@okta/okta-auth-js 7.11.3 → 7.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (97) hide show
  1. package/CHANGELOG.md +10 -0
  2. package/README.md +79 -0
  3. package/cjs/core/mixin.js +14 -0
  4. package/cjs/core/mixin.js.map +1 -1
  5. package/cjs/http/OktaUserAgent.js +2 -2
  6. package/cjs/oidc/factory/api.js +1 -0
  7. package/cjs/oidc/factory/api.js.map +1 -1
  8. package/cjs/oidc/getToken.js +17 -3
  9. package/cjs/oidc/getToken.js.map +1 -1
  10. package/cjs/oidc/getWithPopup.js +48 -0
  11. package/cjs/oidc/getWithPopup.js.map +1 -1
  12. package/cjs/oidc/handleOAuthResponse.js +13 -6
  13. package/cjs/oidc/handleOAuthResponse.js.map +1 -1
  14. package/cjs/oidc/index.js +7 -0
  15. package/cjs/oidc/index.js.map +1 -1
  16. package/cjs/oidc/options/OAuthOptionsConstructor.js +4 -1
  17. package/cjs/oidc/options/OAuthOptionsConstructor.js.map +1 -1
  18. package/cjs/oidc/types/api.js.map +1 -1
  19. package/cjs/oidc/types/options.js.map +1 -1
  20. package/cjs/oidc/util/browser.js +27 -1
  21. package/cjs/oidc/util/browser.js.map +1 -1
  22. package/dist/okta-auth-js.authn.min.analyzer.html +2 -2
  23. package/dist/okta-auth-js.authn.min.js +1 -1
  24. package/dist/okta-auth-js.authn.min.js.map +1 -1
  25. package/dist/okta-auth-js.core.min.analyzer.html +2 -2
  26. package/dist/okta-auth-js.core.min.js +1 -1
  27. package/dist/okta-auth-js.core.min.js.map +1 -1
  28. package/dist/okta-auth-js.idx.min.analyzer.html +2 -2
  29. package/dist/okta-auth-js.idx.min.js +1 -1
  30. package/dist/okta-auth-js.idx.min.js.map +1 -1
  31. package/dist/okta-auth-js.min.analyzer.html +2 -2
  32. package/dist/okta-auth-js.min.js +1 -1
  33. package/dist/okta-auth-js.min.js.map +1 -1
  34. package/dist/okta-auth-js.myaccount.min.analyzer.html +2 -2
  35. package/dist/okta-auth-js.myaccount.min.js +1 -1
  36. package/dist/okta-auth-js.myaccount.min.js.map +1 -1
  37. package/esm/browser/core/mixin.js +13 -0
  38. package/esm/browser/core/mixin.js.map +1 -1
  39. package/esm/browser/exports/exports/authn.js +2 -2
  40. package/esm/browser/exports/exports/core.js +2 -2
  41. package/esm/browser/exports/exports/default.js +2 -2
  42. package/esm/browser/exports/exports/idx.js +2 -2
  43. package/esm/browser/exports/exports/myaccount.js +2 -2
  44. package/esm/browser/http/OktaUserAgent.js +2 -2
  45. package/esm/browser/oidc/factory/api.js +2 -1
  46. package/esm/browser/oidc/factory/api.js.map +1 -1
  47. package/esm/browser/oidc/getToken.js +15 -3
  48. package/esm/browser/oidc/getToken.js.map +1 -1
  49. package/esm/browser/oidc/getWithPopup.js +46 -1
  50. package/esm/browser/oidc/getWithPopup.js.map +1 -1
  51. package/esm/browser/oidc/handleOAuthResponse.js +7 -3
  52. package/esm/browser/oidc/handleOAuthResponse.js.map +1 -1
  53. package/esm/browser/oidc/options/OAuthOptionsConstructor.js +1 -0
  54. package/esm/browser/oidc/options/OAuthOptionsConstructor.js.map +1 -1
  55. package/esm/browser/oidc/util/browser.js +25 -2
  56. package/esm/browser/oidc/util/browser.js.map +1 -1
  57. package/esm/browser/package.json +1 -1
  58. package/esm/node/core/mixin.js +13 -0
  59. package/esm/node/core/mixin.js.map +1 -1
  60. package/esm/node/exports/exports/authn.js +2 -2
  61. package/esm/node/exports/exports/core.js +2 -2
  62. package/esm/node/exports/exports/default.js +2 -2
  63. package/esm/node/exports/exports/idx.js +2 -2
  64. package/esm/node/exports/exports/myaccount.js +2 -2
  65. package/esm/node/http/OktaUserAgent.js +2 -2
  66. package/esm/node/oidc/factory/api.js +2 -1
  67. package/esm/node/oidc/factory/api.js.map +1 -1
  68. package/esm/node/oidc/getToken.js +15 -3
  69. package/esm/node/oidc/getToken.js.map +1 -1
  70. package/esm/node/oidc/getWithPopup.js +46 -1
  71. package/esm/node/oidc/getWithPopup.js.map +1 -1
  72. package/esm/node/oidc/handleOAuthResponse.js +7 -3
  73. package/esm/node/oidc/handleOAuthResponse.js.map +1 -1
  74. package/esm/node/oidc/options/OAuthOptionsConstructor.js +1 -0
  75. package/esm/node/oidc/options/OAuthOptionsConstructor.js.map +1 -1
  76. package/esm/node/oidc/util/browser.js +25 -2
  77. package/esm/node/oidc/util/browser.js.map +1 -1
  78. package/esm/node/package.json +1 -1
  79. package/package.json +3 -3
  80. package/types/lib/core/options.d.ts +1 -0
  81. package/types/lib/idx/options.d.ts +1 -0
  82. package/types/lib/oidc/getWithPopup.d.ts +6 -0
  83. package/types/lib/oidc/index.d.ts +1 -1
  84. package/types/lib/oidc/options/OAuthOptionsConstructor.d.ts +2 -1
  85. package/types/lib/oidc/types/api.d.ts +6 -0
  86. package/types/lib/oidc/types/options.d.ts +4 -0
  87. package/types/lib/oidc/util/browser.d.ts +1 -0
  88. package/umd/authn.js +1 -1
  89. package/umd/authn.js.map +1 -1
  90. package/umd/core.js +1 -1
  91. package/umd/core.js.map +1 -1
  92. package/umd/default.js +1 -1
  93. package/umd/default.js.map +1 -1
  94. package/umd/idx.js +1 -1
  95. package/umd/idx.js.map +1 -1
  96. package/umd/myaccount.js +1 -1
  97. package/umd/myaccount.js.map +1 -1
package/CHANGELOG.md CHANGED
@@ -1,5 +1,15 @@
1
1
  # Changelog
2
2
 
3
+ # 7.12.0
4
+
5
+ ### Features
6
+
7
+ - [#1573](https://github.com/okta/okta-auth-js/pull/1573) feat: adds `token.getWithIDPPopup()` method
8
+ - A [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) resilient method of acquiring tokens using via external IDPs.
9
+ - See [documentation](https://github.com/okta/okta-auth-js?tab=readme-ov-file#tokengetwithidppopupoptions) for more detailed explanation
10
+
11
+ - [#1584](https://github.com/okta/okta-auth-js/pull/1584) feat: adds `dpopOptions.allowBearerTokens` configuration
12
+
3
13
  # 7.11.3
4
14
 
5
15
  ### Fixes
package/README.md CHANGED
@@ -415,6 +415,10 @@ const config = {
415
415
  // other configurations
416
416
  pkce: true, // required
417
417
  dpop: true,
418
+ dpopOptions: {
419
+ // set to `true` to skip the validation to check the resulting token response includes `token_type: DPoP`
420
+ allowBearerTokens: false // defaults to `false`, tokens are validated to include `token_type: DPoP`
421
+ }
418
422
  };
419
423
 
420
424
  const authClient = new OktaAuth(config);
@@ -575,6 +579,20 @@ Default value is `false`. Set to `true` to enable `DPoP` (Demonstrating Proof-of
575
579
 
576
580
  See Guide: [Enabling DPoP](#enabling-dpop)
577
581
 
582
+ #### `dpopOptions`
583
+
584
+ Default value:
585
+ ```javascript
586
+ dpopOptions: {
587
+ allowBearerTokens: false
588
+ }
589
+ ```
590
+
591
+ See Guide: [Enabling DPoP](#enabling-dpop)
592
+
593
+ #### `dpopOptions.allowBearerTokens`
594
+
595
+ When `false`, dpop-enabled token requests are validated to contain `token_type: DPoP` and will throw otherwise. Set to `true` to skip this validation and allow `Bearer` tokens as a possible `token_type`. This can be useful during a migration, to avoid needing to update a web application simutaneously with Okta Org configurations. Defaults to `false`
578
596
 
579
597
  #### responseMode
580
598
 
@@ -1036,6 +1054,7 @@ The amount of time, in seconds, a tab needs to be inactive for the `RenewOnTabAc
1036
1054
  * [token](#token)
1037
1055
  * [token.getWithoutPrompt](#tokengetwithoutpromptoptions)
1038
1056
  * [token.getWithPopup](#tokengetwithpopupoptions)
1057
+ * [token.getWithIDPPopup](#tokengetwithidppopupoptions)
1039
1058
  * [token.getWithRedirect](#tokengetwithredirectoptions)
1040
1059
  * [token.parseFromUrl](#tokenparsefromurloptions)
1041
1060
  * [token.decode](#tokendecodeidtokenstring)
@@ -1342,6 +1361,13 @@ Stores tokens from redirect url into storage (for login flow), then redirect use
1342
1361
 
1343
1362
  > **Note:** `handleRedirect` throws `OAuthError` or `AuthSdkError` in case there are errors during token retrieval or authenticator enrollment.
1344
1363
 
1364
+ ### `handleIDPPopupRedirect(url?)`
1365
+
1366
+ > :link: web browser only <br>
1367
+ > :hourglass: async
1368
+
1369
+ Used in conjunction with [`token.getWithIDPPopup`](#tokengetwithidppopupoptions). Handles the redirect from the Authorization Server back to the web application. This method relays the resulting OAuth2 response from the popup window to the main window.
1370
+
1345
1371
  ### `setHeaders()`
1346
1372
 
1347
1373
  Can set (or unset) request headers after construction.
@@ -1621,6 +1647,59 @@ authClient.token.getWithPopup(options)
1621
1647
  });
1622
1648
  ```
1623
1649
 
1650
+ #### `token.getWithIDPPopup(options)`
1651
+
1652
+ > :exclamation: Read tradeoffs carefully, this method has user experience implications
1653
+
1654
+ > :link: web browser only <br>
1655
+ > :hourglass: async
1656
+
1657
+ Using [External Identity Providers](https://developer.okta.com/docs/concepts/identity-providers/) in conjunction with [`token.getWithPopup`](#tokengetwithpopupoptions) can fail when an external (non-Okta) IDP sets their [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) to something other than `unsafe-none` on _any_ document loaded in the authentication flow. This causes the spawned popup window and main browser window to run in isolated `Browser Context Groups` ([BCG](https://developer.mozilla.org/en-US/docs/Glossary/Browsing_context)); this results in the following
1658
+
1659
+ 1. The popup and main window can no longer communicate via [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
1660
+ 2. The main window can no longer detect if the popup window is closed
1661
+
1662
+ [`token.getWithIDPPopup`](#tokengetwithidppopupoptions) is designed for deployments which require the use of a popup window _and_ rely on external IDPs. This method can authenticate a user regardless of the IDP's [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy), however it does come with some tradeoffs (see [Tradeoffs](#tradeoffs) below)
1663
+
1664
+ ##### Comparison of `token.getWithPopup(options)` vs `token.getWithIDPPopup(options)`
1665
+
1666
+ Both methods invoke the [`/authorize`](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/authorizeCustomAS) endpoint of the target authorization server in a popup window, however they differ in their [`responseMode`](https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/CustomAS/#tag/CustomAS/operation/authorizeCustomAS!in=query&path=response_mode&t=request) parameter
1667
+ * [`token.getWithPopup`](#tokengetwithpopupoptions) utilizes `okta_post_message`, which enables cross-origin communication via [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage). After successful authentication, the resulting authorization code is broadcast from the popup window to the main window to complete the authentication flow.
1668
+ * This approach requires the main and popup windows to share a [BCG](https://developer.mozilla.org/en-US/docs/Glossary/Browsing_context)
1669
+ * [`token.getWithIDPPopup`](#tokengetwithidppopupoptions) utilizes `query` instead. After successful authentication, a redirect to the provided `redirectUri` is performed. In order for the authentication flow to complete, the `redirectUri` must relay the OAuth2 response from the popup to the main window via [`handleIDPPopupRedirect`](#handleidppopupredirecturl).
1670
+ * This approach does not require a shared [BCG](https://developer.mozilla.org/en-US/docs/Glossary/Browsing_context) and therefore is resilient to stricter [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) policies, however the lack of communication capabilities between the main and popup windows may result in an awkward user experience (see [Tradeoffs](#tradeoffs) below)
1671
+
1672
+ > :exclamation: [`token.getWithPopup`](#tokengetwithpopupoptions) is always the preferred method. [`token.getWithIDPPopup`](#tokengetwithidppopupoptions) should only be used if your Okta configuration includes external IDPs
1673
+
1674
+ ##### Usage
1675
+ ```javascript
1676
+ const { promise, cancel } = authClient.token.getWithIDPPopup({
1677
+ redirectUri: 'http://localhost:8080/popup/callback',
1678
+ });
1679
+ const { tokens } = await promise;
1680
+ authClient.tokenManager.setTokens(tokens);
1681
+ ```
1682
+
1683
+ > The `redirectUri` must be a registered callback route. See [Login redirect URIs](#login-redirect-uris)
1684
+
1685
+ #### Tradeoffs
1686
+ 1. Since [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) can no longer be relied upon, the popup window's flow needs to end on the same origin as the application requesting tokens. After successful authentication, the popup window will be redirect to the provided `redirectUri`, which needs to call `authClient.handleIDPPopupRedirect()`. In Single Page Apps (with a router), it's recommended to host a dedicated route, but this logic can be performed on the main page as well.
1687
+
1688
+ > NOTE: this will _not_ use the same value as `redirectUri` passed via the `OktaAuth` constructor
1689
+
1690
+ ```javascript
1691
+ // example implementation
1692
+ // (loaded within popup as result of redirect to the `redirectUri`)
1693
+ authClient.handleIDPPopupRedirect();
1694
+ window.close(); // recommended, closes the popup window
1695
+ ```
1696
+
1697
+ 2. As mentioned above, the main window cannot detect when the popup window is closed. If a user manually closes the popup window before completing authentication, the resulting `promise` variable will still be `pending` (until a configurable timeout). A `cancel` method is provided to prevent awaiting for the promise to timeout, however this may still result in an awkward user experience.
1698
+ 1. It's important to provide a button on the page to invoke `cancel`. If the user closes the popup window without invoking `cancel`, the `promise` will eventually timeout. This could result in a poor user experience.
1699
+ 2. However, assuming a `cancel` button is available on the page, it's possible for a user to select the `cancel` action on the main window without closing the popup window. If the user _then_ completes the authentication flow in the popup window, this will _not_ result in tokens being issued to the main window (application). This may also result in a poor user experience.
1700
+
1701
+ > Carefully consider these user experience tradeoffs before choosing to implement this method!
1702
+
1624
1703
  #### `token.getWithRedirect(options)`
1625
1704
 
1626
1705
  > :link: web browser only <br>
package/cjs/core/mixin.js CHANGED
@@ -4,6 +4,7 @@ exports.mixinCore = mixinCore;
4
4
  var _parseFromUrl = require("../oidc/parseFromUrl");
5
5
  var _AuthStateManager = require("./AuthStateManager");
6
6
  var _ServiceManager = require("./ServiceManager");
7
+ var _errors = require("../errors");
7
8
  function mixinCore(Base) {
8
9
  return class OktaAuthCore extends Base {
9
10
  constructor(...args) {
@@ -72,6 +73,19 @@ function mixinCore(Base) {
72
73
  window.location.replace(originalUri);
73
74
  }
74
75
  }
76
+ handleIDPPopupRedirect(url = window.location.href) {
77
+ const res = (0, _parseFromUrl.parseOAuthResponseFromUrl)(this, {
78
+ responseMode: 'query',
79
+ url
80
+ });
81
+ if (res.state) {
82
+ const channel = new BroadcastChannel(`popup-callback:${res.state}`);
83
+ channel.postMessage(res);
84
+ channel.close();
85
+ } else {
86
+ throw new _errors.AuthSdkError('Unable to parse auth code params');
87
+ }
88
+ }
75
89
  };
76
90
  }
77
91
  //# sourceMappingURL=mixin.js.map
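Review bot: `handleIDPPopupRedirect` calls `new BroadcastChannel(...)` without first checking that the API exists, so in a browser that lacks it the popup fails with a bare ReferenceError rather than the SDK's own error type; a guard before the `if (res.state)` branch, e.g. `if (typeof BroadcastChannel === 'undefined') { throw new _errors.AuthSdkError('BroadcastChannel is not supported in this environment'); }`, keeps the failure mode consistent with the existing `AuthSdkError` thrown for a missing `state`. The method is also undocumented: a JSDoc block above it should state that it is meant to run in the popup document loaded at the `redirectUri`, that it parses only the `query` response mode from `url` (defaulting to `window.location.href`), that the parsed response is relayed over a channel named after `state` and is therefore only reachable by same-origin listeners, and that it throws `AuthSdkError` when `state` is absent. The same method is added in `esm/browser/core/mixin.js` and `esm/node/core/mixin.js`, so both points apply there as well. The enclosing `OktaAuthCore` class begins outside this hunk.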
@@ -1 +1 @@
1
- {"version":3,"file":"mixin.js","names":["mixinCore","Base","OktaAuthCore","constructor","args","authStateManager","AuthStateManager","serviceManager","ServiceManager","options","services","start","tokenManager","token","isLoginRedirect","updateAuthState","stop","handleRedirect","originalUri","handleLoginRedirect","undefined","tokens","state","setTokens","getOriginalUri","oAuthResponse","parseOAuthResponseFromUrl","storeTokensFromRedirect","e","removeOriginalUri","restoreOriginalUri","window","location","replace"],"sources":["../../../lib/core/mixin.ts"],"sourcesContent":["import { parseOAuthResponseFromUrl } from '../oidc/parseFromUrl';\nimport { OktaAuthConstructor } from '../base/types';\nimport {\n OAuthStorageManagerInterface,\n OAuthTransactionMeta,\n OktaAuthOAuthInterface,\n PKCETransactionMeta,\n Tokens,\n TransactionManagerInterface,\n} from '../oidc/types';\nimport { AuthStateManager } from './AuthStateManager';\nimport { ServiceManager } from './ServiceManager';\nimport { OktaAuthCoreInterface, OktaAuthCoreOptions } from './types';\n\nexport function mixinCore\n<\n M extends OAuthTransactionMeta = PKCETransactionMeta,\n S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n O extends OktaAuthCoreOptions = OktaAuthCoreOptions,\n TM extends TransactionManagerInterface = TransactionManagerInterface,\n TBase extends OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n = OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n>\n(Base: TBase): TBase & OktaAuthConstructor<OktaAuthCoreInterface<M, S, O, TM>>\n{\n return class OktaAuthCore extends Base implements OktaAuthCoreInterface<M, S, O, TM>\n {\n authStateManager: AuthStateManager<M, S, O>;\n serviceManager: ServiceManager<M, S, O>;\n \n constructor(...args: any[]) {\n super(...args);\n\n // AuthStateManager\n this.authStateManager = new AuthStateManager<M, S, O>(this);\n\n // ServiceManager\n this.serviceManager = new ServiceManager<M, S, O>(this, 
this.options.services);\n }\n\n async start() {\n await this.serviceManager.start();\n // TODO: review tokenManager.start\n this.tokenManager.start();\n if (!this.token.isLoginRedirect()) {\n await this.authStateManager.updateAuthState();\n }\n }\n \n async stop() {\n // TODO: review tokenManager.stop\n this.tokenManager.stop();\n await this.serviceManager.stop();\n }\n\n async handleRedirect(originalUri?: string): Promise<void> {\n await this.handleLoginRedirect(undefined, originalUri);\n }\n\n // eslint-disable-next-line complexity\n async handleLoginRedirect(tokens?: Tokens, originalUri?: string): Promise<void> {\n let state = this.options.state;\n \n // Store tokens and update AuthState by the emitted events\n if (tokens) {\n this.tokenManager.setTokens(tokens);\n originalUri = originalUri || this.getOriginalUri(this.options.state);\n } else if (this.isLoginRedirect()) {\n try {\n // For redirect flow, get state from the URL and use it to retrieve the originalUri\n const oAuthResponse = await parseOAuthResponseFromUrl(this, {});\n state = oAuthResponse.state;\n originalUri = originalUri || this.getOriginalUri(state);\n await this.storeTokensFromRedirect();\n } catch(e) {\n // auth state should be updated\n await this.authStateManager.updateAuthState();\n throw e;\n }\n } else {\n return; // nothing to do\n }\n \n // ensure auth state has been updated\n await this.authStateManager.updateAuthState();\n \n // clear originalUri from storage\n this.removeOriginalUri(state);\n \n // Redirect to originalUri\n const { restoreOriginalUri } = this.options;\n if (restoreOriginalUri) {\n await restoreOriginalUri(this, originalUri);\n } else if (originalUri) {\n window.location.replace(originalUri);\n }\n }\n 
};\n}\n"],"mappings":";;;AAAA;AAUA;AACA;AAGO,SAASA,SAAS,CASxBC,IAAW,EACZ;EACE,OAAO,MAAMC,YAAY,SAASD,IAAI,CACtC;IAIEE,WAAW,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAGA,IAAI,CAAC;;MAEd;MACA,IAAI,CAACC,gBAAgB,GAAG,IAAIC,kCAAgB,CAAU,IAAI,CAAC;;MAE3D;MACA,IAAI,CAACC,cAAc,GAAG,IAAIC,8BAAc,CAAU,IAAI,EAAE,IAAI,CAACC,OAAO,CAACC,QAAQ,CAAC;IAChF;IAEA,MAAMC,KAAK,GAAG;MACZ,MAAM,IAAI,CAACJ,cAAc,CAACI,KAAK,EAAE;MACjC;MACA,IAAI,CAACC,YAAY,CAACD,KAAK,EAAE;MACzB,IAAI,CAAC,IAAI,CAACE,KAAK,CAACC,eAAe,EAAE,EAAE;QACjC,MAAM,IAAI,CAACT,gBAAgB,CAACU,eAAe,EAAE;MAC/C;IACF;IAEA,MAAMC,IAAI,GAAG;MACX;MACA,IAAI,CAACJ,YAAY,CAACI,IAAI,EAAE;MACxB,MAAM,IAAI,CAACT,cAAc,CAACS,IAAI,EAAE;IAClC;IAEA,MAAMC,cAAc,CAACC,WAAoB,EAAiB;MACxD,MAAM,IAAI,CAACC,mBAAmB,CAACC,SAAS,EAAEF,WAAW,CAAC;IACxD;;IAEA;IACA,MAAMC,mBAAmB,CAACE,MAAe,EAAEH,WAAoB,EAAiB;MAC9E,IAAII,KAAK,GAAG,IAAI,CAACb,OAAO,CAACa,KAAK;;MAE9B;MACA,IAAID,MAAM,EAAE;QACV,IAAI,CAACT,YAAY,CAACW,SAAS,CAACF,MAAM,CAAC;QACnCH,WAAW,GAAGA,WAAW,IAAI,IAAI,CAACM,cAAc,CAAC,IAAI,CAACf,OAAO,CAACa,KAAK,CAAC;MACtE,CAAC,MAAM,IAAI,IAAI,CAACR,eAAe,EAAE,EAAE;QACjC,IAAI;UACF;UACA,MAAMW,aAAa,GAAG,MAAM,IAAAC,uCAAyB,EAAC,IAAI,EAAE,CAAC,CAAC,CAAC;UAC/DJ,KAAK,GAAGG,aAAa,CAACH,KAAK;UAC3BJ,WAAW,GAAGA,WAAW,IAAI,IAAI,CAACM,cAAc,CAACF,KAAK,CAAC;UACvD,MAAM,IAAI,CAACK,uBAAuB,EAAE;QACtC,CAAC,CAAC,OAAMC,CAAC,EAAE;UACT;UACA,MAAM,IAAI,CAACvB,gBAAgB,CAACU,eAAe,EAAE;UAC7C,MAAMa,CAAC;QACT;MACF,CAAC,MAAM;QACL,OAAO,CAAC;MACV;;MAEA;MACA,MAAM,IAAI,CAACvB,gBAAgB,CAACU,eAAe,EAAE;;MAE7C;MACA,IAAI,CAACc,iBAAiB,CAACP,KAAK,CAAC;;MAE7B;MACA,MAAM;QAAEQ;MAAmB,CAAC,GAAG,IAAI,CAACrB,OAAO;MAC3C,IAAIqB,kBAAkB,EAAE;QACtB,MAAMA,kBAAkB,CAAC,IAAI,EAAEZ,WAAW,CAAC;MAC7C,CAAC,MAAM,IAAIA,WAAW,EAAE;QACtBa,MAAM,CAACC,QAAQ,CAACC,OAAO,CAACf,WAAW,CAAC;MACtC;IACF;EACF,CAAC;AACH"}
1
+ {"version":3,"file":"mixin.js","names":["mixinCore","Base","OktaAuthCore","constructor","args","authStateManager","AuthStateManager","serviceManager","ServiceManager","options","services","start","tokenManager","token","isLoginRedirect","updateAuthState","stop","handleRedirect","originalUri","handleLoginRedirect","undefined","tokens","state","setTokens","getOriginalUri","oAuthResponse","parseOAuthResponseFromUrl","storeTokensFromRedirect","e","removeOriginalUri","restoreOriginalUri","window","location","replace","handleIDPPopupRedirect","url","href","res","responseMode","channel","BroadcastChannel","postMessage","close","AuthSdkError"],"sources":["../../../lib/core/mixin.ts"],"sourcesContent":["import { parseOAuthResponseFromUrl } from '../oidc/parseFromUrl';\nimport { OktaAuthConstructor } from '../base/types';\nimport {\n OAuthStorageManagerInterface,\n OAuthTransactionMeta,\n OktaAuthOAuthInterface,\n PKCETransactionMeta,\n Tokens,\n TransactionManagerInterface,\n} from '../oidc/types';\nimport { AuthStateManager } from './AuthStateManager';\nimport { ServiceManager } from './ServiceManager';\nimport { OktaAuthCoreInterface, OktaAuthCoreOptions } from './types';\nimport { AuthSdkError } from '../errors';\n\nexport function mixinCore\n<\n M extends OAuthTransactionMeta = PKCETransactionMeta,\n S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n O extends OktaAuthCoreOptions = OktaAuthCoreOptions,\n TM extends TransactionManagerInterface = TransactionManagerInterface,\n TBase extends OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n = OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n>\n(Base: TBase): TBase & OktaAuthConstructor<OktaAuthCoreInterface<M, S, O, TM>>\n{\n return class OktaAuthCore extends Base implements OktaAuthCoreInterface<M, S, O, TM>\n {\n authStateManager: AuthStateManager<M, S, O>;\n serviceManager: ServiceManager<M, S, O>;\n \n constructor(...args: any[]) {\n super(...args);\n\n // 
AuthStateManager\n this.authStateManager = new AuthStateManager<M, S, O>(this);\n\n // ServiceManager\n this.serviceManager = new ServiceManager<M, S, O>(this, this.options.services);\n }\n\n async start() {\n await this.serviceManager.start();\n // TODO: review tokenManager.start\n this.tokenManager.start();\n if (!this.token.isLoginRedirect()) {\n await this.authStateManager.updateAuthState();\n }\n }\n \n async stop() {\n // TODO: review tokenManager.stop\n this.tokenManager.stop();\n await this.serviceManager.stop();\n }\n\n async handleRedirect(originalUri?: string): Promise<void> {\n await this.handleLoginRedirect(undefined, originalUri);\n }\n\n // eslint-disable-next-line complexity\n async handleLoginRedirect(tokens?: Tokens, originalUri?: string): Promise<void> {\n let state = this.options.state;\n \n // Store tokens and update AuthState by the emitted events\n if (tokens) {\n this.tokenManager.setTokens(tokens);\n originalUri = originalUri || this.getOriginalUri(this.options.state);\n } else if (this.isLoginRedirect()) {\n try {\n // For redirect flow, get state from the URL and use it to retrieve the originalUri\n const oAuthResponse = await parseOAuthResponseFromUrl(this, {});\n state = oAuthResponse.state;\n originalUri = originalUri || this.getOriginalUri(state);\n await this.storeTokensFromRedirect();\n } catch(e) {\n // auth state should be updated\n await this.authStateManager.updateAuthState();\n throw e;\n }\n } else {\n return; // nothing to do\n }\n \n // ensure auth state has been updated\n await this.authStateManager.updateAuthState();\n \n // clear originalUri from storage\n this.removeOriginalUri(state);\n \n // Redirect to originalUri\n const { restoreOriginalUri } = this.options;\n if (restoreOriginalUri) {\n await restoreOriginalUri(this, originalUri);\n } else if (originalUri) {\n window.location.replace(originalUri);\n }\n }\n\n handleIDPPopupRedirect (url = window.location.href) {\n const res = parseOAuthResponseFromUrl(this, { 
responseMode: 'query', url });\n if (res.state) {\n const channel = new BroadcastChannel(`popup-callback:${res.state}`);\n channel.postMessage(res);\n channel.close();\n }\n else {\n throw new AuthSdkError('Unable to parse auth code params');\n }\n }\n };\n}\n"],"mappings":";;;AAAA;AAUA;AACA;AAEA;AAEO,SAASA,SAAS,CASxBC,IAAW,EACZ;EACE,OAAO,MAAMC,YAAY,SAASD,IAAI,CACtC;IAIEE,WAAW,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAGA,IAAI,CAAC;;MAEd;MACA,IAAI,CAACC,gBAAgB,GAAG,IAAIC,kCAAgB,CAAU,IAAI,CAAC;;MAE3D;MACA,IAAI,CAACC,cAAc,GAAG,IAAIC,8BAAc,CAAU,IAAI,EAAE,IAAI,CAACC,OAAO,CAACC,QAAQ,CAAC;IAChF;IAEA,MAAMC,KAAK,GAAG;MACZ,MAAM,IAAI,CAACJ,cAAc,CAACI,KAAK,EAAE;MACjC;MACA,IAAI,CAACC,YAAY,CAACD,KAAK,EAAE;MACzB,IAAI,CAAC,IAAI,CAACE,KAAK,CAACC,eAAe,EAAE,EAAE;QACjC,MAAM,IAAI,CAACT,gBAAgB,CAACU,eAAe,EAAE;MAC/C;IACF;IAEA,MAAMC,IAAI,GAAG;MACX;MACA,IAAI,CAACJ,YAAY,CAACI,IAAI,EAAE;MACxB,MAAM,IAAI,CAACT,cAAc,CAACS,IAAI,EAAE;IAClC;IAEA,MAAMC,cAAc,CAACC,WAAoB,EAAiB;MACxD,MAAM,IAAI,CAACC,mBAAmB,CAACC,SAAS,EAAEF,WAAW,CAAC;IACxD;;IAEA;IACA,MAAMC,mBAAmB,CAACE,MAAe,EAAEH,WAAoB,EAAiB;MAC9E,IAAII,KAAK,GAAG,IAAI,CAACb,OAAO,CAACa,KAAK;;MAE9B;MACA,IAAID,MAAM,EAAE;QACV,IAAI,CAACT,YAAY,CAACW,SAAS,CAACF,MAAM,CAAC;QACnCH,WAAW,GAAGA,WAAW,IAAI,IAAI,CAACM,cAAc,CAAC,IAAI,CAACf,OAAO,CAACa,KAAK,CAAC;MACtE,CAAC,MAAM,IAAI,IAAI,CAACR,eAAe,EAAE,EAAE;QACjC,IAAI;UACF;UACA,MAAMW,aAAa,GAAG,MAAM,IAAAC,uCAAyB,EAAC,IAAI,EAAE,CAAC,CAAC,CAAC;UAC/DJ,KAAK,GAAGG,aAAa,CAACH,KAAK;UAC3BJ,WAAW,GAAGA,WAAW,IAAI,IAAI,CAACM,cAAc,CAACF,KAAK,CAAC;UACvD,MAAM,IAAI,CAACK,uBAAuB,EAAE;QACtC,CAAC,CAAC,OAAMC,CAAC,EAAE;UACT;UACA,MAAM,IAAI,CAACvB,gBAAgB,CAACU,eAAe,EAAE;UAC7C,MAAMa,CAAC;QACT;MACF,CAAC,MAAM;QACL,OAAO,CAAC;MACV;;MAEA;MACA,MAAM,IAAI,CAACvB,gBAAgB,CAACU,eAAe,EAAE;;MAE7C;MACA,IAAI,CAACc,iBAAiB,CAACP,KAAK,CAAC;;MAE7B;MACA,MAAM;QAAEQ;MAAmB,CAAC,GAAG,IAAI,CAACrB,OAAO;MAC3C,IAAIqB,kBAAkB,EAAE;QACtB,MAAMA,kBAAkB,CAAC,IAAI,EAAEZ,WAAW,CAAC;MAC7C,CAAC,MAAM,IAAIA,WAAW,EAAE;QACtBa,MAAM,CAACC,QAAQ,CAACC,OAAO,CAACf,WAAW,CAAC;MACtC;IACF;IAEAgB,sBA
AsB,CAAEC,GAAG,GAAGJ,MAAM,CAACC,QAAQ,CAACI,IAAI,EAAE;MAClD,MAAMC,GAAG,GAAG,IAAAX,uCAAyB,EAAC,IAAI,EAAE;QAAEY,YAAY,EAAE,OAAO;QAAEH;MAAI,CAAC,CAAC;MAC3E,IAAIE,GAAG,CAACf,KAAK,EAAE;QACb,MAAMiB,OAAO,GAAG,IAAIC,gBAAgB,CAAE,kBAAiBH,GAAG,CAACf,KAAM,EAAC,CAAC;QACnEiB,OAAO,CAACE,WAAW,CAACJ,GAAG,CAAC;QACxBE,OAAO,CAACG,KAAK,EAAE;MACjB,CAAC,MACI;QACH,MAAM,IAAIC,oBAAY,CAAC,kCAAkC,CAAC;MAC5D;IACF;EACF,CAAC;AACH"}
@@ -20,7 +20,7 @@ var _features = require("../features");
20
20
  class OktaUserAgent {
21
21
  constructor() {
22
22
  // add base sdk env
23
- this.environments = [`okta-auth-js/${"7.11.3"}`];
23
+ this.environments = [`okta-auth-js/${"7.12.0"}`];
24
24
  this.maybeAddNodeEnvironment();
25
25
  }
26
26
  addEnvironment(env) {
@@ -32,7 +32,7 @@ class OktaUserAgent {
32
32
  };
33
33
  }
34
34
  getVersion() {
35
- return "7.11.3";
35
+ return "7.12.0";
36
36
  }
37
37
  maybeAddNodeEnvironment() {
38
38
  if ((0, _features.isBrowser)() || !process || !process.versions) {
@@ -59,6 +59,7 @@ function createTokenAPI(sdk, queue) {
59
59
  exchangeCodeForTokens: _exchangeCodeForTokens.exchangeCodeForTokens.bind(null, sdk),
60
60
  getWithoutPrompt: _getWithoutPrompt.getWithoutPrompt.bind(null, sdk),
61
61
  getWithPopup: _getWithPopup.getWithPopup.bind(null, sdk),
62
+ getWithIDPPopup: _getWithPopup.getWithIDPPopup.bind(null, sdk),
62
63
  getWithRedirect: getWithRedirectFn,
63
64
  parseFromUrl: parseFromUrlApi,
64
65
  decode: _decodeToken.decodeToken,
@@ -1 +1 @@
1
- {"version":3,"file":"api.js","names":["createTokenAPI","sdk","queue","useQueue","method","PromiseQueue","prototype","push","bind","getWithRedirectFn","getWithRedirect","parseFromUrlFn","parseFromUrl","parseFromUrlApi","Object","assign","_getHistory","window","history","_getLocation","location","_getDocument","document","token","prepareTokenParams","exchangeCodeForTokens","getWithoutPrompt","getWithPopup","decode","decodeToken","revoke","revokeToken","renew","renewToken","renewTokensWithRefresh","renewTokens","getUserInfo","accessTokenObject","idTokenObject","verify","verifyToken","isLoginRedirect","introspect","oidcIntrospect","toWrap","forEach","key","createEndpoints","authorize","enrollAuthenticator"],"sources":["../../../../lib/oidc/factory/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\nimport { PromiseQueue } from '../../util';\nimport { decodeToken } from '../decodeToken';\nimport { exchangeCodeForTokens } from '../exchangeCodeForTokens';\nimport { getUserInfo } from '../getUserInfo';\nimport { getWithoutPrompt } from '../getWithoutPrompt';\nimport { getWithPopup } from '../getWithPopup';\nimport { getWithRedirect } from '../getWithRedirect';\nimport { parseFromUrl } from '../parseFromUrl';\nimport { renewToken } from '../renewToken';\nimport { renewTokens } from '../renewTokens';\nimport { renewTokensWithRefresh } from 
'../renewTokensWithRefresh';\nimport { revokeToken } from '../revokeToken';\nimport { oidcIntrospect } from '../introspect';\nimport {\n AccessToken,\n CustomUserClaims,\n GetWithRedirectFunction,\n IDToken,\n OktaAuthOAuthInterface,\n ParseFromUrlInterface,\n TokenAPI,\n UserClaims,\n Endpoints,\n} from '../types';\nimport { isLoginRedirect, prepareTokenParams } from '../util';\nimport { verifyToken } from '../verifyToken';\nimport { enrollAuthenticator } from '../enrollAuthenticator';\n\n// Factory\nexport function createTokenAPI(sdk: OktaAuthOAuthInterface, queue: PromiseQueue): TokenAPI {\n const useQueue = (method) => {\n return PromiseQueue.prototype.push.bind(queue, method, null);\n };\n\n const getWithRedirectFn = useQueue(getWithRedirect.bind(null, sdk)) as GetWithRedirectFunction;\n\n // eslint-disable-next-line max-len\n const parseFromUrlFn = useQueue(parseFromUrl.bind(null, sdk)) as ParseFromUrlInterface;\n const parseFromUrlApi: ParseFromUrlInterface = Object.assign(parseFromUrlFn, {\n // This is exposed so we can mock getting window.history in our tests\n _getHistory: function() {\n return window.history;\n },\n\n // This is exposed so we can mock getting window.location in our tests\n _getLocation: function() {\n return window.location;\n },\n\n // This is exposed so we can mock getting window.document in our tests\n _getDocument: function() {\n return window.document;\n }\n });\n\n const token: TokenAPI ={\n prepareTokenParams: prepareTokenParams.bind(null, sdk),\n exchangeCodeForTokens: exchangeCodeForTokens.bind(null, sdk),\n getWithoutPrompt: getWithoutPrompt.bind(null, sdk),\n getWithPopup: getWithPopup.bind(null, sdk),\n getWithRedirect: getWithRedirectFn,\n parseFromUrl: parseFromUrlApi,\n decode: decodeToken,\n revoke: revokeToken.bind(null, sdk),\n renew: renewToken.bind(null, sdk),\n renewTokensWithRefresh: renewTokensWithRefresh.bind(null, sdk),\n renewTokens: renewTokens.bind(null, sdk),\n getUserInfo: <C extends CustomUserClaims = 
CustomUserClaims>(\n accessTokenObject: AccessToken,\n idTokenObject: IDToken\n ): Promise<UserClaims<C>> => {\n return getUserInfo(sdk, accessTokenObject, idTokenObject);\n },\n verify: verifyToken.bind(null, sdk),\n isLoginRedirect: isLoginRedirect.bind(null, sdk),\n introspect: oidcIntrospect.bind(null, sdk),\n };\n\n // Wrap certain async token API methods using PromiseQueue to avoid issues with concurrency\n // 'getWithRedirect' and 'parseFromUrl' are already wrapped\n const toWrap = [\n 'getWithoutPrompt',\n 'getWithPopup',\n 'revoke',\n 'renew',\n 'renewTokensWithRefresh',\n 'renewTokens'\n ];\n toWrap.forEach(key => {\n token[key] = useQueue(token[key]);\n });\n\n return token;\n}\n\nexport function createEndpoints(sdk: OktaAuthOAuthInterface): Endpoints {\n return {\n authorize: {\n enrollAuthenticator: enrollAuthenticator.bind(null, sdk),\n }\n };\n}\n"],"mappings":";;;;AAaA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAYA;AACA;AACA;AAvCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AA8BA;AACO,SAASA,cAAc,CAACC,GAA2B,EAAEC,KAAmB,EAAY;EACzF,MAAMC,QAAQ,GAAIC,MAAM,IAAK;IAC3B,OAAOC,kBAAY,CAACC,SAAS,CAACC,IAAI,CAACC,IAAI,CAACN,KAAK,EAAEE,MAAM,EAAE,IAAI,CAAC;EAC9D,CAAC;EAED,MAAMK,iBAAiB,GAAGN,QAAQ,CAACO,gCAAe,CAACF,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC,CAA4B;;EAE9F;EACA,MAAMU,cAAc,GAAGR,QAAQ,CAACS,0BAAY,CAACJ,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC,CAA0B;EACtF,MAAMY,eAAsC,GAAGC,MAAM,CAACC,MAAM,CAACJ,cAAc,EAAE;IAC3E;IACAK,WAAW,EAAE,YAAW;MACtB,OAAOC,MAAM,CAACC,OAAO;IACvB,CAAC;IAED;IACAC,YAAY,EAAE,YAAW;MACvB,OAAOF,MAAM,CAACG,QAAQ;IACxB,CAAC;IAED;IACAC,YAAY,EAAE,YAAW;MACvB,OAAOJ,MAAM,CAACK,QAAQ;IACxB;EACF,CAAC,CAAC;EAEF,MAAMC,KAAe,GAAE;IACrBC,kBAAkB,EAAEA,yBAAkB,CAAChB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACtDwB,qBAAqB,EAAEA,4CAAqB,CAACjB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAC5DyB,gBAAgB,EAAEA,kCAAgB,CAAClB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAClD0B,YAAY,EAAEA,0BAAY,CAACnB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAC1CS,eAAe,EAAED,iBAAiB;IAClCG,YAAY,EAAEC,eAAe;IAC7Be,MAAM,EAAEC,
wBAAW;IACnBC,MAAM,EAAEC,wBAAW,CAACvB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACnC+B,KAAK,EAAEC,sBAAU,CAACzB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACjCiC,sBAAsB,EAAEA,8CAAsB,CAAC1B,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAC9DkC,WAAW,EAAEA,wBAAW,CAAC3B,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACxCmC,WAAW,EAAE,CACXC,iBAA8B,EAC9BC,aAAsB,KACK;MAC3B,OAAO,IAAAF,wBAAW,EAACnC,GAAG,EAAEoC,iBAAiB,EAAEC,aAAa,CAAC;IAC3D,CAAC;IACDC,MAAM,EAAEC,wBAAW,CAAChC,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACnCwC,eAAe,EAAEA,sBAAe,CAACjC,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAChDyC,UAAU,EAAEC,0BAAc,CAACnC,IAAI,CAAC,IAAI,EAAEP,GAAG;EAC3C,CAAC;;EAED;EACA;EACA,MAAM2C,MAAM,GAAG,CACb,kBAAkB,EAClB,cAAc,EACd,QAAQ,EACR,OAAO,EACP,wBAAwB,EACxB,aAAa,CACd;EACDA,MAAM,CAACC,OAAO,CAACC,GAAG,IAAI;IACpBvB,KAAK,CAACuB,GAAG,CAAC,GAAG3C,QAAQ,CAACoB,KAAK,CAACuB,GAAG,CAAC,CAAC;EACnC,CAAC,CAAC;EAEF,OAAOvB,KAAK;AACd;AAEO,SAASwB,eAAe,CAAC9C,GAA2B,EAAa;EACtE,OAAO;IACL+C,SAAS,EAAE;MACTC,mBAAmB,EAAEA,wCAAmB,CAACzC,IAAI,CAAC,IAAI,EAAEP,GAAG;IACzD;EACF,CAAC;AACH"}
1
+ {"version":3,"file":"api.js","names":["createTokenAPI","sdk","queue","useQueue","method","PromiseQueue","prototype","push","bind","getWithRedirectFn","getWithRedirect","parseFromUrlFn","parseFromUrl","parseFromUrlApi","Object","assign","_getHistory","window","history","_getLocation","location","_getDocument","document","token","prepareTokenParams","exchangeCodeForTokens","getWithoutPrompt","getWithPopup","getWithIDPPopup","decode","decodeToken","revoke","revokeToken","renew","renewToken","renewTokensWithRefresh","renewTokens","getUserInfo","accessTokenObject","idTokenObject","verify","verifyToken","isLoginRedirect","introspect","oidcIntrospect","toWrap","forEach","key","createEndpoints","authorize","enrollAuthenticator"],"sources":["../../../../lib/oidc/factory/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\nimport { PromiseQueue } from '../../util';\nimport { decodeToken } from '../decodeToken';\nimport { exchangeCodeForTokens } from '../exchangeCodeForTokens';\nimport { getUserInfo } from '../getUserInfo';\nimport { getWithoutPrompt } from '../getWithoutPrompt';\nimport { getWithPopup, getWithIDPPopup } from '../getWithPopup';\nimport { getWithRedirect } from '../getWithRedirect';\nimport { parseFromUrl } from '../parseFromUrl';\nimport { renewToken } from '../renewToken';\nimport { renewTokens } from '../renewTokens';\nimport { 
renewTokensWithRefresh } from '../renewTokensWithRefresh';\nimport { revokeToken } from '../revokeToken';\nimport { oidcIntrospect } from '../introspect';\nimport {\n AccessToken,\n CustomUserClaims,\n GetWithRedirectFunction,\n IDToken,\n OktaAuthOAuthInterface,\n ParseFromUrlInterface,\n TokenAPI,\n UserClaims,\n Endpoints,\n} from '../types';\nimport { isLoginRedirect, prepareTokenParams } from '../util';\nimport { verifyToken } from '../verifyToken';\nimport { enrollAuthenticator } from '../enrollAuthenticator';\n\n// Factory\nexport function createTokenAPI(sdk: OktaAuthOAuthInterface, queue: PromiseQueue): TokenAPI {\n const useQueue = (method) => {\n return PromiseQueue.prototype.push.bind(queue, method, null);\n };\n\n const getWithRedirectFn = useQueue(getWithRedirect.bind(null, sdk)) as GetWithRedirectFunction;\n\n // eslint-disable-next-line max-len\n const parseFromUrlFn = useQueue(parseFromUrl.bind(null, sdk)) as ParseFromUrlInterface;\n const parseFromUrlApi: ParseFromUrlInterface = Object.assign(parseFromUrlFn, {\n // This is exposed so we can mock getting window.history in our tests\n _getHistory: function() {\n return window.history;\n },\n\n // This is exposed so we can mock getting window.location in our tests\n _getLocation: function() {\n return window.location;\n },\n\n // This is exposed so we can mock getting window.document in our tests\n _getDocument: function() {\n return window.document;\n }\n });\n\n const token: TokenAPI ={\n prepareTokenParams: prepareTokenParams.bind(null, sdk),\n exchangeCodeForTokens: exchangeCodeForTokens.bind(null, sdk),\n getWithoutPrompt: getWithoutPrompt.bind(null, sdk),\n getWithPopup: getWithPopup.bind(null, sdk),\n getWithIDPPopup: getWithIDPPopup.bind(null, sdk),\n getWithRedirect: getWithRedirectFn,\n parseFromUrl: parseFromUrlApi,\n decode: decodeToken,\n revoke: revokeToken.bind(null, sdk),\n renew: renewToken.bind(null, sdk),\n renewTokensWithRefresh: renewTokensWithRefresh.bind(null, sdk),\n 
renewTokens: renewTokens.bind(null, sdk),\n getUserInfo: <C extends CustomUserClaims = CustomUserClaims>(\n accessTokenObject: AccessToken,\n idTokenObject: IDToken\n ): Promise<UserClaims<C>> => {\n return getUserInfo(sdk, accessTokenObject, idTokenObject);\n },\n verify: verifyToken.bind(null, sdk),\n isLoginRedirect: isLoginRedirect.bind(null, sdk),\n introspect: oidcIntrospect.bind(null, sdk),\n };\n\n // Wrap certain async token API methods using PromiseQueue to avoid issues with concurrency\n // 'getWithRedirect' and 'parseFromUrl' are already wrapped\n const toWrap = [\n 'getWithoutPrompt',\n 'getWithPopup',\n 'revoke',\n 'renew',\n 'renewTokensWithRefresh',\n 'renewTokens'\n ];\n toWrap.forEach(key => {\n token[key] = useQueue(token[key]);\n });\n\n return token;\n}\n\nexport function createEndpoints(sdk: OktaAuthOAuthInterface): Endpoints {\n return {\n authorize: {\n enrollAuthenticator: enrollAuthenticator.bind(null, sdk),\n }\n };\n}\n"],"mappings":";;;;AAaA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAYA;AACA;AACA;AAvCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AA8BA;AACO,SAASA,cAAc,CAACC,GAA2B,EAAEC,KAAmB,EAAY;EACzF,MAAMC,QAAQ,GAAIC,MAAM,IAAK;IAC3B,OAAOC,kBAAY,CAACC,SAAS,CAACC,IAAI,CAACC,IAAI,CAACN,KAAK,EAAEE,MAAM,EAAE,IAAI,CAAC;EAC9D,CAAC;EAED,MAAMK,iBAAiB,GAAGN,QAAQ,CAACO,gCAAe,CAACF,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC,CAA4B;;EAE9F;EACA,MAAMU,cAAc,GAAGR,QAAQ,CAACS,0BAAY,CAACJ,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC,CAA0B;EACtF,MAAMY,eAAsC,GAAGC,MAAM,CAACC,MAAM,CAACJ,cAAc,EAAE;IAC3E;IACAK,WAAW,EAAE,YAAW;MACtB,OAAOC,MAAM,CAACC,OAAO;IACvB,CAAC;IAED;IACAC,YAAY,EAAE,YAAW;MACvB,OAAOF,MAAM,CAACG,QAAQ;IACxB,CAAC;IAED;IACAC,YAAY,EAAE,YAAW;MACvB,OAAOJ,MAAM,CAACK,QAAQ;IACxB;EACF,CAAC,CAAC;EAEF,MAAMC,KAAe,GAAE;IACrBC,kBAAkB,EAAEA,yBAAkB,CAAChB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACtDwB,qBAAqB,EAAEA,4CAAqB,CAACjB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAC5DyB,gBAAgB,EAAEA,kCAAgB,CAAClB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAClD0B,YAAY,EAAEA,0BAAY,CAACnB,IAAI,CAAC,
IAAI,EAAEP,GAAG,CAAC;IAC1C2B,eAAe,EAAEA,6BAAe,CAACpB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAChDS,eAAe,EAAED,iBAAiB;IAClCG,YAAY,EAAEC,eAAe;IAC7BgB,MAAM,EAAEC,wBAAW;IACnBC,MAAM,EAAEC,wBAAW,CAACxB,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACnCgC,KAAK,EAAEC,sBAAU,CAAC1B,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACjCkC,sBAAsB,EAAEA,8CAAsB,CAAC3B,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAC9DmC,WAAW,EAAEA,wBAAW,CAAC5B,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACxCoC,WAAW,EAAE,CACXC,iBAA8B,EAC9BC,aAAsB,KACK;MAC3B,OAAO,IAAAF,wBAAW,EAACpC,GAAG,EAAEqC,iBAAiB,EAAEC,aAAa,CAAC;IAC3D,CAAC;IACDC,MAAM,EAAEC,wBAAW,CAACjC,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IACnCyC,eAAe,EAAEA,sBAAe,CAAClC,IAAI,CAAC,IAAI,EAAEP,GAAG,CAAC;IAChD0C,UAAU,EAAEC,0BAAc,CAACpC,IAAI,CAAC,IAAI,EAAEP,GAAG;EAC3C,CAAC;;EAED;EACA;EACA,MAAM4C,MAAM,GAAG,CACb,kBAAkB,EAClB,cAAc,EACd,QAAQ,EACR,OAAO,EACP,wBAAwB,EACxB,aAAa,CACd;EACDA,MAAM,CAACC,OAAO,CAACC,GAAG,IAAI;IACpBxB,KAAK,CAACwB,GAAG,CAAC,GAAG5C,QAAQ,CAACoB,KAAK,CAACwB,GAAG,CAAC,CAAC;EACnC,CAAC,CAAC;EAEF,OAAOxB,KAAK;AACd;AAEO,SAASyB,eAAe,CAAC/C,GAA2B,EAAa;EACtE,OAAO;IACLgD,SAAS,EAAE;MACTC,mBAAmB,EAAEA,wCAAmB,CAAC1C,IAAI,CAAC,IAAI,EAAEP,GAAG;IACzD;EACF,CAAC;AACH"}
@@ -107,11 +107,11 @@ function getToken(sdk, options) {
107
107
  requestUrl = endpoint + (0, _authorize.buildAuthorizeParams)(tokenParams);
108
108
 
109
109
  // Determine the flow type
110
- var flowType;
110
+ var flowType = 'IMPLICIT';
111
111
  if (tokenParams.sessionToken || tokenParams.display === null) {
112
112
  flowType = 'IFRAME';
113
113
  } else if (tokenParams.display === 'popup') {
114
- flowType = 'POPUP';
114
+ flowType = options.idpPopup ? 'IDP_POPUP' : 'POPUP';
115
115
  } else {
116
116
  flowType = 'IMPLICIT';
117
117
  }
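Review bot: The trailing `else { flowType = 'IMPLICIT'; }` is now redundant, since the new initializer `var flowType = 'IMPLICIT';` already covers that case; dropping the else keeps the two from drifting apart. Note also that `options.idpPopup` only takes effect when `tokenParams.display === 'popup'`, which (going by the `idpOverrides` in the source map's sourcesContent) appears to happen only when `idp` is set or `display` is passed explicitly — otherwise the flag is silently ignored and the flow falls through to IFRAME or IMPLICIT. A short comment such as `// idpPopup is honoured only for display === 'popup' (i.e. an idp flow)` would make that explicit, or the IMPLICIT branch could reject with an AuthSdkError when `options.idpPopup` is set. getToken begins and ends outside this hunk.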
@@ -141,7 +141,7 @@ function getToken(sdk, options) {
141
141
  }
142
142
 
143
143
  // Redirect for authorization
144
- // popupWindown can be null when popup is blocked
144
+ // popupWindow can be null when popup is blocked
145
145
  if (popupWindow) {
146
146
  popupWindow.location.assign(requestUrl);
147
147
  }
@@ -171,6 +171,20 @@ function getToken(sdk, options) {
171
171
  popupWindow.close();
172
172
  }
173
173
  });
174
+ case 'IDP_POPUP':
175
+ // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
176
+ var idpPromise = (0, _util.addIDPPopupLisenter)(sdk, options.timeout, options.channel, tokenParams.state);
177
+
178
+ // Redirect for authorization
179
+ // popupWindow can be null when popup is blocked
180
+ if (popupWindow) {
181
+ popupWindow.location.assign(requestUrl);
182
+ } else {
183
+ throw new _AuthSdkError.default('Unable to open popup window');
184
+ }
185
+ return idpPromise.then(function (res) {
186
+ return (0, _handleOAuthResponse.handleOAuthResponse)(sdk, tokenParams, res, urls);
187
+ });
174
188
  default:
175
189
  throw new _AuthSdkError.default('The full page redirect flow is not supported');
176
190
  }
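Review bot: In the new `IDP_POPUP` case the listener is registered (`addIDPPopupLisenter(...)` on line 176) before the `popupWindow` null check, so a blocked popup throws while the listener — presumably holding a timer and a BroadcastChannel open until `options.timeout` elapses — is never cleaned up; the `throw` should come before the listener call. The case also lacks the close-poller and `.finally` that the `POPUP` case uses (see the source map's sourcesContent on this page), so a user who simply closes the IdP popup leaves the caller waiting for the full timeout instead of getting a rejection, and a popup that does not close itself is left open. The rewrite below mirrors the POPUP handling; since the callback page posts on the channel before closing it (see the handlePopupCallback source in the map at the top of this page), the poller-versus-message race is the same one the POPUP case already accepts. The helper name `addIDPPopupLisenter` is misspelled (Listener), and the `eslint-disable-next-line @typescript-eslint/no-non-null-assertion` comment survives into this compiled file where no assertion exists; both are cosmetic. getToken and the enclosing `switch` begin and end outside this hunk.
```javascript
case 'IDP_POPUP':
  // Fail before registering the listener so a blocked popup leaves nothing waiting on the timeout.
  if (!popupWindow) {
    throw new _AuthSdkError.default('Unable to open popup window');
  }
  var idpPromise = (0, _util.addIDPPopupLisenter)(sdk, options.timeout, options.channel, tokenParams.state);
  popupWindow.location.assign(requestUrl);

  // Reject when the popup is closed before a response arrives, as the POPUP case does.
  var idpPopupPromise = new Promise(function (resolve, reject) {
    var closePoller = setInterval(function () {
      if (popupWindow.closed) {
        clearInterval(closePoller);
        reject(new _AuthSdkError.default('Unable to parse OAuth flow response'));
      }
    }, 100);
    idpPromise.then(function (res) {
      clearInterval(closePoller);
      resolve(res);
    }).catch(function (err) {
      clearInterval(closePoller);
      reject(err);
    });
  });
  return idpPopupPromise.then(function (res) {
    return (0, _handleOAuthResponse.handleOAuthResponse)(sdk, tokenParams, res, urls);
  }).finally(function () {
    if (!popupWindow.closed) {
      popupWindow.close();
    }
  });
// … unchanged: default case …
```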
@@ -1 +1 @@
1
- {"version":3,"file":"getToken.js","names":["getToken","sdk","options","arguments","length","Promise","reject","AuthSdkError","popupWindow","undefined","prepareTokenParams","then","tokenParams","sessionTokenOverrides","prompt","responseMode","display","idpOverrides","sessionToken","Object","assign","idp","requestUrl","endpoint","urls","getOAuthUrls","codeVerifier","tokenUrl","authorizeUrl","buildAuthorizeParams","flowType","iframePromise","addPostMessageListener","timeout","state","iframeEl","loadFrame","res","handleOAuthResponse","finally","document","body","contains","parentElement","removeChild","oauthPromise","features","isPopupPostMessageSupported","location","popupPromise","resolve","closePoller","setInterval","closed","clearInterval","catch","err","close"],"sources":["../../../lib/oidc/getToken.ts"],"sourcesContent":["\n/* global document */\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport {\n getOAuthUrls,\n loadFrame,\n addPostMessageListener\n} from './util';\n\nimport AuthSdkError from '../errors/AuthSdkError';\n\nimport {\n OktaAuthOAuthInterface,\n TokenParams,\n PopupParams,\n OAuthResponse,\n} from './types';\n\nimport { prepareTokenParams } from './util/prepareTokenParams';\nimport { buildAuthorizeParams } from './endpoints/authorize';\nimport { handleOAuthResponse } from './handleOAuthResponse';\n/*\n * 
Retrieve an idToken from an Okta or a third party idp\n *\n * Two main flows:\n *\n * 1) Exchange a sessionToken for a token\n *\n * Required:\n * clientId: passed via the OktaAuth constructor or into getToken\n * sessionToken: 'yourtoken'\n *\n * Optional:\n * redirectUri: defaults to window.location.href\n * scopes: defaults to ['openid', 'email']\n *\n * Forced:\n * prompt: 'none'\n * responseMode: 'okta_post_message'\n * display: undefined\n *\n * 2) Get a token from an idp\n *\n * Required:\n * clientId: passed via the OktaAuth constructor or into getToken\n *\n * Optional:\n * redirectUri: defaults to window.location.href\n * scopes: defaults to ['openid', 'email']\n * idp: defaults to Okta as an idp\n * prompt: no default. Pass 'none' to throw an error if user is not signed in\n *\n * Forced:\n * display: 'popup'\n *\n * Only common optional params shown. Any OAuth parameters not explicitly forced are available to override\n *\n * @param {Object} oauthOptions\n * @param {String} [oauthOptions.clientId] ID of this client\n * @param {String} [oauthOptions.redirectUri] URI that the iframe or popup will go to once authenticated\n * @param {String[]} [oauthOptions.scopes] OAuth 2.0 scopes to request (openid must be specified)\n * @param {String} [oauthOptions.idp] ID of an external IdP to use for user authentication\n * @param {String} [oauthOptions.sessionToken] Bootstrap Session Token returned by the Okta Authentication API\n * @param {String} [oauthOptions.prompt] Determines whether the Okta login will be displayed on failure.\n * Use 'none' to prevent this behavior\n *\n * @param {Object} options\n * @param {Integer} [options.timeout] Time in ms before the flow is automatically terminated. 
Defaults to 120000\n * @param {String} [options.popupTitle] Title dispayed in the popup.\n * Defaults to 'External Identity Provider User Authentication'\n */\nexport function getToken(sdk: OktaAuthOAuthInterface, options: TokenParams & PopupParams) {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getToken\" takes only a single set of options'));\n }\n\n options = options || {};\n\n // window object cannot be serialized, save for later use\n // TODO: move popup related params into a separate options object\n const popupWindow = options.popupWindow;\n options.popupWindow = undefined;\n\n return prepareTokenParams(sdk, options)\n .then(function (tokenParams: TokenParams) {\n\n // Start overriding any options that don't make sense\n var sessionTokenOverrides = {\n prompt: 'none',\n responseMode: 'okta_post_message',\n display: null\n };\n\n var idpOverrides = {\n display: 'popup'\n };\n\n if (options.sessionToken) {\n Object.assign(tokenParams, sessionTokenOverrides);\n } else if (options.idp) {\n Object.assign(tokenParams, idpOverrides);\n }\n\n // Use the query params to build the authorize url\n var requestUrl,\n endpoint,\n urls;\n\n // Get authorizeUrl and issuer\n urls = getOAuthUrls(sdk, tokenParams);\n endpoint = options.codeVerifier ? 
urls.tokenUrl : urls.authorizeUrl;\n requestUrl = endpoint + buildAuthorizeParams(tokenParams);\n\n // Determine the flow type\n var flowType;\n if (tokenParams.sessionToken || tokenParams.display === null) {\n flowType = 'IFRAME';\n } else if (tokenParams.display === 'popup') {\n flowType = 'POPUP';\n } else {\n flowType = 'IMPLICIT';\n }\n\n // Execute the flow type\n switch (flowType) {\n case 'IFRAME':\n var iframePromise = addPostMessageListener(sdk, options.timeout, tokenParams.state);\n var iframeEl = loadFrame(requestUrl);\n return iframePromise\n .then(function (res) {\n return handleOAuthResponse(sdk, tokenParams, res as OAuthResponse, urls);\n })\n .finally(function () {\n if (document.body.contains(iframeEl)) {\n iframeEl.parentElement?.removeChild(iframeEl);\n }\n });\n\n case 'POPUP':\n var oauthPromise; // resolves with OAuth response\n\n // Add listener on postMessage before window creation, so\n // postMessage isn't triggered before we're listening\n if (tokenParams.responseMode === 'okta_post_message') {\n if (!sdk.features.isPopupPostMessageSupported()) {\n throw new AuthSdkError('This browser doesn\\'t have full postMessage support');\n }\n oauthPromise = addPostMessageListener(sdk, options.timeout, tokenParams.state);\n }\n\n // Redirect for authorization\n // popupWindown can be null when popup is blocked\n if (popupWindow) { \n popupWindow.location.assign(requestUrl);\n }\n\n // The popup may be closed without receiving an OAuth response. 
Setup a poller to monitor the window.\n var popupPromise = new Promise(function (resolve, reject) {\n var closePoller = setInterval(function () {\n if (!popupWindow || popupWindow.closed) {\n clearInterval(closePoller);\n reject(new AuthSdkError('Unable to parse OAuth flow response'));\n }\n }, 100);\n\n // Proxy the OAuth promise results\n oauthPromise\n .then(function (res) {\n clearInterval(closePoller);\n resolve(res);\n })\n .catch(function (err) {\n clearInterval(closePoller);\n reject(err);\n });\n });\n\n return popupPromise\n .then(function (res) {\n return handleOAuthResponse(sdk, tokenParams, res as OAuthResponse, urls);\n })\n .finally(function () {\n if (popupWindow && !popupWindow.closed) {\n popupWindow.close();\n }\n });\n\n default:\n throw new AuthSdkError('The full page redirect flow is not supported');\n }\n });\n}"],"mappings":";;;;AAeA;AAMA;AASA;AACA;AACA;AA/BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASA,QAAQ,CAACC,GAA2B,EAAEC,OAAkC,EAAE;EACxF,IAAIC,SAAS,CAACC,MAAM,GAAG,CAAC,EAAE;IACxB,OAAOC,OAAO,CAACC,MAAM,CAAC,IAAIC,qBAAY,CAAC,kEAAkE,CAAC,CAAC;EAC7G;EAEAL,OAAO,GAAGA,OAAO,IAAI,CAAC,CAAC;;EAEvB;EACA;EACA,MAAMM,WAAW,GAAGN,OAAO,CAACM,WAAW;EACvCN,OAAO,CAACM,WAAW,GAAGC,SAAS;EAE/B,OAAO,IAAAC,sCAAkB,EAACT,GAAG,EAAEC,OAAO,CAAC,CACpCS,IAAI,CAAC,UAAUC,WAAwB,EAAE;IAExC;IACA,IAAIC,qBAAqB,GAAG;MAC1BC,MAAM,EAAE,MAAM;MACdC,YAAY,EAAE,mBAAmB;MACjCC,OAAO,EAAE;IACX,CAAC;IAED,IAAIC,YAAY,GAAG;MACjBD,OAAO,EAAE;IACX,CAAC;IAED,IAAId,OAAO,CAACgB,YAAY,EAAE;MACxBC,MAAM,CAACC,MAAM,CAACR,WAAW,EAAEC,qBAAqB,CAAC;IACnD,CAAC,MAAM,IAAIX,OAAO,CAACmB,GAAG,EAAE;MACtBF,MAAM,CAACC,MAAM,CAACR,WAAW,EAAEK,YAAY,CAAC;IAC1C;;IAEA;IACA,IAAIK,UAAU,EACZC,QAAQ,EACRC,IAAI;;IAEN;IACAA,IAAI,GAAG,IAAAC,kBAAY,EAACxB,G
AAG,EAAEW,WAAW,CAAC;IACrCW,QAAQ,GAAGrB,OAAO,CAACwB,YAAY,GAAGF,IAAI,CAACG,QAAQ,GAAGH,IAAI,CAACI,YAAY;IACnEN,UAAU,GAAGC,QAAQ,GAAG,IAAAM,+BAAoB,EAACjB,WAAW,CAAC;;IAEzD;IACA,IAAIkB,QAAQ;IACZ,IAAIlB,WAAW,CAACM,YAAY,IAAIN,WAAW,CAACI,OAAO,KAAK,IAAI,EAAE;MAC5Dc,QAAQ,GAAG,QAAQ;IACrB,CAAC,MAAM,IAAIlB,WAAW,CAACI,OAAO,KAAK,OAAO,EAAE;MAC1Cc,QAAQ,GAAG,OAAO;IACpB,CAAC,MAAM;MACLA,QAAQ,GAAG,UAAU;IACvB;;IAEA;IACA,QAAQA,QAAQ;MACd,KAAK,QAAQ;QACX,IAAIC,aAAa,GAAG,IAAAC,4BAAsB,EAAC/B,GAAG,EAAEC,OAAO,CAAC+B,OAAO,EAAErB,WAAW,CAACsB,KAAK,CAAC;QACnF,IAAIC,QAAQ,GAAG,IAAAC,eAAS,EAACd,UAAU,CAAC;QACpC,OAAOS,aAAa,CACjBpB,IAAI,CAAC,UAAU0B,GAAG,EAAE;UACnB,OAAO,IAAAC,wCAAmB,EAACrC,GAAG,EAAEW,WAAW,EAAEyB,GAAG,EAAmBb,IAAI,CAAC;QAC1E,CAAC,CAAC,CACDe,OAAO,CAAC,YAAY;UACnB,IAAIC,QAAQ,CAACC,IAAI,CAACC,QAAQ,CAACP,QAAQ,CAAC,EAAE;YACpCA,QAAQ,CAACQ,aAAa,EAAEC,WAAW,CAACT,QAAQ,CAAC;UAC/C;QACF,CAAC,CAAC;MAEN,KAAK,OAAO;QACV,IAAIU,YAAY,CAAC,CAAC;;QAElB;QACA;QACA,IAAIjC,WAAW,CAACG,YAAY,KAAK,mBAAmB,EAAE;UACpD,IAAI,CAACd,GAAG,CAAC6C,QAAQ,CAACC,2BAA2B,EAAE,EAAE;YAC/C,MAAM,IAAIxC,qBAAY,CAAC,qDAAqD,CAAC;UAC/E;UACAsC,YAAY,GAAG,IAAAb,4BAAsB,EAAC/B,GAAG,EAAEC,OAAO,CAAC+B,OAAO,EAAErB,WAAW,CAACsB,KAAK,CAAC;QAChF;;QAEA;QACA;QACA,IAAI1B,WAAW,EAAE;UACfA,WAAW,CAACwC,QAAQ,CAAC5B,MAAM,CAACE,UAAU,CAAC;QACzC;;QAEA;QACA,IAAI2B,YAAY,GAAG,IAAI5C,OAAO,CAAC,UAAU6C,OAAO,EAAE5C,MAAM,EAAE;UACxD,IAAI6C,WAAW,GAAGC,WAAW,CAAC,YAAY;YACxC,IAAI,CAAC5C,WAAW,IAAIA,WAAW,CAAC6C,MAAM,EAAE;cACtCC,aAAa,CAACH,WAAW,CAAC;cAC1B7C,MAAM,CAAC,IAAIC,qBAAY,CAAC,qCAAqC,CAAC,CAAC;YACjE;UACF,CAAC,EAAE,GAAG,CAAC;;UAEP;UACAsC,YAAY,CACTlC,IAAI,CAAC,UAAU0B,GAAG,EAAE;YACnBiB,aAAa,CAACH,WAAW,CAAC;YAC1BD,OAAO,CAACb,GAAG,CAAC;UACd,CAAC,CAAC,CACDkB,KAAK,CAAC,UAAUC,GAAG,EAAE;YACpBF,aAAa,CAACH,WAAW,CAAC;YAC1B7C,MAAM,CAACkD,GAAG,CAAC;UACb,CAAC,CAAC;QACN,CAAC,CAAC;QAEF,OAAOP,YAAY,CAChBtC,IAAI,CAAC,UAAU0B,GAAG,EAAE;UACnB,OAAO,IAAAC,wCAAmB,EAACrC,GAAG,EAAEW,WAAW,EAAEyB,GAAG,EAAmBb,IAAI,CAAC;QAC1E,CAAC,CAAC,CACDe,OAAO,CAAC,YAAY;UACnB,IAAI/B,WAAW,IAAI,CAACA,WAAW,CAAC6C,MAAM,EAAE;YACtC
7C,WAAW,CAACiD,KAAK,EAAE;UACrB;QACF,CAAC,CAAC;MAEN;QACE,MAAM,IAAIlD,qBAAY,CAAC,8CAA8C,CAAC;IAAC;EAE7E,CAAC,CAAC;AACN"}
1
+ {"version":3,"file":"getToken.js","names":["getToken","sdk","options","arguments","length","Promise","reject","AuthSdkError","popupWindow","undefined","prepareTokenParams","then","tokenParams","sessionTokenOverrides","prompt","responseMode","display","idpOverrides","sessionToken","Object","assign","idp","requestUrl","endpoint","urls","getOAuthUrls","codeVerifier","tokenUrl","authorizeUrl","buildAuthorizeParams","flowType","idpPopup","iframePromise","addPostMessageListener","timeout","state","iframeEl","loadFrame","res","handleOAuthResponse","finally","document","body","contains","parentElement","removeChild","oauthPromise","features","isPopupPostMessageSupported","location","popupPromise","resolve","closePoller","setInterval","closed","clearInterval","catch","err","close","idpPromise","addIDPPopupLisenter","channel"],"sources":["../../../lib/oidc/getToken.ts"],"sourcesContent":["\n/* global document */\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport {\n getOAuthUrls,\n loadFrame,\n addPostMessageListener,\n addIDPPopupLisenter\n} from './util';\n\nimport AuthSdkError from '../errors/AuthSdkError';\n\nimport {\n OktaAuthOAuthInterface,\n TokenParams,\n PopupParams,\n OAuthResponse,\n} from './types';\n\nimport { prepareTokenParams } from './util/prepareTokenParams';\nimport { buildAuthorizeParams } from './endpoints/authorize';\nimport { handleOAuthResponse } from './handleOAuthResponse';\n/*\n * Retrieve an idToken from an Okta or a third party idp\n *\n * Two main flows:\n *\n * 1) Exchange a sessionToken for a token\n *\n * Required:\n * clientId: passed via the OktaAuth constructor or into getToken\n * sessionToken: 'yourtoken'\n *\n * Optional:\n * redirectUri: defaults to window.location.href\n * scopes: defaults to ['openid', 'email']\n *\n * Forced:\n * prompt: 'none'\n * responseMode: 'okta_post_message'\n * display: undefined\n *\n * 2) Get a token from an idp\n *\n * Required:\n * clientId: passed via the OktaAuth constructor or into getToken\n *\n * Optional:\n * redirectUri: defaults to window.location.href\n * scopes: defaults to ['openid', 'email']\n * idp: defaults to Okta as an idp\n * prompt: no default. Pass 'none' to throw an error if user is not signed in\n *\n * Forced:\n * display: 'popup'\n *\n * Only common optional params shown. 
Any OAuth parameters not explicitly forced are available to override\n *\n * @param {Object} oauthOptions\n * @param {String} [oauthOptions.clientId] ID of this client\n * @param {String} [oauthOptions.redirectUri] URI that the iframe or popup will go to once authenticated\n * @param {String[]} [oauthOptions.scopes] OAuth 2.0 scopes to request (openid must be specified)\n * @param {String} [oauthOptions.idp] ID of an external IdP to use for user authentication\n * @param {String} [oauthOptions.sessionToken] Bootstrap Session Token returned by the Okta Authentication API\n * @param {String} [oauthOptions.prompt] Determines whether the Okta login will be displayed on failure.\n * Use 'none' to prevent this behavior\n *\n * @param {Object} options\n * @param {Integer} [options.timeout] Time in ms before the flow is automatically terminated. Defaults to 120000\n * @param {String} [options.popupTitle] Title dispayed in the popup.\n * Defaults to 'External Identity Provider User Authentication'\n */\nexport function getToken(sdk: OktaAuthOAuthInterface, options: TokenParams & PopupParams) {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getToken\" takes only a single set of options'));\n }\n\n options = options || {};\n\n // window object cannot be serialized, save for later use\n // TODO: move popup related params into a separate options object\n const popupWindow = options.popupWindow;\n options.popupWindow = undefined;\n\n return prepareTokenParams(sdk, options)\n .then(function (tokenParams: TokenParams) {\n\n // Start overriding any options that don't make sense\n var sessionTokenOverrides = {\n prompt: 'none',\n responseMode: 'okta_post_message',\n display: null\n };\n\n var idpOverrides = {\n display: 'popup'\n };\n\n if (options.sessionToken) {\n Object.assign(tokenParams, sessionTokenOverrides);\n } else if (options.idp) {\n Object.assign(tokenParams, idpOverrides);\n }\n\n // Use the query params to build the 
authorize url\n var requestUrl,\n endpoint,\n urls;\n\n // Get authorizeUrl and issuer\n urls = getOAuthUrls(sdk, tokenParams);\n endpoint = options.codeVerifier ? urls.tokenUrl : urls.authorizeUrl;\n requestUrl = endpoint + buildAuthorizeParams(tokenParams);\n\n // Determine the flow type\n var flowType: 'IFRAME' | 'POPUP' | 'IDP_POPUP' | 'IMPLICIT' = 'IMPLICIT';\n if (tokenParams.sessionToken || tokenParams.display === null) {\n flowType = 'IFRAME';\n }\n else if (tokenParams.display === 'popup') {\n flowType = options.idpPopup ? 'IDP_POPUP' : 'POPUP';\n }\n else {\n flowType = 'IMPLICIT';\n }\n\n // Execute the flow type\n switch (flowType) {\n case 'IFRAME':\n var iframePromise = addPostMessageListener(sdk, options.timeout, tokenParams.state);\n var iframeEl = loadFrame(requestUrl);\n return iframePromise\n .then(function (res) {\n return handleOAuthResponse(sdk, tokenParams, res as OAuthResponse, urls);\n })\n .finally(function () {\n if (document.body.contains(iframeEl)) {\n iframeEl.parentElement?.removeChild(iframeEl);\n }\n });\n\n case 'POPUP':\n var oauthPromise; // resolves with OAuth response\n\n // Add listener on postMessage before window creation, so\n // postMessage isn't triggered before we're listening\n if (tokenParams.responseMode === 'okta_post_message') {\n if (!sdk.features.isPopupPostMessageSupported()) {\n throw new AuthSdkError('This browser doesn\\'t have full postMessage support');\n }\n oauthPromise = addPostMessageListener(sdk, options.timeout, tokenParams.state);\n }\n\n // Redirect for authorization\n // popupWindow can be null when popup is blocked\n if (popupWindow) {\n popupWindow.location.assign(requestUrl);\n }\n\n // The popup may be closed without receiving an OAuth response. 
Setup a poller to monitor the window.\n var popupPromise = new Promise(function (resolve, reject) {\n var closePoller = setInterval(function () {\n if (!popupWindow || popupWindow.closed) {\n clearInterval(closePoller);\n reject(new AuthSdkError('Unable to parse OAuth flow response'));\n }\n }, 100);\n\n // Proxy the OAuth promise results\n oauthPromise\n .then(function (res) {\n clearInterval(closePoller);\n resolve(res);\n })\n .catch(function (err) {\n clearInterval(closePoller);\n reject(err);\n });\n });\n\n return popupPromise\n .then(function (res) {\n return handleOAuthResponse(sdk, tokenParams, res as OAuthResponse, urls);\n })\n .finally(function () {\n if (popupWindow && !popupWindow.closed) {\n popupWindow.close();\n }\n });\n\n case 'IDP_POPUP':\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n var idpPromise = addIDPPopupLisenter(sdk, options.timeout, options.channel!, tokenParams.state!);\n\n // Redirect for authorization\n // popupWindow can be null when popup is blocked\n if (popupWindow) {\n popupWindow.location.assign(requestUrl);\n }\n else {\n throw new AuthSdkError('Unable to open popup window');\n }\n\n return idpPromise\n .then(function (res) {\n return handleOAuthResponse(sdk, tokenParams, res as OAuthResponse, urls);\n });\n\n default:\n throw new AuthSdkError('The full page redirect flow is not supported');\n }\n 
});\n}"],"mappings":";;;;AAeA;AAOA;AASA;AACA;AACA;AAhCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACO,SAASA,QAAQ,CAACC,GAA2B,EAAEC,OAAkC,EAAE;EACxF,IAAIC,SAAS,CAACC,MAAM,GAAG,CAAC,EAAE;IACxB,OAAOC,OAAO,CAACC,MAAM,CAAC,IAAIC,qBAAY,CAAC,kEAAkE,CAAC,CAAC;EAC7G;EAEAL,OAAO,GAAGA,OAAO,IAAI,CAAC,CAAC;;EAEvB;EACA;EACA,MAAMM,WAAW,GAAGN,OAAO,CAACM,WAAW;EACvCN,OAAO,CAACM,WAAW,GAAGC,SAAS;EAE/B,OAAO,IAAAC,sCAAkB,EAACT,GAAG,EAAEC,OAAO,CAAC,CACpCS,IAAI,CAAC,UAAUC,WAAwB,EAAE;IAExC;IACA,IAAIC,qBAAqB,GAAG;MAC1BC,MAAM,EAAE,MAAM;MACdC,YAAY,EAAE,mBAAmB;MACjCC,OAAO,EAAE;IACX,CAAC;IAED,IAAIC,YAAY,GAAG;MACjBD,OAAO,EAAE;IACX,CAAC;IAED,IAAId,OAAO,CAACgB,YAAY,EAAE;MACxBC,MAAM,CAACC,MAAM,CAACR,WAAW,EAAEC,qBAAqB,CAAC;IACnD,CAAC,MAAM,IAAIX,OAAO,CAACmB,GAAG,EAAE;MACtBF,MAAM,CAACC,MAAM,CAACR,WAAW,EAAEK,YAAY,CAAC;IAC1C;;IAEA;IACA,IAAIK,UAAU,EACZC,QAAQ,EACRC,IAAI;;IAEN;IACAA,IAAI,GAAG,IAAAC,kBAAY,EAACxB,GAAG,EAAEW,WAAW,CAAC;IACrCW,QAAQ,GAAGrB,OAAO,CAACwB,YAAY,GAAGF,IAAI,CAACG,QAAQ,GAAGH,IAAI,CAACI,YAAY;IACnEN,UAAU,GAAGC,QAAQ,GAAG,IAAAM,+BAAoB,EAACjB,WAAW,CAAC;;IAEzD;IACA,IAAIkB,QAAuD,GAAG,UAAU;IACxE,IAAIlB,WAAW,CAACM,YAAY,IAAIN,WAAW,CAACI,OAAO,KAAK,IAAI,EAAE;MAC5Dc,QAAQ,GAAG,QAAQ;IACrB,CAAC,MACI,IAAIlB,WAAW,CAACI,OAAO,KAAK,OAAO,EAAE;MACxCc,QAAQ,GAAG5B,OAAO,CAAC6B,QAAQ,GAAG,WAAW,GAAG,OAAO;IACrD,CAAC,MACI;MACHD,QAAQ,GAAG,UAAU;IACvB;;IAEA;IACA,QAAQA,QAAQ;MACd,KAAK,QAAQ;QACX,IAAIE,aAAa,GAAG,IAAAC,4BAAsB,EAAChC,GAAG,EAAEC,OAAO,CAACgC,OAAO,EAAEtB,WAAW,CAACuB,KAAK,CAAC;QACnF,IAAIC,QAAQ,GAAG,IAAAC,eAAS,EAACf,UAAU,CAAC;QACpC,OAAOU,aAAa,CACjBrB,IAAI,CAAC,UAAU2B,GAAG,EAAE;UACnB,OAAO,IAAAC,wCAAmB,EAACtC,GAAG,EAAEW,WAAW,EAAE0B,GAAG,EAAmBd,IAAI,CAAC;QAC1E,CAAC,CAAC,CACDgB,OAAO,CAAC,YAAY;UACnB,IAAIC,QAAQ,CAACC,IAAI,CAACC,QAAQ,CAACP,QAAQ,CAAC,E
AAE;YACpCA,QAAQ,CAACQ,aAAa,EAAEC,WAAW,CAACT,QAAQ,CAAC;UAC/C;QACF,CAAC,CAAC;MAEN,KAAK,OAAO;QACV,IAAIU,YAAY,CAAC,CAAC;;QAElB;QACA;QACA,IAAIlC,WAAW,CAACG,YAAY,KAAK,mBAAmB,EAAE;UACpD,IAAI,CAACd,GAAG,CAAC8C,QAAQ,CAACC,2BAA2B,EAAE,EAAE;YAC/C,MAAM,IAAIzC,qBAAY,CAAC,qDAAqD,CAAC;UAC/E;UACAuC,YAAY,GAAG,IAAAb,4BAAsB,EAAChC,GAAG,EAAEC,OAAO,CAACgC,OAAO,EAAEtB,WAAW,CAACuB,KAAK,CAAC;QAChF;;QAEA;QACA;QACA,IAAI3B,WAAW,EAAE;UACfA,WAAW,CAACyC,QAAQ,CAAC7B,MAAM,CAACE,UAAU,CAAC;QACzC;;QAEA;QACA,IAAI4B,YAAY,GAAG,IAAI7C,OAAO,CAAC,UAAU8C,OAAO,EAAE7C,MAAM,EAAE;UACxD,IAAI8C,WAAW,GAAGC,WAAW,CAAC,YAAY;YACxC,IAAI,CAAC7C,WAAW,IAAIA,WAAW,CAAC8C,MAAM,EAAE;cACtCC,aAAa,CAACH,WAAW,CAAC;cAC1B9C,MAAM,CAAC,IAAIC,qBAAY,CAAC,qCAAqC,CAAC,CAAC;YACjE;UACF,CAAC,EAAE,GAAG,CAAC;;UAEP;UACAuC,YAAY,CACTnC,IAAI,CAAC,UAAU2B,GAAG,EAAE;YACnBiB,aAAa,CAACH,WAAW,CAAC;YAC1BD,OAAO,CAACb,GAAG,CAAC;UACd,CAAC,CAAC,CACDkB,KAAK,CAAC,UAAUC,GAAG,EAAE;YACpBF,aAAa,CAACH,WAAW,CAAC;YAC1B9C,MAAM,CAACmD,GAAG,CAAC;UACb,CAAC,CAAC;QACN,CAAC,CAAC;QAEF,OAAOP,YAAY,CAChBvC,IAAI,CAAC,UAAU2B,GAAG,EAAE;UACnB,OAAO,IAAAC,wCAAmB,EAACtC,GAAG,EAAEW,WAAW,EAAE0B,GAAG,EAAmBd,IAAI,CAAC;QAC1E,CAAC,CAAC,CACDgB,OAAO,CAAC,YAAY;UACnB,IAAIhC,WAAW,IAAI,CAACA,WAAW,CAAC8C,MAAM,EAAE;YACtC9C,WAAW,CAACkD,KAAK,EAAE;UACrB;QACF,CAAC,CAAC;MAEN,KAAK,WAAW;QACd;QACA,IAAIC,UAAU,GAAG,IAAAC,yBAAmB,EAAC3D,GAAG,EAAEC,OAAO,CAACgC,OAAO,EAAEhC,OAAO,CAAC2D,OAAO,EAAGjD,WAAW,CAACuB,KAAK,CAAE;;QAEhG;QACA;QACA,IAAI3B,WAAW,EAAE;UACfA,WAAW,CAACyC,QAAQ,CAAC7B,MAAM,CAACE,UAAU,CAAC;QACzC,CAAC,MACI;UACH,MAAM,IAAIf,qBAAY,CAAC,6BAA6B,CAAC;QACvD;QAEA,OAAOoD,UAAU,CAChBhD,IAAI,CAAC,UAAU2B,GAAG,EAAE;UACnB,OAAO,IAAAC,wCAAmB,EAACtC,GAAG,EAAEW,WAAW,EAAE0B,GAAG,EAAmBd,IAAI,CAAC;QAC1E,CAAC,CAAC;MAEJ;QACE,MAAM,IAAIjB,qBAAY,CAAC,8CAA8C,CAAC;IAAC;EAE7E,CAAC,CAAC;AACN"}
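--- a/package/cjs/oidc/getWithPopup.js
+++ b/package/cjs/oidc/getWithPopup.js
@@ -1,5 +1,6 @@
 "use strict";
 
+exports.getWithIDPPopup = getWithIDPPopup;
 exports.getWithPopup = getWithPopup;
 var _errors = require("../errors");
 var _util = require("../util");
@@ -35,4 +36,51 @@ function getWithPopup(sdk, options) {
 });
 return (0, _getToken.getToken)(sdk, options);
 }
+function getWithIDPPopup(sdk, options) {
+try {
+// eslint-disable-next-line compat/compat
+if (!BroadcastChannel) {
+throw new _errors.AuthSdkError('Modern browser with `BroadcastChannel` support is required to use this method');
+}
+if (!options.redirectUri) {
+throw new _errors.AuthSdkError('`redirectUri` is a required param for `getWithIDPPopup`');
+}
+if (!options.state) {
+options.state = (0, _util2.generateState)();
+}
+
+// some browsers (safari, firefox) block popup if it's initialed from an async process
+// here we create the popup window immediately after user interaction
+// then redirect to the /authorize endpoint when the requestUrl is available
+const popupWindow = (0, _util2.loadPopup)('/', options);
+// eslint-disable-next-line compat/compat
+const channel = new BroadcastChannel(`popup-callback:${options.state}`);
+options = (0, _util.clone)(options) || {};
+Object.assign(options, {
+display: 'popup',
+responseMode: 'query',
+popupWindow,
+idpPopup: true,
+channel
+});
+let cancelPromise;
+const promise = new Promise((resolve, reject) => {
+cancelPromise = reject;
+return (0, _getToken.getToken)(sdk, options).then(res => resolve(res)).catch(err => reject(err));
+});
+const cancel = () => {
+channel.close();
+cancelPromise(new _errors.AuthSdkError('Popup flow canceled'));
+};
+return {
+promise,
+cancel
+};
+} catch (err) {
+return {
+promise: Promise.reject(err),
+cancel: () => {} // noop, no need to for method when error is thrown
+};
+}
+}
 //# sourceMappingURL=getWithPopup.js.map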
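Review bot: `if (!BroadcastChannel)` in getWithIDPPopup throws a ReferenceError in a runtime where that global is absent, so the outer catch rejects with that error instead of the intended AuthSdkError about browser support; use `if (typeof BroadcastChannel === 'undefined') {` instead. The function also assigns `options.state` and calls loadPopup on the caller's object before `clone(options)`, so the caller's options are mutated; cloning first, or generating the state on the clone, would keep the parameter untouched. `cancel` closes the channel and rejects the promise but does not close `popupWindow`, and nothing closes the channel when the flow completes normally; judging by the getToken source embedded in the map above, the IDP_POPUP branch never closes the popup either, so a cancelled or finished flow can leave the window open. Consider `if (popupWindow && !popupWindow.closed) popupWindow.close();` in cancel and a `.finally(() => channel.close())` on the getToken promise.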
@@ -1 +1 @@
1
- {"version":3,"file":"getWithPopup.js","names":["getWithPopup","sdk","options","arguments","length","Promise","reject","AuthSdkError","popupWindow","loadPopup","clone","Object","assign","display","responseMode","getToken"],"sources":["../../../lib/oidc/getWithPopup.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { clone } from '../util';\nimport { getToken } from './getToken';\nimport { loadPopup } from './util';\n\nexport function getWithPopup(sdk: OktaAuthOAuthInterface, options: TokenParams): Promise<TokenResponse> {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getWithPopup\" takes only a single set of options'));\n }\n\n // some browsers (safari, firefox) block popup if it's initialed from an async process\n // here we create the popup window immediately after user interaction\n // then redirect to the /authorize endpoint when the requestUrl is available\n const popupWindow = loadPopup('/', options);\n options = clone(options) || {};\n Object.assign(options, {\n display: 'popup',\n responseMode: 'okta_post_message',\n popupWindow\n });\n return getToken(sdk, 
options);\n}\n"],"mappings":";;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOO,SAASA,YAAY,CAACC,GAA2B,EAAEC,OAAoB,EAA0B;EACtG,IAAIC,SAAS,CAACC,MAAM,GAAG,CAAC,EAAE;IACxB,OAAOC,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,sEAAsE,CAAC,CAAC;EACjH;;EAEA;EACA;EACA;EACA,MAAMC,WAAW,GAAG,IAAAC,gBAAS,EAAC,GAAG,EAAEP,OAAO,CAAC;EAC3CA,OAAO,GAAG,IAAAQ,WAAK,EAACR,OAAO,CAAC,IAAI,CAAC,CAAC;EAC9BS,MAAM,CAACC,MAAM,CAACV,OAAO,EAAE;IACrBW,OAAO,EAAE,OAAO;IAChBC,YAAY,EAAE,mBAAmB;IACjCN;EACF,CAAC,CAAC;EACF,OAAO,IAAAO,kBAAQ,EAACd,GAAG,EAAEC,OAAO,CAAC;AAC/B"}
1
+ {"version":3,"file":"getWithPopup.js","names":["getWithPopup","sdk","options","arguments","length","Promise","reject","AuthSdkError","popupWindow","loadPopup","clone","Object","assign","display","responseMode","getToken","getWithIDPPopup","BroadcastChannel","redirectUri","state","generateState","channel","idpPopup","cancelPromise","promise","resolve","then","res","catch","err","cancel","close"],"sources":["../../../lib/oidc/getWithPopup.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { clone } from '../util';\nimport { getToken } from './getToken';\nimport { loadPopup, generateState } from './util';\n\nexport function getWithPopup(sdk: OktaAuthOAuthInterface, options: TokenParams): Promise<TokenResponse> {\n if (arguments.length > 2) {\n return Promise.reject(new AuthSdkError('As of version 3.0, \"getWithPopup\" takes only a single set of options'));\n }\n\n // some browsers (safari, firefox) block popup if it's initialed from an async process\n // here we create the popup window immediately after user interaction\n // then redirect to the /authorize endpoint when the requestUrl is available\n const popupWindow = loadPopup('/', options);\n options = clone(options) || {};\n Object.assign(options, {\n display: 'popup',\n 
responseMode: 'okta_post_message',\n popupWindow\n });\n return getToken(sdk, options);\n}\n\nexport function getWithIDPPopup(\n sdk: OktaAuthOAuthInterface,\n options: Omit<TokenParams, 'redirectUri'> & { redirectUri: string }\n): { cancel: () => void, promise: Promise<TokenResponse> } {\n try {\n // eslint-disable-next-line compat/compat\n if (!BroadcastChannel) {\n throw new AuthSdkError('Modern browser with `BroadcastChannel` support is required to use this method');\n }\n\n if (!options.redirectUri) {\n throw new AuthSdkError('`redirectUri` is a required param for `getWithIDPPopup`');\n }\n\n if (!options.state) {\n options.state = generateState();\n }\n\n // some browsers (safari, firefox) block popup if it's initialed from an async process\n // here we create the popup window immediately after user interaction\n // then redirect to the /authorize endpoint when the requestUrl is available\n const popupWindow = loadPopup('/', options);\n // eslint-disable-next-line compat/compat\n const channel = new BroadcastChannel(`popup-callback:${options.state}`);\n\n options = clone(options) || {};\n Object.assign(options, {\n display: 'popup',\n responseMode: 'query',\n popupWindow,\n idpPopup: true,\n channel,\n });\n\n let cancelPromise;\n const promise = new Promise<TokenResponse>((resolve, reject) => {\n cancelPromise = reject;\n return getToken(sdk, options)\n .then((res) => resolve(res))\n .catch(err => reject(err));\n });\n\n const cancel = () => {\n channel.close();\n cancelPromise(new AuthSdkError('Popup flow canceled'));\n };\n\n return {\n promise,\n cancel\n };\n }\n catch (err) {\n return {\n promise: Promise.reject(err),\n cancel: () => {} // noop, no need to for method when error is thrown\n };\n 
}\n}\n"],"mappings":";;;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOO,SAASA,YAAY,CAACC,GAA2B,EAAEC,OAAoB,EAA0B;EACtG,IAAIC,SAAS,CAACC,MAAM,GAAG,CAAC,EAAE;IACxB,OAAOC,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,sEAAsE,CAAC,CAAC;EACjH;;EAEA;EACA;EACA;EACA,MAAMC,WAAW,GAAG,IAAAC,gBAAS,EAAC,GAAG,EAAEP,OAAO,CAAC;EAC3CA,OAAO,GAAG,IAAAQ,WAAK,EAACR,OAAO,CAAC,IAAI,CAAC,CAAC;EAC9BS,MAAM,CAACC,MAAM,CAACV,OAAO,EAAE;IACrBW,OAAO,EAAE,OAAO;IAChBC,YAAY,EAAE,mBAAmB;IACjCN;EACF,CAAC,CAAC;EACF,OAAO,IAAAO,kBAAQ,EAACd,GAAG,EAAEC,OAAO,CAAC;AAC/B;AAEO,SAASc,eAAe,CAC7Bf,GAA2B,EAC3BC,OAAmE,EACV;EAC1D,IAAI;IACF;IACA,IAAI,CAACe,gBAAgB,EAAE;MACtB,MAAM,IAAIV,oBAAY,CAAC,+EAA+E,CAAC;IACzG;IAEA,IAAI,CAACL,OAAO,CAACgB,WAAW,EAAE;MACxB,MAAM,IAAIX,oBAAY,CAAC,yDAAyD,CAAC;IACnF;IAEA,IAAI,CAACL,OAAO,CAACiB,KAAK,EAAE;MAClBjB,OAAO,CAACiB,KAAK,GAAG,IAAAC,oBAAa,GAAE;IACjC;;IAEA;IACA;IACA;IACA,MAAMZ,WAAW,GAAG,IAAAC,gBAAS,EAAC,GAAG,EAAEP,OAAO,CAAC;IAC3C;IACA,MAAMmB,OAAO,GAAG,IAAIJ,gBAAgB,CAAE,kBAAiBf,OAAO,CAACiB,KAAM,EAAC,CAAC;IAEvEjB,OAAO,GAAG,IAAAQ,WAAK,EAACR,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9BS,MAAM,CAACC,MAAM,CAACV,OAAO,EAAE;MACrBW,OAAO,EAAE,OAAO;MAChBC,YAAY,EAAE,OAAO;MACrBN,WAAW;MACXc,QAAQ,EAAE,IAAI;MACdD;IACF,CAAC,CAAC;IAEF,IAAIE,aAAa;IACjB,MAAMC,OAAO,GAAG,IAAInB,OAAO,CAAgB,CAACoB,OAAO,EAAEnB,MAAM,KAAK;MAC9DiB,aAAa,GAAGjB,MAAM;MACtB,OAAO,IAAAS,kBAAQ,EAACd,GAAG,EAAEC,OAAO,CAAC,CAC5BwB,IAAI,CAAEC,GAAG,IAAKF,OAAO,CAACE,GAAG,CAAC,CAAC,CAC3BC,KAAK,CAACC,GAAG,IAAIvB,MAAM,CAACuB,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC;IAEF,MAAMC,MAAM,GAAG,MAAM;MACnBT,OAAO,CAACU,KAAK,EAAE;MACfR,aAAa,CAAC,IAAIhB,oBAAY,CAAC,qBAAqB,CAAC,CAAC;IACxD,CAAC;IAED,OAAO;MACLiB,OAAO;MACPM;IACF,CAAC;EACF,CAAC,CACD,OAAOD,GAAG,EAAE;IACX,OAAO;MACLL,OAAO,EAAEnB,OAAO,CAACC,MAAM,CAACuB,GAAG,CAAC;MAC5BC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAI;IACtB,CAAC;EACF;AACD"}
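--- a/package/cjs/oidc/handleOAuthResponse.js
+++ b/package/cjs/oidc/handleOAuthResponse.js
@@ -29,12 +29,6 @@ function validateResponse(res, oauthParams) {
 if (res.state !== oauthParams.state) {
 throw new _errors.AuthSdkError('OAuth flow response state doesn\'t match request state');
 }
-
-// https://datatracker.ietf.org/doc/html/rfc9449#token-response
-// "A token_type of DPoP MUST be included in the access token response to signal to the client"
-if (oauthParams.dpop && res.token_type !== 'DPoP') {
-throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
-}
 }
 async function handleOAuthResponse(sdk, tokenParams, res, urls) {
 const pkce = sdk.options.pkce !== false;
@@ -63,6 +57,19 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
 
 // Handling the result from implicit flow or PKCE token exchange
 validateResponse(res, tokenParams);
+if (tokenParams.dpop) {
+const {
+allowBearerTokens
+} = sdk.options?.dpopOptions ?? {
+allowBearerTokens: false
+};
+
+// https://datatracker.ietf.org/doc/html/rfc9449#token-response
+// "A token_type of DPoP MUST be included in the access token response to signal to the client"
+if (!allowBearerTokens && res.token_type !== 'DPoP') {
+throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
+}
+}
 const tokenDict = {};
 const expiresIn = res.expires_in;
 const tokenType = res.token_type;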
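Review bot: When `allowBearerTokens` is set and a Bearer token is accepted under a DPoP configuration, the rest of handleOAuthResponse (visible in the source embedded in the map below) still copies `tokenParams.dpopPairId` onto the access and refresh tokens, so a token that is not sender-constrained is stored as if it were bound to a DPoP key pair. Consider assigning `dpopPairId` only when `res.token_type === 'DPoP'`, or at least documenting the downgrade next to the new check, e.g. `// allowBearerTokens opts out of the RFC 9449 binding check: the returned token may be a plain bearer token with no proof-of-possession`. The default of `allowBearerTokens: false` fails closed, which is the right choice. The enclosing function continues past both ends of the hunk.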
@@ -1 +1 @@
1
- {"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n\n // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n if (oauthParams.dpop && res.token_type !== 'DPoP') {\n throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call 
`handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.accessToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n\n if 
(tokenParams.dpopPairId) {\n tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (idToken) {\n const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n if (tokenParams.extraParams) {\n idTokenObj.extraParams = tokenParams.extraParams;\n }\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAGvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MAC
tBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd6B,QAAQ,EAAE7C,IAAI,CAAC6C,QAAS;MACxBJ,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C;IACf,CAAC;IAED,IAAI/C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGjD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpB1B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAAC6C,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1C/B,QAAQ,EAAEA,QAAS;MACnB0B,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpBM,KAAK,EAAErD,WAAW,CAACqD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAEtD,WAAW,CAACsD;IACzB,CAAC;IAED,IAAItD,WAAW,CAACuD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGvD,WAAW,CAACuD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC1D,GAAG,EAAEkD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAInC,YAAY,CAAC4C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC4C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SA
AS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLgE,MAAM,EAAErC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}
1
+ {"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","dpop","allowBearerTokens","dpopOptions","token_type","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || 
getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n if (tokenParams.dpop) {\n const { allowBearerTokens } = sdk.options?.dpopOptions ?? { allowBearerTokens: false };\n\n // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n if (!allowBearerTokens && res.token_type !== 'DPoP') {\n throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n }\n }\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.accessToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: 
scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n }\n\n if (tokenParams.extraParams) {\n tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n }\n }\n\n if (idToken) {\n const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n if (tokenParams.extraParams) {\n idTokenObj.extraParams = tokenParams.extraParams;\n }\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;AACF;AAEO,eAAeC,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBP,GAAkB,EAClBQ,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKT,GAAG,CAACW,IAAI,IAAIX,GAAG,CAACY,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEjB,GAAG,CAACW,IAAI;MAC3BO,eAAe,EAAElB,GAAG,CAACY;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAIxB,GAAG,CAACyB,KAAK,EAAE;IACbD,MAAM,GAAGxB,GAAG,CAACyB,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA7B,gBAAgB,CAACC,GAAG,EAAEO,WAAW,CAAC;EAElC,IAAIA,WAAW,CAACsB,IAAI,EAAE;IACpB,MAAM;MAAEC;IAAkB,CAAC,GAAGxB,GAAG,CAACI,OAAO,EAAEqB,WAAW,IAAI;MAAED,iBAAiB,EAAE;IAAM,CAAC;;IAEtF;IACA;IACA,IAAI,CAACA,iBAAiB,IAAI9B,GAAG,CAACgC,UAAU,KAAK,MAAM,EAAE;MACnD,MAAM,IAAI5B,oBAAY,CAAC,wFAAwF,CAAC;IAClH;EACF;EAEA,MAAM6B,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGlC,GAAG,CAACmC,UAAU;EAChC,MAAMC,SAAS,GAAGpC,GAAG,CAACgC,UAAU;EAChC,MAAMK,WAAW,GAAGrC,GAAG,CAACsC,YAAY;EACpC,MAAMC,OAAO,GAAGvC,GAAG,CAACwC,QAAQ;EAC5B,MAAMC,YAAY,GAAGzC,GAAG,CAAC0C,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,G
AAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGzC,GAAG,CAACO,KAAK,CAACmC,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBZ,MAAM,EAAEA,MAAM;MACd6B,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCC,WAAW,EAAE9C,IAAI,CAAC8C;IACpB,CAAC;IAED,IAAI/C,WAAW,CAACgD,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAGhD,WAAW,CAACgD,UAAU;IAC3D;IAEA,IAAIhD,WAAW,CAACiD,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCnB,MAAM,EAAEA,MAAM;MACdiC,QAAQ,EAAEjD,IAAI,CAACiD,QAAS;MACxBJ,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCK,MAAM,EAAElD,IAAI,CAACkD;IACf,CAAC;IAED,IAAInD,WAAW,CAACgD,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAGhD,WAAW,CAACgD,UAAU;IAC5D;IAEA,IAAIhD,WAAW,CAACiD,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGrD,GAAG,CAACO,KAAK,CAACmC,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1DnB,MAAM,EAAEA,MAAM;MACd6B,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCK,MAAM,EAAElD,IAAI,CAACkD,MAAO;MACpB9B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAACiD,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1CnC,QAAQ,EAAEA,QAAS;MACnB8B,MAAM,EAAElD,IAAI,CAACkD,MAAO;MACpBM,KAAK,EAAEzD,WAAW,CAACyD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAE1D,WAAW,CAAC0D;IACzB,CAAC;IAED,IAAI1D,WAAW,CAAC2D,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAG3D,WAAW,CAAC2D,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC9D,GAAG,EAAEsD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAIvC,YAAY,CAACgD,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI
,WAAW,EAAE;IAClE;IACA,MAAM,IAAIjC,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAIiB,YAAY,CAACgD,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAInC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLkE,MAAM,EAAErC,SAAS;IACjB9B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBQ,IAAI,EAAEX,GAAG,CAACW,IAAI;IACdU;EACF,CAAC;AAEH"}
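--- a/package/cjs/oidc/index.js
+++ b/package/cjs/oidc/index.js
@@ -13,6 +13,7 @@ var _exportNames = {
  getToken: true,
  getWithoutPrompt: true,
  getWithPopup: true,
+ getWithIDPPopup: true,
  getWithRedirect: true,
  parseFromUrl: true,
  oidcIntrospect: true
@@ -41,6 +42,12 @@ Object.defineProperty(exports, "getUserInfo", {
  return _getUserInfo.getUserInfo;
  }
  });
+ Object.defineProperty(exports, "getWithIDPPopup", {
+ enumerable: true,
+ get: function () {
+ return _getWithPopup.getWithIDPPopup;
+ }
+ });
  Object.defineProperty(exports, "getWithPopup", {
  enumerable: true,
  get: function () {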
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":[],"sources":["../../../lib/oidc/index.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nexport * from './factory';\nexport * from './mixin';\nexport * from './storage';\nexport * from './endpoints';\nexport * from './options';\nexport * from './types';\nexport * from './TokenManager';\nexport * from './TransactionManager';\nexport * from './util';\n\nexport { decodeToken } from './decodeToken';\nexport { revokeToken } from './revokeToken';\nexport { renewToken } from './renewToken';\nexport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nexport { renewTokens } from './renewTokens';\nexport { verifyToken } from './verifyToken';\nexport { getUserInfo } from './getUserInfo';\nexport { handleOAuthResponse } from './handleOAuthResponse';\nexport { exchangeCodeForTokens } from './exchangeCodeForTokens';\nexport { getToken } from './getToken';\nexport { getWithoutPrompt } from './getWithoutPrompt';\nexport { getWithPopup } from './getWithPopup';\nexport { getWithRedirect } from './getWithRedirect';\nexport { parseFromUrl } from './parseFromUrl';\nexport { oidcIntrospect } from 
'./introspect';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA"}
1
+ {"version":3,"file":"index.js","names":[],"sources":["../../../lib/oidc/index.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nexport * from './factory';\nexport * from './mixin';\nexport * from './storage';\nexport * from './endpoints';\nexport * from './options';\nexport * from './types';\nexport * from './TokenManager';\nexport * from './TransactionManager';\nexport * from './util';\n\nexport { decodeToken } from './decodeToken';\nexport { revokeToken } from './revokeToken';\nexport { renewToken } from './renewToken';\nexport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nexport { renewTokens } from './renewTokens';\nexport { verifyToken } from './verifyToken';\nexport { getUserInfo } from './getUserInfo';\nexport { handleOAuthResponse } from './handleOAuthResponse';\nexport { exchangeCodeForTokens } from './exchangeCodeForTokens';\nexport { getToken } from './getToken';\nexport { getWithoutPrompt } from './getWithoutPrompt';\nexport { getWithPopup, getWithIDPPopup } from './getWithPopup';\nexport { getWithRedirect } from './getWithRedirect';\nexport { parseFromUrl } from './parseFromUrl';\nexport { oidcIntrospect } from 
'./introspect';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAYA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA"}
@@ -81,7 +81,10 @@ function createOAuthOptionsConstructor() {
81
81
  this.acrValues = options.acrValues;
82
82
  this.maxAge = options.maxAge;
83
83
  this.dpop = options.dpop === true; // dpop defaults to false
84
-
84
+ this.dpopOptions = {
85
+ allowBearerTokens: false,
86
+ ...options.dpopOptions
87
+ };
85
88
  this.tokenManager = options.tokenManager;
86
89
  this.postLogoutRedirectUri = options.postLogoutRedirectUri;
87
90
  this.restoreOriginalUri = options.restoreOriginalUri;
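Review bot: `this.dpopOptions` spreads `options.dpopOptions` verbatim, so `allowBearerTokens` becomes whatever value the caller supplied, while the sibling assignment `this.dpop = options.dpop === true;` one line above coerces strictly to a boolean; a truthy non-boolean such as the string `'false'` would relax the `token_type !== 'DPoP'` check that the handleOAuthResponse source shown earlier on this page applies when `dpop` is set. Mirroring the sibling keeps the option strictly boolean: `this.dpopOptions = { ...options.dpopOptions, allowBearerTokens: options.dpopOptions?.allowBearerTokens === true };`. Since the security effect of the flag is not visible from this constructor, a comment such as `// allowBearerTokens relaxes the RFC 9449 requirement that a DPoP-bound response carry token_type "DPoP"; leave false unless the authorization server is known to return Bearer tokens` would help the next reader. The enclosing `createOAuthOptionsConstructor` function starts and ends outside the hunk.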