc,KAA1B;AAUA,QAAI8B,gBAAmC,GAAG;AACxC9B,MAAAA,QAAQ,EAAEA,QAD8B;AAExCyB,MAAAA,MAAM,EAAExC,IAAI,CAACwC,MAF2B;AAGxCM,MAAAA,KAAK,EAAE/C,WAAW,CAAC+C,KAHqB;AAIxCzB,MAAAA,WAAW,EAAEA;AAJ2B,KAA1C;;AAOA,QAAItB,WAAW,CAACgD,eAAZ,KAAgCC,SAApC,EAA+C;AAC7CH,MAAAA,gBAAgB,CAACE,eAAjB,GAAmChD,WAAW,CAACgD,eAA/C;AACD;;AAED,UAAM,8BAAYjD,GAAZ,EAAiB4C,UAAjB,EAA6BG,gBAA7B,CAAN;AACA7B,IAAAA,SAAS,CAACO,OAAV,GAAoBmB,UAApB;AACD,GA1FuB,CA4FxB;;;AACA,MAAI,sBAAAjC,YAAY,MAAZ,CAAAA,YAAY,EAAS,OAAT,CAAZ,KAAkC,CAAC,CAAnC,IAAwC,CAACO,SAAS,CAACK,WAAvD,EAAoE;AAClE;AACA,UAAM,IAAIzB,oBAAJ,CAAiB,+GAAjB,CAAN;AACD;;AACD,MAAI,sBAAAa,YAAY,MAAZ,CAAAA,YAAY,EAAS,UAAT,CAAZ,KAAqC,CAAC,CAAtC,IAA2C,CAACO,SAAS,CAACO,OAA1D,EAAmE;AACjE;AACA,UAAM,IAAI3B,oBAAJ,CAAiB,8GAAjB,CAAN;AACD;;AAED,SAAO;AACLqD,IAAAA,MAAM,EAAEjC,SADH;AAELrB,IAAAA,KAAK,EAAEH,GAAG,CAACG,KAFN;AAGLQ,IAAAA,IAAI,EAAEX,GAAG,CAACW;AAHL,GAAP;AAMD","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOIDCInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from '../types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOIDCInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n var pkce = sdk.options.pkce !== false;\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || getOAuthUrls(sdk, tokenParams);\n\n var responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType)) {\n responseType = [responseType];\n }\n\n var scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n var clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n var tokenDict = {} as Tokens;\n var expiresIn = res.expires_in;\n var tokenType = res.token_type;\n var accessToken = res.access_token;\n var idToken = res.id_token;\n var refreshToken = res.refresh_token;\n var now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n var accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n }\n\n if (idToken) {\n var idJwt = sdk.token.decode(idToken);\n var idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n var validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code\n };\n \n}"],"file":"handleOAuthResponse.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/renewToken.ts"],"names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","idToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","then","res"],"mappings":";;;;AAYA;;AACA;;AACA;;AACA;;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA,SAASA,sBAAT,GAAkC;AAChC,QAAM,IAAIC,oBAAJ,CACJ,oFADI,CAAN;AAGD,C,CAED;;;AACA,SAASC,cAAT,CAAwBC,aAAxB,EAA8CC,MAA9C,EAA8D;AAC5D,MAAI,sBAAUD,aAAV,CAAJ,EAA8B;AAC5B,WAAOC,MAAM,CAACC,OAAd;AACD;;AACD,MAAI,0BAAcF,aAAd,CAAJ,EAAkC;AAChC,WAAOC,MAAM,CAACE,WAAd;AACD;;AACDN,EAAAA,sBAAsB;AACvB,C,CAED;;;AACO,eAAeO,UAAf,CAA0BC,GAA1B,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/renewToken.ts"],"names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","idToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","then","res"],"mappings":";;;;AAYA;;AACA;;AACA;;AACA;;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA,SAASA,sBAAT,GAAkC;AAChC,QAAM,IAAIC,oBAAJ,CACJ,oFADI,CAAN;AAGD,C,CAED;;;AACA,SAASC,cAAT,CAAwBC,aAAxB,EAA8CC,MAA9C,EAA8D;AAC5D,MAAI,sBAAUD,aAAV,CAAJ,EAA8B;AAC5B,WAAOC,MAAM,CAACC,OAAd;AACD;;AACD,MAAI,0BAAcF,aAAd,CAAJ,EAAkC;AAChC,WAAOC,MAAM,CAACE,WAAd;AACD;;AACDN,EAAAA,sBAAsB;AACvB,C,CAED;;;AACO,eAAeO,UAAf,CAA0BC,GAA1B,EAAsDC,KAAtD,EAAgG;AACrG,MAAI,CAAC,sBAAUA,KAAV,CAAD,IAAqB,CAAC,0BAAcA,KAAd,CAA1B,EAAgD;AAC9CT,IAAAA,sBAAsB;AACvB;;AAED,MAAII,MAAM,GAAGI,GAAG,CAACE,YAAJ,CAAiBC,aAAjB,EAAb;;AACA,MAAIP,MAAM,CAACQ,YAAX,EAAyB;AACvBR,IAAAA,MAAM,GAAG,MAAM,oDAAuBI,GAAvB,EAA4B;AACzCK,MAAAA,MAAM,EAAEJ,KAAK,CAACI;AAD2B,KAA5B,EAEZT,MAAM,CAACQ,YAFK,CAAf;AAGA,WAAOV,cAAc,CAACO,KAAD,EAAQL,MAAR,CAArB;AACD;;AAED,MAAIU,YAAJ;;AACA,MAAIN,GAAG,CAACO,OAAJ,CAAYC,IAAhB,EAAsB;AACpBF,IAAAA,YAAY,GAAG,MAAf;AACD,GAFD,MAEO,IAAI,0BAAcL,KAAd,CAAJ,EAA0B;AAC/BK,IAAAA,YAAY,GAAG,OAAf;AACD,GAFM,MAEA;AACLA,IAAAA,YAAY,GAAG,UAAf;AACD;;AAED,QAAM;AAAED,IAAAA,MAAF;AAAUI,IAAAA,YAAV;AAAwBC,IAAAA,WAAxB;AAAqCC,IAAAA;AAArC,MAAgDV,KAAtD;AACA,SAAO,wCAAiBD,GAAjB,EAAsB;AAC3BM,IAAAA,YAD2B;AAE3BD,IAAAA,MAF2B;AAG3BI,IAAAA,YAH2B;AAI3BC,IAAAA,WAJ2B;AAK3BC,IAAAA;AAL2B,GAAtB,EAOJC,IAPI,CAOC,UAAUC,GAAV,EAAe;AACnB,WAAOnB,cAAc,CAACO,KAAD,EAAQY,GAAG,CAACjB,MAAZ,CAArB;AACD,GATI,CAAP;AAUD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOIDCInterface, Token, Tokens, isAccessToken, AccessToken, IDToken, isIDToken } from '../types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\n\nfunction throwInvalidTokenError() {\n throw new AuthSdkError(\n 'Renew must be passed a token with an array of scopes and an accessToken or idToken'\n );\n}\n\n// Multiple tokens may have come back. Return only the token which was requested.\nfunction getSingleToken(originalToken: Token, tokens: Tokens) {\n if (isIDToken(originalToken)) {\n return tokens.idToken;\n }\n if (isAccessToken(originalToken)) {\n return tokens.accessToken;\n }\n throwInvalidTokenError();\n}\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\nexport async function renewToken(sdk: OktaAuthOIDCInterface, token: Token): Promise<Token | undefined> {\n if (!isIDToken(token) && !isAccessToken(token)) {\n throwInvalidTokenError();\n }\n\n let tokens = sdk.tokenManager.getTokensSync();\n if (tokens.refreshToken) {\n tokens = await renewTokensWithRefresh(sdk, {\n scopes: token.scopes,\n }, tokens.refreshToken);\n return getSingleToken(token, tokens);\n }\n\n var responseType;\n if (sdk.options.pkce) {\n responseType = 'code';\n } else if (isAccessToken(token)) {\n responseType = 'token';\n } else {\n responseType = 'id_token';\n }\n\n const { scopes, authorizeUrl, userinfoUrl, issuer } = token as (AccessToken & IDToken);\n return getWithoutPrompt(sdk, {\n responseType,\n scopes,\n authorizeUrl,\n userinfoUrl,\n issuer\n })\n .then(function (res) {\n return getSingleToken(token, res.tokens);\n });\n}\n"],"file":"renewToken.js"}
|
|
@@ -16,6 +16,8 @@ var _handleOAuthResponse = require("./handleOAuthResponse");
|
|
|
16
16
|
|
|
17
17
|
var _token = require("./endpoints/token");
|
|
18
18
|
|
|
19
|
+
var _errors2 = require("./util/errors");
|
|
20
|
+
|
|
19
21
|
/*!
|
|
20
22
|
* Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
|
|
21
23
|
* The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
|
|
@@ -37,23 +39,32 @@ async function renewTokensWithRefresh(sdk, tokenParams, refreshTokenObject) {
|
|
|
37
39
|
throw new _errors.AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');
|
|
38
40
|
}
|
|
39
41
|
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
42
|
+
try {
|
|
43
|
+
const renewTokenParams = (0, _assign.default)({}, tokenParams, {
|
|
44
|
+
clientId
|
|
45
|
+
});
|
|
46
|
+
const tokenResponse = await (0, _token.postRefreshToken)(sdk, renewTokenParams, refreshTokenObject);
|
|
47
|
+
const urls = (0, _oauth.getOAuthUrls)(sdk, tokenParams);
|
|
48
|
+
const {
|
|
49
|
+
tokens
|
|
50
|
+
} = await (0, _handleOAuthResponse.handleOAuthResponse)(sdk, renewTokenParams, tokenResponse, urls); // Support rotating refresh tokens
|
|
48
51
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
+
const {
|
|
53
|
+
refreshToken
|
|
54
|
+
} = tokens;
|
|
52
55
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
+
if (refreshToken && !(0, _refreshToken.isSameRefreshToken)(refreshToken, refreshTokenObject)) {
|
|
57
|
+
sdk.tokenManager.updateRefreshToken(refreshToken);
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
return tokens;
|
|
61
|
+
} catch (err) {
|
|
62
|
+
if ((0, _errors2.isRefreshTokenInvalidError)(err)) {
|
|
63
|
+
// if the refresh token is invalid, remove it from storage
|
|
64
|
+
sdk.tokenManager.removeRefreshToken();
|
|
65
|
+
}
|
|
56
66
|
|
|
57
|
-
|
|
67
|
+
throw err;
|
|
68
|
+
}
|
|
58
69
|
}
|
|
59
70
|
//# sourceMappingURL=renewTokensWithRefresh.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","options","AuthSdkError","renewTokenParams","tokenResponse","urls","tokens","refreshToken","tokenManager","updateRefreshToken"],"mappings":";;;;;;;;AAYA;;AACA;;AACA;;AAEA;;AACA;;
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","options","AuthSdkError","renewTokenParams","tokenResponse","urls","tokens","refreshToken","tokenManager","updateRefreshToken","err","removeRefreshToken"],"mappings":";;;;;;;;AAYA;;AACA;;AACA;;AAEA;;AACA;;AACA;;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AASO,eAAeA,sBAAf,CACLC,GADK,EAELC,WAFK,EAGLC,kBAHK,EAIY;AACjB,QAAM;AAAEC,IAAAA;AAAF,MAAeH,GAAG,CAACI,OAAzB;;AACA,MAAI,CAACD,QAAL,EAAe;AACb,UAAM,IAAIE,oBAAJ,CAAiB,0EAAjB,CAAN;AACD;;AAED,MAAI;AACF,UAAMC,gBAA6B,GAAG,qBAAc,EAAd,EAAkBL,WAAlB,EAA+B;AACnEE,MAAAA;AADmE,KAA/B,CAAtC;AAGA,UAAMI,aAAa,GAAG,MAAM,6BAAiBP,GAAjB,EAAsBM,gBAAtB,EAAwCJ,kBAAxC,CAA5B;AACA,UAAMM,IAAI,GAAG,yBAAaR,GAAb,EAAkBC,WAAlB,CAAb;AACA,UAAM;AAAEQ,MAAAA;AAAF,QAAa,MAAM,8CAAoBT,GAApB,EAAyBM,gBAAzB,EAA2CC,aAA3C,EAA0DC,IAA1D,CAAzB,CANE,CAQF;;AACA,UAAM;AAAEE,MAAAA;AAAF,QAAmBD,MAAzB;;AACA,QAAIC,YAAY,IAAI,CAAC,sCAAmBA,YAAnB,EAAiCR,kBAAjC,CAArB,EAA2E;AACzEF,MAAAA,GAAG,CAACW,YAAJ,CAAiBC,kBAAjB,CAAoCF,YAApC;AACD;;AAED,WAAOD,MAAP;AACD,GAfD,CAgBA,OAAOI,GAAP,EAAY;AACV,QAAI,yCAA2BA,GAA3B,CAAJ,EAAqC;AACnC;AACAb,MAAAA,GAAG,CAACW,YAAJ,CAAiBG,kBAAjB;AACD;;AACD,UAAMD,GAAN;AACD;AACF","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { getOAuthUrls } from './util/oauth';\nimport { isSameRefreshToken } from './util/refreshToken';\nimport { OktaAuthOIDCInterface, TokenParams, RefreshToken, Tokens } from '../types';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { postRefreshToken } from './endpoints/token';\nimport { isRefreshTokenInvalidError } from './util/errors';\n\nexport async function renewTokensWithRefresh(\n sdk: OktaAuthOIDCInterface,\n tokenParams: TokenParams,\n refreshTokenObject: RefreshToken\n): Promise<Tokens> {\n const { clientId } = sdk.options;\n if (!clientId) {\n throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');\n }\n\n try {\n const renewTokenParams: TokenParams = Object.assign({}, tokenParams, {\n clientId,\n });\n const tokenResponse = await postRefreshToken(sdk, renewTokenParams, refreshTokenObject);\n const urls = getOAuthUrls(sdk, tokenParams);\n const { tokens } = await handleOAuthResponse(sdk, renewTokenParams, tokenResponse, urls);\n\n // Support rotating refresh tokens\n const { refreshToken } = tokens;\n if (refreshToken && !isSameRefreshToken(refreshToken, refreshTokenObject)) {\n sdk.tokenManager.updateRefreshToken(refreshToken);\n }\n\n return tokens;\n }\n catch (err) {\n if (isRefreshTokenInvalidError(err)) {\n // if the refresh token is invalid, remove it from storage\n sdk.tokenManager.removeRefreshToken();\n }\n throw err;\n }\n}\n"],"file":"renewTokensWithRefresh.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/revokeToken.ts"],"names":["revokeToken","sdk","token","accessToken","refreshToken","AuthSdkError","clientId","options","clientSecret","revokeUrl","args","token_type_hint","creds","headers"],"mappings":";;;;;;;;AAcA;;AACA;;AACA;;AAGA;;AACA;;AApBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AAeA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/revokeToken.ts"],"names":["revokeToken","sdk","token","accessToken","refreshToken","AuthSdkError","clientId","options","clientSecret","revokeUrl","args","token_type_hint","creds","headers"],"mappings":";;;;;;;;AAcA;;AACA;;AACA;;AAGA;;AACA;;AApBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AAeA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,EAAuDC,KAAvD,EAA4F;AAAA;;AACjG,MAAIC,WAAW,GAAG,EAAlB;AACA,MAAIC,YAAY,GAAG,EAAnB;;AACA,MAAIF,KAAJ,EAAW;AACPC,IAAAA,WAAW,GAAID,KAAD,CAAuBC,WAArC;AACAC,IAAAA,YAAY,GAAIF,KAAD,CAAwBE,YAAvC;AACH;;AACD,MAAG,CAACD,WAAD,IAAgB,CAACC,YAApB,EAAkC;AAChC,UAAM,IAAIC,qBAAJ,CAAiB,oDAAjB,CAAN;AACD;;AACD,MAAIC,QAAQ,GAAGL,GAAG,CAACM,OAAJ,CAAYD,QAA3B;AACA,MAAIE,YAAY,GAAGP,GAAG,CAACM,OAAJ,CAAYC,YAA/B;;AACA,MAAI,CAACF,QAAL,EAAe;AACb,UAAM,IAAID,qBAAJ,CAAiB,4EAAjB,CAAN;AACD,GAdgG,CAejG;;;AACA,MAAII,SAAS,GAAG,yBAAaR,GAAb,EAAkBQ,SAAlC;AACA,MAAIC,IAAI,GAAG,wDAAc;AACvB;AACAC,IAAAA,eAAe,EAAEP,YAAY,GAAG,eAAH,GAAqB,cAF3B;AAGvBF,IAAAA,KAAK,EAAEE,YAAY,IAAID;AAHA,GAAd,kBAIF,CAJE,CAAX;AAKA,MAAIS,KAAK,GAAGJ,YAAY,GAAG,kBAAM,GAAEF,QAAS,IAAGE,YAAa,EAAjC,CAAH,GAAyC,kBAAKF,QAAL,CAAjE;AACA,SAAO,gBAAKL,GAAL,EAAUQ,SAAV,EAAqBC,IAArB,EAA2B;AAChCG,IAAAA,OAAO,EAAE;AACP,sBAAgB,mCADT;AAEP,uBAAiB,WAAWD;AAFrB;AADuB,GAA3B,CAAP;AAMD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\n/* eslint complexity:[0,8] */\nimport { post } from '../http';\nimport { toQueryString } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { btoa } from '../crypto';\nimport AuthSdkError from '../errors/AuthSdkError';\nimport {\n OktaAuthOIDCInterface,\n RevocableToken,\n AccessToken,\n RefreshToken\n} from '../types';\n\n// refresh tokens have precedence to be revoked if no token is specified\nexport async function revokeToken(sdk: OktaAuthOIDCInterface, token: RevocableToken): Promise<any> {\n let accessToken = '';\n let refreshToken = '';\n if (token) { \n accessToken = (token as AccessToken).accessToken;\n refreshToken = (token as RefreshToken).refreshToken; \n }\n if(!accessToken && !refreshToken) { \n throw new AuthSdkError('A valid access or refresh token object is required');\n }\n var clientId = sdk.options.clientId;\n var clientSecret = sdk.options.clientSecret;\n if (!clientId) {\n throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to revoke a token');\n }\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n var revokeUrl = getOAuthUrls(sdk).revokeUrl!;\n var args = toQueryString({\n // eslint-disable-next-line camelcase\n token_type_hint: refreshToken ? 'refresh_token' : 'access_token', \n token: refreshToken || accessToken,\n }).slice(1);\n var creds = clientSecret ? btoa(`${clientId}:${clientSecret}`) : btoa(clientId);\n return post(sdk, revokeUrl, args, {\n headers: {\n 'Content-Type': 'application/x-www-form-urlencoded',\n 'Authorization': 'Basic ' + creds\n }\n });\n}\n"],"file":"revokeToken.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/browser.ts"],"names":["addListener","eventTarget","name","fn","addEventListener","attachEvent","removeListener","removeEventListener","detachEvent","loadFrame","src","iframe","document","createElement","style","display","body","appendChild","loadPopup","options","title","popupTitle","appearance","window","open","addPostMessageListener","sdk","timeout","state","responseHandler","timeoutId","msgReceivedOrTimeout","resolve","reject","e","data","origin","getIssuerOrigin","AuthSdkError","setTimeout","finally","clearTimeout"],"mappings":";;;;;;;;;;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;;AACA;AAIO,SAASA,WAAT,CAAqBC,WAArB,EAAkCC,IAAlC,EAAwCC,EAAxC,EAA4C;AACjD,MAAIF,WAAW,CAACG,gBAAhB,EAAkC;AAChCH,IAAAA,WAAW,CAACG,gBAAZ,CAA6BF,IAA7B,EAAmCC,EAAnC;AACD,GAFD,MAEO;AACLF,IAAAA,WAAW,CAACI,WAAZ,CAAwB,OAAOH,IAA/B,EAAqCC,EAArC;AACD;AACF;;AAEM,SAASG,cAAT,CAAwBL,WAAxB,EAAqCC,IAArC,EAA2CC,EAA3C,EAA+C;AACpD,MAAIF,WAAW,CAACM,mBAAhB,EAAqC;AACnCN,IAAAA,WAAW,CAACM,mBAAZ,CAAgCL,IAAhC,EAAsCC,EAAtC;AACD,GAFD,MAEO;AACLF,IAAAA,WAAW,CAACO,WAAZ,CAAwB,OAAON,IAA/B,EAAqCC,EAArC;AACD;AACF;;AAEM,SAASM,SAAT,CAAmBC,GAAnB,EAAwB;AAC7B,MAAIC,MAAM,GAAGC,QAAQ,CAACC,aAAT,CAAuB,QAAvB,CAAb;AACAF,EAAAA,MAAM,CAACG,KAAP,CAAaC,OAAb,GAAuB,MAAvB;AACAJ,EAAAA,MAAM,CAACD,GAAP,GAAaA,GAAb;AAEA,SAAOE,QAAQ,CAACI,IAAT,CAAcC,WAAd,CAA0BN,MAA1B,CAAP;AACD;;AAEM,SAASO,SAAT,CAAmBR,GAAnB,EAAwBS,OAAxB,EAAiC;AACtC,MAAIC,KAAK,GAAGD,OAAO,CAACE,UAAR,IAAsB,gDAAlC;AACA,MAAIC,UAAU,GAAG,gDACf,0CADF;AAEA,SAAOC,MAAM,CAACC,IAAP,CAAYd,GAAZ,EAAiBU,KAAjB,EAAwBE,UAAxB,CAAP;AACD;;AAEM,SAASG,sBAAT,CAAgCC,GAAhC,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/browser.ts"],"names":["addListener","eventTarget","name","fn","addEventListener","attachEvent","removeListener","removeEventListener","detachEvent","loadFrame","src","iframe","document","createElement","style","display","body","appendChild","loadPopup","options","title","popupTitle","appearance","window","open","addPostMessageListener","sdk","timeout","state","responseHandler","timeoutId","msgReceivedOrTimeout","resolve","reject","e","data","origin","getIssuerOrigin","AuthSdkError","setTimeout","finally","clearTimeout"],"mappings":";;;;;;;;;;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;;AACA;AAIO,SAASA,WAAT,CAAqBC,WAArB,EAAkCC,IAAlC,EAAwCC,EAAxC,EAA4C;AACjD,MAAIF,WAAW,CAACG,gBAAhB,EAAkC;AAChCH,IAAAA,WAAW,CAACG,gBAAZ,CAA6BF,IAA7B,EAAmCC,EAAnC;AACD,GAFD,MAEO;AACLF,IAAAA,WAAW,CAACI,WAAZ,CAAwB,OAAOH,IAA/B,EAAqCC,EAArC;AACD;AACF;;AAEM,SAASG,cAAT,CAAwBL,WAAxB,EAAqCC,IAArC,EAA2CC,EAA3C,EAA+C;AACpD,MAAIF,WAAW,CAACM,mBAAhB,EAAqC;AACnCN,IAAAA,WAAW,CAACM,mBAAZ,CAAgCL,IAAhC,EAAsCC,EAAtC;AACD,GAFD,MAEO;AACLF,IAAAA,WAAW,CAACO,WAAZ,CAAwB,OAAON,IAA/B,EAAqCC,EAArC;AACD;AACF;;AAEM,SAASM,SAAT,CAAmBC,GAAnB,EAAwB;AAC7B,MAAIC,MAAM,GAAGC,QAAQ,CAACC,aAAT,CAAuB,QAAvB,CAAb;AACAF,EAAAA,MAAM,CAACG,KAAP,CAAaC,OAAb,GAAuB,MAAvB;AACAJ,EAAAA,MAAM,CAACD,GAAP,GAAaA,GAAb;AAEA,SAAOE,QAAQ,CAACI,IAAT,CAAcC,WAAd,CAA0BN,MAA1B,CAAP;AACD;;AAEM,SAASO,SAAT,CAAmBR,GAAnB,EAAwBS,OAAxB,EAAiC;AACtC,MAAIC,KAAK,GAAGD,OAAO,CAACE,UAAR,IAAsB,gDAAlC;AACA,MAAIC,UAAU,GAAG,gDACf,0CADF;AAEA,SAAOC,MAAM,CAACC,IAAP,CAAYd,GAAZ,EAAiBU,KAAjB,EAAwBE,UAAxB,CAAP;AACD;;AAEM,SAASG,sBAAT,CAAgCC,GAAhC,EAA+DC,OAA/D,EAAwEC,KAAxE,EAA+E;AACpF,MAAIC,eAAJ;AACA,MAAIC,SAAJ;AACA,MAAIC,oBAAoB,GAAG,qBAAY,UAAUC,OAAV,EAAmBC,MAAnB,EAA2B;AAEhEJ,IAAAA,eAAe,GAAG,SAASA,eAAT,CAAyBK,CAAzB,EAA4B;AAC5C,UAAI,CAACA,CAAC,CAACC,IAAH,IAAWD,CAAC,CAACC,IAAF,CAAOP,KAAP,KAAiBA,KAAhC,EAAuC;AACrC;AACA;AACD,OAJ2C,CAM5C;AACA;AACA;AACA;;;AACA,UAAIM,CAAC,CAACE,MAAF,KAAaV,GAAG,CAACW,eAAJ,EAAjB,EAAwC;AACtC,eAAOJ,MAAM,CAAC,IAAIK,oBAAJ,CAAiB,iDAAjB,CAAD,CAAb;AACD;;AACDN,MAAAA,OAAO,CAACE,CAAC,CAACC,IAAH,CAAP;AACD,KAdD;;AAgBAnC,IAAAA,WAAW,CAACuB,MAAD,EAAS,SAAT,EAAoBM,eAApB,CAAX;AAEAC,IAAAA,SAAS,GAAGS,UAAU,CAAC,YAAY;AACjCN,MAAAA,MAAM,CAAC,IAAIK,oBAAJ,CAAiB,sBAAjB,CAAD,CAAN;AACD,KAFqB,EAEnBX,OAAO,IAAI,MAFQ,CAAtB;AAGD,GAvB0B,CAA3B;AAyBA,SAAOI,oBAAoB,CACxBS,OADI,CACI,YAAY;AACnBC,IAAAA,YAAY,CAACX,SAAD,CAAZ;AACAxB,IAAAA,cAAc,CAACiB,MAAD,EAAS,SAAT,EAAoBM,eAApB,CAAd;AACD,GAJI,CAAP;AAKD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* global window, document */\n/* eslint-disable complexity, max-statements */\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthOptionsInterface } from '../../types';\n\nexport function addListener(eventTarget, name, fn) {\n if (eventTarget.addEventListener) {\n eventTarget.addEventListener(name, fn);\n } else {\n eventTarget.attachEvent('on' + name, fn);\n }\n}\n\nexport function removeListener(eventTarget, name, fn) {\n if (eventTarget.removeEventListener) {\n eventTarget.removeEventListener(name, fn);\n } else {\n eventTarget.detachEvent('on' + name, fn);\n }\n}\n\nexport function loadFrame(src) {\n var iframe = document.createElement('iframe');\n iframe.style.display = 'none';\n iframe.src = src;\n\n return document.body.appendChild(iframe);\n}\n\nexport function loadPopup(src, options) {\n var title = options.popupTitle || 'External Identity Provider User Authentication';\n var appearance = 'toolbar=no, scrollbars=yes, resizable=yes, ' +\n 'top=100, left=500, width=600, height=600';\n return window.open(src, title, appearance);\n}\n\nexport function addPostMessageListener(sdk: OktaAuthOptionsInterface, timeout, state) {\n var responseHandler;\n var timeoutId;\n var msgReceivedOrTimeout = new Promise(function (resolve, reject) {\n\n responseHandler = function responseHandler(e) {\n if (!e.data || e.data.state !== state) {\n // A message not meant for us\n return;\n }\n\n // Configuration mismatch between saved token and current app instance\n // This may happen if apps with different issuers are running on the same host url\n // If they share the same storage key, they may read and write tokens in the same location.\n // Common when developing against http://localhost\n if (e.origin !== sdk.getIssuerOrigin()) {\n return reject(new AuthSdkError('The request does not match client configuration'));\n }\n resolve(e.data);\n };\n\n addListener(window, 'message', responseHandler);\n\n timeoutId = setTimeout(function () {\n reject(new AuthSdkError('OAuth flow timed out'));\n }, timeout || 120000);\n });\n\n return msgReceivedOrTimeout\n .finally(function () {\n clearTimeout(timeoutId);\n removeListener(window, 'message', responseHandler);\n });\n}\n"],"file":"browser.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/defaultTokenParams.ts"],"names":["getDefaultTokenParams","sdk","pkce","clientId","redirectUri","responseType","responseMode","scopes","state","ignoreSignature","options","defaultRedirectUri","window","location","href","undefined","nonce"],"mappings":";;;;AAcA;;AAEA;;AACA;;AAhBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,SAASA,qBAAT,CAA+BC,GAA/B,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/defaultTokenParams.ts"],"names":["getDefaultTokenParams","sdk","pkce","clientId","redirectUri","responseType","responseMode","scopes","state","ignoreSignature","options","defaultRedirectUri","window","location","href","undefined","nonce"],"mappings":";;;;AAcA;;AAEA;;AACA;;AAhBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,SAASA,qBAAT,CAA+BC,GAA/B,EAA2E;AAChF,QAAM;AACJC,IAAAA,IADI;AAEJC,IAAAA,QAFI;AAGJC,IAAAA,WAHI;AAIJC,IAAAA,YAJI;AAKJC,IAAAA,YALI;AAMJC,IAAAA,MANI;AAOJC,IAAAA,KAPI;AAQJC,IAAAA;AARI,MASFR,GAAG,CAACS,OATR;AAUA,QAAMC,kBAAkB,GAAG,6BAAcC,MAAM,CAACC,QAAP,CAAgBC,IAA9B,GAAqCC,SAAhE;AACA,SAAO,sBAAW;AAChBb,IAAAA,IADgB;AAEhBC,IAAAA,QAFgB;AAGhBC,IAAAA,WAAW,EAAEA,WAAW,IAAIO,kBAHZ;AAIhBN,IAAAA,YAAY,EAAEA,YAAY,IAAI,CAAC,OAAD,EAAU,UAAV,CAJd;AAKhBC,IAAAA,YALgB;AAMhBE,IAAAA,KAAK,EAAEA,KAAK,IAAI,2BANA;AAOhBQ,IAAAA,KAAK,EAAE,2BAPS;AAQhBT,IAAAA,MAAM,EAAEA,MAAM,IAAI,CAAC,QAAD,EAAW,OAAX,CARF;AAShBE,IAAAA;AATgB,GAAX,CAAP;AAWD","sourcesContent":["\n/* global window */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { generateNonce, generateState } from './oauth';\nimport { OktaAuthOptionsInterface, TokenParams } from '../../types';\nimport { isBrowser } from '../../features';\nimport { removeNils } from '../../util';\n\nexport function getDefaultTokenParams(sdk: OktaAuthOptionsInterface): TokenParams {\n const {\n pkce,\n clientId,\n redirectUri,\n responseType,\n responseMode,\n scopes,\n state,\n ignoreSignature\n } = sdk.options;\n const defaultRedirectUri = isBrowser() ? window.location.href : undefined;\n return removeNils({\n pkce,\n clientId,\n redirectUri: redirectUri || defaultRedirectUri,\n responseType: responseType || ['token', 'id_token'],\n responseMode,\n state: state || generateState(),\n nonce: generateNonce(),\n scopes: scopes || ['openid', 'email'],\n ignoreSignature\n });\n}"],"file":"defaultTokenParams.js"}
|
package/cjs/oidc/util/errors.js
CHANGED
|
@@ -2,6 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
exports.isInteractionRequiredError = isInteractionRequiredError;
|
|
4
4
|
exports.isAuthorizationCodeError = isAuthorizationCodeError;
|
|
5
|
+
exports.isRefreshTokenInvalidError = isRefreshTokenInvalidError;
|
|
6
|
+
|
|
7
|
+
var _errors = require("../../errors");
|
|
5
8
|
|
|
6
9
|
/*!
|
|
7
10
|
* Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
|
|
@@ -34,4 +37,9 @@ function isAuthorizationCodeError(sdk, error) {
|
|
|
34
37
|
const responseJSON = errorResponse === null || errorResponse === void 0 ? void 0 : errorResponse.responseJSON;
|
|
35
38
|
return sdk.options.pkce && (responseJSON === null || responseJSON === void 0 ? void 0 : responseJSON.error) === 'invalid_grant';
|
|
36
39
|
}
|
|
40
|
+
|
|
41
|
+
function isRefreshTokenInvalidError(error) {
|
|
42
|
+
// error: {"error":"invalid_grant","error_description":"The refresh token is invalid or expired."}
|
|
43
|
+
return (0, _errors.isOAuthError)(error) && error.errorCode === 'invalid_grant' && error.errorSummary === 'The refresh token is invalid or expired.';
|
|
44
|
+
}
|
|
37
45
|
//# sourceMappingURL=errors.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/errors.ts"],"names":["isInteractionRequiredError","error","name","oauthError","errorCode","isAuthorizationCodeError","sdk","authApiError","errorResponse","xhr","responseJSON","options","pkce"],"mappings":"
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/errors.ts"],"names":["isInteractionRequiredError","error","name","oauthError","errorCode","isAuthorizationCodeError","sdk","authApiError","errorResponse","xhr","responseJSON","options","pkce","isRefreshTokenInvalidError","errorSummary"],"mappings":";;;;;;AAcA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMO,SAASA,0BAAT,CAAoCC,KAApC,EAAkD;AACvD,MAAIA,KAAK,CAACC,IAAN,KAAe,YAAnB,EAAiC;AAC/B,WAAO,KAAP;AACD;;AACD,QAAMC,UAAU,GAAGF,KAAnB;AACA,SAAQE,UAAU,CAACC,SAAX,KAAyB,sBAAjC;AACD;;AAEM,SAASC,wBAAT,CAAkCC,GAAlC,EAAiEL,KAAjE,EAA+E;AACpF,MAAIA,KAAK,CAACC,IAAN,KAAe,cAAnB,EAAmC;AACjC,WAAO,KAAP;AACD;;AACD,QAAMK,YAAY,GAAGN,KAArB,CAJoF,CAKpF;;AACA,QAAMO,aAAa,GAAGD,YAAY,CAACE,GAAnC;AACA,QAAMC,YAAY,GAAGF,aAAH,aAAGA,aAAH,uBAAGA,aAAa,CAAEE,YAApC;AACA,SAAOJ,GAAG,CAACK,OAAJ,CAAYC,IAAZ,IAAqB,CAAAF,YAAY,SAAZ,IAAAA,YAAY,WAAZ,YAAAA,YAAY,CAAET,KAAd,MAAkC,eAA9D;AACD;;AAEM,SAASY,0BAAT,CAAoCZ,KAApC,EAA6D;AAClE;AACA,SAAO,0BAAaA,KAAb,KACLA,KAAK,CAACG,SAAN,KAAoB,eADf,IAELH,KAAK,CAACa,YAAN,KAAuB,0CAFzB;AAGD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { OktaAuthOptionsInterface } from '../../types';\nimport { OAuthError, AuthApiError, isOAuthError } from '../../errors';\n\nexport function isInteractionRequiredError(error: Error) {\n if (error.name !== 'OAuthError') {\n return false;\n }\n const oauthError = error as OAuthError;\n return (oauthError.errorCode === 'interaction_required');\n}\n\nexport function isAuthorizationCodeError(sdk: OktaAuthOptionsInterface, error: Error) {\n if (error.name !== 'AuthApiError') {\n return false;\n }\n const authApiError = error as AuthApiError;\n // xhr property doesn't seem to match XMLHttpRequest type\n const errorResponse = authApiError.xhr as unknown as Record<string, unknown>;\n const responseJSON = errorResponse?.responseJSON as Record<string, unknown>;\n return sdk.options.pkce && (responseJSON?.error as string === 'invalid_grant');\n}\n\nexport function isRefreshTokenInvalidError(error: unknown): boolean {\n // error: {\"error\":\"invalid_grant\",\"error_description\":\"The refresh token is invalid or expired.\"}\n return isOAuthError(error) &&\n error.errorCode === 'invalid_grant' &&\n error.errorSummary === 'The refresh token is invalid or expired.';\n}\n"],"file":"errors.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/loginRedirect.ts"],"names":["hasTokensInHash","hash","test","hasAuthorizationCode","hashOrSearch","hasInteractionCode","hasErrorInUrl","isRedirectUri","uri","sdk","authParams","options","redirectUri","isCodeFlow","pkce","responseType","responseMode","getHashOrSearch","codeFlow","useQuery","window","location","search","isLoginRedirect","href","hasCode","isInteractionRequired"],"mappings":";;;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;;AACA;AAGO,SAASA,eAAT,CAAyBC,IAAzB,EAAgD;AACrD,SAAO,wBAAwBC,IAAxB,CAA6BD,IAA7B,CAAP;AACD,C,CAED;;;AACO,SAASE,oBAAT,CAA8BC,YAA9B,EAA6D;AAClE,SAAO,WAAWF,IAAX,CAAgBE,YAAhB,CAAP;AACD,C,CAED;;;AACO,SAASC,kBAAT,CAA4BD,YAA5B,EAA2D;AAChE,SAAO,uBAAuBF,IAAvB,CAA4BE,YAA5B,CAAP;AACD;;AAEM,SAASE,aAAT,CAAuBF,YAAvB,EAAsD;AAC3D,SAAO,YAAYF,IAAZ,CAAiBE,YAAjB,KAAkC,uBAAuBF,IAAvB,CAA4BE,YAA5B,CAAzC;AACD;;AAEM,SAASG,aAAT,CAAuBC,GAAvB,EAAoCC,GAApC,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/loginRedirect.ts"],"names":["hasTokensInHash","hash","test","hasAuthorizationCode","hashOrSearch","hasInteractionCode","hasErrorInUrl","isRedirectUri","uri","sdk","authParams","options","redirectUri","isCodeFlow","pkce","responseType","responseMode","getHashOrSearch","codeFlow","useQuery","window","location","search","isLoginRedirect","href","hasCode","isInteractionRequired"],"mappings":";;;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;;AACA;AAGO,SAASA,eAAT,CAAyBC,IAAzB,EAAgD;AACrD,SAAO,wBAAwBC,IAAxB,CAA6BD,IAA7B,CAAP;AACD,C,CAED;;;AACO,SAASE,oBAAT,CAA8BC,YAA9B,EAA6D;AAClE,SAAO,WAAWF,IAAX,CAAgBE,YAAhB,CAAP;AACD,C,CAED;;;AACO,SAASC,kBAAT,CAA4BD,YAA5B,EAA2D;AAChE,SAAO,uBAAuBF,IAAvB,CAA4BE,YAA5B,CAAP;AACD;;AAEM,SAASE,aAAT,CAAuBF,YAAvB,EAAsD;AAC3D,SAAO,YAAYF,IAAZ,CAAiBE,YAAjB,KAAkC,uBAAuBF,IAAvB,CAA4BE,YAA5B,CAAzC;AACD;;AAEM,SAASG,aAAT,CAAuBC,GAAvB,EAAoCC,GAApC,EAA4E;AACjF,MAAIC,UAAU,GAAGD,GAAG,CAACE,OAArB;;AACA,MAAI,CAACH,GAAD,IAAQ,CAACE,UAAU,CAACE,WAAxB,EAAqC;AACnC,WAAO,KAAP;AACD;;AACD,SAAO,sBAAAJ,GAAG,MAAH,CAAAA,GAAG,EAASE,UAAU,CAACE,WAApB,CAAH,KAAwC,CAA/C;AACD;;AAEM,SAASC,UAAT,CAAoBF,OAApB,EAA8C;AACnD,SAAOA,OAAO,CAACG,IAAR,IAAgBH,OAAO,CAACI,YAAR,KAAyB,MAAzC,IAAmDJ,OAAO,CAACK,YAAR,KAAyB,OAAnF;AACD;;AAEM,SAASC,eAAT,CAAyBN,OAAzB,EAAmD;AACxD,MAAIO,QAAQ,GAAGL,UAAU,CAACF,OAAD,CAAzB;AACA,MAAIQ,QAAQ,GAAGD,QAAQ,IAAIP,OAAO,CAACK,YAAR,KAAyB,UAApD;AACA,SAAOG,QAAQ,GAAGC,MAAM,CAACC,QAAP,CAAgBC,MAAnB,GAA4BF,MAAM,CAACC,QAAP,CAAgBpB,IAA3D;AACD;AAED;AACA;AACA;AACA;;;AACO,SAASsB,eAAT,CAA0Bd,GAA1B,EAAyD;AAC9D;AACA,MAAI,CAACF,aAAa,CAACa,MAAM,CAACC,QAAP,CAAgBG,IAAjB,EAAuBf,GAAvB,CAAlB,EAA8C;AAC5C,WAAO,KAAP;AACD,GAJ6D,CAM9D;;;AACA,MAAIS,QAAQ,GAAGL,UAAU,CAACJ,GAAG,CAACE,OAAL,CAAzB;AACA,MAAIP,YAAY,GAAGa,eAAe,CAACR,GAAG,CAACE,OAAL,CAAlC;;AAEA,MAAIL,aAAa,CAACF,YAAD,CAAjB,EAAiC;AAC/B,WAAO,IAAP;AACD;;AAED,MAAIc,QAAJ,EAAc;AACZ,QAAIO,OAAO,GAAItB,oBAAoB,CAACC,YAAD,CAApB,IAAsCC,kBAAkB,CAACD,YAAD,CAAvE;AACA,WAAOqB,OAAP;AACD,GAjB6D,CAmB9D;;;AACA,SAAOzB,eAAe,CAACoB,MAAM,CAACC,QAAP,CAAgBpB,IAAjB,CAAtB;AACD;AAED;AACA;AACA;AACA;;;AACO,SAASyB,qBAAT,CAAgCjB,GAAhC,EAA+DL,YAA/D,EAAsF;AAC3F,MAAI,CAACA,YAAL,EAAmB;AAAE;AACnB;AACA,QAAI,CAACmB,eAAe,CAACd,GAAD,CAApB,EAA0B;AACxB,aAAO,KAAP;AACD;;AAEDL,IAAAA,YAAY,GAAGa,eAAe,CAACR,GAAG,CAACE,OAAL,CAA9B;AACD;;AACD,SAAO,gCAAgCT,IAAhC,CAAqCE,YAArC,CAAP;AACD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* global window */\n/* eslint-disable complexity, max-statements */\nimport { OktaAuthOptionsInterface, OktaAuthOptions } from '../../types';\n\nexport function hasTokensInHash(hash: string): boolean {\n return /((id|access)_token=)/i.test(hash);\n}\n\n// authorization_code\nexport function hasAuthorizationCode(hashOrSearch: string): boolean {\n return /(code=)/i.test(hashOrSearch);\n}\n\n// interaction_code\nexport function hasInteractionCode(hashOrSearch: string): boolean {\n return /(interaction_code=)/i.test(hashOrSearch);\n}\n\nexport function hasErrorInUrl(hashOrSearch: string): boolean {\n return /(error=)/i.test(hashOrSearch) || /(error_description)/i.test(hashOrSearch);\n}\n\nexport function isRedirectUri(uri: string, sdk: OktaAuthOptionsInterface): boolean {\n var authParams = sdk.options;\n if (!uri || !authParams.redirectUri) {\n return false;\n }\n return uri.indexOf(authParams.redirectUri) === 0;\n}\n\nexport function isCodeFlow(options: OktaAuthOptions) {\n return options.pkce || options.responseType === 'code' || options.responseMode === 'query';\n}\n\nexport function getHashOrSearch(options: OktaAuthOptions) {\n var codeFlow = isCodeFlow(options);\n var useQuery = codeFlow && options.responseMode !== 'fragment';\n return useQuery ? window.location.search : window.location.hash;\n}\n\n/**\n * Check if tokens or a code have been passed back into the url, which happens in\n * the OIDC (including social auth IDP) redirect flow.\n */\nexport function isLoginRedirect (sdk: OktaAuthOptionsInterface) {\n // First check, is this a redirect URI?\n if (!isRedirectUri(window.location.href, sdk)){\n return false;\n }\n\n // The location contains either a code, token, or an error + error_description\n var codeFlow = isCodeFlow(sdk.options);\n var hashOrSearch = getHashOrSearch(sdk.options);\n\n if (hasErrorInUrl(hashOrSearch)) {\n return true;\n }\n\n if (codeFlow) {\n var hasCode = hasAuthorizationCode(hashOrSearch) || hasInteractionCode(hashOrSearch);\n return hasCode;\n }\n\n // implicit flow, will always be hash fragment\n return hasTokensInHash(window.location.hash);\n}\n\n/**\n * Check if error=interaction_required has been passed back in the url, which happens in\n * the social auth IDP redirect flow.\n */\nexport function isInteractionRequired (sdk: OktaAuthOptionsInterface, hashOrSearch?: string) {\n if (!hashOrSearch) { // web only\n // First check, is this a redirect URI?\n if (!isLoginRedirect(sdk)){\n return false;\n }\n \n hashOrSearch = getHashOrSearch(sdk.options);\n }\n return /(error=interaction_required)/i.test(hashOrSearch);\n}"],"file":"loginRedirect.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/oauth.ts"],"names":["generateState","generateNonce","getIssuer","sdk","options","issuer","getOAuthBaseUrl","baseUrl","getOAuthDomain","domain","split","getOAuthUrls","arguments","length","AuthSdkError","authorizeUrl","userinfoUrl","tokenUrl","logoutUrl","revokeUrl"],"mappings":";;;;;;;;;;;;AAaA;;AACA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,aAAT,GAAyB;AAC9B,SAAO,2BAAgB,EAAhB,CAAP;AACD;;AAEM,SAASC,aAAT,GAAyB;AAC9B,SAAO,2BAAgB,EAAhB,CAAP;AACD;;AAED,SAASC,SAAT,CAAmBC,GAAnB,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/oauth.ts"],"names":["generateState","generateNonce","getIssuer","sdk","options","issuer","getOAuthBaseUrl","baseUrl","getOAuthDomain","domain","split","getOAuthUrls","arguments","length","AuthSdkError","authorizeUrl","userinfoUrl","tokenUrl","logoutUrl","revokeUrl"],"mappings":";;;;;;;;;;;;AAaA;;AACA;;AAdA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,aAAT,GAAyB;AAC9B,SAAO,2BAAgB,EAAhB,CAAP;AACD;;AAEM,SAASC,aAAT,GAAyB;AAC9B,SAAO,2BAAgB,EAAhB,CAAP;AACD;;AAED,SAASC,SAAT,CAAmBC,GAAnB,EAAkDC,OAAmB,GAAG,EAAxE,EAA4E;AAC1E,QAAMC,MAAM,GAAG,+BAAoBD,OAAO,CAACC,MAA5B,KAAuCF,GAAG,CAACC,OAAJ,CAAYC,MAAlE;AACA,SAAOA,MAAP;AACD;;AAEM,SAASC,eAAT,CAAyBH,GAAzB,EAAwDC,OAAmB,GAAG,EAA9E,EAAkF;AACvF,QAAMC,MAAM,GAAGH,SAAS,CAACC,GAAD,EAAMC,OAAN,CAAxB;AACA,QAAMG,OAAO,GAAG,sBAAAF,MAAM,MAAN,CAAAA,MAAM,EAAS,SAAT,CAAN,GAA4B,CAA5B,GAAgCA,MAAhC,GAAyCA,MAAM,GAAG,SAAlE;AACA,SAAOE,OAAP;AACD;;AAEM,SAASC,cAAT,CAAwBL,GAAxB,EAAuDC,OAAmB,GAAG,EAA7E,EAAiF;AACtF,QAAMC,MAAM,GAAGH,SAAS,CAACC,GAAD,EAAMC,OAAN,CAAxB;AACA,QAAMK,MAAM,GAAGJ,MAAM,CAACK,KAAP,CAAa,SAAb,EAAwB,CAAxB,CAAf;AACA,SAAOD,MAAP;AACD;;AAEM,SAASE,YAAT,CAAsBR,GAAtB,EAAqDC,OAArD,EAAuF;AAC5F,MAAIQ,SAAS,CAACC,MAAV,GAAmB,CAAvB,EAA0B;AACxB,UAAM,IAAIC,qBAAJ,CAAiB,sEAAjB,CAAN;AACD;;AACDV,EAAAA,OAAO,GAAGA,OAAO,IAAI,EAArB,CAJ4F,CAM5F;;AACA,MAAIW,YAAY,GAAG,+BAAoBX,OAAO,CAACW,YAA5B,KAA6CZ,GAAG,CAACC,OAAJ,CAAYW,YAA5E;AACA,MAAIV,MAAM,GAAGH,SAAS,CAACC,GAAD,EAAMC,OAAN,CAAtB;AACA,MAAIY,WAAW,GAAG,+BAAoBZ,OAAO,CAACY,WAA5B,KAA4Cb,GAAG,CAACC,OAAJ,CAAYY,WAA1E;AACA,MAAIC,QAAQ,GAAG,+BAAoBb,OAAO,CAACa,QAA5B,KAAyCd,GAAG,CAACC,OAAJ,CAAYa,QAApE;AACA,MAAIC,SAAS,GAAG,+BAAoBd,OAAO,CAACc,SAA5B,KAA0Cf,GAAG,CAACC,OAAJ,CAAYc,SAAtE;AACA,MAAIC,SAAS,GAAG,+BAAoBf,OAAO,CAACe,SAA5B,KAA0ChB,GAAG,CAACC,OAAJ,CAAYe,SAAtE;AAEA,MAAIZ,OAAO,GAAGD,eAAe,CAACH,GAAD,EAAMC,OAAN,CAA7B;AAEAW,EAAAA,YAAY,GAAGA,YAAY,IAAIR,OAAO,GAAG,eAAzC;AACAS,EAAAA,WAAW,GAAGA,WAAW,IAAIT,OAAO,GAAG,cAAvC;AACAU,EAAAA,QAAQ,GAAGA,QAAQ,IAAIV,OAAO,GAAG,WAAjC;AACAY,EAAAA,SAAS,GAAGA,SAAS,IAAIZ,OAAO,GAAG,YAAnC;AACAW,EAAAA,SAAS,GAAGA,SAAS,IAAIX,OAAO,GAAG,YAAnC;AAEA,SAAO;AACLF,IAAAA,MAAM,EAAEA,MADH;AAELU,IAAAA,YAAY,EAAEA,YAFT;AAGLC,IAAAA,WAAW,EAAEA,WAHR;AAILC,IAAAA,QAAQ,EAAEA,QAJL;AAKLE,IAAAA,SAAS,EAAEA,SALN;AAMLD,IAAAA,SAAS,EAAEA;AANN,GAAP;AAQD","sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\nimport { genRandomString, removeTrailingSlash } from '../../util';\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuthOptionsInterface, CustomUrls } from '../../types';\n\nexport function generateState() {\n return genRandomString(64);\n}\n\nexport function generateNonce() {\n return genRandomString(64);\n}\n\nfunction getIssuer(sdk: OktaAuthOptionsInterface, options: CustomUrls = {}) {\n const issuer = removeTrailingSlash(options.issuer) || sdk.options.issuer;\n return issuer;\n}\n\nexport function getOAuthBaseUrl(sdk: OktaAuthOptionsInterface, options: CustomUrls = {}) {\n const issuer = getIssuer(sdk, options);\n const baseUrl = issuer.indexOf('/oauth2') > 0 ? issuer : issuer + '/oauth2';\n return baseUrl;\n}\n\nexport function getOAuthDomain(sdk: OktaAuthOptionsInterface, options: CustomUrls = {}) {\n const issuer = getIssuer(sdk, options);\n const domain = issuer.split('/oauth2')[0];\n return domain;\n}\n\nexport function getOAuthUrls(sdk: OktaAuthOptionsInterface, options?: CustomUrls): CustomUrls {\n if (arguments.length > 2) {\n throw new AuthSdkError('As of version 3.0, \"getOAuthUrls\" takes only a single set of options');\n }\n options = options || {};\n\n // Get user-supplied arguments\n var authorizeUrl = removeTrailingSlash(options.authorizeUrl) || sdk.options.authorizeUrl;\n var issuer = getIssuer(sdk, options);\n var userinfoUrl = removeTrailingSlash(options.userinfoUrl) || sdk.options.userinfoUrl;\n var tokenUrl = removeTrailingSlash(options.tokenUrl) || sdk.options.tokenUrl;\n var logoutUrl = removeTrailingSlash(options.logoutUrl) || sdk.options.logoutUrl;\n var revokeUrl = removeTrailingSlash(options.revokeUrl) || sdk.options.revokeUrl;\n\n var baseUrl = getOAuthBaseUrl(sdk, options);\n\n authorizeUrl = authorizeUrl || baseUrl + '/v1/authorize';\n userinfoUrl = userinfoUrl || baseUrl + '/v1/userinfo';\n tokenUrl = tokenUrl || baseUrl + '/v1/token';\n revokeUrl = revokeUrl || baseUrl + '/v1/revoke';\n logoutUrl = logoutUrl || baseUrl + '/v1/logout';\n\n return {\n issuer: issuer,\n authorizeUrl: authorizeUrl,\n userinfoUrl: userinfoUrl,\n tokenUrl: tokenUrl,\n revokeUrl: revokeUrl,\n logoutUrl: logoutUrl\n };\n}\n"],"file":"oauth.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/oauthMeta.ts"],"names":["createOAuthMeta","sdk","tokenParams","issuer","options","urls","oauthMeta","clientId","redirectUri","responseType","responseMode","scopes","state","nonce","ignoreSignature","pkce","pkceMeta","codeVerifier","codeChallengeMethod","codeChallenge"],"mappings":";;;;AAEA;;AAFA;AAIO,SAASA,eAAT,CACLC,GADK,EAELC,WAFK,EAGuC;AAC5C,QAAMC,MAAM,GAAGF,GAAG,CAACG,OAAJ,CAAYD,MAA3B;AACA,QAAME,IAAI,GAAG,yBAAaJ,GAAb,EAAkBC,WAAlB,CAAb;AACA,QAAMI,SAA+B,GAAG;AACtCH,IAAAA,MADsC;AAEtCE,IAAAA,IAFsC;AAGtCE,IAAAA,QAAQ,EAAEL,WAAW,CAACK,QAHgB;AAItCC,IAAAA,WAAW,EAAEN,WAAW,CAACM,WAJa;AAKtCC,IAAAA,YAAY,EAAEP,WAAW,CAACO,YALY;AAMtCC,IAAAA,YAAY,EAAER,WAAW,CAACQ,YANY;AAOtCC,IAAAA,MAAM,EAAET,WAAW,CAACS,MAPkB;AAQtCC,IAAAA,KAAK,EAAEV,WAAW,CAACU,KARmB;AAStCC,IAAAA,KAAK,EAAEX,WAAW,CAACW,KATmB;AAUtCC,IAAAA,eAAe,EAAEZ,WAAW,CAACY;AAVS,GAAxC;;AAaA,MAAIZ,WAAW,CAACa,IAAZ,KAAqB,KAAzB,EAAgC;AAC9B;AACA,WAAOT,SAAP;AACD;;AAED,QAAMU,QAA6B,GAAG,EACpC,GAAGV,SADiC;AAEpCW,IAAAA,YAAY,EAAEf,WAAW,CAACe,YAFU;AAGpCC,IAAAA,mBAAmB,EAAEhB,WAAW,CAACgB,mBAHG;AAIpCC,IAAAA,aAAa,EAAEjB,WAAW,CAACiB;AAJS,GAAtC;AAOA,SAAOH,QAAP;AACD","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport { OAuthTransactionMeta,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/oauthMeta.ts"],"names":["createOAuthMeta","sdk","tokenParams","issuer","options","urls","oauthMeta","clientId","redirectUri","responseType","responseMode","scopes","state","nonce","ignoreSignature","pkce","pkceMeta","codeVerifier","codeChallengeMethod","codeChallenge"],"mappings":";;;;AAEA;;AAFA;AAIO,SAASA,eAAT,CACLC,GADK,EAELC,WAFK,EAGuC;AAC5C,QAAMC,MAAM,GAAGF,GAAG,CAACG,OAAJ,CAAYD,MAA3B;AACA,QAAME,IAAI,GAAG,yBAAaJ,GAAb,EAAkBC,WAAlB,CAAb;AACA,QAAMI,SAA+B,GAAG;AACtCH,IAAAA,MADsC;AAEtCE,IAAAA,IAFsC;AAGtCE,IAAAA,QAAQ,EAAEL,WAAW,CAACK,QAHgB;AAItCC,IAAAA,WAAW,EAAEN,WAAW,CAACM,WAJa;AAKtCC,IAAAA,YAAY,EAAEP,WAAW,CAACO,YALY;AAMtCC,IAAAA,YAAY,EAAER,WAAW,CAACQ,YANY;AAOtCC,IAAAA,MAAM,EAAET,WAAW,CAACS,MAPkB;AAQtCC,IAAAA,KAAK,EAAEV,WAAW,CAACU,KARmB;AAStCC,IAAAA,KAAK,EAAEX,WAAW,CAACW,KATmB;AAUtCC,IAAAA,eAAe,EAAEZ,WAAW,CAACY;AAVS,GAAxC;;AAaA,MAAIZ,WAAW,CAACa,IAAZ,KAAqB,KAAzB,EAAgC;AAC9B;AACA,WAAOT,SAAP;AACD;;AAED,QAAMU,QAA6B,GAAG,EACpC,GAAGV,SADiC;AAEpCW,IAAAA,YAAY,EAAEf,WAAW,CAACe,YAFU;AAGpCC,IAAAA,mBAAmB,EAAEhB,WAAW,CAACgB,mBAHG;AAIpCC,IAAAA,aAAa,EAAEjB,WAAW,CAACiB;AAJS,GAAtC;AAOA,SAAOH,QAAP;AACD","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport { OAuthTransactionMeta, OktaAuthOptionsInterface, PKCETransactionMeta, TokenParams } from '../../types';\nimport { getOAuthUrls } from './oauth';\n\nexport function createOAuthMeta(\n sdk: OktaAuthOptionsInterface, \n tokenParams: TokenParams\n): OAuthTransactionMeta | PKCETransactionMeta {\n const issuer = sdk.options.issuer!;\n const urls = getOAuthUrls(sdk, tokenParams);\n const oauthMeta: OAuthTransactionMeta = {\n issuer,\n urls,\n clientId: tokenParams.clientId!,\n redirectUri: tokenParams.redirectUri!,\n responseType: tokenParams.responseType!,\n responseMode: tokenParams.responseMode!,\n scopes: tokenParams.scopes!,\n state: tokenParams.state!,\n nonce: tokenParams.nonce!,\n ignoreSignature: tokenParams.ignoreSignature!,\n };\n\n if (tokenParams.pkce === false) {\n // Implicit flow or authorization_code without PKCE\n return oauthMeta;\n }\n\n const pkceMeta: PKCETransactionMeta = {\n ...oauthMeta,\n codeVerifier: tokenParams.codeVerifier!,\n codeChallengeMethod: tokenParams.codeChallengeMethod!,\n codeChallenge: tokenParams.codeChallenge!,\n };\n\n return pkceMeta;\n}\n"],"file":"oauthMeta.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","methods","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","pkce"],"mappings":";;;;;;;;;;;AAaA;;AACA;;AAEA;;AACA;;AACA;;AAlBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,SAASA,iBAAT,CAA2BC,GAA3B,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","methods","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","pkce"],"mappings":";;;;;;;;;;;AAaA;;AACA;;AAEA;;AACA;;AACA;;AAlBA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQO,SAASA,iBAAT,CAA2BC,GAA3B,EAA2D;AAChE,MAAI,CAACA,GAAG,CAACC,QAAJ,CAAaC,eAAb,EAAL,EAAqC;AACnC,QAAIC,YAAY,GAAG,qFAAnB;;AACA,QAAI,CAACH,GAAG,CAACC,QAAJ,CAAaG,OAAb,EAAL,EAA6B;AAC3B;AACAD,MAAAA,YAAY,IAAI,kGAAhB;AACD;;AACD,QAAI,CAACH,GAAG,CAACC,QAAJ,CAAaI,cAAb,EAAL,EAAoC;AAClC;AACAF,MAAAA,YAAY,IAAI,wGAAhB;AACD;;AACD,UAAM,IAAIG,oBAAJ,CAAiBH,YAAjB,CAAN;AACD;AACF;;AAEM,eAAeI,2BAAf,CAA2CP,GAA3C,EAAuEQ,mBAAvE,EAAqG;AAC1G;AACAA,EAAAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAJ,CAAYD,mBAAnC,IAA0DE,wCAAhF,CAF0G,CAI1G;;AACA,QAAMC,iBAAiB,GAAG,MAAM,6BAAaX,GAAb,CAAhC;AACA,MAAIY,OAAO,GAAGD,iBAAiB,CAAC,kCAAD,CAAjB,IAAyD,EAAvE;;AACA,MAAI,sBAAAC,OAAO,MAAP,CAAAA,OAAO,EAASJ,mBAAT,CAAP,KAAyC,CAAC,CAA9C,EAAiD;AAC/C,UAAM,IAAIF,oBAAJ,CAAiB,+BAAjB,CAAN;AACD;;AACD,SAAOE,mBAAP;AACD;;AAEM,eAAeK,WAAf,CACLb,GADK,EAELc,WAFK,EAGiB;AACtB,MAAI;AACFC,IAAAA,YADE;AAEFC,IAAAA,aAFE;AAGFR,IAAAA;AAHE,MAIAM,WAJJ,CADsB,CAOtB;;AACAE,EAAAA,aAAa,GAAGA,aAAa,IAAIhB,GAAG,CAACS,OAAJ,CAAYO,aAA7C;;AACA,MAAI,CAACA,aAAL,EAAoB;AAClBjB,IAAAA,iBAAiB,CAACC,GAAD,CAAjB;AACAe,IAAAA,YAAY,GAAGA,YAAY,IAAIE,cAAKC,gBAAL,EAA/B;AACAF,IAAAA,aAAa,GAAG,MAAMC,cAAKE,gBAAL,CAAsBJ,YAAtB,CAAtB;AACD;;AACDP,EAAAA,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAD,EAAMQ,mBAAN,CAAvD,CAdsB,CAgBtB;;AACAM,EAAAA,WAAW,GAAG,EACZ,GAAGA,WADS;AAEZM,IAAAA,YAAY,EAAE,MAFF;AAEU;AACtBL,IAAAA,YAHY;AAIZC,IAAAA,aAJY;AAKZR,IAAAA;AALY,GAAd;AAQA,SAAOM,WAAP;AACD,C,CAED;;;AACO,eAAeO,kBAAf,CACLrB,GADK,EAELc,WAAwB,GAAG,EAFtB,EAGiB;AACtB;AACA,QAAMQ,QAAQ,GAAG,+CAAsBtB,GAAtB,CAAjB;AACAc,EAAAA,WAAW,GAAG,EAAE,GAAGQ,QAAL;AAAe,OAAGR;AAAlB,GAAd;;AAEA,MAAIA,WAAW,CAACS,IAAZ,KAAqB,KAAzB,EAAgC;AAC9B;AACA,WAAOT,WAAP;AACD;;AAED,SAAOD,WAAW,CAACb,GAAD,EAAMc,WAAN,CAAlB;AACD","sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthFeaturesInterface, OktaAuthOIDCInterface, TokenParams } from '../../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\n\nexport function assertPKCESupport(sdk: OktaAuthFeaturesInterface) {\n if (!sdk.features.isPKCESupported()) {\n var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n if (!sdk.features.isHTTPS()) {\n // eslint-disable-next-line max-len\n errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n }\n if (!sdk.features.hasTextEncoder()) {\n // eslint-disable-next-line max-len\n errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n }\n throw new AuthSdkError(errorMessage);\n }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthOIDCInterface, codeChallengeMethod?: string) {\n // set default code challenge method, if none provided\n codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n // validate against .well-known/openid-configuration\n const wellKnownResponse = await getWellKnown(sdk);\n var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n if (methods.indexOf(codeChallengeMethod) === -1) {\n throw new AuthSdkError('Invalid code_challenge_method');\n }\n return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n sdk: OktaAuthOIDCInterface, \n tokenParams: TokenParams\n): Promise<TokenParams> {\n let {\n codeVerifier,\n codeChallenge,\n codeChallengeMethod\n } = tokenParams;\n\n // PKCE calculations can be avoided by passing a codeChallenge\n codeChallenge = codeChallenge || sdk.options.codeChallenge;\n if (!codeChallenge) {\n assertPKCESupport(sdk);\n codeVerifier = codeVerifier || PKCE.generateVerifier();\n codeChallenge = await PKCE.computeChallenge(codeVerifier);\n }\n codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n // Clone/copy the params. Set PKCE values\n tokenParams = {\n ...tokenParams,\n responseType: 'code', // responseType is forced\n codeVerifier,\n codeChallenge,\n codeChallengeMethod\n };\n\n return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n sdk: OktaAuthOIDCInterface,\n tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n // build params using defaults + options\n const defaults = getDefaultTokenParams(sdk);\n tokenParams = { ...defaults, ...tokenParams };\n\n if (tokenParams.pkce === false) {\n // Implicit flow or authorization_code without PKCE\n return tokenParams;\n }\n\n return preparePKCE(sdk, tokenParams);\n}"],"file":"prepareTokenParams.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../../lib/oidc/util/validateClaims.ts"],"names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"mappings":";;;;;;AAeA;;AAfA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,cAAT,CAAwBC,GAAxB,
|
|
1
|
+
{"version":3,"sources":["../../../../lib/oidc/util/validateClaims.ts"],"names":["validateClaims","sdk","claims","validationParams","aud","clientId","iss","issuer","nonce","AuthSdkError","now","Math","floor","Date","iat","exp","options","ignoreLifetime","maxClockSkew"],"mappings":";;;;;;AAeA;;AAfA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA;AAKO,SAASA,cAAT,CAAwBC,GAAxB,EAAuDC,MAAvD,EAA2EC,gBAA3E,EAAgH;AACrH,MAAIC,GAAG,GAAGD,gBAAgB,CAACE,QAA3B;AACA,MAAIC,GAAG,GAAGH,gBAAgB,CAACI,MAA3B;AACA,MAAIC,KAAK,GAAGL,gBAAgB,CAACK,KAA7B;;AAEA,MAAI,CAACN,MAAD,IAAW,CAACI,GAAZ,IAAmB,CAACF,GAAxB,EAA6B;AAC3B,UAAM,IAAIK,qBAAJ,CAAiB,kDAAjB,CAAN;AACD;;AAED,MAAID,KAAK,IAAIN,MAAM,CAACM,KAAP,KAAiBA,KAA9B,EAAqC;AACnC,UAAM,IAAIC,qBAAJ,CAAiB,wDAAjB,CAAN;AACD;;AAED,MAAIC,GAAG,GAAGC,IAAI,CAACC,KAAL,CAAWC,IAAI,CAACH,GAAL,KAAW,IAAtB,CAAV;;AAEA,MAAIR,MAAM,CAACI,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIG,qBAAJ,CAAiB,iBAAiBP,MAAM,CAACI,GAAxB,GAA8B,IAA9B,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIJ,MAAM,CAACE,GAAP,KAAeA,GAAnB,EAAwB;AACtB,UAAM,IAAIK,qBAAJ,CAAiB,mBAAmBP,MAAM,CAACE,GAA1B,GAAgC,IAAhC,GACrB,kBADqB,GACAA,GADA,GACM,GADvB,CAAN;AAED;;AAED,MAAIF,MAAM,CAACY,GAAP,GAAcZ,MAAM,CAACa,GAAzB,EAA+B;AAC7B,UAAM,IAAIN,qBAAJ,CAAiB,sCAAjB,CAAN;AACD;;AAED,MAAI,CAACR,GAAG,CAACe,OAAJ,CAAYC,cAAjB,EAAiC;AAC/B,QAAKP,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAAnB,GAAoChB,MAAM,CAACa,GAA/C,EAAqD;AACnD,YAAM,IAAIN,qBAAJ,CAAiB,wCAAjB,CAAN;AACD;;AAED,QAAIP,MAAM,CAACY,GAAP,GAAeJ,GAAG,GAAGT,GAAG,CAACe,OAAJ,CAAYE,YAArC,EAAqD;AACnD,YAAM,IAAIT,qBAAJ,CAAiB,kCAAjB,CAAN;AACD;AACF;AACF","sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n/* eslint-disable complexity, max-statements */\n\nimport AuthSdkError from '../../errors/AuthSdkError';\nimport { OktaAuthOptionsInterface, TokenVerifyParams, UserClaims } from '../../types';\n\nexport function validateClaims(sdk: OktaAuthOptionsInterface, claims: UserClaims, validationParams: TokenVerifyParams) {\n var aud = validationParams.clientId;\n var iss = validationParams.issuer;\n var nonce = validationParams.nonce;\n\n if (!claims || !iss || !aud) {\n throw new AuthSdkError('The jwt, iss, and aud arguments are all required');\n }\n\n if (nonce && claims.nonce !== nonce) {\n throw new AuthSdkError('OAuth flow response nonce doesn\\'t match request nonce');\n }\n\n var now = Math.floor(Date.now()/1000);\n\n if (claims.iss !== iss) {\n throw new AuthSdkError('The issuer [' + claims.iss + '] ' +\n 'does not match [' + iss + ']');\n }\n\n if (claims.aud !== aud) {\n throw new AuthSdkError('The audience [' + claims.aud + '] ' +\n 'does not match [' + aud + ']');\n }\n\n if (claims.iat! > claims.exp!) {\n throw new AuthSdkError('The JWT expired before it was issued');\n }\n\n if (!sdk.options.ignoreLifetime) {\n if ((now - sdk.options.maxClockSkew!) > claims.exp!) {\n throw new AuthSdkError('The JWT expired and is no longer valid');\n }\n\n if (claims.iat! > (now + sdk.options.maxClockSkew!)) {\n throw new AuthSdkError('The JWT was issued in the future');\n }\n }\n}\n"],"file":"validateClaims.js"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../../lib/oidc/verifyToken.ts"],"names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","configuredIssuer","issuer","options","validationOptions","clientId","ignoreSignature","payload","features","isTokenVerifySupported","key","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"mappings":";;;;;;;;;;;;AAcA;;AACA;;AACA;;AAEA;;AACA;;;;;;AAnBA;;AACA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,
|
|
1
|
+
{"version":3,"sources":["../../../lib/oidc/verifyToken.ts"],"names":["verifyToken","sdk","token","validationParams","idToken","AuthSdkError","jwt","configuredIssuer","issuer","options","validationOptions","clientId","ignoreSignature","payload","features","isTokenVerifySupported","key","header","kid","valid","sdkCrypto","accessToken","claims","at_hash","hash","getOidcHash"],"mappings":";;;;;;;;;;;;AAcA;;AACA;;AACA;;AAEA;;AACA;;;;;;AAnBA;;AACA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACO,eAAeA,WAAf,CAA2BC,GAA3B,EAAuDC,KAAvD,EAAuEC,gBAAvE,EAA8H;AACnI,MAAI,CAACD,KAAD,IAAU,CAACA,KAAK,CAACE,OAArB,EAA8B;AAC5B,UAAM,IAAIC,oBAAJ,CAAiB,+BAAjB,CAAN;AACD,GAHkI,CAKnI;;;AACA,MAAIC,GAAG,GAAG,8BAAYJ,KAAK,CAACE,OAAlB,CAAV,CANmI,CAQnI;AACA;;AACA,QAAMG,gBAAgB,GAAG,CAAAJ,gBAAgB,SAAhB,IAAAA,gBAAgB,WAAhB,YAAAA,gBAAgB,CAAEK,MAAlB,KAA4BP,GAAG,CAACQ,OAAJ,CAAYD,MAAjE;AACA,QAAM;AAAEA,IAAAA;AAAF,MAAa,MAAM,6BAAaP,GAAb,EAAkBM,gBAAlB,CAAzB;AAEA,MAAIG,iBAAoC,GAAG,qBAAc;AACvD;AACAC,IAAAA,QAAQ,EAAEV,GAAG,CAACQ,OAAJ,CAAYE,QAFiC;AAGvDC,IAAAA,eAAe,EAAEX,GAAG,CAACQ,OAAJ,CAAYG;AAH0B,GAAd,EAIxCT,gBAJwC,EAItB;AACnB;AACAK,IAAAA;AAFmB,GAJsB,CAA3C,CAbmI,CAsBnI;;AACA,4BAAeP,GAAf,EAAoBK,GAAG,CAACO,OAAxB,EAAiCH,iBAAjC,EAvBmI,CAyBnI;AACA;;AACA,MAAIA,iBAAiB,CAACE,eAAlB,IAAqC,IAArC,IAA6C,CAACX,GAAG,CAACa,QAAJ,CAAaC,sBAAb,EAAlD,EAAyF;AACvF,WAAOb,KAAP;AACD,GA7BkI,CA+BnI;;;AACA,QAAMc,GAAG,GAAG,MAAM,uBAAOf,GAAP,EAAYC,KAAK,CAACM,MAAlB,EAA0BF,GAAG,CAACW,MAAJ,CAAWC,GAArC,CAAlB;AACA,QAAMC,KAAK,GAAG,MAAMC,SAAS,CAACpB,WAAV,CAAsBE,KAAK,CAACE,OAA5B,EAAqCY,GAArC,CAApB;;AACA,MAAI,CAACG,KAAL,EAAY;AACV,UAAM,IAAId,oBAAJ,CAAiB,kCAAjB,CAAN;AACD;;AACD,MAAIF,gBAAgB,IAAIA,gBAAgB,CAACkB,WAArC,IAAoDnB,KAAK,CAACoB,MAAN,CAAaC,OAArE,EAA8E;AAC5E,UAAMC,IAAI,GAAG,MAAMJ,SAAS,CAACK,WAAV,CAAsBtB,gBAAgB,CAACkB,WAAvC,CAAnB;;AACA,QAAIG,IAAI,KAAKtB,KAAK,CAACoB,MAAN,CAAaC,OAA1B,EAAmC;AACjC,YAAM,IAAIlB,oBAAJ,CAAiB,gCAAjB,CAAN;AACD;AACF;;AACD,SAAOH,KAAP;AACD","sourcesContent":["/* eslint-disable max-len */\n/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown, getKey } from './endpoints/well-known';\nimport { validateClaims } from './util';\nimport { AuthSdkError } from '../errors';\nimport { IDToken, OktaAuthOIDCInterface, TokenVerifyParams } from '../types';\nimport { decodeToken } from './decodeToken';\nimport * as sdkCrypto from '../crypto';\n\n// Verify the id token\nexport async function verifyToken(sdk: OktaAuthOIDCInterface, token: IDToken, validationParams: TokenVerifyParams): Promise<IDToken> {\n if (!token || !token.idToken) {\n throw new AuthSdkError('Only idTokens may be verified');\n }\n\n // Decode the Jwt object (may throw)\n var jwt = decodeToken(token.idToken);\n\n // The configured issuer may point to a frontend proxy.\n // Get the \"real\" issuer from .well-known/openid-configuration\n const configuredIssuer = validationParams?.issuer || sdk.options.issuer;\n const { issuer } = await getWellKnown(sdk, configuredIssuer);\n\n var validationOptions: TokenVerifyParams = Object.assign({\n // base options, can be overridden by params\n clientId: sdk.options.clientId,\n ignoreSignature: sdk.options.ignoreSignature\n }, validationParams, {\n // final options, cannot be overridden\n issuer\n });\n\n // Standard claim validation (may throw)\n validateClaims(sdk, jwt.payload, validationOptions);\n\n // If the browser doesn't support native crypto or we choose not\n // to verify the signature, bail early\n if (validationOptions.ignoreSignature == true || !sdk.features.isTokenVerifySupported()) {\n return token;\n }\n\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n const key = await getKey(sdk, token.issuer, jwt.header.kid!);\n const valid = await sdkCrypto.verifyToken(token.idToken, key);\n if (!valid) {\n throw new AuthSdkError('The token signature is not valid');\n }\n if (validationParams && validationParams.accessToken && token.claims.at_hash) {\n const hash = await sdkCrypto.getOidcHash(validationParams.accessToken);\n if (hash !== token.claims.at_hash) {\n throw new AuthSdkError('Token hash verification failed');\n }\n }\n return token;\n}\n"],"file":"verifyToken.js"}
|
package/cjs/options/index.js
CHANGED
|
@@ -49,7 +49,7 @@ function mergeOptions(options, args) {
|
|
|
49
49
|
}
|
|
50
50
|
|
|
51
51
|
function buildOptions(args = {}) {
|
|
52
|
-
var _args$idx;
|
|
52
|
+
var _args$idx, _args$idx2;
|
|
53
53
|
|
|
54
54
|
(0, _builderUtil.assertValidConfig)(args);
|
|
55
55
|
args = mergeOptions(getDefaultOptions(), args);
|
|
@@ -89,7 +89,10 @@ function buildOptions(args = {}) {
|
|
|
89
89
|
activationToken: args.activationToken,
|
|
90
90
|
// BETA WARNING: configs in this section are subject to change without a breaking change notice
|
|
91
91
|
idx: {
|
|
92
|
-
useGenericRemediator: !!((_args$idx = args.idx) !== null && _args$idx !== void 0 && _args$idx.useGenericRemediator)
|
|
92
|
+
useGenericRemediator: !!((_args$idx = args.idx) !== null && _args$idx !== void 0 && _args$idx.useGenericRemediator),
|
|
93
|
+
// false by default
|
|
94
|
+
exchangeCodeForTokens: ((_args$idx2 = args.idx) === null || _args$idx2 === void 0 ? void 0 : _args$idx2.exchangeCodeForTokens) !== false // true by default
|
|
95
|
+
|
|
93
96
|
},
|
|
94
97
|
// Give the developer the ability to disable token signature validation.
|
|
95
98
|
ignoreSignature: !!args.ignoreSignature,
|