@okta/okta-auth-js 7.5.1 → 7.7.0

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 7.6.0
+
+### Features
+
+- [#1495](https://github.com/okta/okta-auth-js/pull/1495) add: DPoP support
+- [#1507](https://github.com/okta/okta-auth-js/pull/1507) add: new method `getOrRenewAccessToken`
+- [#1505](https://github.com/okta/okta-auth-js/pull/1505) add: support of `revokeSessions` param for `OktaPassword` authenticator (can be used in `reset-authenticator` remediation)
+- [#1508](https://github.com/okta/okta-auth-js/pull/1508) IDX: add condition to compare stateHandles when loading saved idxResponse only when useGenericRemediator option is false or undefined
+- [#1512](https://github.com/okta/okta-auth-js/pull/1512) add: new service `RenewOnTabActivation`
+
+### Bug Fix
+
+- [#1513](https://github.com/okta/okta-auth-js/pull/1513) fix: restricts `issuer` "-admin" validation to `.okta` domain
+
 ## 7.5.1
 
 ### Bug Fix

package/README.md

@@ -36,6 +36,12 @@ You can learn more on the [Okta + JavaScript][lang-landing] page in our document
 
 This library uses semantic versioning and follows Okta's [library version policy](https://developer.okta.com/code/library-versions/).
 
+> :warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning:<br>
+#### :warning: Bulletin Board :warning:
+* Review [Future of autoRenew](./docs/autoRenew-notice.md) <br>
+* Review [End of Third-Party Cookies](https://developer.okta.com/blog/2024/02/29/third-party-cookies) <br>
+> :warning: :warning: :warning: :warning: :warning: :warning: :warning: :warning::warning:<br>
+
 ## Release Status
 
 :heavy_check_mark: The current stable major version series is: `7.x`
@@ -43,7 +49,7 @@ This library uses semantic versioning and follows Okta's [library version policy
 | Version   | Status                           |
 | -------   | -------------------------------- |
 | `7.x`     | :heavy_check_mark: Stable        |
-| `6.x`     | :warning: Retiring on 2023-09-30 |
+| `6.x`     | :x: Retired                      |
 | `5.x`     | :x: Retired                      |
 | `4.x`     | :x: Retired                      |
 | `3.x`     | :x: Retired                      |
@@ -96,7 +102,7 @@ require('@okta/okta-auth-js/polyfill');
 The built polyfill bundle is also available on our global CDN. Include the following script in your HTML file to load before any other scripts:
 
 ```html
-<script src="https://global.oktacdn.com/okta-auth-js/7.4.1/okta-auth-js.polyfill.js" type="text/javascript"></script>
+<script src="https://global.oktacdn.com/okta-auth-js/7.5.1/okta-auth-js.polyfill.js" type="text/javascript" integrity="sha384-EBFsuVdi4TGp/DwS7b+t+wA8zmWK10omkX05ZjJWQhzWuW31t7FWEGOnHQeIr8+L" crossorigin="anonymous"></script>
 ```
 
 > :warning: The version shown in this sample may be older than the current version. We recommend using the highest version available
@@ -171,7 +177,7 @@ If you are using the JS on a web page from the browser, you can copy the `node_m
 The built library bundle is also available on our global CDN. Include the following script in your HTML file to load before your application script:
 
 ```html
-<script src="https://global.oktacdn.com/okta-auth-js/7.4.1/okta-auth-js.min.js" type="text/javascript"></script>
+<script src="https://global.oktacdn.com/okta-auth-js/7.5.1/okta-auth-js.min.js" type="text/javascript" integrity="sha384-6epSwnIDkI5zFNEVNjEYy3A7aSZ+C7ehmEyG8zDJZfP9Bmnxc51TK8du+2me4pjb" crossorigin="anonymous"></script>
 ```
 
 > :warning: The version shown in this sample may be older than the current version. We recommend using the highest version available
@@ -342,7 +348,7 @@ Most applications will handle an OAuth callback using a special route/page, sepa
       **It’s important that no other app logic runs until the async parseFromUrl / token manager logic is complete**
 3. After this, continue normal app logic
 
-```
+```javascript
 
 async function main() {
   // create OktaAuth instance
@@ -393,6 +399,105 @@ Additionally, if using hash routing, we recommend using PKCE and responseMode "q
    2. Add tokens to the  `TokenManager`: [tokenManager.setTokens](#tokenmanagersettokenstokens)
 6. Read saved route and redirect to it: [getOriginalUri](#getoriginaluristate)
 
+### Enabling DPoP
+<sub><sup>*Reference: DPoP (Demonstrating Proof-of-Possession) - [RFC9449](https://datatracker.ietf.org/doc/html/rfc9449)*</sub></sup>
+
+#### Requirements
+* `DPoP` must be enabled in your Okta application ([Guide: Configure DPoP](https://developer.okta.com/docs/guides/dpop/main/))
+* Only supported on web (browser)
+* `https` is required. A [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) is required for `WebCrypto.subtle`
+* Targeted browsers must support `IndexedDB` ([MDN](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API), [caniuse](https://caniuse.com/indexeddb))
+* :warning: IE11 (and lower) is not supported!
+
+#### Configuration
+```javascript
+const config = {
+  // other configurations
+  pkce: true,     // required
+  dpop: true,
+};
+
+const authClient = new OktaAuth(config);
+```
+
+#### Providing DPoP Proof to Resource Requests
+<sub><sup>*Reference: **The DPoP Authentication Scheme** ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch))*</sub></sup>
+
+##### DPoP-Protected Resource Request ([link](https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-protected-resource-req))
+```
+GET /protectedresource HTTP/1.1
+Host: resource.example.org
+Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
+DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsIm...
+```
+
+##### Fetching DPoP-Protected Resource
+```javascript
+async function dpopAuthenticatedFetch (url, options) {
+  const { method } = options;
+  const dpop = await authClient.getDPoPAuthorizationHeaders({ url, method });
+  // dpop = { Authorization: "DPoP token****", Dpop: "proof****" }
+  const headers = new Headers({...options.headers, ...dpop});
+  return fetch(url, {...options, headers });
+}
+```
+
+#### Handling `use_dpop_nonce`
+<sub><sup>*Reference: **Resource Server-Provided Nonce** ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no))*</sub></sup>
+
+> Resource servers can also choose to provide a nonce value to be included in DPoP proofs sent to them. They provide the nonce using the DPoP-Nonce header in the same way that authorization servers do...
+
+##### Resource Server Response
+```
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: DPoP error="use_dpop_nonce", \
+   error_description="Resource server requires nonce in DPoP proof"
+DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
+```
+##### Handling Response
+```javascript
+async function dpopAuthenticatedFetch (url, options) {
+  // ...previous example...
+  const resp = await fetch(url, {...options, headers });
+  // resp = HTTP/1.1 401 Unauthorized...
+
+  if (!resp.ok) {
+    const nonce = authClient.parseUseDPoPNonceError(resp.headers);
+    if (nonce) {
+      const retryDpop = await authClient.getDPoPAuthorizationHeaders({ url, method, nonce });
+      const retryHeaders = new Headers({...options.headers, ...retryDpop});
+      return fetch(url, {...options, headers: retryHeaders });
+    }
+  }
+
+  return resp;
+}
+```
+
+#### Ensure browser can support DPoP (*Recommended*)
+DPoP requires certain browser features. A user using a browser without the required features will unable to complete a request for tokens. It's recommended to verify browser support during application bootstrapping.
+
+```javascript
+// App.tsx
+useEffect(() => {
+  if (!authClient.features.isDPoPSupported()) {
+    // user will be unable to request tokens
+    navigate('/unsupported-error-page');
+  }
+}, []);
+```
+
+#### Clear DPoP Storage (*Recommended*)
+DPoP requires the generation of a `CryptoKeyPair` which needs to be persisted in storage. Methods like `signOut()` or `revokeAccessToken()` will clear the key pair, however users don't always explicitly logout. It's therefore good practice to clear storage before login to flush any orphaned key pairs generated from previously requested tokens.
+
+```javascript
+async function login (options) {
+  await authClient.clearDPoPStorage();      // clear possibly orphaned key pairs
+
+  return authClient.signInWithRedirect(options);
+}
+```
+
 ## Configuration reference
 
 Whether you are using this SDK to implement an OIDC flow or for communicating with the [Authentication API](https://developer.okta.com/docs/api/resources/authn), the only required configuration option is `issuer`, which is the URL to an Okta [Authorization Server](https://developer.okta.com/docs/guides/customize-authz-server/overview/)
@@ -464,6 +569,13 @@ A client-provided string that will be passed to the server endpoint and returned
 
 Default value is `true` which enables the [PKCE OAuth Flow](#pkce-oauth-20-flow). To use the [Implicit Flow](#implicit-oauth-20-flow) or [Authorization Code Flow](#authorization-code-flow-for-web-and-native-client-types), set `pkce` to `false`.
 
+#### `dpop`
+
+Default value is `false`. Set to `true` to enable `DPoP` (Demonstrating Proof-of-Possession ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449)))
+
+See Guide: [Enabling DPoP](#enabling-dpop)
+
+
 #### responseMode
 
 When requesting tokens using [token.getWithRedirect](#tokengetwithredirectoptions) values will be returned as parameters appended to the [redirectUri](#configuration-options).
@@ -843,6 +955,8 @@ services: {
   autoRenew: true,
   autoRemove: true,
   syncStorage: true,
+  renewOnTabActivation: true,
+  tabInactivityDuration: 1800   // seconds
 }
 ```
 
@@ -866,6 +980,15 @@ Automatically syncs tokens across browser tabs when it's supported in browser (b
 
 This is accomplished by selecting a single tab to handle the network requests to refresh the tokens and broadcasting to the other tabs. This is done to avoid all tabs sending refresh requests simultaneously, which can cause rate limiting/throttling issues.
 
+#### `renewOnTabActivation`
+> NOTE: This service requires `autoRenew: true`
+
+When enabled (`{ autoRenew: true, renewOnTabActivation: true }`), this service binds a handler to the [Page Visibility API](https://developer.mozilla.org/en-US/docs/Web/API/Page_Visibility_API) which attempts a token renew (if needed) when the tab becomes active after a (configurable) inactivity period
+
+#### `tabInactivityDuration`
+The amount of time, in seconds, a tab needs to be inactive for the `RenewOnTabActivation` service to attempt a token renew. Defaults to `1800` (30 mins)
+
+
 ## API Reference
 <!-- no toc -->
 * [start](#start)
@@ -886,6 +1009,7 @@ This is accomplished by selecting a single tab to handle the network requests to
 * [getUser](#getuser)
 * [getIdToken](#getidtoken)
 * [getAccessToken](#getaccesstoken)
+* [getOrRenewAccessToken](#getorrenewaccesstoken)
 * [storeTokensFromRedirect](#storetokensfromredirect)
 * [setOriginalUri](#setoriginaluriuri)
 * [getOriginalUri](#getoriginaluristate)
@@ -897,6 +1021,9 @@ This is accomplished by selecting a single tab to handle the network requests to
 * [tx.resume](#txresume)
 * [tx.exists](#txexists)
 * [transaction.status](#transactionstatus)
+* [getDPoPAuthorizationHeaders](#getdpopauthorizationheaders)
+* [parseUseDPoPNonceError](#parseusedpopnonceerror)
+* [clearDPoPStorage](#cleardpopstorage)
 * [session](#session)
   * [session.setCookieAndRedirect](#sessionsetcookieandredirectsessiontoken-redirecturi)
   * [session.exists](#sessionexists)
@@ -1154,6 +1281,10 @@ Returns the id token string retrieved from [authState](#authstatemanager) if it
 
 Returns the access token string retrieved from [authState](#authstatemanager) if it exists.
 
+### `getOrRenewAccessToken()`
+
+Returns the access token string if it exists. Returns `null` if the access token doesn't exist or a renewal cannot be completed
+
 ### `storeTokensFromRedirect()`
 
 > :hourglass: async
@@ -1248,6 +1379,39 @@ See [authn API](docs/authn.md#txexists).
 
 See [authn API](docs/authn.md#transactionstatus).
 
+### `getDPoPAuthorizationHeaders(params)`
+
+> :link: web browser only <br>
+> :hourglass: async <br>
+
+Requires [dpop](#dpop) set to `true`. Returns `Authorization` and `Dpop` header values to build a DPoP protected-request.
+
+Params: `url` and (http) `method` are required.
+*  `accessToken` is optional, but will be read from `tokenStorage` if not provided
+*  `nonce` is optional, may be provided via `use_dpop_nonce` pattern from Resource Server ([more info](#handling-use_dpop_nonce))
+
+### `parseUseDPoPNonceError(headers)`
+
+> :link: web browser only <br>
+
+Utility to extract and parse the `WWW-Authenticate` and `DPoP-Nonce` headers from a network response from a DPoP-protected request. Should the response be in the following format, the `nonce` value will be returned. Otherwise returns `null`
+
+```
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: DPoP error="use_dpop_nonce", \
+   error_description="Resource server requires nonce in DPoP proof"
+DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
+```
+
+### `clearDPoPStorage(clearAll=false)`
+
+> :link: web browser only <br>
+> :hourglass: async <br>
+
+Clears storage location of `CryptoKeyPair`s generated and used by DPoP. Pass `true` to remove all key pairs as it's possible for orphaned key pairs to exist. If `clearAll` is `false`, the key pair bound to the current `accessToken` in tokenStorage will be removed.
+
+It's recommended to call this function during user login. [See Example](#clear-dpop-storage-recommended)
+
 ### `session`
 
 #### `session.setCookieAndRedirect(sessionToken, redirectUri)`

package/cjs/base/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","names":[],"sources":["../../../lib/base/types.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport * as constants from '../constants';\n\nexport declare class EventEmitter {\n  on   (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  once (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  emit (event: string, ...args: any[]): EventEmitter;\n  off  (event: string, callback?: (...args: any[]) => any): EventEmitter;\n}\n\nexport interface FeaturesAPI {\n  isLocalhost(): boolean;\n  isHTTPS(): boolean;\n  isPopupPostMessageSupported(): boolean;\n  hasTextEncoder(): boolean;\n  isTokenVerifySupported(): boolean;\n  isPKCESupported(): boolean;\n  isIE11OrLess(): boolean;\n}\n\n\n// options that can be passed to AuthJS\nexport interface OktaAuthBaseOptions {\n  devMode?: boolean;\n}\n\n// a class that constructs options\nexport interface OktaAuthOptionsConstructor<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  new(args: any): O;\n}\n\n// a \"base\" instance of AuthJS\nexport interface OktaAuthBaseInterface<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  options: O;\n  emitter: EventEmitter;\n  features: FeaturesAPI;\n}\n\n// a constructor that returns an instance of AuthJS\nexport interface OktaAuthConstructor\n<\n  I extends OktaAuthBaseInterface = OktaAuthBaseInterface\n> \n{\n  new(...args: any[]): I;\n  features: FeaturesAPI; // static class member\n  constants: typeof constants;\n}\n"],"mappings":""}
+{"version":3,"file":"types.js","names":[],"sources":["../../../lib/base/types.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport * as constants from '../constants';\n\nexport declare class EventEmitter {\n  on   (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  once (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  emit (event: string, ...args: any[]): EventEmitter;\n  off  (event: string, callback?: (...args: any[]) => any): EventEmitter;\n}\n\nexport interface FeaturesAPI {\n  isLocalhost(): boolean;\n  isHTTPS(): boolean;\n  isPopupPostMessageSupported(): boolean;\n  hasTextEncoder(): boolean;\n  isTokenVerifySupported(): boolean;\n  isPKCESupported(): boolean;\n  isIE11OrLess(): boolean;\n  isDPoPSupported(): boolean;\n}\n\n\n// options that can be passed to AuthJS\nexport interface OktaAuthBaseOptions {\n  devMode?: boolean;\n}\n\n// a class that constructs options\nexport interface OktaAuthOptionsConstructor<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  new(args: any): O;\n}\n\n// a \"base\" instance of AuthJS\nexport interface OktaAuthBaseInterface<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  options: O;\n  emitter: EventEmitter;\n  features: FeaturesAPI;\n}\n\n// a constructor that returns an instance of AuthJS\nexport interface OktaAuthConstructor\n<\n  I extends OktaAuthBaseInterface = OktaAuthBaseInterface\n> \n{\n  new(...args: any[]): I;\n  features: FeaturesAPI; // static class member\n  constants: typeof constants;\n}\n"],"mappings":""}

package/cjs/core/ServiceManager/browser.js

@@ -20,6 +20,7 @@ var _util = require("../../util");
 const AUTO_RENEW = 'autoRenew';
 const SYNC_STORAGE = 'syncStorage';
 const LEADER_ELECTION = 'leaderElection';
+const RENEW_ON_TAB_ACTIVATION = 'renewOnTabActivation';
 class ServiceManager {
   constructor(sdk, options = {}) {
     this.sdk = sdk;
@@ -120,6 +121,11 @@ class ServiceManager {
           ...this.options
         });
         break;
+      case RENEW_ON_TAB_ACTIVATION:
+        service = new _services.RenewOnTabActivationService(tokenManager, {
+          ...this.options
+        });
+        break;
       default:
         throw new Error(`Unknown service ${name}`);
     }
@@ -127,10 +133,12 @@ class ServiceManager {
   }
 }
 exports.ServiceManager = ServiceManager;
-(0, _defineProperty2.default)(ServiceManager, "knownServices", [AUTO_RENEW, SYNC_STORAGE, LEADER_ELECTION]);
+(0, _defineProperty2.default)(ServiceManager, "knownServices", [AUTO_RENEW, SYNC_STORAGE, LEADER_ELECTION, RENEW_ON_TAB_ACTIVATION]);
 (0, _defineProperty2.default)(ServiceManager, "defaultOptions", {
   autoRenew: true,
   autoRemove: true,
-  syncStorage: true
+  syncStorage: true,
+  renewOnTabActivation: true,
+  tabInactivityDuration: 1800 // 30 mins in seconds
 });
 //# sourceMappingURL=browser.js.map

package/cjs/core/ServiceManager/browser.js.map

@@ -1 +1 @@
-{"version":3,"file":"browser.js","names":["AUTO_RENEW","SYNC_STORAGE","LEADER_ELECTION","ServiceManager","constructor","sdk","options","onLeader","bind","autoRenew","autoRemove","syncStorage","tokenManager","getOptions","electionChannelName","broadcastChannelName","Object","assign","defaultOptions","clientId","syncChannelName","removeNils","started","services","Map","knownServices","forEach","name","svc","createService","set","startServices","isLeader","getService","isLeaderRequired","values","some","srv","canStart","requiresLeadership","start","stop","stopServices","get","entries","canStartService","isStarted","service","LeaderElectionService","AutoRenewService","SyncStorageService","Error"],"sources":["../../../../lib/core/ServiceManager/browser.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport {\n  OAuthTransactionMeta,\n  OAuthStorageManagerInterface,\n} from '../../oidc';\n\nimport {\n  ServiceManagerInterface,\n  ServiceInterface,\n  ServiceManagerOptions,\n  OktaAuthCoreInterface,\n  OktaAuthCoreOptions\n} from '../types';\nimport { AutoRenewService, SyncStorageService, LeaderElectionService } from '../../services';\nimport { removeNils } from '../../util';\n\nconst AUTO_RENEW = 'autoRenew';\nconst SYNC_STORAGE = 'syncStorage';\nconst LEADER_ELECTION = 'leaderElection';\n\nexport class ServiceManager\n<\n  M extends OAuthTransactionMeta,\n  S extends OAuthStorageManagerInterface<M>,\n  O extends OktaAuthCoreOptions\n>\nimplements ServiceManagerInterface \n{\n  private sdk: OktaAuthCoreInterface<M, S, O>;\n  private options: ServiceManagerOptions;\n  private services: Map<string, ServiceInterface>;\n  private started: boolean;\n\n  private static knownServices = [AUTO_RENEW, SYNC_STORAGE, LEADER_ELECTION];\n\n  private static defaultOptions = {\n    autoRenew: true,\n    autoRemove: true,\n    syncStorage: true\n  };\n\n  constructor(sdk: OktaAuthCoreInterface<M, S, O>, options: ServiceManagerOptions = {}) {\n    this.sdk = sdk;\n    this.onLeader = this.onLeader.bind(this);\n\n    // TODO: backwards compatibility, remove in next major version - OKTA-473815\n    const { autoRenew, autoRemove, syncStorage } = sdk.tokenManager.getOptions();\n    options.electionChannelName = options.electionChannelName || options.broadcastChannelName;\n    this.options = Object.assign({}, \n      ServiceManager.defaultOptions,\n      { autoRenew, autoRemove, syncStorage }, \n      {\n        electionChannelName: `${sdk.options.clientId}-election`,\n        syncChannelName: `${sdk.options.clientId}-sync`,\n      },\n      removeNils(options)\n    );\n\n    this.started = false;\n    this.services = new Map();\n\n    ServiceManager.knownServices.forEach(name => {\n      const svc = this.createService(name);\n      if (svc) {\n        this.services.set(name, svc);\n      }\n    });\n  }\n\n  private async onLeader() {\n    if (this.started) {\n      // Start services that requires leadership\n      await this.startServices();\n    }\n  }\n\n  isLeader() {\n    return (this.getService(LEADER_ELECTION) as LeaderElectionService)?.isLeader();\n  }\n\n  isLeaderRequired() {\n    return [...this.services.values()].some(srv => srv.canStart() && srv.requiresLeadership());\n  }\n\n  async start() {\n    if (this.started) {\n      return;     // noop if services have already started\n    }\n    await this.startServices();\n    this.started = true;\n  }\n  \n  async stop() {\n    await this.stopServices();\n    this.started = false;\n  }\n\n  getService(name: string): ServiceInterface | undefined {\n    return this.services.get(name);\n  }\n\n  private async startServices() {\n    for (const [name, srv] of this.services.entries()) {\n      if (this.canStartService(name, srv)) {\n        await srv.start();\n      }\n    }\n  }\n\n  private async stopServices() {\n    for (const srv of this.services.values()) {\n      await srv.stop();\n    }\n  }\n\n  // eslint-disable-next-line complexity\n  private canStartService(name: string, srv: ServiceInterface): boolean {\n    let canStart = srv.canStart() && !srv.isStarted();\n    // only start election if a leader is required\n    if (name === LEADER_ELECTION) {\n      canStart &&= this.isLeaderRequired();\n    } else if (srv.requiresLeadership()) {\n      canStart &&= this.isLeader();\n    }\n    return canStart;\n  }\n\n  private createService(name: string): ServiceInterface {\n    const tokenManager = this.sdk.tokenManager;\n\n    let service: ServiceInterface;\n    switch (name) {\n      case LEADER_ELECTION:\n        service = new LeaderElectionService({...this.options, onLeader: this.onLeader});\n        break;\n      case AUTO_RENEW:\n        service = new AutoRenewService(tokenManager, {...this.options});\n        break;\n      case SYNC_STORAGE:\n        service = new SyncStorageService(tokenManager, {...this.options});\n        break;\n      default:\n        throw new Error(`Unknown service ${name}`);\n    }\n    return service;\n  }\n\n}\n"],"mappings":";;;;;AAyBA;AACA;AA1BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAkBA,MAAMA,UAAU,GAAG,WAAW;AAC9B,MAAMC,YAAY,GAAG,aAAa;AAClC,MAAMC,eAAe,GAAG,gBAAgB;AAEjC,MAAMC,cAAc,CAO3B;EAcEC,WAAW,CAACC,GAAmC,EAAEC,OAA8B,GAAG,CAAC,CAAC,EAAE;IACpF,IAAI,CAACD,GAAG,GAAGA,GAAG;IACd,IAAI,CAACE,QAAQ,GAAG,IAAI,CAACA,QAAQ,CAACC,IAAI,CAAC,IAAI,CAAC;;IAExC;IACA,MAAM;MAAEC,SAAS;MAAEC,UAAU;MAAEC;IAAY,CAAC,GAAGN,GAAG,CAACO,YAAY,CAACC,UAAU,EAAE;IAC5EP,OAAO,CAACQ,mBAAmB,GAAGR,OAAO,CAACQ,mBAAmB,IAAIR,OAAO,CAACS,oBAAoB;IACzF,IAAI,CAACT,OAAO,GAAGU,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAC7Bd,cAAc,CAACe,cAAc,EAC7B;MAAET,SAAS;MAAEC,UAAU;MAAEC;IAAY,CAAC,EACtC;MACEG,mBAAmB,EAAG,GAAET,GAAG,CAACC,OAAO,CAACa,QAAS,WAAU;MACvDC,eAAe,EAAG,GAAEf,GAAG,CAACC,OAAO,CAACa,QAAS;IAC3C,CAAC,EACD,IAAAE,gBAAU,EAACf,OAAO,CAAC,CACpB;IAED,IAAI,CAACgB,OAAO,GAAG,KAAK;IACpB,IAAI,CAACC,QAAQ,GAAG,IAAIC,GAAG,EAAE;IAEzBrB,cAAc,CAACsB,aAAa,CAACC,OAAO,CAACC,IAAI,IAAI;MAC3C,MAAMC,GAAG,GAAG,IAAI,CAACC,aAAa,CAACF,IAAI,CAAC;MACpC,IAAIC,GAAG,EAAE;QACP,IAAI,CAACL,QAAQ,CAACO,GAAG,CAACH,IAAI,EAAEC,GAAG,CAAC;MAC9B;IACF,CAAC,CAAC;EACJ;EAEA,MAAcrB,QAAQ,GAAG;IACvB,IAAI,IAAI,CAACe,OAAO,EAAE;MAChB;MACA,MAAM,IAAI,CAACS,aAAa,EAAE;IAC5B;EACF;EAEAC,QAAQ,GAAG;IACT,OAAQ,IAAI,CAACC,UAAU,CAAC/B,eAAe,CAAC,EAA4B8B,QAAQ,EAAE;EAChF;EAEAE,gBAAgB,GAAG;IACjB,OAAO,CAAC,GAAG,IAAI,CAACX,QAAQ,CAACY,MAAM,EAAE,CAAC,CAACC,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,QAAQ,EAAE,IAAID,GAAG,CAACE,kBAAkB,EAAE,CAAC;EAC5F;EAEA,MAAMC,KAAK,GAAG;IACZ,IAAI,IAAI,CAAClB,OAAO,EAAE;MAChB,OAAO,CAAK;IACd;;IACA,MAAM,IAAI,CAACS,aAAa,EAAE;IAC1B,IAAI,CAACT,OAAO,GAAG,IAAI;EACrB;EAEA,MAAMmB,IAAI,GAAG;IACX,MAAM,IAAI,CAACC,YAAY,EAAE;IACzB,IAAI,CAACpB,OAAO,GAAG,KAAK;EACtB;EAEAW,UAAU,CAACN,IAAY,EAAgC;IACrD,OAAO,IAAI,CAACJ,QAAQ,CAACoB,GAAG,CAAChB,IAAI,CAAC;EAChC;EAEA,MAAcI,aAAa,GAAG;IAC5B,KAAK,MAAM,CAACJ,IAAI,EAAEU,GAAG,CAAC,IAAI,IAAI,CAACd,QAAQ,CAACqB,OAAO,EAAE,EAAE;MACjD,IAAI,IAAI,CAACC,eAAe,CAAClB,IAAI,EAAEU,GAAG,CAAC,EAAE;QACnC,MAAMA,GAAG,CAACG,KAAK,EAAE;MACnB;IACF;EACF;EAEA,MAAcE,YAAY,GAAG;IAC3B,KAAK,MAAML,GAAG,IAAI,IAAI,CAACd,QAAQ,CAACY,MAAM,EAAE,EAAE;MACxC,MAAME,GAAG,CAACI,IAAI,EAAE;IAClB;EACF;;EAEA;EACQI,eAAe,CAAClB,IAAY,EAAEU,GAAqB,EAAW;IACpE,IAAIC,QAAQ,GAAGD,GAAG,CAACC,QAAQ,EAAE,IAAI,CAACD,GAAG,CAACS,SAAS,EAAE;IACjD;IACA,IAAInB,IAAI,KAAKzB,eAAe,EAAE;MAC5BoC,QAAQ,KAAK,IAAI,CAACJ,gBAAgB,EAAE;IACtC,CAAC,MAAM,IAAIG,GAAG,CAACE,kBAAkB,EAAE,EAAE;MACnCD,QAAQ,KAAK,IAAI,CAACN,QAAQ,EAAE;IAC9B;IACA,OAAOM,QAAQ;EACjB;EAEQT,aAAa,CAACF,IAAY,EAAoB;IACpD,MAAMf,YAAY,GAAG,IAAI,CAACP,GAAG,CAACO,YAAY;IAE1C,IAAImC,OAAyB;IAC7B,QAAQpB,IAAI;MACV,KAAKzB,eAAe;QAClB6C,OAAO,GAAG,IAAIC,+BAAqB,CAAC;UAAC,GAAG,IAAI,CAAC1C,OAAO;UAAEC,QAAQ,EAAE,IAAI,CAACA;QAAQ,CAAC,CAAC;QAC/E;MACF,KAAKP,UAAU;QACb+C,OAAO,GAAG,IAAIE,0BAAgB,CAACrC,YAAY,EAAE;UAAC,GAAG,IAAI,CAACN;QAAO,CAAC,CAAC;QAC/D;MACF,KAAKL,YAAY;QACf8C,OAAO,GAAG,IAAIG,4BAAkB,CAACtC,YAAY,EAAE;UAAC,GAAG,IAAI,CAACN;QAAO,CAAC,CAAC;QACjE;MACF;QACE,MAAM,IAAI6C,KAAK,CAAE,mBAAkBxB,IAAK,EAAC,CAAC;IAAC;IAE/C,OAAOoB,OAAO;EAChB;AAEF;AAAC;AAAA,8BA/HY5C,cAAc,mBAaM,CAACH,UAAU,EAAEC,YAAY,EAAEC,eAAe,CAAC;AAAA,8BAb/DC,cAAc,oBAeO;EAC9BM,SAAS,EAAE,IAAI;EACfC,UAAU,EAAE,IAAI;EAChBC,WAAW,EAAE;AACf,CAAC"}
+{"version":3,"file":"browser.js","names":["AUTO_RENEW","SYNC_STORAGE","LEADER_ELECTION","RENEW_ON_TAB_ACTIVATION","ServiceManager","constructor","sdk","options","onLeader","bind","autoRenew","autoRemove","syncStorage","tokenManager","getOptions","electionChannelName","broadcastChannelName","Object","assign","defaultOptions","clientId","syncChannelName","removeNils","started","services","Map","knownServices","forEach","name","svc","createService","set","startServices","isLeader","getService","isLeaderRequired","values","some","srv","canStart","requiresLeadership","start","stop","stopServices","get","entries","canStartService","isStarted","service","LeaderElectionService","AutoRenewService","SyncStorageService","RenewOnTabActivationService","Error","renewOnTabActivation","tabInactivityDuration"],"sources":["../../../../lib/core/ServiceManager/browser.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport {\n  OAuthTransactionMeta,\n  OAuthStorageManagerInterface,\n} from '../../oidc';\n\nimport {\n  ServiceManagerInterface,\n  ServiceInterface,\n  ServiceManagerOptions,\n  OktaAuthCoreInterface,\n  OktaAuthCoreOptions\n} from '../types';\nimport { AutoRenewService,\n  SyncStorageService,\n  LeaderElectionService,\n  RenewOnTabActivationService\n} from '../../services';\nimport { removeNils } from '../../util';\n\nconst AUTO_RENEW = 'autoRenew';\nconst SYNC_STORAGE = 'syncStorage';\nconst LEADER_ELECTION = 'leaderElection';\nconst RENEW_ON_TAB_ACTIVATION = 'renewOnTabActivation';\n\nexport class ServiceManager\n<\n  M extends OAuthTransactionMeta,\n  S extends OAuthStorageManagerInterface<M>,\n  O extends OktaAuthCoreOptions\n>\nimplements ServiceManagerInterface \n{\n  private sdk: OktaAuthCoreInterface<M, S, O>;\n  private options: ServiceManagerOptions;\n  private services: Map<string, ServiceInterface>;\n  private started: boolean;\n\n  private static knownServices = [AUTO_RENEW, SYNC_STORAGE, LEADER_ELECTION, RENEW_ON_TAB_ACTIVATION];\n\n  private static defaultOptions: ServiceManagerOptions = {\n    autoRenew: true,\n    autoRemove: true,\n    syncStorage: true,\n    renewOnTabActivation: true,\n    tabInactivityDuration: 1800,    // 30 mins in seconds\n  };\n\n  constructor(sdk: OktaAuthCoreInterface<M, S, O>, options: ServiceManagerOptions = {}) {\n    this.sdk = sdk;\n    this.onLeader = this.onLeader.bind(this);\n\n    // TODO: backwards compatibility, remove in next major version - OKTA-473815\n    const { autoRenew, autoRemove, syncStorage } = sdk.tokenManager.getOptions();\n    options.electionChannelName = options.electionChannelName || options.broadcastChannelName;\n    this.options = Object.assign({}, \n      ServiceManager.defaultOptions,\n      { autoRenew, autoRemove, syncStorage }, \n      {\n        electionChannelName: `${sdk.options.clientId}-election`,\n        syncChannelName: `${sdk.options.clientId}-sync`,\n      },\n      removeNils(options)\n    );\n\n    this.started = false;\n    this.services = new Map();\n\n    ServiceManager.knownServices.forEach(name => {\n      const svc = this.createService(name);\n      if (svc) {\n        this.services.set(name, svc);\n      }\n    });\n  }\n\n  private async onLeader() {\n    if (this.started) {\n      // Start services that requires leadership\n      await this.startServices();\n    }\n  }\n\n  isLeader() {\n    return (this.getService(LEADER_ELECTION) as LeaderElectionService)?.isLeader();\n  }\n\n  isLeaderRequired() {\n    return [...this.services.values()].some(srv => srv.canStart() && srv.requiresLeadership());\n  }\n\n  async start() {\n    if (this.started) {\n      return;     // noop if services have already started\n    }\n    await this.startServices();\n    this.started = true;\n  }\n  \n  async stop() {\n    await this.stopServices();\n    this.started = false;\n  }\n\n  getService(name: string): ServiceInterface | undefined {\n    return this.services.get(name);\n  }\n\n  private async startServices() {\n    for (const [name, srv] of this.services.entries()) {\n      if (this.canStartService(name, srv)) {\n        await srv.start();\n      }\n    }\n  }\n\n  private async stopServices() {\n    for (const srv of this.services.values()) {\n      await srv.stop();\n    }\n  }\n\n  // eslint-disable-next-line complexity\n  private canStartService(name: string, srv: ServiceInterface): boolean {\n    let canStart = srv.canStart() && !srv.isStarted();\n    // only start election if a leader is required\n    if (name === LEADER_ELECTION) {\n      canStart &&= this.isLeaderRequired();\n    } else if (srv.requiresLeadership()) {\n      canStart &&= this.isLeader();\n    }\n    return canStart;\n  }\n\n  private createService(name: string): ServiceInterface {\n    const tokenManager = this.sdk.tokenManager;\n\n    let service: ServiceInterface;\n    switch (name) {\n      case LEADER_ELECTION:\n        service = new LeaderElectionService({...this.options, onLeader: this.onLeader});\n        break;\n      case AUTO_RENEW:\n        service = new AutoRenewService(tokenManager, {...this.options});\n        break;\n      case SYNC_STORAGE:\n        service = new SyncStorageService(tokenManager, {...this.options});\n        break;\n      case RENEW_ON_TAB_ACTIVATION:\n        service = new RenewOnTabActivationService(tokenManager, {...this.options});\n        break;\n      default:\n        throw new Error(`Unknown service ${name}`);\n    }\n    return service;\n  }\n\n}\n"],"mappings":";;;;;AAyBA;AAKA;AA9BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAsBA,MAAMA,UAAU,GAAG,WAAW;AAC9B,MAAMC,YAAY,GAAG,aAAa;AAClC,MAAMC,eAAe,GAAG,gBAAgB;AACxC,MAAMC,uBAAuB,GAAG,sBAAsB;AAE/C,MAAMC,cAAc,CAO3B;EAgBEC,WAAW,CAACC,GAAmC,EAAEC,OAA8B,GAAG,CAAC,CAAC,EAAE;IACpF,IAAI,CAACD,GAAG,GAAGA,GAAG;IACd,IAAI,CAACE,QAAQ,GAAG,IAAI,CAACA,QAAQ,CAACC,IAAI,CAAC,IAAI,CAAC;;IAExC;IACA,MAAM;MAAEC,SAAS;MAAEC,UAAU;MAAEC;IAAY,CAAC,GAAGN,GAAG,CAACO,YAAY,CAACC,UAAU,EAAE;IAC5EP,OAAO,CAACQ,mBAAmB,GAAGR,OAAO,CAACQ,mBAAmB,IAAIR,OAAO,CAACS,oBAAoB;IACzF,IAAI,CAACT,OAAO,GAAGU,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAC7Bd,cAAc,CAACe,cAAc,EAC7B;MAAET,SAAS;MAAEC,UAAU;MAAEC;IAAY,CAAC,EACtC;MACEG,mBAAmB,EAAG,GAAET,GAAG,CAACC,OAAO,CAACa,QAAS,WAAU;MACvDC,eAAe,EAAG,GAAEf,GAAG,CAACC,OAAO,CAACa,QAAS;IAC3C,CAAC,EACD,IAAAE,gBAAU,EAACf,OAAO,CAAC,CACpB;IAED,IAAI,CAACgB,OAAO,GAAG,KAAK;IACpB,IAAI,CAACC,QAAQ,GAAG,IAAIC,GAAG,EAAE;IAEzBrB,cAAc,CAACsB,aAAa,CAACC,OAAO,CAACC,IAAI,IAAI;MAC3C,MAAMC,GAAG,GAAG,IAAI,CAACC,aAAa,CAACF,IAAI,CAAC;MACpC,IAAIC,GAAG,EAAE;QACP,IAAI,CAACL,QAAQ,CAACO,GAAG,CAACH,IAAI,EAAEC,GAAG,CAAC;MAC9B;IACF,CAAC,CAAC;EACJ;EAEA,MAAcrB,QAAQ,GAAG;IACvB,IAAI,IAAI,CAACe,OAAO,EAAE;MAChB;MACA,MAAM,IAAI,CAACS,aAAa,EAAE;IAC5B;EACF;EAEAC,QAAQ,GAAG;IACT,OAAQ,IAAI,CAACC,UAAU,CAAChC,eAAe,CAAC,EAA4B+B,QAAQ,EAAE;EAChF;EAEAE,gBAAgB,GAAG;IACjB,OAAO,CAAC,GAAG,IAAI,CAACX,QAAQ,CAACY,MAAM,EAAE,CAAC,CAACC,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACC,QAAQ,EAAE,IAAID,GAAG,CAACE,kBAAkB,EAAE,CAAC;EAC5F;EAEA,MAAMC,KAAK,GAAG;IACZ,IAAI,IAAI,CAAClB,OAAO,EAAE;MAChB,OAAO,CAAK;IACd;;IACA,MAAM,IAAI,CAACS,aAAa,EAAE;IAC1B,IAAI,CAACT,OAAO,GAAG,IAAI;EACrB;EAEA,MAAMmB,IAAI,GAAG;IACX,MAAM,IAAI,CAACC,YAAY,EAAE;IACzB,IAAI,CAACpB,OAAO,GAAG,KAAK;EACtB;EAEAW,UAAU,CAACN,IAAY,EAAgC;IACrD,OAAO,IAAI,CAACJ,QAAQ,CAACoB,GAAG,CAAChB,IAAI,CAAC;EAChC;EAEA,MAAcI,aAAa,GAAG;IAC5B,KAAK,MAAM,CAACJ,IAAI,EAAEU,GAAG,CAAC,IAAI,IAAI,CAACd,QAAQ,CAACqB,OAAO,EAAE,EAAE;MACjD,IAAI,IAAI,CAACC,eAAe,CAAClB,IAAI,EAAEU,GAAG,CAAC,EAAE;QACnC,MAAMA,GAAG,CAACG,KAAK,EAAE;MACnB;IACF;EACF;EAEA,MAAcE,YAAY,GAAG;IAC3B,KAAK,MAAML,GAAG,IAAI,IAAI,CAACd,QAAQ,CAACY,MAAM,EAAE,EAAE;MACxC,MAAME,GAAG,CAACI,IAAI,EAAE;IAClB;EACF;;EAEA;EACQI,eAAe,CAAClB,IAAY,EAAEU,GAAqB,EAAW;IACpE,IAAIC,QAAQ,GAAGD,GAAG,CAACC,QAAQ,EAAE,IAAI,CAACD,GAAG,CAACS,SAAS,EAAE;IACjD;IACA,IAAInB,IAAI,KAAK1B,eAAe,EAAE;MAC5BqC,QAAQ,KAAK,IAAI,CAACJ,gBAAgB,EAAE;IACtC,CAAC,MAAM,IAAIG,GAAG,CAACE,kBAAkB,EAAE,EAAE;MACnCD,QAAQ,KAAK,IAAI,CAACN,QAAQ,EAAE;IAC9B;IACA,OAAOM,QAAQ;EACjB;EAEQT,aAAa,CAACF,IAAY,EAAoB;IACpD,MAAMf,YAAY,GAAG,IAAI,CAACP,GAAG,CAACO,YAAY;IAE1C,IAAImC,OAAyB;IAC7B,QAAQpB,IAAI;MACV,KAAK1B,eAAe;QAClB8C,OAAO,GAAG,IAAIC,+BAAqB,CAAC;UAAC,GAAG,IAAI,CAAC1C,OAAO;UAAEC,QAAQ,EAAE,IAAI,CAACA;QAAQ,CAAC,CAAC;QAC/E;MACF,KAAKR,UAAU;QACbgD,OAAO,GAAG,IAAIE,0BAAgB,CAACrC,YAAY,EAAE;UAAC,GAAG,IAAI,CAACN;QAAO,CAAC,CAAC;QAC/D;MACF,KAAKN,YAAY;QACf+C,OAAO,GAAG,IAAIG,4BAAkB,CAACtC,YAAY,EAAE;UAAC,GAAG,IAAI,CAACN;QAAO,CAAC,CAAC;QACjE;MACF,KAAKJ,uBAAuB;QAC1B6C,OAAO,GAAG,IAAII,qCAA2B,CAACvC,YAAY,EAAE;UAAC,GAAG,IAAI,CAACN;QAAO,CAAC,CAAC;QAC1E;MACF;QACE,MAAM,IAAI8C,KAAK,CAAE,mBAAkBzB,IAAK,EAAC,CAAC;IAAC;IAE/C,OAAOoB,OAAO;EAChB;AAEF;AAAC;AAAA,8BApIY5C,cAAc,mBAaM,CAACJ,UAAU,EAAEC,YAAY,EAAEC,eAAe,EAAEC,uBAAuB,CAAC;AAAA,8BAbxFC,cAAc,oBAe8B;EACrDM,SAAS,EAAE,IAAI;EACfC,UAAU,EAAE,IAAI;EAChBC,WAAW,EAAE,IAAI;EACjB0C,oBAAoB,EAAE,IAAI;EAC1BC,qBAAqB,EAAE,IAAI,CAAK;AAClC,CAAC"}

package/cjs/core/types/Service.js.map

@@ -1 +1 @@
-{"version":3,"file":"Service.js","names":[],"sources":["../../../../lib/core/types/Service.ts"],"sourcesContent":["// only add methods needed internally\nexport interface ServiceInterface {\n  start(): Promise<void>;\n  stop(): Promise<void>;\n  isStarted(): boolean;\n  canStart(): boolean;\n  requiresLeadership(): boolean;\n}\n\nexport interface ServiceManagerInterface {\n  isLeaderRequired(): boolean;\n  isLeader(): boolean;\n  start(): Promise<void>;\n  stop(): Promise<void>;\n  getService(name: string): ServiceInterface | undefined;\n}\n\nexport interface AutoRenewServiceOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n}\n\nexport interface SyncStorageServiceOptions {\n  syncStorage?: boolean;\n  syncChannelName?: string;\n}\n\nexport interface LeaderElectionServiceOptions {\n  electionChannelName?: string;\n  // TODO: remove in next major version - OKTA-473815\n  broadcastChannelName?: string;\n}\n\nexport type ServiceManagerOptions = AutoRenewServiceOptions &\n  SyncStorageServiceOptions & LeaderElectionServiceOptions;\n"],"mappings":""}
+{"version":3,"file":"Service.js","names":[],"sources":["../../../../lib/core/types/Service.ts"],"sourcesContent":["// only add methods needed internally\nexport interface ServiceInterface {\n  start(): Promise<void>;\n  stop(): Promise<void>;\n  isStarted(): boolean;\n  canStart(): boolean;\n  requiresLeadership(): boolean;\n}\n\nexport interface ServiceManagerInterface {\n  isLeaderRequired(): boolean;\n  isLeader(): boolean;\n  start(): Promise<void>;\n  stop(): Promise<void>;\n  getService(name: string): ServiceInterface | undefined;\n}\n\nexport interface AutoRenewServiceOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n}\n\nexport interface SyncStorageServiceOptions {\n  syncStorage?: boolean;\n  syncChannelName?: string;\n}\n\nexport interface LeaderElectionServiceOptions {\n  electionChannelName?: string;\n  // TODO: remove in next major version - OKTA-473815\n  broadcastChannelName?: string;\n}\n\ntype seconds = number;\n\nexport interface RenewOnTabActivationServiceOptions {\n  renewOnTabActivation?: boolean;\n  tabInactivityDuration?: seconds;\n}\n\nexport type ServiceManagerOptions =\n  AutoRenewServiceOptions &\n  SyncStorageServiceOptions &\n  LeaderElectionServiceOptions &\n  RenewOnTabActivationServiceOptions;\n"],"mappings":""}

package/cjs/errors/OAuthError.js

@@ -2,6 +2,7 @@
 
 var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
 exports.default = void 0;
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
 var _CustomError = _interopRequireDefault(require("./CustomError"));
 /* eslint-disable camelcase */
 /*!
@@ -19,8 +20,9 @@ var _CustomError = _interopRequireDefault(require("./CustomError"));
 class OAuthError extends _CustomError.default {
   // for widget / idx-js backward compatibility
 
-  constructor(errorCode, summary) {
+  constructor(errorCode, summary, resp) {
     super(summary);
+    (0, _defineProperty2.default)(this, "resp", null);
     this.name = 'OAuthError';
     this.errorCode = errorCode;
     this.errorSummary = summary;
@@ -28,6 +30,12 @@ class OAuthError extends _CustomError.default {
     // for widget / idx-js backward compatibility
     this.error = errorCode;
     this.error_description = summary;
+
+    // an OAuth error (should) always result from a network request
+    // therefore include that in error for potential error handling
+    if (resp) {
+      this.resp = resp;
+    }
   }
 }
 exports.default = OAuthError;

package/cjs/errors/OAuthError.js.map

@@ -1 +1 @@
-{"version":3,"file":"OAuthError.js","names":["OAuthError","CustomError","constructor","errorCode","summary","name","errorSummary","error","error_description"],"sources":["../../../lib/errors/OAuthError.ts"],"sourcesContent":["/* eslint-disable camelcase */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport CustomError from './CustomError';\n\nexport default class OAuthError extends CustomError {\n  errorCode: string;\n  errorSummary: string;\n\n  // for widget / idx-js backward compatibility\n  error: string;\n  error_description: string;\n\n  constructor(errorCode: string, summary: string) {\n    super(summary);\n\n    this.name = 'OAuthError';\n    this.errorCode = errorCode;\n    this.errorSummary = summary;\n\n    // for widget / idx-js backward compatibility\n    this.error = errorCode;\n    this.error_description = summary;\n  }\n}\n\n"],"mappings":";;;;AAaA;AAbA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAIe,MAAMA,UAAU,SAASC,oBAAW,CAAC;EAIlD;;EAIAC,WAAW,CAACC,SAAiB,EAAEC,OAAe,EAAE;IAC9C,KAAK,CAACA,OAAO,CAAC;IAEd,IAAI,CAACC,IAAI,GAAG,YAAY;IACxB,IAAI,CAACF,SAAS,GAAGA,SAAS;IAC1B,IAAI,CAACG,YAAY,GAAGF,OAAO;;IAE3B;IACA,IAAI,CAACG,KAAK,GAAGJ,SAAS;IACtB,IAAI,CAACK,iBAAiB,GAAGJ,OAAO;EAClC;AACF;AAAC;AAAA"}
+{"version":3,"file":"OAuthError.js","names":["OAuthError","CustomError","constructor","errorCode","summary","resp","name","errorSummary","error","error_description"],"sources":["../../../lib/errors/OAuthError.ts"],"sourcesContent":["/* eslint-disable camelcase */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport CustomError from './CustomError';\nimport type { HttpResponse } from '../http';\n\nexport default class OAuthError extends CustomError {\n  errorCode: string;\n  errorSummary: string;\n\n  // for widget / idx-js backward compatibility\n  error: string;\n  error_description: string;\n\n  resp: HttpResponse | null = null;\n\n  constructor(errorCode: string, summary: string, resp?: HttpResponse) {\n    super(summary);\n\n    this.name = 'OAuthError';\n    this.errorCode = errorCode;\n    this.errorSummary = summary;\n\n    // for widget / idx-js backward compatibility\n    this.error = errorCode;\n    this.error_description = summary;\n\n    // an OAuth error (should) always result from a network request\n    // therefore include that in error for potential error handling\n    if (resp) {\n      this.resp = resp;\n    }\n  }\n}\n\n"],"mappings":";;;;;AAaA;AAbA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKe,MAAMA,UAAU,SAASC,oBAAW,CAAC;EAIlD;;EAMAC,WAAW,CAACC,SAAiB,EAAEC,OAAe,EAAEC,IAAmB,EAAE;IACnE,KAAK,CAACD,OAAO,CAAC;IAAC,4CAHW,IAAI;IAK9B,IAAI,CAACE,IAAI,GAAG,YAAY;IACxB,IAAI,CAACH,SAAS,GAAGA,SAAS;IAC1B,IAAI,CAACI,YAAY,GAAGH,OAAO;;IAE3B;IACA,IAAI,CAACI,KAAK,GAAGL,SAAS;IACtB,IAAI,CAACM,iBAAiB,GAAGL,OAAO;;IAEhC;IACA;IACA,IAAIC,IAAI,EAAE;MACR,IAAI,CAACA,IAAI,GAAGA,IAAI;IAClB;EACF;AACF;AAAC;AAAA"}

package/cjs/errors/WWWAuthError.js

@@ -0,0 +1,98 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+exports.default = void 0;
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _CustomError = _interopRequireDefault(require("./CustomError"));
+var _util = require("../util");
+/*!
+ * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+
+// Error thrown after an unsuccessful network request which requires an Authorization header 
+// and returns a 4XX error with a www-authenticate header. The header value is parsed to construct 
+// an error instance, which contains key/value pairs parsed out
+class WWWAuthError extends _CustomError.default {
+  constructor(scheme, parameters, resp) {
+    // defaults to unknown error. `error` being returned in the www-authenticate header is expected
+    // but cannot be guaranteed. Throwing an error within a error constructor seems awkward
+    super(parameters.error ?? WWWAuthError.UNKNOWN_ERROR);
+    (0, _defineProperty2.default)(this, "name", 'WWWAuthError');
+    (0, _defineProperty2.default)(this, "resp", null);
+    this.scheme = scheme;
+    this.parameters = parameters;
+    if (resp) {
+      this.resp = resp;
+    }
+  }
+
+  // convenience references
+  get error() {
+    return this.parameters.error;
+  }
+  get errorCode() {
+    return this.error;
+  } // parity with other error props
+  // eslint-disable-next-line camelcase
+  get error_description() {
+    return this.parameters.error_description;
+  }
+  // eslint-disable-next-line camelcase
+  get errorDescription() {
+    return this.error_description;
+  }
+  get errorSummary() {
+    return this.errorDescription;
+  } // parity with other error props
+  get realm() {
+    return this.parameters.realm;
+  }
+
+  // parses the www-authenticate header for releveant
+  static parseHeader(header) {
+    // header cannot be empty string
+    if (!header) {
+      return null;
+    }
+
+    // example string: Bearer error="invalid_token", error_description="The access token is invalid"
+    // regex will match on `error="invalid_token", error_description="The access token is invalid"`
+    // see unit test for more examples of possible www-authenticate values
+    // eslint-disable-next-line max-len
+    const regex = /(?:,|, )?([a-zA-Z0-9!#$%&'*+\-.^_`|~]+)=(?:"([a-zA-Z0-9!#$%&'*+\-.,^_`|~ /:]+)"|([a-zA-Z0-9!#$%&'*+\-.^_`|~/:]+))/g;
+    const firstSpace = header.indexOf(' ');
+    const scheme = header.slice(0, firstSpace);
+    const remaining = header.slice(firstSpace + 1);
+    const params = {};
+
+    // Reference: foo="hello", bar="bye"
+    // i=0, match=[foo="hello1", foo, hello]
+    // i=1, match=[bar="bye", bar, bye]
+    let match;
+    while ((match = regex.exec(remaining)) !== null) {
+      params[match[1]] = match[2] ?? match[3];
+    }
+    return new WWWAuthError(scheme, params);
+  }
+
+  // finds the value of the `www-authenticate` header. HeadersInit allows for a few different
+  // representations of headers with different access patterns (.get vs [key])
+  static getWWWAuthenticateHeader(headers = {}) {
+    if ((0, _util.isFunction)(headers?.get)) {
+      return headers.get('WWW-Authenticate');
+    }
+    return headers['www-authenticate'] ?? headers['WWW-Authenticate'];
+  }
+}
+exports.default = WWWAuthError;
+(0, _defineProperty2.default)(WWWAuthError, "UNKNOWN_ERROR", 'UNKNOWN_WWW_AUTH_ERROR');
+module.exports = exports.default;
+//# sourceMappingURL=WWWAuthError.js.map

package/cjs/errors/WWWAuthError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"WWWAuthError.js","names":["WWWAuthError","CustomError","constructor","scheme","parameters","resp","error","UNKNOWN_ERROR","errorCode","error_description","errorDescription","errorSummary","realm","parseHeader","header","regex","firstSpace","indexOf","slice","remaining","params","match","exec","getWWWAuthenticateHeader","headers","isFunction","get"],"sources":["../../../lib/errors/WWWAuthError.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport type { HttpResponse } from '../http';\nimport CustomError from './CustomError';\nimport { isFunction } from '../util';\n\n// Error thrown after an unsuccessful network request which requires an Authorization header \n// and returns a 4XX error with a www-authenticate header. The header value is parsed to construct \n// an error instance, which contains key/value pairs parsed out\nexport default class WWWAuthError extends CustomError {\n  static UNKNOWN_ERROR = 'UNKNOWN_WWW_AUTH_ERROR';\n\n  scheme: string;\n  parameters: Record<string, string>;\n  name = 'WWWAuthError';\n\n  resp: HttpResponse | null = null;\n\n  constructor(scheme: string, parameters: Record<string, string>, resp?: HttpResponse) {\n    // defaults to unknown error. `error` being returned in the www-authenticate header is expected\n    // but cannot be guaranteed. Throwing an error within a error constructor seems awkward\n    super(parameters.error ?? WWWAuthError.UNKNOWN_ERROR);\n    this.scheme = scheme;\n    this.parameters = parameters;\n\n    if (resp) {\n      this.resp = resp;\n    }\n  }\n\n  // convenience references\n  get error (): string { return this.parameters.error; }\n  get errorCode (): string { return this.error; }                 // parity with other error props\n  // eslint-disable-next-line camelcase\n  get error_description (): string { return this.parameters.error_description; }\n  // eslint-disable-next-line camelcase\n  get errorDescription (): string { return this.error_description; }\n  get errorSummary (): string { return this.errorDescription; }   // parity with other error props\n  get realm (): string { return this.parameters.realm; }\n\n  // parses the www-authenticate header for releveant\n  static parseHeader (header: string): WWWAuthError | null {\n    // header cannot be empty string\n    if (!header) {\n      return null;\n    }\n\n    // example string: Bearer error=\"invalid_token\", error_description=\"The access token is invalid\"\n    // regex will match on `error=\"invalid_token\", error_description=\"The access token is invalid\"`\n    // see unit test for more examples of possible www-authenticate values\n    // eslint-disable-next-line max-len\n    const regex = /(?:,|, )?([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=(?:\"([a-zA-Z0-9!#$%&'*+\\-.,^_`|~ /:]+)\"|([a-zA-Z0-9!#$%&'*+\\-.^_`|~/:]+))/g;\n    const firstSpace = header.indexOf(' ');\n    const scheme = header.slice(0, firstSpace);\n    const remaining = header.slice(firstSpace + 1);\n    const params = {};\n\n    // Reference: foo=\"hello\", bar=\"bye\"\n    // i=0, match=[foo=\"hello1\", foo, hello]\n    // i=1, match=[bar=\"bye\", bar, bye]\n    let match;\n    while ((match = regex.exec(remaining)) !== null) {\n      params[match[1]] = (match[2] ?? match[3]);\n    }\n\n    return new WWWAuthError(scheme, params);\n  }\n\n  // finds the value of the `www-authenticate` header. HeadersInit allows for a few different\n  // representations of headers with different access patterns (.get vs [key])\n  static getWWWAuthenticateHeader (headers: HeadersInit = {}): string | null {\n    if (isFunction((headers as Headers)?.get)) {\n      return (headers as Headers).get('WWW-Authenticate');\n    }\n    return headers['www-authenticate'] ?? headers['WWW-Authenticate'];\n  }\n}\n"],"mappings":";;;;;AAcA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACA;AACe,MAAMA,YAAY,SAASC,oBAAW,CAAC;EASpDC,WAAW,CAACC,MAAc,EAAEC,UAAkC,EAAEC,IAAmB,EAAE;IACnF;IACA;IACA,KAAK,CAACD,UAAU,CAACE,KAAK,IAAIN,YAAY,CAACO,aAAa,CAAC;IAAC,4CAPjD,cAAc;IAAA,4CAEO,IAAI;IAM9B,IAAI,CAACJ,MAAM,GAAGA,MAAM;IACpB,IAAI,CAACC,UAAU,GAAGA,UAAU;IAE5B,IAAIC,IAAI,EAAE;MACR,IAAI,CAACA,IAAI,GAAGA,IAAI;IAClB;EACF;;EAEA;EACA,IAAIC,KAAK,GAAY;IAAE,OAAO,IAAI,CAACF,UAAU,CAACE,KAAK;EAAE;EACrD,IAAIE,SAAS,GAAY;IAAE,OAAO,IAAI,CAACF,KAAK;EAAE,CAAC,CAAiB;EAChE;EACA,IAAIG,iBAAiB,GAAY;IAAE,OAAO,IAAI,CAACL,UAAU,CAACK,iBAAiB;EAAE;EAC7E;EACA,IAAIC,gBAAgB,GAAY;IAAE,OAAO,IAAI,CAACD,iBAAiB;EAAE;EACjE,IAAIE,YAAY,GAAY;IAAE,OAAO,IAAI,CAACD,gBAAgB;EAAE,CAAC,CAAG;EAChE,IAAIE,KAAK,GAAY;IAAE,OAAO,IAAI,CAACR,UAAU,CAACQ,KAAK;EAAE;;EAErD;EACA,OAAOC,WAAW,CAAEC,MAAc,EAAuB;IACvD;IACA,IAAI,CAACA,MAAM,EAAE;MACX,OAAO,IAAI;IACb;;IAEA;IACA;IACA;IACA;IACA,MAAMC,KAAK,GAAG,oHAAoH;IAClI,MAAMC,UAAU,GAAGF,MAAM,CAACG,OAAO,CAAC,GAAG,CAAC;IACtC,MAAMd,MAAM,GAAGW,MAAM,CAACI,KAAK,CAAC,CAAC,EAAEF,UAAU,CAAC;IAC1C,MAAMG,SAAS,GAAGL,MAAM,CAACI,KAAK,CAACF,UAAU,GAAG,CAAC,CAAC;IAC9C,MAAMI,MAAM,GAAG,CAAC,CAAC;;IAEjB;IACA;IACA;IACA,IAAIC,KAAK;IACT,OAAO,CAACA,KAAK,GAAGN,KAAK,CAACO,IAAI,CAACH,SAAS,CAAC,MAAM,IAAI,EAAE;MAC/CC,MAAM,CAACC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAIA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAE;IAC3C;IAEA,OAAO,IAAIrB,YAAY,CAACG,MAAM,EAAEiB,MAAM,CAAC;EACzC;;EAEA;EACA;EACA,OAAOG,wBAAwB,CAAEC,OAAoB,GAAG,CAAC,CAAC,EAAiB;IACzE,IAAI,IAAAC,gBAAU,EAAED,OAAO,EAAcE,GAAG,CAAC,EAAE;MACzC,OAAQF,OAAO,CAAaE,GAAG,CAAC,kBAAkB,CAAC;IACrD;IACA,OAAOF,OAAO,CAAC,kBAAkB,CAAC,IAAIA,OAAO,CAAC,kBAAkB,CAAC;EACnE;AACF;AAAC;AAAA,8BAnEoBxB,YAAY,mBACR,wBAAwB;AAAA"}

package/cjs/errors/index.js

@@ -4,10 +4,12 @@ var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefau
 var _exportNames = {
   isAuthApiError: true,
   isOAuthError: true,
+  isWWWAuthError: true,
   AuthApiError: true,
   AuthPollStopError: true,
   AuthSdkError: true,
-  OAuthError: true
+  OAuthError: true,
+  WWWAuthError: true
 };
 Object.defineProperty(exports, "AuthApiError", {
   enumerable: true,
@@ -33,12 +35,20 @@ Object.defineProperty(exports, "OAuthError", {
     return _OAuthError.default;
   }
 });
+Object.defineProperty(exports, "WWWAuthError", {
+  enumerable: true,
+  get: function () {
+    return _WWWAuthError.default;
+  }
+});
 exports.isAuthApiError = isAuthApiError;
 exports.isOAuthError = isOAuthError;
+exports.isWWWAuthError = isWWWAuthError;
 var _AuthApiError = _interopRequireDefault(require("./AuthApiError"));
 var _AuthPollStopError = _interopRequireDefault(require("./AuthPollStopError"));
 var _AuthSdkError = _interopRequireDefault(require("./AuthSdkError"));
 var _OAuthError = _interopRequireDefault(require("./OAuthError"));
+var _WWWAuthError = _interopRequireDefault(require("./WWWAuthError"));
 var _types = require("./types");
 Object.keys(_types).forEach(function (key) {
   if (key === "default" || key === "__esModule") return;
@@ -69,4 +79,7 @@ function isAuthApiError(obj) {
 function isOAuthError(obj) {
   return obj instanceof _OAuthError.default;
 }
+function isWWWAuthError(obj) {
+  return obj instanceof _WWWAuthError.default;
+}
 //# sourceMappingURL=index.js.map

package/cjs/errors/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["isAuthApiError","obj","AuthApiError","isOAuthError","OAuthError"],"sources":["../../../lib/errors/index.ts"],"sourcesContent":["\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport AuthApiError from './AuthApiError';\nimport AuthPollStopError from './AuthPollStopError';\nimport AuthSdkError from './AuthSdkError';\nimport OAuthError from './OAuthError';\n\nfunction isAuthApiError(obj: any): obj is AuthApiError {\n  return (obj instanceof AuthApiError);\n}\n\nfunction isOAuthError(obj: any): obj is OAuthError {\n  return (obj instanceof OAuthError);\n}\n\nexport {\n  isAuthApiError,\n  isOAuthError,\n  AuthApiError,\n  AuthPollStopError,\n  AuthSdkError,\n  OAuthError\n};\n\nexport * from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;AACA;AACA;AACA;AAmBA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAlCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA,SAASA,cAAc,CAACC,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYC,qBAAY;AACrC;AAEA,SAASC,YAAY,CAACF,GAAQ,EAAqB;EACjD,OAAQA,GAAG,YAAYG,mBAAU;AACnC"}
+{"version":3,"file":"index.js","names":["isAuthApiError","obj","AuthApiError","isOAuthError","OAuthError","isWWWAuthError","WWWAuthError"],"sources":["../../../lib/errors/index.ts"],"sourcesContent":["\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport AuthApiError from './AuthApiError';\nimport AuthPollStopError from './AuthPollStopError';\nimport AuthSdkError from './AuthSdkError';\nimport OAuthError from './OAuthError';\nimport WWWAuthError from './WWWAuthError';\n\nfunction isAuthApiError(obj: any): obj is AuthApiError {\n  return (obj instanceof AuthApiError);\n}\n\nfunction isOAuthError(obj: any): obj is OAuthError {\n  return (obj instanceof OAuthError);\n}\n\nfunction isWWWAuthError(obj: any): obj is WWWAuthError {\n  return (obj instanceof WWWAuthError);\n}\n\nexport {\n  isAuthApiError,\n  isOAuthError,\n  isWWWAuthError,\n  AuthApiError,\n  AuthPollStopError,\n  AuthSdkError,\n  OAuthError,\n  WWWAuthError\n};\n\nexport * from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;AACA;AACA;AACA;AACA;AAyBA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAzCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA,SAASA,cAAc,CAACC,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYC,qBAAY;AACrC;AAEA,SAASC,YAAY,CAACF,GAAQ,EAAqB;EACjD,OAAQA,GAAG,YAAYG,mBAAU;AACnC;AAEA,SAASC,cAAc,CAACJ,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYK,qBAAY;AACrC"}

package/cjs/features.js

@@ -3,6 +3,7 @@
 exports.getUserAgent = getUserAgent;
 exports.hasTextEncoder = hasTextEncoder;
 exports.isBrowser = isBrowser;
+exports.isDPoPSupported = isDPoPSupported;
 exports.isFingerprintSupported = isFingerprintSupported;
 exports.isHTTPS = isHTTPS;
 exports.isIE11OrLess = isIE11OrLess;
@@ -55,9 +56,12 @@ function isPopupPostMessageSupported() {
   }
   return false;
 }
-function isTokenVerifySupported() {
+function isWebCryptoSubtleSupported() {
   return typeof _crypto.webcrypto !== 'undefined' && _crypto.webcrypto !== null && typeof _crypto.webcrypto.subtle !== 'undefined' && typeof Uint8Array !== 'undefined';
 }
+function isTokenVerifySupported() {
+  return isWebCryptoSubtleSupported();
+}
 function hasTextEncoder() {
   return typeof TextEncoder !== 'undefined';
 }
@@ -74,4 +78,9 @@ function isLocalhost() {
   // eslint-disable-next-line compat/compat
   return isBrowser() && window.location.hostname === 'localhost';
 }
+
+// For now, DPoP is only supported on browsers
+function isDPoPSupported() {
+  return !isIE11OrLess() && typeof window.indexedDB !== 'undefined' && hasTextEncoder() && isWebCryptoSubtleSupported();
+}
 //# sourceMappingURL=features.js.map