@okta/okta-auth-js 7.12.0-rc1 → 7.12.1

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+# 7.12.1
+
+### Fixes
+
+- [#1585](https://github.com/okta/okta-auth-js/pull/1585) fix: `idx.poll` now respects `exchangeCodeForTokens` and `withCredentials` options
+
 # 7.12.0
 
 ### Features
@@ -8,6 +14,20 @@
   - A [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) resilient method of acquiring tokens using via external IDPs.
   - See [documentation](https://github.com/okta/okta-auth-js?tab=readme-ov-file#tokengetwithidppopupoptions) for more detailed explanation
 
+- [#1584](https://github.com/okta/okta-auth-js/pull/1584) feat: adds `dpopOptions.allowBearerTokens` configuration
+
+# 7.11.3
+
+### Fixes
+
+- [#1583](https://github.com/okta/okta-auth-js/pull/1583) fix: corrects `@babel/runtime` version
+
+# 7.11.2
+
+### Fixes
+
+- [#1581](https://github.com/okta/okta-auth-js/pull/1581) fix: bumps `@babel/runtime` version
+
 # 7.11.1
 
 ### Fixes

package/README.md

@@ -415,6 +415,10 @@ const config = {
   // other configurations
   pkce: true,     // required
   dpop: true,
+  dpopOptions: {
+    // set to `true` to skip the validation to check the resulting token response includes `token_type: DPoP`
+    allowBearerTokens: false    // defaults to `false`, tokens are validated to include `token_type: DPoP`
+  }
 };
 
 const authClient = new OktaAuth(config);
@@ -575,6 +579,20 @@ Default value is `false`. Set to `true` to enable `DPoP` (Demonstrating Proof-of
 
 See Guide: [Enabling DPoP](#enabling-dpop)
 
+#### `dpopOptions`
+
+Default value:
+```javascript
+dpopOptions: {
+  allowBearerTokens: false
+}
+```
+
+See Guide: [Enabling DPoP](#enabling-dpop)
+
+#### `dpopOptions.allowBearerTokens`
+
+When `false`, dpop-enabled token requests are validated to contain `token_type: DPoP` and will throw otherwise. Set to `true` to skip this validation and allow `Bearer` tokens as a possible `token_type`. This can be useful during a migration, to avoid needing to update a web application simutaneously with Okta Org configurations. Defaults to `false`
 
 #### responseMode
 
@@ -1662,6 +1680,8 @@ const { tokens } = await promise;
 authClient.tokenManager.setTokens(tokens);
 ```
 
+> The `redirectUri` must be a registered callback route. See [Login redirect URIs](#login-redirect-uris)
+
 #### Tradeoffs
 1. Since [`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) can no longer be relied upon, the popup window's flow needs to end on the same origin as the application requesting tokens. After successful authentication, the popup window will be redirect to the provided `redirectUri`, which needs to call `authClient.handleIDPPopupRedirect()`. In Single Page Apps (with a router), it's recommended to host a dedicated route, but this logic can be performed on the main page as well.
 

package/cjs/http/OktaUserAgent.js

@@ -20,7 +20,7 @@ var _features = require("../features");
 class OktaUserAgent {
   constructor() {
     // add base sdk env
-    this.environments = [`okta-auth-js/${"7.12.0-rc1"}`];
+    this.environments = [`okta-auth-js/${"7.12.1"}`];
     this.maybeAddNodeEnvironment();
   }
   addEnvironment(env) {
@@ -32,7 +32,7 @@ class OktaUserAgent {
     };
   }
   getVersion() {
-    return "7.12.0-rc1";
+    return "7.12.1";
   }
   maybeAddNodeEnvironment() {
     if ((0, _features.isBrowser)() || !process || !process.versions) {

package/cjs/http/OktaUserAgent.js.map

@@ -1 +1 @@
-{"version":3,"file":"OktaUserAgent.js","names":["OktaUserAgent","constructor","environments","maybeAddNodeEnvironment","addEnvironment","env","push","getHttpHeader","join","getVersion","isBrowser","process","versions","node","version"],"sources":["../../../lib/http/OktaUserAgent.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\n/* global SDK_VERSION */\n\nimport { isBrowser } from '../features';\nexport class OktaUserAgent {\n  environments: string[];\n\n  constructor() {\n    // add base sdk env\n    this.environments = [`okta-auth-js/${SDK_VERSION}`];\n    this.maybeAddNodeEnvironment();\n  }\n\n  addEnvironment(env: string) {\n    this.environments.push(env);\n  }\n\n  getHttpHeader() {\n    return { 'X-Okta-User-Agent-Extended': this.environments.join(' ') };\n  }\n\n  getVersion() {\n    return SDK_VERSION;\n  }\n\n  maybeAddNodeEnvironment() {\n    if (isBrowser() || !process || !process.versions) {\n      return;\n    }\n    const { node: version } = process.versions;\n    this.environments.push(`nodejs/${version}`);\n  }\n}\n"],"mappings":";;;AAeA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;;AAGO,MAAMA,aAAa,CAAC;EAGzBC,WAAW,GAAG;IACZ;IACA,IAAI,CAACC,YAAY,GAAG,CAAE,gBAAa,YAAc,EAAC,CAAC;IACnD,IAAI,CAACC,uBAAuB,EAAE;EAChC;EAEAC,cAAc,CAACC,GAAW,EAAE;IAC1B,IAAI,CAACH,YAAY,CAACI,IAAI,CAACD,GAAG,CAAC;EAC7B;EAEAE,aAAa,GAAG;IACd,OAAO;MAAE,4BAA4B,EAAE,IAAI,CAACL,YAAY,CAACM,IAAI,CAAC,GAAG;IAAE,CAAC;EACtE;EAEAC,UAAU,GAAG;IACX;EACF;EAEAN,uBAAuB,GAAG;IACxB,IAAI,IAAAO,mBAAS,GAAE,IAAI,CAACC,OAAO,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;MAChD;IACF;IACA,MAAM;MAAEC,IAAI,EAAEC;IAAQ,CAAC,GAAGH,OAAO,CAACC,QAAQ;IAC1C,IAAI,CAACV,YAAY,CAACI,IAAI,CAAE,UAASQ,OAAQ,EAAC,CAAC;EAC7C;AACF;AAAC"}
+{"version":3,"file":"OktaUserAgent.js","names":["OktaUserAgent","constructor","environments","maybeAddNodeEnvironment","addEnvironment","env","push","getHttpHeader","join","getVersion","isBrowser","process","versions","node","version"],"sources":["../../../lib/http/OktaUserAgent.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\n\n/* global SDK_VERSION */\n\nimport { isBrowser } from '../features';\nexport class OktaUserAgent {\n  environments: string[];\n\n  constructor() {\n    // add base sdk env\n    this.environments = [`okta-auth-js/${SDK_VERSION}`];\n    this.maybeAddNodeEnvironment();\n  }\n\n  addEnvironment(env: string) {\n    this.environments.push(env);\n  }\n\n  getHttpHeader() {\n    return { 'X-Okta-User-Agent-Extended': this.environments.join(' ') };\n  }\n\n  getVersion() {\n    return SDK_VERSION;\n  }\n\n  maybeAddNodeEnvironment() {\n    if (isBrowser() || !process || !process.versions) {\n      return;\n    }\n    const { node: version } = process.versions;\n    this.environments.push(`nodejs/${version}`);\n  }\n}\n"],"mappings":";;;AAeA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;;AAGO,MAAMA,aAAa,CAAC;EAGzBC,WAAW,GAAG;IACZ;IACA,IAAI,CAACC,YAAY,GAAG,CAAE,gBAAa,QAAc,EAAC,CAAC;IACnD,IAAI,CAACC,uBAAuB,EAAE;EAChC;EAEAC,cAAc,CAACC,GAAW,EAAE;IAC1B,IAAI,CAACH,YAAY,CAACI,IAAI,CAACD,GAAG,CAAC;EAC7B;EAEAE,aAAa,GAAG;IACd,OAAO;MAAE,4BAA4B,EAAE,IAAI,CAACL,YAAY,CAACM,IAAI,CAAC,GAAG;IAAE,CAAC;EACtE;EAEAC,UAAU,GAAG;IACX;EACF;EAEAN,uBAAuB,GAAG;IACxB,IAAI,IAAAO,mBAAS,GAAE,IAAI,CAACC,OAAO,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;MAChD;IACF;IACA,MAAM;MAAEC,IAAI,EAAEC;IAAQ,CAAC,GAAGH,OAAO,CAACC,QAAQ;IAC1C,IAAI,CAACV,YAAY,CAACI,IAAI,CAAE,UAASQ,OAAQ,EAAC,CAAC;EAC7C;AACF;AAAC"}

package/cjs/idx/poll.js

@@ -17,8 +17,14 @@ var _util = require("../util");
  */
 
 async function poll(authClient, options = {}) {
+  const {
+    withCredentials,
+    exchangeCodeForTokens
+  } = options;
   let transaction = await (0, _proceed.proceed)(authClient, {
-    startPolling: true
+    startPolling: true,
+    withCredentials,
+    exchangeCodeForTokens
   });
   const meta = (0, _transactionMeta.getSavedTransactionMeta)(authClient);
   let availablePollingRemeditaions = meta?.remediations?.find(remediation => remediation.includes('poll'));

package/cjs/idx/poll.js.map

@@ -1 +1 @@
-{"version":3,"file":"poll.js","names":["poll","authClient","options","transaction","proceed","startPolling","meta","getSavedTransactionMeta","availablePollingRemeditaions","remediations","find","remediation","includes","length","warn","Number","isInteger","refresh","Promise","resolve","reject","setTimeout","nextStep","err"],"sources":["../../../lib/idx/poll.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { proceed } from './proceed';\n\nimport { \n  IdxPollOptions,\n  IdxTransaction,\n  OktaAuthIdxInterface,\n} from './types';\nimport { getSavedTransactionMeta } from './transactionMeta';\nimport { warn } from '../util';\n\nexport async function poll(authClient: OktaAuthIdxInterface, options: IdxPollOptions = {}): Promise<IdxTransaction> {\n  let transaction = await proceed(authClient, {\n    startPolling: true\n  });\n\n  const meta = getSavedTransactionMeta(authClient);\n  let availablePollingRemeditaions = meta?.remediations?.find(remediation => remediation.includes('poll'));\n  if (!availablePollingRemeditaions?.length) {\n    warn('No polling remediations available at the current IDX flow stage');\n  }\n\n  if (Number.isInteger(options.refresh)) {\n    return new Promise(function (resolve, reject) {\n      setTimeout(async function () {\n        try {\n          const refresh = transaction.nextStep?.poll?.refresh;\n          if (refresh) {\n            resolve(poll(authClient, {\n              refresh\n            }));\n          } else {\n            resolve(transaction);\n          }\n        } catch (err) {\n          reject(err);\n        }\n      }, options.refresh);\n    });\n  }\n\n  return transaction;\n}\n"],"mappings":";;;AAYA;AAOA;AACA;AApBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAYO,eAAeA,IAAI,CAACC,UAAgC,EAAEC,OAAuB,GAAG,CAAC,CAAC,EAA2B;EAClH,IAAIC,WAAW,GAAG,MAAM,IAAAC,gBAAO,EAACH,UAAU,EAAE;IAC1CI,YAAY,EAAE;EAChB,CAAC,CAAC;EAEF,MAAMC,IAAI,GAAG,IAAAC,wCAAuB,EAACN,UAAU,CAAC;EAChD,IAAIO,4BAA4B,GAAGF,IAAI,EAAEG,YAAY,EAAEC,IAAI,CAACC,WAAW,IAAIA,WAAW,CAACC,QAAQ,CAAC,MAAM,CAAC,CAAC;EACxG,IAAI,CAACJ,4BAA4B,EAAEK,MAAM,EAAE;IACzC,IAAAC,UAAI,EAAC,iEAAiE,CAAC;EACzE;EAEA,IAAIC,MAAM,CAACC,SAAS,CAACd,OAAO,CAACe,OAAO,CAAC,EAAE;IACrC,OAAO,IAAIC,OAAO,CAAC,UAAUC,OAAO,EAAEC,MAAM,EAAE;MAC5CC,UAAU,CAAC,kBAAkB;QAC3B,IAAI;UACF,MAAMJ,OAAO,GAAGd,WAAW,CAACmB,QAAQ,EAAEtB,IAAI,EAAEiB,OAAO;UACnD,IAAIA,OAAO,EAAE;YACXE,OAAO,CAACnB,IAAI,CAACC,UAAU,EAAE;cACvBgB;YACF,CAAC,CAAC,CAAC;UACL,CAAC,MAAM;YACLE,OAAO,CAAChB,WAAW,CAAC;UACtB;QACF,CAAC,CAAC,OAAOoB,GAAG,EAAE;UACZH,MAAM,CAACG,GAAG,CAAC;QACb;MACF,CAAC,EAAErB,OAAO,CAACe,OAAO,CAAC;IACrB,CAAC,CAAC;EACJ;EAEA,OAAOd,WAAW;AACpB"}
+{"version":3,"file":"poll.js","names":["poll","authClient","options","withCredentials","exchangeCodeForTokens","transaction","proceed","startPolling","meta","getSavedTransactionMeta","availablePollingRemeditaions","remediations","find","remediation","includes","length","warn","Number","isInteger","refresh","Promise","resolve","reject","setTimeout","nextStep","err"],"sources":["../../../lib/idx/poll.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { proceed } from './proceed';\n\nimport { \n  IdxPollOptions,\n  IdxTransaction,\n  OktaAuthIdxInterface,\n} from './types';\nimport { getSavedTransactionMeta } from './transactionMeta';\nimport { warn } from '../util';\n\nexport async function poll(authClient: OktaAuthIdxInterface, options: IdxPollOptions = {}): Promise<IdxTransaction> {\n  const { withCredentials, exchangeCodeForTokens } = options;\n  let transaction = await proceed(authClient, {\n    startPolling: true,\n    withCredentials,\n    exchangeCodeForTokens\n  });\n\n  const meta = getSavedTransactionMeta(authClient);\n  let availablePollingRemeditaions = meta?.remediations?.find(remediation => remediation.includes('poll'));\n  if (!availablePollingRemeditaions?.length) {\n    warn('No polling remediations available at the current IDX flow stage');\n  }\n\n  if (Number.isInteger(options.refresh)) {\n    return new Promise(function (resolve, reject) {\n      setTimeout(async function () {\n        try {\n          const refresh = transaction.nextStep?.poll?.refresh;\n          if (refresh) {\n            resolve(poll(authClient, {\n              refresh\n            }));\n          } else {\n            resolve(transaction);\n          }\n        } catch (err) {\n          reject(err);\n        }\n      }, options.refresh);\n    });\n  }\n\n  return transaction;\n}\n"],"mappings":";;;AAYA;AAOA;AACA;AApBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAYO,eAAeA,IAAI,CAACC,UAAgC,EAAEC,OAAuB,GAAG,CAAC,CAAC,EAA2B;EAClH,MAAM;IAAEC,eAAe;IAAEC;EAAsB,CAAC,GAAGF,OAAO;EAC1D,IAAIG,WAAW,GAAG,MAAM,IAAAC,gBAAO,EAACL,UAAU,EAAE;IAC1CM,YAAY,EAAE,IAAI;IAClBJ,eAAe;IACfC;EACF,CAAC,CAAC;EAEF,MAAMI,IAAI,GAAG,IAAAC,wCAAuB,EAACR,UAAU,CAAC;EAChD,IAAIS,4BAA4B,GAAGF,IAAI,EAAEG,YAAY,EAAEC,IAAI,CAACC,WAAW,IAAIA,WAAW,CAACC,QAAQ,CAAC,MAAM,CAAC,CAAC;EACxG,IAAI,CAACJ,4BAA4B,EAAEK,MAAM,EAAE;IACzC,IAAAC,UAAI,EAAC,iEAAiE,CAAC;EACzE;EAEA,IAAIC,MAAM,CAACC,SAAS,CAAChB,OAAO,CAACiB,OAAO,CAAC,EAAE;IACrC,OAAO,IAAIC,OAAO,CAAC,UAAUC,OAAO,EAAEC,MAAM,EAAE;MAC5CC,UAAU,CAAC,kBAAkB;QAC3B,IAAI;UACF,MAAMJ,OAAO,GAAGd,WAAW,CAACmB,QAAQ,EAAExB,IAAI,EAAEmB,OAAO;UACnD,IAAIA,OAAO,EAAE;YACXE,OAAO,CAACrB,IAAI,CAACC,UAAU,EAAE;cACvBkB;YACF,CAAC,CAAC,CAAC;UACL,CAAC,MAAM;YACLE,OAAO,CAAChB,WAAW,CAAC;UACtB;QACF,CAAC,CAAC,OAAOoB,GAAG,EAAE;UACZH,MAAM,CAACG,GAAG,CAAC;QACb;MACF,CAAC,EAAEvB,OAAO,CAACiB,OAAO,CAAC;IACrB,CAAC,CAAC;EACJ;EAEA,OAAOd,WAAW;AACpB"}

package/cjs/idx/types/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","names":["IdxStatus","AuthenticatorKey","IdxFeature","isAuthenticator","obj","key","id"],"sources":["../../../../lib/idx/types/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { APIError } from '../../errors/types';\nimport {\n  OktaAuthOAuthInterface,\n  MinimalOktaOAuthInterface,\n  Tokens,\n  TransactionManagerConstructor,\n  TransactionManagerInterface\n} from '../../oidc/types';\nimport { FlowIdentifier } from './FlowIdentifier';\nimport {\n  IdxActions,\n  IdxAuthenticator,\n  IdxContext,\n  IdxForm,\n  IdxMessage,\n  IdxOption,\n  IdxRemediation,\n  IdxResponse,\n  RawIdxResponse,\n  IdxActionParams,\n  IdpConfig,\n  IdxToPersist,\n  ChallengeData,\n  ActivationData,\n} from './idx-js';\nimport {\n  AccountUnlockOptions,\n  AuthenticationOptions,\n  CancelOptions,\n  InteractOptions,\n  IntrospectOptions,\n  OktaAuthIdxOptions,\n  PasswordRecoveryOptions,\n  ProceedOptions,\n  RegistrationOptions,\n  StartOptions,\n  IdxTransactionMetaOptions\n} from './options';\nimport { IdxTransactionMeta } from './meta';\nimport { IdxStorageManagerInterface, SavedIdxResponse } from './storage';\nimport type {\n  WebauthnEnrollValues,\n  WebauthnVerificationValues\n} from '../authenticator';\nimport { OktaAuthConstructor, FingerprintAPI } from '../../base/types';\n\nexport enum IdxStatus {\n  SUCCESS = 'SUCCESS',\n  PENDING = 'PENDING',\n  FAILURE = 'FAILURE',\n  TERMINAL = 'TERMINAL',\n  CANCELED = 'CANCELED',\n}\n\nexport enum AuthenticatorKey {\n  OKTA_PASSWORD = 'okta_password',\n  OKTA_EMAIL = 'okta_email',\n  PHONE_NUMBER = 'phone_number',\n  GOOGLE_AUTHENTICATOR = 'google_otp',\n  SECURITY_QUESTION = 'security_question',\n  OKTA_VERIFY = 'okta_verify',\n  WEBAUTHN = 'webauthn',\n}\n\nexport type Input = {\n  name: string;\n  key?: string;\n  type?: string;\n  label?: string;\n  value?: string | {form: IdxForm} | Input[];\n  minLength?: number;\n  maxLength?: number;\n  secret?: boolean;\n  required?: boolean;\n  options?: IdxOption[];\n  mutable?: boolean;\n  visible?: boolean;\n  customLabel?: boolean\n}\n\n\nexport interface IdxPollOptions {\n  required?: boolean;\n  refresh?: number;\n}\n\nexport type NextStep = {\n  name: string;\n  authenticator?: IdxAuthenticator;\n  canSkip?: boolean;\n  canResend?: boolean;\n  inputs?: Input[];\n  poll?: IdxPollOptions;\n  authenticatorEnrollments?: IdxAuthenticator[];\n  // eslint-disable-next-line no-use-before-define\n  action?: (params?: IdxActionParams) => Promise<IdxTransaction>;\n  idp?: IdpConfig;\n  href?: string;\n  relatesTo?: {\n    type?: string;\n    value: IdxAuthenticator;\n  };\n  refresh?: number;\n}\n\nexport enum IdxFeature {\n  PASSWORD_RECOVERY = 'recover-password',\n  REGISTRATION = 'enroll-profile',\n  SOCIAL_IDP = 'redirect-idp',\n  ACCOUNT_UNLOCK = 'unlock-account',\n}\n\n\nexport interface IdxTransaction {\n  status: IdxStatus;\n  tokens?: Tokens;\n  nextStep?: NextStep;\n  messages?: IdxMessage[];\n  error?: APIError | IdxResponse;\n  meta?: IdxTransactionMeta;\n  enabledFeatures?: IdxFeature[];\n  availableSteps?: NextStep[];\n  requestDidSucceed?: boolean;\n  stepUp?: boolean;\n  \n  // from idx-js, used by signin widget\n  proceed: (remediationName: string, params: unknown) => Promise<IdxResponse>;\n  neededToProceed: IdxRemediation[];\n  rawIdxState: RawIdxResponse;\n  interactionCode?: string;\n  actions: IdxActions;\n  context: IdxContext;\n}\n\n\nexport type Authenticator = {\n  id?: string;\n  key?: string;\n  methodType?: string;\n  phoneNumber?: string;\n  channel?: string;\n};\n\nexport function isAuthenticator(obj: any): obj is Authenticator {\n  return obj && (obj.key || obj.id);\n}\n\nexport interface RemediationResponse {\n  idxResponse: IdxResponse;\n  nextStep?: NextStep;\n  messages?: IdxMessage[];\n  terminal?: boolean;\n  canceled?: boolean;\n}\n\nexport interface InteractResponse {\n  state?: string;\n  interactionHandle: string;\n  meta: IdxTransactionMeta;\n}\n\nexport interface EmailVerifyCallbackResponse {\n  state: string;\n  otp: string;\n}\n\nexport interface MinimalIdxAPI {\n  // lowest level api\n  makeIdxResponse: (rawIdxResponse: RawIdxResponse, toPersist: IdxToPersist, requestDidSucceed: boolean) => IdxResponse;\n\n  // flow control\n  start: (options?: StartOptions) => Promise<IdxTransaction>;\n  canProceed(options?: ProceedOptions): boolean;\n  proceed: (options?: ProceedOptions) => Promise<IdxTransaction>;\n\n  // call `start` instead of `startTransaction`. `startTransaction` will be removed in next major version (7.0)\n  startTransaction: (options?: StartOptions) => Promise<IdxTransaction>;\n\n  // transaction meta\n  getSavedTransactionMeta: (options?: IdxTransactionMetaOptions) => IdxTransactionMeta | undefined;\n  createTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  getTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  saveTransactionMeta: (meta: unknown) => void;\n  clearTransactionMeta: () => void;\n  isTransactionMetaValid: (meta: unknown) => boolean;\n}\n\nexport interface IdxAPI {\n  // lowest level api\n  interact: (options?: InteractOptions) => Promise<InteractResponse>;\n  introspect: (options?: IntrospectOptions) => Promise<IdxResponse>;\n  makeIdxResponse: (rawIdxResponse: RawIdxResponse, toPersist: IdxToPersist, requestDidSucceed: boolean) => IdxResponse;\n\n  // flow entrypoints\n  authenticate: (options?: AuthenticationOptions) => Promise<IdxTransaction>;\n  register: (options?: RegistrationOptions) => Promise<IdxTransaction>;\n  recoverPassword: (options?: PasswordRecoveryOptions) => Promise<IdxTransaction>;\n  unlockAccount: (options?: AccountUnlockOptions) => Promise<IdxTransaction>;\n  poll: (options?: IdxPollOptions) => Promise<IdxTransaction>;\n\n  // flow control\n  start: (options?: StartOptions) => Promise<IdxTransaction>;\n  canProceed(options?: ProceedOptions): boolean;\n  proceed: (options?: ProceedOptions) => Promise<IdxTransaction>;\n  cancel: (options?: CancelOptions) => Promise<IdxTransaction>;\n  getFlow(): FlowIdentifier | undefined;\n  setFlow(flow: FlowIdentifier): void;\n\n  // call `start` instead of `startTransaction`. `startTransaction` will be removed in next major version (7.0)\n  startTransaction: (options?: StartOptions) => Promise<IdxTransaction>;\n\n  // redirect callbacks\n  isInteractionRequired: (hashOrSearch?: string) => boolean;\n  isInteractionRequiredError: (error: Error) => boolean; \n  handleInteractionCodeRedirect: (url: string) => Promise<void>;\n  isEmailVerifyCallback: (search: string) => boolean;\n  parseEmailVerifyCallback: (search: string) => EmailVerifyCallbackResponse;\n  handleEmailVerifyCallback: (search: string) => Promise<IdxTransaction | undefined>;\n  isEmailVerifyCallbackError: (error: Error) => boolean;\n\n  // transaction meta\n  getSavedTransactionMeta: (options?: IdxTransactionMetaOptions) => IdxTransactionMeta | undefined;\n  createTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  getTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  saveTransactionMeta: (meta: unknown) => void;\n  clearTransactionMeta: () => void;\n  isTransactionMetaValid: (meta: unknown) => boolean;\n}\n\nexport interface IdxTransactionManagerInterface extends TransactionManagerInterface {\n  saveIdxResponse(data: SavedIdxResponse): void;\n  loadIdxResponse(options?: IntrospectOptions): SavedIdxResponse | null;\n  clearIdxResponse(): void;\n}\n\nexport type IdxTransactionManagerConstructor = TransactionManagerConstructor<IdxTransactionManagerInterface>;\n\nexport interface WebauthnAPI {\n  getAssertion(credential: PublicKeyCredential): WebauthnVerificationValues;\n  getAttestation(credential: PublicKeyCredential): WebauthnEnrollValues;\n  buildCredentialRequestOptions(\n    challengeData: ChallengeData, authenticatorEnrollments: IdxAuthenticator[]\n  ): CredentialRequestOptions;\n  buildCredentialCreationOptions(\n    activationData: ActivationData, authenticatorEnrollments: IdxAuthenticator[]\n  ): CredentialCreationOptions;\n}\n\n\nexport interface OktaAuthIdxInterface\n<\n  M extends IdxTransactionMeta = IdxTransactionMeta,\n  S extends IdxStorageManagerInterface<M> = IdxStorageManagerInterface<M>,\n  O extends OktaAuthIdxOptions = OktaAuthIdxOptions,\n  TM extends IdxTransactionManagerInterface = IdxTransactionManagerInterface\n>\n  extends OktaAuthOAuthInterface<M, S, O, TM>\n{\n  idx: IdxAPI;\n  fingerprint: FingerprintAPI;\n}\n\nexport interface MinimalOktaAuthIdxInterface\n<\n  M extends IdxTransactionMeta = IdxTransactionMeta,\n  S extends IdxStorageManagerInterface<M> = IdxStorageManagerInterface<M>,\n  O extends OktaAuthIdxOptions = OktaAuthIdxOptions,\n  TM extends IdxTransactionManagerInterface = IdxTransactionManagerInterface\n>\n  extends MinimalOktaOAuthInterface<M, S, O, TM>\n{\n  idx: MinimalIdxAPI;\n  fingerprint: FingerprintAPI;\n}\n\nexport interface OktaAuthIdxConstructor\n<\n  I extends MinimalOktaAuthIdxInterface = OktaAuthIdxInterface\n>\n extends OktaAuthConstructor<I>\n{\n  new(...args: any[]): I;\n  webauthn: WebauthnAPI;\n}\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IA0DYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAAA,IAQTC,gBAAgB;AAAA;AAAA,WAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;AAAA,GAAhBA,gBAAgB,gCAAhBA,gBAAgB;AAAA,IAmDhBC,UAAU;AAAA;AAAA,WAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;AAAA,GAAVA,UAAU,0BAAVA,UAAU;AAsCf,SAASC,eAAe,CAACC,GAAQ,EAAwB;EAC9D,OAAOA,GAAG,KAAKA,GAAG,CAACC,GAAG,IAAID,GAAG,CAACE,EAAE,CAAC;AACnC"}
+{"version":3,"file":"api.js","names":["IdxStatus","AuthenticatorKey","IdxFeature","isAuthenticator","obj","key","id"],"sources":["../../../../lib/idx/types/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { APIError } from '../../errors/types';\nimport {\n  OktaAuthOAuthInterface,\n  MinimalOktaOAuthInterface,\n  Tokens,\n  TransactionManagerConstructor,\n  TransactionManagerInterface\n} from '../../oidc/types';\nimport { FlowIdentifier } from './FlowIdentifier';\nimport {\n  IdxActions,\n  IdxAuthenticator,\n  IdxContext,\n  IdxForm,\n  IdxMessage,\n  IdxOption,\n  IdxRemediation,\n  IdxResponse,\n  RawIdxResponse,\n  IdxActionParams,\n  IdpConfig,\n  IdxToPersist,\n  ChallengeData,\n  ActivationData,\n} from './idx-js';\nimport {\n  IdxOptions,\n  AccountUnlockOptions,\n  AuthenticationOptions,\n  CancelOptions,\n  InteractOptions,\n  IntrospectOptions,\n  OktaAuthIdxOptions,\n  PasswordRecoveryOptions,\n  ProceedOptions,\n  RegistrationOptions,\n  StartOptions,\n  IdxTransactionMetaOptions\n} from './options';\nimport { IdxTransactionMeta } from './meta';\nimport { IdxStorageManagerInterface, SavedIdxResponse } from './storage';\nimport type {\n  WebauthnEnrollValues,\n  WebauthnVerificationValues\n} from '../authenticator';\nimport { OktaAuthConstructor, FingerprintAPI } from '../../base/types';\n\nexport enum IdxStatus {\n  SUCCESS = 'SUCCESS',\n  PENDING = 'PENDING',\n  FAILURE = 'FAILURE',\n  TERMINAL = 'TERMINAL',\n  CANCELED = 'CANCELED',\n}\n\nexport enum AuthenticatorKey {\n  OKTA_PASSWORD = 'okta_password',\n  OKTA_EMAIL = 'okta_email',\n  PHONE_NUMBER = 'phone_number',\n  GOOGLE_AUTHENTICATOR = 'google_otp',\n  SECURITY_QUESTION = 'security_question',\n  OKTA_VERIFY = 'okta_verify',\n  WEBAUTHN = 'webauthn',\n}\n\nexport type Input = {\n  name: string;\n  key?: string;\n  type?: string;\n  label?: string;\n  value?: string | {form: IdxForm} | Input[];\n  minLength?: number;\n  maxLength?: number;\n  secret?: boolean;\n  required?: boolean;\n  options?: IdxOption[];\n  mutable?: boolean;\n  visible?: boolean;\n  customLabel?: boolean\n}\n\n\nexport interface IdxPollOptions extends Pick<IdxOptions, 'exchangeCodeForTokens' | 'withCredentials' > {\n  required?: boolean;\n  refresh?: number;\n}\n\nexport type NextStep = {\n  name: string;\n  authenticator?: IdxAuthenticator;\n  canSkip?: boolean;\n  canResend?: boolean;\n  inputs?: Input[];\n  poll?: IdxPollOptions;\n  authenticatorEnrollments?: IdxAuthenticator[];\n  // eslint-disable-next-line no-use-before-define\n  action?: (params?: IdxActionParams) => Promise<IdxTransaction>;\n  idp?: IdpConfig;\n  href?: string;\n  relatesTo?: {\n    type?: string;\n    value: IdxAuthenticator;\n  };\n  refresh?: number;\n}\n\nexport enum IdxFeature {\n  PASSWORD_RECOVERY = 'recover-password',\n  REGISTRATION = 'enroll-profile',\n  SOCIAL_IDP = 'redirect-idp',\n  ACCOUNT_UNLOCK = 'unlock-account',\n}\n\n\nexport interface IdxTransaction {\n  status: IdxStatus;\n  tokens?: Tokens;\n  nextStep?: NextStep;\n  messages?: IdxMessage[];\n  error?: APIError | IdxResponse;\n  meta?: IdxTransactionMeta;\n  enabledFeatures?: IdxFeature[];\n  availableSteps?: NextStep[];\n  requestDidSucceed?: boolean;\n  stepUp?: boolean;\n  \n  // from idx-js, used by signin widget\n  proceed: (remediationName: string, params: unknown) => Promise<IdxResponse>;\n  neededToProceed: IdxRemediation[];\n  rawIdxState: RawIdxResponse;\n  interactionCode?: string;\n  actions: IdxActions;\n  context: IdxContext;\n}\n\n\nexport type Authenticator = {\n  id?: string;\n  key?: string;\n  methodType?: string;\n  phoneNumber?: string;\n  channel?: string;\n};\n\nexport function isAuthenticator(obj: any): obj is Authenticator {\n  return obj && (obj.key || obj.id);\n}\n\nexport interface RemediationResponse {\n  idxResponse: IdxResponse;\n  nextStep?: NextStep;\n  messages?: IdxMessage[];\n  terminal?: boolean;\n  canceled?: boolean;\n}\n\nexport interface InteractResponse {\n  state?: string;\n  interactionHandle: string;\n  meta: IdxTransactionMeta;\n}\n\nexport interface EmailVerifyCallbackResponse {\n  state: string;\n  otp: string;\n}\n\nexport interface MinimalIdxAPI {\n  // lowest level api\n  makeIdxResponse: (rawIdxResponse: RawIdxResponse, toPersist: IdxToPersist, requestDidSucceed: boolean) => IdxResponse;\n\n  // flow control\n  start: (options?: StartOptions) => Promise<IdxTransaction>;\n  canProceed(options?: ProceedOptions): boolean;\n  proceed: (options?: ProceedOptions) => Promise<IdxTransaction>;\n\n  // call `start` instead of `startTransaction`. `startTransaction` will be removed in next major version (7.0)\n  startTransaction: (options?: StartOptions) => Promise<IdxTransaction>;\n\n  // transaction meta\n  getSavedTransactionMeta: (options?: IdxTransactionMetaOptions) => IdxTransactionMeta | undefined;\n  createTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  getTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  saveTransactionMeta: (meta: unknown) => void;\n  clearTransactionMeta: () => void;\n  isTransactionMetaValid: (meta: unknown) => boolean;\n}\n\nexport interface IdxAPI {\n  // lowest level api\n  interact: (options?: InteractOptions) => Promise<InteractResponse>;\n  introspect: (options?: IntrospectOptions) => Promise<IdxResponse>;\n  makeIdxResponse: (rawIdxResponse: RawIdxResponse, toPersist: IdxToPersist, requestDidSucceed: boolean) => IdxResponse;\n\n  // flow entrypoints\n  authenticate: (options?: AuthenticationOptions) => Promise<IdxTransaction>;\n  register: (options?: RegistrationOptions) => Promise<IdxTransaction>;\n  recoverPassword: (options?: PasswordRecoveryOptions) => Promise<IdxTransaction>;\n  unlockAccount: (options?: AccountUnlockOptions) => Promise<IdxTransaction>;\n  poll: (options?: IdxPollOptions) => Promise<IdxTransaction>;\n\n  // flow control\n  start: (options?: StartOptions) => Promise<IdxTransaction>;\n  canProceed(options?: ProceedOptions): boolean;\n  proceed: (options?: ProceedOptions) => Promise<IdxTransaction>;\n  cancel: (options?: CancelOptions) => Promise<IdxTransaction>;\n  getFlow(): FlowIdentifier | undefined;\n  setFlow(flow: FlowIdentifier): void;\n\n  // call `start` instead of `startTransaction`. `startTransaction` will be removed in next major version (7.0)\n  startTransaction: (options?: StartOptions) => Promise<IdxTransaction>;\n\n  // redirect callbacks\n  isInteractionRequired: (hashOrSearch?: string) => boolean;\n  isInteractionRequiredError: (error: Error) => boolean; \n  handleInteractionCodeRedirect: (url: string) => Promise<void>;\n  isEmailVerifyCallback: (search: string) => boolean;\n  parseEmailVerifyCallback: (search: string) => EmailVerifyCallbackResponse;\n  handleEmailVerifyCallback: (search: string) => Promise<IdxTransaction | undefined>;\n  isEmailVerifyCallbackError: (error: Error) => boolean;\n\n  // transaction meta\n  getSavedTransactionMeta: (options?: IdxTransactionMetaOptions) => IdxTransactionMeta | undefined;\n  createTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  getTransactionMeta: (options?: IdxTransactionMetaOptions) => Promise<IdxTransactionMeta>;\n  saveTransactionMeta: (meta: unknown) => void;\n  clearTransactionMeta: () => void;\n  isTransactionMetaValid: (meta: unknown) => boolean;\n}\n\nexport interface IdxTransactionManagerInterface extends TransactionManagerInterface {\n  saveIdxResponse(data: SavedIdxResponse): void;\n  loadIdxResponse(options?: IntrospectOptions): SavedIdxResponse | null;\n  clearIdxResponse(): void;\n}\n\nexport type IdxTransactionManagerConstructor = TransactionManagerConstructor<IdxTransactionManagerInterface>;\n\nexport interface WebauthnAPI {\n  getAssertion(credential: PublicKeyCredential): WebauthnVerificationValues;\n  getAttestation(credential: PublicKeyCredential): WebauthnEnrollValues;\n  buildCredentialRequestOptions(\n    challengeData: ChallengeData, authenticatorEnrollments: IdxAuthenticator[]\n  ): CredentialRequestOptions;\n  buildCredentialCreationOptions(\n    activationData: ActivationData, authenticatorEnrollments: IdxAuthenticator[]\n  ): CredentialCreationOptions;\n}\n\n\nexport interface OktaAuthIdxInterface\n<\n  M extends IdxTransactionMeta = IdxTransactionMeta,\n  S extends IdxStorageManagerInterface<M> = IdxStorageManagerInterface<M>,\n  O extends OktaAuthIdxOptions = OktaAuthIdxOptions,\n  TM extends IdxTransactionManagerInterface = IdxTransactionManagerInterface\n>\n  extends OktaAuthOAuthInterface<M, S, O, TM>\n{\n  idx: IdxAPI;\n  fingerprint: FingerprintAPI;\n}\n\nexport interface MinimalOktaAuthIdxInterface\n<\n  M extends IdxTransactionMeta = IdxTransactionMeta,\n  S extends IdxStorageManagerInterface<M> = IdxStorageManagerInterface<M>,\n  O extends OktaAuthIdxOptions = OktaAuthIdxOptions,\n  TM extends IdxTransactionManagerInterface = IdxTransactionManagerInterface\n>\n  extends MinimalOktaOAuthInterface<M, S, O, TM>\n{\n  idx: MinimalIdxAPI;\n  fingerprint: FingerprintAPI;\n}\n\nexport interface OktaAuthIdxConstructor\n<\n  I extends MinimalOktaAuthIdxInterface = OktaAuthIdxInterface\n>\n extends OktaAuthConstructor<I>\n{\n  new(...args: any[]): I;\n  webauthn: WebauthnAPI;\n}\n"],"mappings":";;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IA2DYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAAA,IAQTC,gBAAgB;AAAA;AAAA,WAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;EAAhBA,gBAAgB;AAAA,GAAhBA,gBAAgB,gCAAhBA,gBAAgB;AAAA,IAmDhBC,UAAU;AAAA;AAAA,WAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;EAAVA,UAAU;AAAA,GAAVA,UAAU,0BAAVA,UAAU;AAsCf,SAASC,eAAe,CAACC,GAAQ,EAAwB;EAC9D,OAAOA,GAAG,KAAKA,GAAG,CAACC,GAAG,IAAID,GAAG,CAACE,EAAE,CAAC;AACnC"}

package/cjs/oidc/handleOAuthResponse.js

@@ -29,12 +29,6 @@ function validateResponse(res, oauthParams) {
   if (res.state !== oauthParams.state) {
     throw new _errors.AuthSdkError('OAuth flow response state doesn\'t match request state');
   }
-
-  // https://datatracker.ietf.org/doc/html/rfc9449#token-response
-  // "A token_type of DPoP MUST be included in the access token response to signal to the client"
-  if (oauthParams.dpop && res.token_type !== 'DPoP') {
-    throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
-  }
 }
 async function handleOAuthResponse(sdk, tokenParams, res, urls) {
   const pkce = sdk.options.pkce !== false;
@@ -63,6 +57,19 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
 
   // Handling the result from implicit flow or PKCE token exchange
   validateResponse(res, tokenParams);
+  if (tokenParams.dpop) {
+    const {
+      allowBearerTokens
+    } = sdk.options?.dpopOptions ?? {
+      allowBearerTokens: false
+    };
+
+    // https://datatracker.ietf.org/doc/html/rfc9449#token-response
+    // "A token_type of DPoP MUST be included in the access token response to signal to the client"
+    if (!allowBearerTokens && res.token_type !== 'DPoP') {
+      throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
+    }
+  }
   const tokenDict = {};
   const expiresIn = res.expires_in;
   const tokenType = res.token_type;

package/cjs/oidc/handleOAuthResponse.js.map

@@ -1 +1 @@
-{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n  getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n  OktaAuthOAuthInterface,\n  TokenVerifyParams,\n  IDToken,\n  OAuthResponse,\n  TokenParams,\n  TokenResponse,\n  CustomUrls,\n  Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n  if (res['error'] && res['error_description']) {\n    throw new OAuthError(res['error'], res['error_description']);\n  }\n\n  if (res.state !== oauthParams.state) {\n    throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n  }\n\n  // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n  // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n  if (oauthParams.dpop && res.token_type !== 'DPoP') {\n    throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n  }\n}\n\nexport async function handleOAuthResponse(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  res: OAuthResponse,\n  urls?: CustomUrls\n): Promise<TokenResponse> {\n  const pkce = sdk.options.pkce !== false;\n\n  // The result contains an authorization_code and PKCE is enabled \n  // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n  if (pkce && (res.code || res.interaction_code)) {\n    return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n      authorizationCode: res.code,\n      interactionCode: res.interaction_code\n    }), urls);\n  }\n\n  tokenParams = tokenParams || getDefaultTokenParams(sdk);\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n\n  let responseType = tokenParams.responseType || [];\n  if (!Array.isArray(responseType) && responseType !== 'none') {\n    responseType = [responseType];\n  }\n\n  let scopes;\n  if (res.scope) {\n    scopes = res.scope.split(' ');\n  } else {\n    scopes = clone(tokenParams.scopes);\n  }\n  const clientId = tokenParams.clientId || sdk.options.clientId;\n\n  // Handling the result from implicit flow or PKCE token exchange\n  validateResponse(res, tokenParams);\n\n  const tokenDict = {} as Tokens;\n  const expiresIn = res.expires_in;\n  const tokenType = res.token_type;\n  const accessToken = res.access_token;\n  const idToken = res.id_token;\n  const refreshToken = res.refresh_token;\n  const now = Math.floor(Date.now()/1000);\n\n  if (accessToken) {\n    const accessJwt = sdk.token.decode(accessToken);\n    tokenDict.accessToken = {\n      accessToken: accessToken,\n      claims: accessJwt.payload,\n      expiresAt: Number(expiresIn) + now,\n      tokenType: tokenType!,\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      userinfoUrl: urls.userinfoUrl!\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.accessToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (refreshToken) {\n    tokenDict.refreshToken = {\n      refreshToken: refreshToken,\n      // should not be used, this is the accessToken expire time\n      // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n      expiresAt: Number(expiresIn) + now, \n      scopes: scopes,\n      tokenUrl: urls.tokenUrl!,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (idToken) {\n    const idJwt = sdk.token.decode(idToken);\n    const idTokenObj: IDToken = {\n      idToken: idToken,\n      claims: idJwt.payload,\n      expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n      clientId: clientId!\n    };\n\n    if (tokenParams.extraParams) {\n      idTokenObj.extraParams = tokenParams.extraParams;\n    }\n\n    const validationParams: TokenVerifyParams = {\n      clientId: clientId!,\n      issuer: urls.issuer!,\n      nonce: tokenParams.nonce,\n      accessToken: accessToken,\n      acrValues: tokenParams.acrValues\n    };\n\n    if (tokenParams.ignoreSignature !== undefined) {\n      validationParams.ignoreSignature = tokenParams.ignoreSignature;\n    }\n\n    await verifyToken(sdk, idTokenObj, validationParams);\n    tokenDict.idToken = idTokenObj;\n  }\n\n  // Validate received tokens against requested response types \n  if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n  }\n  if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n  }\n\n  return {\n    tokens: tokenDict,\n    state: res.state!,\n    code: res.code,\n    responseType\n  };\n  \n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd6B,QAAQ,EAAE7C,IAAI,CAAC6C,QAAS;MACxBJ,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C;IACf,CAAC;IAED,IAAI/C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGjD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpB1B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAAC6C,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1C/B,QAAQ,EAAEA,QAAS;MACnB0B,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpBM,KAAK,EAAErD,WAAW,CAACqD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAEtD,WAAW,CAACsD;IACzB,CAAC;IAED,IAAItD,WAAW,CAACuD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGvD,WAAW,CAACuD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC1D,GAAG,EAAEkD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAInC,YAAY,CAAC4C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC4C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLgE,MAAM,EAAErC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}
+{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","dpop","allowBearerTokens","dpopOptions","token_type","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n  getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n  OktaAuthOAuthInterface,\n  TokenVerifyParams,\n  IDToken,\n  OAuthResponse,\n  TokenParams,\n  TokenResponse,\n  CustomUrls,\n  Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n  if (res['error'] && res['error_description']) {\n    throw new OAuthError(res['error'], res['error_description']);\n  }\n\n  if (res.state !== oauthParams.state) {\n    throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n  }\n}\n\nexport async function handleOAuthResponse(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  res: OAuthResponse,\n  urls?: CustomUrls\n): Promise<TokenResponse> {\n  const pkce = sdk.options.pkce !== false;\n\n  // The result contains an authorization_code and PKCE is enabled \n  // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n  if (pkce && (res.code || res.interaction_code)) {\n    return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n      authorizationCode: res.code,\n      interactionCode: res.interaction_code\n    }), urls);\n  }\n\n  tokenParams = tokenParams || getDefaultTokenParams(sdk);\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n\n  let responseType = tokenParams.responseType || [];\n  if (!Array.isArray(responseType) && responseType !== 'none') {\n    responseType = [responseType];\n  }\n\n  let scopes;\n  if (res.scope) {\n    scopes = res.scope.split(' ');\n  } else {\n    scopes = clone(tokenParams.scopes);\n  }\n  const clientId = tokenParams.clientId || sdk.options.clientId;\n\n  // Handling the result from implicit flow or PKCE token exchange\n  validateResponse(res, tokenParams);\n\n  if (tokenParams.dpop) {\n    const { allowBearerTokens } = sdk.options?.dpopOptions ?? { allowBearerTokens: false };\n\n    // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n    // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n    if (!allowBearerTokens && res.token_type !== 'DPoP') {\n      throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n    }\n  }\n\n  const tokenDict = {} as Tokens;\n  const expiresIn = res.expires_in;\n  const tokenType = res.token_type;\n  const accessToken = res.access_token;\n  const idToken = res.id_token;\n  const refreshToken = res.refresh_token;\n  const now = Math.floor(Date.now()/1000);\n\n  if (accessToken) {\n    const accessJwt = sdk.token.decode(accessToken);\n    tokenDict.accessToken = {\n      accessToken: accessToken,\n      claims: accessJwt.payload,\n      expiresAt: Number(expiresIn) + now,\n      tokenType: tokenType!,\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      userinfoUrl: urls.userinfoUrl!\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.accessToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (refreshToken) {\n    tokenDict.refreshToken = {\n      refreshToken: refreshToken,\n      // should not be used, this is the accessToken expire time\n      // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n      expiresAt: Number(expiresIn) + now, \n      scopes: scopes,\n      tokenUrl: urls.tokenUrl!,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (idToken) {\n    const idJwt = sdk.token.decode(idToken);\n    const idTokenObj: IDToken = {\n      idToken: idToken,\n      claims: idJwt.payload,\n      expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n      clientId: clientId!\n    };\n\n    if (tokenParams.extraParams) {\n      idTokenObj.extraParams = tokenParams.extraParams;\n    }\n\n    const validationParams: TokenVerifyParams = {\n      clientId: clientId!,\n      issuer: urls.issuer!,\n      nonce: tokenParams.nonce,\n      accessToken: accessToken,\n      acrValues: tokenParams.acrValues\n    };\n\n    if (tokenParams.ignoreSignature !== undefined) {\n      validationParams.ignoreSignature = tokenParams.ignoreSignature;\n    }\n\n    await verifyToken(sdk, idTokenObj, validationParams);\n    tokenDict.idToken = idTokenObj;\n  }\n\n  // Validate received tokens against requested response types \n  if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n  }\n  if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n  }\n\n  return {\n    tokens: tokenDict,\n    state: res.state!,\n    code: res.code,\n    responseType\n  };\n  \n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;AACF;AAEO,eAAeC,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBP,GAAkB,EAClBQ,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKT,GAAG,CAACW,IAAI,IAAIX,GAAG,CAACY,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEjB,GAAG,CAACW,IAAI;MAC3BO,eAAe,EAAElB,GAAG,CAACY;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAIxB,GAAG,CAACyB,KAAK,EAAE;IACbD,MAAM,GAAGxB,GAAG,CAACyB,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA7B,gBAAgB,CAACC,GAAG,EAAEO,WAAW,CAAC;EAElC,IAAIA,WAAW,CAACsB,IAAI,EAAE;IACpB,MAAM;MAAEC;IAAkB,CAAC,GAAGxB,GAAG,CAACI,OAAO,EAAEqB,WAAW,IAAI;MAAED,iBAAiB,EAAE;IAAM,CAAC;;IAEtF;IACA;IACA,IAAI,CAACA,iBAAiB,IAAI9B,GAAG,CAACgC,UAAU,KAAK,MAAM,EAAE;MACnD,MAAM,IAAI5B,oBAAY,CAAC,wFAAwF,CAAC;IAClH;EACF;EAEA,MAAM6B,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGlC,GAAG,CAACmC,UAAU;EAChC,MAAMC,SAAS,GAAGpC,GAAG,CAACgC,UAAU;EAChC,MAAMK,WAAW,GAAGrC,GAAG,CAACsC,YAAY;EACpC,MAAMC,OAAO,GAAGvC,GAAG,CAACwC,QAAQ;EAC5B,MAAMC,YAAY,GAAGzC,GAAG,CAAC0C,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGzC,GAAG,CAACO,KAAK,CAACmC,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBZ,MAAM,EAAEA,MAAM;MACd6B,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCC,WAAW,EAAE9C,IAAI,CAAC8C;IACpB,CAAC;IAED,IAAI/C,WAAW,CAACgD,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAGhD,WAAW,CAACgD,UAAU;IAC3D;IAEA,IAAIhD,WAAW,CAACiD,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCnB,MAAM,EAAEA,MAAM;MACdiC,QAAQ,EAAEjD,IAAI,CAACiD,QAAS;MACxBJ,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCK,MAAM,EAAElD,IAAI,CAACkD;IACf,CAAC;IAED,IAAInD,WAAW,CAACgD,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAGhD,WAAW,CAACgD,UAAU;IAC5D;IAEA,IAAIhD,WAAW,CAACiD,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGrD,GAAG,CAACO,KAAK,CAACmC,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1DnB,MAAM,EAAEA,MAAM;MACd6B,YAAY,EAAE7C,IAAI,CAAC6C,YAAa;MAChCK,MAAM,EAAElD,IAAI,CAACkD,MAAO;MACpB9B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAACiD,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAGjD,WAAW,CAACiD,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1CnC,QAAQ,EAAEA,QAAS;MACnB8B,MAAM,EAAElD,IAAI,CAACkD,MAAO;MACpBM,KAAK,EAAEzD,WAAW,CAACyD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAE1D,WAAW,CAAC0D;IACzB,CAAC;IAED,IAAI1D,WAAW,CAAC2D,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAG3D,WAAW,CAAC2D,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC9D,GAAG,EAAEsD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAIvC,YAAY,CAACgD,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAIjC,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAIiB,YAAY,CAACgD,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAInC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLkE,MAAM,EAAErC,SAAS;IACjB9B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBQ,IAAI,EAAEX,GAAG,CAACW,IAAI;IACdU;EACF,CAAC;AAEH"}

package/cjs/oidc/options/OAuthOptionsConstructor.js

@@ -81,7 +81,10 @@ function createOAuthOptionsConstructor() {
       this.acrValues = options.acrValues;
       this.maxAge = options.maxAge;
       this.dpop = options.dpop === true; // dpop defaults to false
-
+      this.dpopOptions = {
+        allowBearerTokens: false,
+        ...options.dpopOptions
+      };
       this.tokenManager = options.tokenManager;
       this.postLogoutRedirectUri = options.postLogoutRedirectUri;
       this.restoreOriginalUri = options.restoreOriginalUri;

package/cjs/oidc/options/OAuthOptionsConstructor.js.map

@@ -1 +1 @@
-{"version":3,"file":"OAuthOptionsConstructor.js","names":["assertValidConfig","args","scopes","Array","isArray","AuthSdkError","issuer","isUrlRegex","RegExp","test","indexOf","createOAuthOptionsConstructor","HttpOptionsConstructor","createHttpOptionsConstructor","OAuthOptionsConstructor","constructor","options","removeTrailingSlash","tokenUrl","authorizeUrl","userinfoUrl","revokeUrl","logoutUrl","pkce","clientId","redirectUri","isBrowser","toAbsoluteUrl","window","location","origin","responseType","responseMode","state","ignoreSignature","codeChallenge","codeChallengeMethod","acrValues","maxAge","dpop","tokenManager","postLogoutRedirectUri","restoreOriginalUri","transactionManager","enableSharedStorage","clientSecret","setLocation","ignoreLifetime","maxClockSkew","DEFAULT_MAX_CLOCK_SKEW"],"sources":["../../../../lib/oidc/options/OAuthOptionsConstructor.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { DEFAULT_MAX_CLOCK_SKEW } from '../../constants';\nimport { removeTrailingSlash, toAbsoluteUrl } from '../../util/url';\nimport { isBrowser } from '../../features';\nimport { createHttpOptionsConstructor } from '../../http/options';\nimport {\n  OAuthResponseMode,\n  OAuthResponseType,\n  OktaAuthOAuthInterface,\n  OktaAuthOAuthOptions,\n  SetLocationFunction,\n  TokenManagerOptions,\n  TransactionManagerOptions\n} from '../types';\nimport { enableSharedStorage } from './node';\nimport AuthSdkError from '../../errors/AuthSdkError';\n\nfunction assertValidConfig(args) {\n  args = args || {};\n\n  var scopes = args.scopes;\n  if (scopes && !Array.isArray(scopes)) {\n    throw new AuthSdkError('scopes must be a array of strings. ' +\n      'Required usage: new OktaAuth({scopes: [\"openid\", \"email\"]})');\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  var issuer = args.issuer!;\n  if (!issuer) {\n    throw new AuthSdkError('No issuer passed to constructor. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  var isUrlRegex = new RegExp('^http?s?://.+');\n  if (!isUrlRegex.test(issuer)) {\n    throw new AuthSdkError('Issuer must be a valid URL. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  if (issuer.indexOf('-admin.okta') !== -1) {\n    throw new AuthSdkError('Issuer URL passed to constructor contains \"-admin\" in subdomain. ' +\n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com})');\n  }\n}\n\nexport function createOAuthOptionsConstructor() {\n  const HttpOptionsConstructor = createHttpOptionsConstructor();\n  return class OAuthOptionsConstructor\n    extends HttpOptionsConstructor\n    implements Required<OktaAuthOAuthOptions>\n  {\n    // CustomUrls\n    issuer: string;\n    authorizeUrl: string;\n    userinfoUrl: string;\n    tokenUrl: string;\n    revokeUrl: string;\n    logoutUrl: string;\n    \n    // TokenParams\n    pkce: boolean;\n    clientId: string;\n    redirectUri: string;\n    responseType: OAuthResponseType | OAuthResponseType[];\n    responseMode: OAuthResponseMode;\n    state: string;\n    scopes: string[];\n    ignoreSignature: boolean;\n    codeChallenge: string;\n    codeChallengeMethod: string;\n    acrValues: string;\n    maxAge: string | number;\n    dpop: boolean;\n\n    // Additional options\n    tokenManager: TokenManagerOptions;\n    postLogoutRedirectUri: string;\n    restoreOriginalUri: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n    transactionManager: TransactionManagerOptions;\n\n    // For server-side web applications ONLY!\n    clientSecret: string;\n    setLocation: SetLocationFunction;\n\n    // Workaround for bad client time/clock\n    ignoreLifetime: boolean;\n    maxClockSkew: number;\n\n\n    // eslint-disable-next-line max-statements\n    constructor(options: any) {\n      super(options);\n      \n      assertValidConfig(options);\n      \n      this.issuer = removeTrailingSlash(options.issuer);\n      this.tokenUrl = removeTrailingSlash(options.tokenUrl);\n      this.authorizeUrl = removeTrailingSlash(options.authorizeUrl);\n      this.userinfoUrl = removeTrailingSlash(options.userinfoUrl);\n      this.revokeUrl = removeTrailingSlash(options.revokeUrl);\n      this.logoutUrl = removeTrailingSlash(options.logoutUrl);\n\n      this.pkce = options.pkce === false ? false : true; // PKCE defaults to true\n      this.clientId = options.clientId;\n      this.redirectUri = options.redirectUri;\n      if (isBrowser()) {\n        this.redirectUri = toAbsoluteUrl(options.redirectUri, window.location.origin); // allow relative URIs\n      }\n      this.responseType = options.responseType;\n      this.responseMode = options.responseMode;\n      this.state = options.state;\n      this.scopes = options.scopes;\n      // Give the developer the ability to disable token signature validation.\n      this.ignoreSignature = !!options.ignoreSignature;\n      this.codeChallenge = options.codeChallenge;\n      this.codeChallengeMethod = options.codeChallengeMethod;\n      this.acrValues = options.acrValues;\n      this.maxAge = options.maxAge;\n      this.dpop = options.dpop === true; // dpop defaults to false\n\n      this.tokenManager = options.tokenManager;\n      this.postLogoutRedirectUri = options.postLogoutRedirectUri;\n      this.restoreOriginalUri = options.restoreOriginalUri;\n      this.transactionManager = { enableSharedStorage, ...options.transactionManager };\n      \n      this.clientSecret = options.clientSecret;\n      this.setLocation = options.setLocation;\n      \n      // As some end user's devices can have their date \n      // and time incorrectly set, allow for the disabling\n      // of the jwt liftetime validation\n      this.ignoreLifetime = !!options.ignoreLifetime;\n\n      // Digital clocks will drift over time, so the server\n      // can misalign with the time reported by the browser.\n      // The maxClockSkew allows relaxing the time-based\n      // validation of tokens (in seconds, not milliseconds).\n      // It currently defaults to 300, because 5 min is the\n      // default maximum tolerance allowed by Kerberos.\n      // (https://technet.microsoft.com/en-us/library/cc976357.aspx)\n      if (!options.maxClockSkew && options.maxClockSkew !== 0) {\n        this.maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;\n      } else {\n        this.maxClockSkew = options.maxClockSkew;\n      }\n\n    }\n  };\n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AAUA;AACA;AA1BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAkBA,SAASA,iBAAiB,CAACC,IAAI,EAAE;EAC/BA,IAAI,GAAGA,IAAI,IAAI,CAAC,CAAC;EAEjB,IAAIC,MAAM,GAAGD,IAAI,CAACC,MAAM;EACxB,IAAIA,MAAM,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,MAAM,CAAC,EAAE;IACpC,MAAM,IAAIG,qBAAY,CAAC,qCAAqC,GAC1D,6DAA6D,CAAC;EAClE;;EAEA;EACA,IAAIC,MAAM,GAAGL,IAAI,CAACK,MAAO;EACzB,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,qBAAY,CAAC,mCAAmC,GACxD,8FAA8F,CAAC;EACnG;EAEA,IAAIE,UAAU,GAAG,IAAIC,MAAM,CAAC,eAAe,CAAC;EAC5C,IAAI,CAACD,UAAU,CAACE,IAAI,CAACH,MAAM,CAAC,EAAE;IAC5B,MAAM,IAAID,qBAAY,CAAC,8BAA8B,GACnD,8FAA8F,CAAC;EACnG;EAEA,IAAIC,MAAM,CAACI,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE;IACxC,MAAM,IAAIL,qBAAY,CAAC,mEAAmE,GACxF,uEAAuE,CAAC;EAC5E;AACF;AAEO,SAASM,6BAA6B,GAAG;EAC9C,MAAMC,sBAAsB,GAAG,IAAAC,qCAA4B,GAAE;EAC7D,OAAO,MAAMC,uBAAuB,SAC1BF,sBAAsB,CAEhC;IACE;;IAQA;;IAeA;;IAMA;;IAIA;;IAKA;IACAG,WAAW,CAACC,OAAY,EAAE;MACxB,KAAK,CAACA,OAAO,CAAC;MAEdhB,iBAAiB,CAACgB,OAAO,CAAC;MAE1B,IAAI,CAACV,MAAM,GAAG,IAAAW,wBAAmB,EAACD,OAAO,CAACV,MAAM,CAAC;MACjD,IAAI,CAACY,QAAQ,GAAG,IAAAD,wBAAmB,EAACD,OAAO,CAACE,QAAQ,CAAC;MACrD,IAAI,CAACC,YAAY,GAAG,IAAAF,wBAAmB,EAACD,OAAO,CAACG,YAAY,CAAC;MAC7D,IAAI,CAACC,WAAW,GAAG,IAAAH,wBAAmB,EAACD,OAAO,CAACI,WAAW,CAAC;MAC3D,IAAI,CAACC,SAAS,GAAG,IAAAJ,wBAAmB,EAACD,OAAO,CAACK,SAAS,CAAC;MACvD,IAAI,CAACC,SAAS,GAAG,IAAAL,wBAAmB,EAACD,OAAO,CAACM,SAAS,CAAC;MAEvD,IAAI,CAACC,IAAI,GAAGP,OAAO,CAACO,IAAI,KAAK,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;MACnD,IAAI,CAACC,QAAQ,GAAGR,OAAO,CAACQ,QAAQ;MAChC,IAAI,CAACC,WAAW,GAAGT,OAAO,CAACS,WAAW;MACtC,IAAI,IAAAC,mBAAS,GAAE,EAAE;QACf,IAAI,CAACD,WAAW,GAAG,IAAAE,kBAAa,EAACX,OAAO,CAACS,WAAW,EAAEG,MAAM,CAACC,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC;MACjF;;MACA,IAAI,CAACC,YAAY,GAAGf,OAAO,CAACe,YAAY;MACxC,IAAI,CAACC,YAAY,GAAGhB,OAAO,CAACgB,YAAY;MACxC,IAAI,CAACC,KAAK,GAAGjB,OAAO,CAACiB,KAAK;MAC1B,IAAI,CAAC/B,MAAM,GAAGc,OAAO,CAACd,MAAM;MAC5B;MACA,IAAI,CAACgC,eAAe,GAAG,CAAC,CAAClB,OAAO,CAACkB,eAAe;MAChD,IAAI,CAACC,aAAa,GAAGnB,OAAO,CAACmB,aAAa;MAC1C,IAAI,CAACC,mBAAmB,GAAGpB,OAAO,CAACoB,mBAAmB;MACtD,IAAI,CAACC,SAAS,GAAGrB,OAAO,CAACqB,SAAS;MAClC,IAAI,CAACC,MAAM,GAAGtB,OAAO,CAACsB,MAAM;MAC5B,IAAI,CAACC,IAAI,GAAGvB,OAAO,CAACuB,IAAI,KAAK,IAAI,CAAC,CAAC;;MAEnC,IAAI,CAACC,YAAY,GAAGxB,OAAO,CAACwB,YAAY;MACxC,IAAI,CAACC,qBAAqB,GAAGzB,OAAO,CAACyB,qBAAqB;MAC1D,IAAI,CAACC,kBAAkB,GAAG1B,OAAO,CAAC0B,kBAAkB;MACpD,IAAI,CAACC,kBAAkB,GAAG;QAAEC,mBAAmB,EAAnBA,yBAAmB;QAAE,GAAG5B,OAAO,CAAC2B;MAAmB,CAAC;MAEhF,IAAI,CAACE,YAAY,GAAG7B,OAAO,CAAC6B,YAAY;MACxC,IAAI,CAACC,WAAW,GAAG9B,OAAO,CAAC8B,WAAW;;MAEtC;MACA;MACA;MACA,IAAI,CAACC,cAAc,GAAG,CAAC,CAAC/B,OAAO,CAAC+B,cAAc;;MAE9C;MACA;MACA;MACA;MACA;MACA;MACA;MACA,IAAI,CAAC/B,OAAO,CAACgC,YAAY,IAAIhC,OAAO,CAACgC,YAAY,KAAK,CAAC,EAAE;QACvD,IAAI,CAACA,YAAY,GAAGC,iCAAsB;MAC5C,CAAC,MAAM;QACL,IAAI,CAACD,YAAY,GAAGhC,OAAO,CAACgC,YAAY;MAC1C;IAEF;EACF,CAAC;AACH"}
+{"version":3,"file":"OAuthOptionsConstructor.js","names":["assertValidConfig","args","scopes","Array","isArray","AuthSdkError","issuer","isUrlRegex","RegExp","test","indexOf","createOAuthOptionsConstructor","HttpOptionsConstructor","createHttpOptionsConstructor","OAuthOptionsConstructor","constructor","options","removeTrailingSlash","tokenUrl","authorizeUrl","userinfoUrl","revokeUrl","logoutUrl","pkce","clientId","redirectUri","isBrowser","toAbsoluteUrl","window","location","origin","responseType","responseMode","state","ignoreSignature","codeChallenge","codeChallengeMethod","acrValues","maxAge","dpop","dpopOptions","allowBearerTokens","tokenManager","postLogoutRedirectUri","restoreOriginalUri","transactionManager","enableSharedStorage","clientSecret","setLocation","ignoreLifetime","maxClockSkew","DEFAULT_MAX_CLOCK_SKEW"],"sources":["../../../../lib/oidc/options/OAuthOptionsConstructor.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { DEFAULT_MAX_CLOCK_SKEW } from '../../constants';\nimport { removeTrailingSlash, toAbsoluteUrl } from '../../util/url';\nimport { isBrowser } from '../../features';\nimport { createHttpOptionsConstructor } from '../../http/options';\nimport {\n  OAuthResponseMode,\n  OAuthResponseType,\n  OktaAuthOAuthInterface,\n  OktaAuthOAuthOptions,\n  SetLocationFunction,\n  TokenManagerOptions,\n  TransactionManagerOptions,\n  DPoPOptions\n} from '../types';\nimport { enableSharedStorage } from './node';\nimport AuthSdkError from '../../errors/AuthSdkError';\n\nfunction assertValidConfig(args) {\n  args = args || {};\n\n  var scopes = args.scopes;\n  if (scopes && !Array.isArray(scopes)) {\n    throw new AuthSdkError('scopes must be a array of strings. ' +\n      'Required usage: new OktaAuth({scopes: [\"openid\", \"email\"]})');\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  var issuer = args.issuer!;\n  if (!issuer) {\n    throw new AuthSdkError('No issuer passed to constructor. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  var isUrlRegex = new RegExp('^http?s?://.+');\n  if (!isUrlRegex.test(issuer)) {\n    throw new AuthSdkError('Issuer must be a valid URL. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  if (issuer.indexOf('-admin.okta') !== -1) {\n    throw new AuthSdkError('Issuer URL passed to constructor contains \"-admin\" in subdomain. ' +\n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com})');\n  }\n}\n\nexport function createOAuthOptionsConstructor() {\n  const HttpOptionsConstructor = createHttpOptionsConstructor();\n  return class OAuthOptionsConstructor\n    extends HttpOptionsConstructor\n    implements Required<OktaAuthOAuthOptions>\n  {\n    // CustomUrls\n    issuer: string;\n    authorizeUrl: string;\n    userinfoUrl: string;\n    tokenUrl: string;\n    revokeUrl: string;\n    logoutUrl: string;\n    \n    // TokenParams\n    pkce: boolean;\n    clientId: string;\n    redirectUri: string;\n    responseType: OAuthResponseType | OAuthResponseType[];\n    responseMode: OAuthResponseMode;\n    state: string;\n    scopes: string[];\n    ignoreSignature: boolean;\n    codeChallenge: string;\n    codeChallengeMethod: string;\n    acrValues: string;\n    maxAge: string | number;\n    dpop: boolean;\n    dpopOptions: DPoPOptions;\n\n    // Additional options\n    tokenManager: TokenManagerOptions;\n    postLogoutRedirectUri: string;\n    restoreOriginalUri: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n    transactionManager: TransactionManagerOptions;\n\n    // For server-side web applications ONLY!\n    clientSecret: string;\n    setLocation: SetLocationFunction;\n\n    // Workaround for bad client time/clock\n    ignoreLifetime: boolean;\n    maxClockSkew: number;\n\n\n    // eslint-disable-next-line max-statements\n    constructor(options: any) {\n      super(options);\n      \n      assertValidConfig(options);\n      \n      this.issuer = removeTrailingSlash(options.issuer);\n      this.tokenUrl = removeTrailingSlash(options.tokenUrl);\n      this.authorizeUrl = removeTrailingSlash(options.authorizeUrl);\n      this.userinfoUrl = removeTrailingSlash(options.userinfoUrl);\n      this.revokeUrl = removeTrailingSlash(options.revokeUrl);\n      this.logoutUrl = removeTrailingSlash(options.logoutUrl);\n\n      this.pkce = options.pkce === false ? false : true; // PKCE defaults to true\n      this.clientId = options.clientId;\n      this.redirectUri = options.redirectUri;\n      if (isBrowser()) {\n        this.redirectUri = toAbsoluteUrl(options.redirectUri, window.location.origin); // allow relative URIs\n      }\n      this.responseType = options.responseType;\n      this.responseMode = options.responseMode;\n      this.state = options.state;\n      this.scopes = options.scopes;\n      // Give the developer the ability to disable token signature validation.\n      this.ignoreSignature = !!options.ignoreSignature;\n      this.codeChallenge = options.codeChallenge;\n      this.codeChallengeMethod = options.codeChallengeMethod;\n      this.acrValues = options.acrValues;\n      this.maxAge = options.maxAge;\n      this.dpop = options.dpop === true; // dpop defaults to false\n      this.dpopOptions = {\n        allowBearerTokens: false,\n        ...options.dpopOptions,\n      };\n\n      this.tokenManager = options.tokenManager;\n      this.postLogoutRedirectUri = options.postLogoutRedirectUri;\n      this.restoreOriginalUri = options.restoreOriginalUri;\n      this.transactionManager = { enableSharedStorage, ...options.transactionManager };\n      \n      this.clientSecret = options.clientSecret;\n      this.setLocation = options.setLocation;\n      \n      // As some end user's devices can have their date \n      // and time incorrectly set, allow for the disabling\n      // of the jwt liftetime validation\n      this.ignoreLifetime = !!options.ignoreLifetime;\n\n      // Digital clocks will drift over time, so the server\n      // can misalign with the time reported by the browser.\n      // The maxClockSkew allows relaxing the time-based\n      // validation of tokens (in seconds, not milliseconds).\n      // It currently defaults to 300, because 5 min is the\n      // default maximum tolerance allowed by Kerberos.\n      // (https://technet.microsoft.com/en-us/library/cc976357.aspx)\n      if (!options.maxClockSkew && options.maxClockSkew !== 0) {\n        this.maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;\n      } else {\n        this.maxClockSkew = options.maxClockSkew;\n      }\n\n    }\n  };\n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AAWA;AACA;AA3BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,iBAAiB,CAACC,IAAI,EAAE;EAC/BA,IAAI,GAAGA,IAAI,IAAI,CAAC,CAAC;EAEjB,IAAIC,MAAM,GAAGD,IAAI,CAACC,MAAM;EACxB,IAAIA,MAAM,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,MAAM,CAAC,EAAE;IACpC,MAAM,IAAIG,qBAAY,CAAC,qCAAqC,GAC1D,6DAA6D,CAAC;EAClE;;EAEA;EACA,IAAIC,MAAM,GAAGL,IAAI,CAACK,MAAO;EACzB,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,qBAAY,CAAC,mCAAmC,GACxD,8FAA8F,CAAC;EACnG;EAEA,IAAIE,UAAU,GAAG,IAAIC,MAAM,CAAC,eAAe,CAAC;EAC5C,IAAI,CAACD,UAAU,CAACE,IAAI,CAACH,MAAM,CAAC,EAAE;IAC5B,MAAM,IAAID,qBAAY,CAAC,8BAA8B,GACnD,8FAA8F,CAAC;EACnG;EAEA,IAAIC,MAAM,CAACI,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE;IACxC,MAAM,IAAIL,qBAAY,CAAC,mEAAmE,GACxF,uEAAuE,CAAC;EAC5E;AACF;AAEO,SAASM,6BAA6B,GAAG;EAC9C,MAAMC,sBAAsB,GAAG,IAAAC,qCAA4B,GAAE;EAC7D,OAAO,MAAMC,uBAAuB,SAC1BF,sBAAsB,CAEhC;IACE;;IAQA;;IAgBA;;IAMA;;IAIA;;IAKA;IACAG,WAAW,CAACC,OAAY,EAAE;MACxB,KAAK,CAACA,OAAO,CAAC;MAEdhB,iBAAiB,CAACgB,OAAO,CAAC;MAE1B,IAAI,CAACV,MAAM,GAAG,IAAAW,wBAAmB,EAACD,OAAO,CAACV,MAAM,CAAC;MACjD,IAAI,CAACY,QAAQ,GAAG,IAAAD,wBAAmB,EAACD,OAAO,CAACE,QAAQ,CAAC;MACrD,IAAI,CAACC,YAAY,GAAG,IAAAF,wBAAmB,EAACD,OAAO,CAACG,YAAY,CAAC;MAC7D,IAAI,CAACC,WAAW,GAAG,IAAAH,wBAAmB,EAACD,OAAO,CAACI,WAAW,CAAC;MAC3D,IAAI,CAACC,SAAS,GAAG,IAAAJ,wBAAmB,EAACD,OAAO,CAACK,SAAS,CAAC;MACvD,IAAI,CAACC,SAAS,GAAG,IAAAL,wBAAmB,EAACD,OAAO,CAACM,SAAS,CAAC;MAEvD,IAAI,CAACC,IAAI,GAAGP,OAAO,CAACO,IAAI,KAAK,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;MACnD,IAAI,CAACC,QAAQ,GAAGR,OAAO,CAACQ,QAAQ;MAChC,IAAI,CAACC,WAAW,GAAGT,OAAO,CAACS,WAAW;MACtC,IAAI,IAAAC,mBAAS,GAAE,EAAE;QACf,IAAI,CAACD,WAAW,GAAG,IAAAE,kBAAa,EAACX,OAAO,CAACS,WAAW,EAAEG,MAAM,CAACC,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC;MACjF;;MACA,IAAI,CAACC,YAAY,GAAGf,OAAO,CAACe,YAAY;MACxC,IAAI,CAACC,YAAY,GAAGhB,OAAO,CAACgB,YAAY;MACxC,IAAI,CAACC,KAAK,GAAGjB,OAAO,CAACiB,KAAK;MAC1B,IAAI,CAAC/B,MAAM,GAAGc,OAAO,CAACd,MAAM;MAC5B;MACA,IAAI,CAACgC,eAAe,GAAG,CAAC,CAAClB,OAAO,CAACkB,eAAe;MAChD,IAAI,CAACC,aAAa,GAAGnB,OAAO,CAACmB,aAAa;MAC1C,IAAI,CAACC,mBAAmB,GAAGpB,OAAO,CAACoB,mBAAmB;MACtD,IAAI,CAACC,SAAS,GAAGrB,OAAO,CAACqB,SAAS;MAClC,IAAI,CAACC,MAAM,GAAGtB,OAAO,CAACsB,MAAM;MAC5B,IAAI,CAACC,IAAI,GAAGvB,OAAO,CAACuB,IAAI,KAAK,IAAI,CAAC,CAAC;MACnC,IAAI,CAACC,WAAW,GAAG;QACjBC,iBAAiB,EAAE,KAAK;QACxB,GAAGzB,OAAO,CAACwB;MACb,CAAC;MAED,IAAI,CAACE,YAAY,GAAG1B,OAAO,CAAC0B,YAAY;MACxC,IAAI,CAACC,qBAAqB,GAAG3B,OAAO,CAAC2B,qBAAqB;MAC1D,IAAI,CAACC,kBAAkB,GAAG5B,OAAO,CAAC4B,kBAAkB;MACpD,IAAI,CAACC,kBAAkB,GAAG;QAAEC,mBAAmB,EAAnBA,yBAAmB;QAAE,GAAG9B,OAAO,CAAC6B;MAAmB,CAAC;MAEhF,IAAI,CAACE,YAAY,GAAG/B,OAAO,CAAC+B,YAAY;MACxC,IAAI,CAACC,WAAW,GAAGhC,OAAO,CAACgC,WAAW;;MAEtC;MACA;MACA;MACA,IAAI,CAACC,cAAc,GAAG,CAAC,CAACjC,OAAO,CAACiC,cAAc;;MAE9C;MACA;MACA;MACA;MACA;MACA;MACA;MACA,IAAI,CAACjC,OAAO,CAACkC,YAAY,IAAIlC,OAAO,CAACkC,YAAY,KAAK,CAAC,EAAE;QACvD,IAAI,CAACA,YAAY,GAAGC,iCAAsB;MAC5C,CAAC,MAAM;QACL,IAAI,CAACD,YAAY,GAAGlC,OAAO,CAACkC,YAAY;MAC1C;IAEF;EACF,CAAC;AACH"}

package/cjs/oidc/types/options.js.map

@@ -1 +1 @@
-{"version":3,"file":"options.js","names":[],"sources":["../../../../lib/oidc/types/options.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { OktaAuthOptionsConstructor } from '../../base/types';\nimport { OktaAuthHttpOptions } from '../../http/types';\nimport { SimpleStorage } from '../../storage/types';\nimport { OktaAuthOAuthInterface, SetLocationFunction } from './api';\nimport { OAuthResponseMode, OAuthResponseType } from './proto';\nimport { Tokens } from './Token';\nimport { TransactionManagerOptions } from './Transaction';\n\nexport interface CustomUrls {\n  issuer?: string;\n  authorizeUrl?: string;\n  userinfoUrl?: string;\n  tokenUrl?: string;\n  revokeUrl?: string;\n  logoutUrl?: string;\n}\n\nexport interface TokenParams extends CustomUrls {\n  pkce?: boolean;\n  clientId?: string;\n  redirectUri?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n  responseMode?: OAuthResponseMode;\n  state?: string;\n  nonce?: string;\n  scopes?: string[];\n  enrollAmrValues?: string | string[];\n  display?: string;\n  ignoreSignature?: boolean;\n  codeVerifier?: string;\n  authorizationCode?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  interactionCode?: string;\n  idp?: string;\n  idpScope?: string | string[];\n  loginHint?: string;\n  maxAge?: string | number;\n  acrValues?: string;\n  prompt?: string;\n  sessionToken?: string;\n  timeout?: number;\n  extraParams?: { [propName: string]: string }; // custom authorize query params\n  // TODO: remove in the next major version\n  popupTitle?: string;\n  dpop?: boolean;\n  dpopPairId?: string;\n}\n\nexport interface TokenManagerOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n  clearPendingRemoveTokens?: boolean;\n  secure?: boolean;\n  storage?: string | SimpleStorage;\n  storageKey?: string;\n  expireEarlySeconds?: number;\n  syncStorage?: boolean;\n}\n\nexport interface EnrollAuthenticatorOptions extends TokenParams {\n  enrollAmrValues: string | string[];\n  acrValues: string;\n}\n\nexport interface SigninWithRedirectOptions extends TokenParams {\n  originalUri?: string;\n}\n\nexport interface RenewTokensParams extends TokenParams {\n  tokens?: Tokens\n}\n\nexport interface OktaAuthOAuthOptions extends\n  OktaAuthHttpOptions,\n  CustomUrls,\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'maxAge' |\n    'acrValues'\n  >\n{\n  ignoreLifetime?: boolean;\n  tokenManager?: TokenManagerOptions;\n  postLogoutRedirectUri?: string;\n  maxClockSkew?: number;\n  restoreOriginalUri?: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n  dpop?: boolean;\n\n  transactionManager?: TransactionManagerOptions;\n\n  // For server-side web applications ONLY!\n  clientSecret?: string;\n  setLocation?: SetLocationFunction;\n}\n\nexport type OktaAuthOauthOptionsConstructor = OktaAuthOptionsConstructor<OktaAuthOAuthOptions>;\n"],"mappings":""}
+{"version":3,"file":"options.js","names":[],"sources":["../../../../lib/oidc/types/options.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { OktaAuthOptionsConstructor } from '../../base/types';\nimport { OktaAuthHttpOptions } from '../../http/types';\nimport { SimpleStorage } from '../../storage/types';\nimport { OktaAuthOAuthInterface, SetLocationFunction } from './api';\nimport { OAuthResponseMode, OAuthResponseType } from './proto';\nimport { Tokens } from './Token';\nimport { TransactionManagerOptions } from './Transaction';\n\nexport interface CustomUrls {\n  issuer?: string;\n  authorizeUrl?: string;\n  userinfoUrl?: string;\n  tokenUrl?: string;\n  revokeUrl?: string;\n  logoutUrl?: string;\n}\n\nexport interface TokenParams extends CustomUrls {\n  pkce?: boolean;\n  clientId?: string;\n  redirectUri?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n  responseMode?: OAuthResponseMode;\n  state?: string;\n  nonce?: string;\n  scopes?: string[];\n  enrollAmrValues?: string | string[];\n  display?: string;\n  ignoreSignature?: boolean;\n  codeVerifier?: string;\n  authorizationCode?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  interactionCode?: string;\n  idp?: string;\n  idpScope?: string | string[];\n  loginHint?: string;\n  maxAge?: string | number;\n  acrValues?: string;\n  prompt?: string;\n  sessionToken?: string;\n  timeout?: number;\n  extraParams?: { [propName: string]: string }; // custom authorize query params\n  // TODO: remove in the next major version\n  popupTitle?: string;\n  dpop?: boolean;\n  dpopPairId?: string;\n}\n\nexport interface TokenManagerOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n  clearPendingRemoveTokens?: boolean;\n  secure?: boolean;\n  storage?: string | SimpleStorage;\n  storageKey?: string;\n  expireEarlySeconds?: number;\n  syncStorage?: boolean;\n}\n\nexport interface EnrollAuthenticatorOptions extends TokenParams {\n  enrollAmrValues: string | string[];\n  acrValues: string;\n}\n\nexport interface SigninWithRedirectOptions extends TokenParams {\n  originalUri?: string;\n}\n\nexport interface RenewTokensParams extends TokenParams {\n  tokens?: Tokens\n}\n\nexport interface DPoPOptions {\n  allowBearerTokens: boolean;\n}\n\nexport interface OktaAuthOAuthOptions extends\n  OktaAuthHttpOptions,\n  CustomUrls,\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'maxAge' |\n    'acrValues'\n  >\n{\n  ignoreLifetime?: boolean;\n  tokenManager?: TokenManagerOptions;\n  postLogoutRedirectUri?: string;\n  maxClockSkew?: number;\n  restoreOriginalUri?: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n  dpop?: boolean;\n  dpopOptions?: DPoPOptions;\n\n  transactionManager?: TransactionManagerOptions;\n\n  // For server-side web applications ONLY!\n  clientSecret?: string;\n  setLocation?: SetLocationFunction;\n}\n\nexport type OktaAuthOauthOptionsConstructor = OktaAuthOptionsConstructor<OktaAuthOAuthOptions>;\n"],"mappings":""}