@okta/okta-auth-js 7.5.1 → 7.7.0
- package/CHANGELOG.md +14 -0
- package/README.md +168 -4
- package/cjs/base/types.js.map +1 -1
- package/cjs/core/ServiceManager/browser.js +10 -2
- package/cjs/core/ServiceManager/browser.js.map +1 -1
- package/cjs/core/types/Service.js.map +1 -1
- package/cjs/errors/OAuthError.js +9 -1
- package/cjs/errors/OAuthError.js.map +1 -1
- package/cjs/errors/WWWAuthError.js +98 -0
- package/cjs/errors/WWWAuthError.js.map +1 -0
- package/cjs/errors/index.js +14 -1
- package/cjs/errors/index.js.map +1 -1
- package/cjs/features.js +10 -1
- package/cjs/features.js.map +1 -1
- package/cjs/http/OktaUserAgent.js +2 -2
- package/cjs/http/request.js +24 -25
- package/cjs/http/request.js.map +1 -1
- package/cjs/idx/IdxTransactionManager.js +5 -0
- package/cjs/idx/IdxTransactionManager.js.map +1 -1
- package/cjs/idx/authenticator/Authenticator.js.map +1 -1
- package/cjs/idx/authenticator/OktaPassword.js +16 -4
- package/cjs/idx/authenticator/OktaPassword.js.map +1 -1
- package/cjs/idx/run.js +6 -3
- package/cjs/idx/run.js.map +1 -1
- package/cjs/idx/types/idx-js.js.map +1 -1
- package/cjs/idx/types/options.js.map +1 -1
- package/cjs/oidc/TokenManager.js +17 -1
- package/cjs/oidc/TokenManager.js.map +1 -1
- package/cjs/oidc/dpop.js +231 -0
- package/cjs/oidc/dpop.js.map +1 -0
- package/cjs/oidc/endpoints/token.js +77 -27
- package/cjs/oidc/endpoints/token.js.map +1 -1
- package/cjs/oidc/exchangeCodeForTokens.js +51 -28
- package/cjs/oidc/exchangeCodeForTokens.js.map +1 -1
- package/cjs/oidc/getUserInfo.js +32 -17
- package/cjs/oidc/getUserInfo.js.map +1 -1
- package/cjs/oidc/handleOAuthResponse.js +12 -0
- package/cjs/oidc/handleOAuthResponse.js.map +1 -1
- package/cjs/oidc/mixin/index.js +79 -2
- package/cjs/oidc/mixin/index.js.map +1 -1
- package/cjs/oidc/options/OAuthOptionsConstructor.js +3 -1
- package/cjs/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/cjs/oidc/renewToken.js +4 -2
- package/cjs/oidc/renewToken.js.map +1 -1
- package/cjs/oidc/renewTokens.js +3 -1
- package/cjs/oidc/renewTokens.js.map +1 -1
- package/cjs/oidc/renewTokensWithRefresh.js +13 -2
- package/cjs/oidc/renewTokensWithRefresh.js.map +1 -1
- package/cjs/oidc/types/Token.js.map +1 -1
- package/cjs/oidc/types/api.js.map +1 -1
- package/cjs/oidc/types/options.js.map +1 -1
- package/cjs/oidc/util/defaultTokenParams.js +4 -2
- package/cjs/oidc/util/defaultTokenParams.js.map +1 -1
- package/cjs/oidc/util/prepareTokenParams.js +3 -0
- package/cjs/oidc/util/prepareTokenParams.js.map +1 -1
- package/cjs/services/RenewOnTabActivationService.js +64 -0
- package/cjs/services/RenewOnTabActivationService.js.map +1 -0
- package/cjs/services/index.js +11 -0
- package/cjs/services/index.js.map +1 -1
- package/dist/okta-auth-js.authn.min.analyzer.html +2 -2
- package/dist/okta-auth-js.authn.min.js +1 -1
- package/dist/okta-auth-js.authn.min.js.map +1 -1
- package/dist/okta-auth-js.core.min.analyzer.html +2 -2
- package/dist/okta-auth-js.core.min.js +1 -1
- package/dist/okta-auth-js.core.min.js.map +1 -1
- package/dist/okta-auth-js.idx.min.analyzer.html +2 -2
- package/dist/okta-auth-js.idx.min.js +1 -1
- package/dist/okta-auth-js.idx.min.js.map +1 -1
- package/dist/okta-auth-js.min.analyzer.html +2 -2
- package/dist/okta-auth-js.min.js +1 -1
- package/dist/okta-auth-js.min.js.map +1 -1
- package/dist/okta-auth-js.myaccount.min.analyzer.html +2 -2
- package/dist/okta-auth-js.myaccount.min.js +1 -1
- package/dist/okta-auth-js.myaccount.min.js.map +1 -1
- package/esm/browser/authn/api.js +1 -0
- package/esm/browser/authn/api.js.map +1 -1
- package/esm/browser/authn/util/link2fn.js +1 -0
- package/esm/browser/authn/util/link2fn.js.map +1 -1
- package/esm/browser/authn/util/poll.js +1 -0
- package/esm/browser/authn/util/poll.js.map +1 -1
- package/esm/browser/browser/fingerprint.js +1 -0
- package/esm/browser/browser/fingerprint.js.map +1 -1
- package/esm/browser/core/AuthStateManager.js +1 -0
- package/esm/browser/core/AuthStateManager.js.map +1 -1
- package/esm/browser/core/ServiceManager/browser.js +9 -2
- package/esm/browser/core/ServiceManager/browser.js.map +1 -1
- package/esm/browser/core/options.js +1 -0
- package/esm/browser/core/options.js.map +1 -1
- package/esm/browser/crypto/base64.js +1 -0
- package/esm/browser/crypto/base64.js.map +1 -1
- package/esm/browser/errors/OAuthError.js +5 -1
- package/esm/browser/errors/OAuthError.js.map +1 -1
- package/esm/browser/errors/WWWAuthError.js +61 -0
- package/esm/browser/errors/WWWAuthError.js.map +1 -0
- package/esm/browser/errors/index.js +6 -1
- package/esm/browser/errors/index.js.map +1 -1
- package/esm/browser/exports/exports/authn.js +2 -1
- package/esm/browser/exports/exports/authn.js.map +1 -1
- package/esm/browser/exports/exports/core.js +2 -1
- package/esm/browser/exports/exports/core.js.map +1 -1
- package/esm/browser/exports/exports/default.js +2 -1
- package/esm/browser/exports/exports/default.js.map +1 -1
- package/esm/browser/exports/exports/idx.js +2 -1
- package/esm/browser/exports/exports/idx.js.map +1 -1
- package/esm/browser/exports/exports/myaccount.js +2 -1
- package/esm/browser/exports/exports/myaccount.js.map +1 -1
- package/esm/browser/features.js +12 -2
- package/esm/browser/features.js.map +1 -1
- package/esm/browser/http/OktaUserAgent.js +2 -2
- package/esm/browser/http/options.js +1 -0
- package/esm/browser/http/options.js.map +1 -1
- package/esm/browser/http/request.js +14 -25
- package/esm/browser/http/request.js.map +1 -1
- package/esm/browser/idx/IdxTransactionManager.js +4 -1
- package/esm/browser/idx/IdxTransactionManager.js.map +1 -1
- package/esm/browser/idx/authenticator/Authenticator.js.map +1 -1
- package/esm/browser/idx/authenticator/OktaPassword.js +17 -4
- package/esm/browser/idx/authenticator/OktaPassword.js.map +1 -1
- package/esm/browser/idx/cancel.js +1 -0
- package/esm/browser/idx/cancel.js.map +1 -1
- package/esm/browser/idx/factory/api.js +1 -0
- package/esm/browser/idx/factory/api.js.map +1 -1
- package/esm/browser/idx/flow/AccountUnlockFlow.js +1 -0
- package/esm/browser/idx/flow/AccountUnlockFlow.js.map +1 -1
- package/esm/browser/idx/flow/AuthenticationFlow.js +1 -0
- package/esm/browser/idx/flow/AuthenticationFlow.js.map +1 -1
- package/esm/browser/idx/flow/PasswordRecoveryFlow.js +1 -0
- package/esm/browser/idx/flow/PasswordRecoveryFlow.js.map +1 -1
- package/esm/browser/idx/flow/RegistrationFlow.js +1 -0
- package/esm/browser/idx/flow/RegistrationFlow.js.map +1 -1
- package/esm/browser/idx/handleInteractionCodeRedirect.js +1 -0
- package/esm/browser/idx/handleInteractionCodeRedirect.js.map +1 -1
- package/esm/browser/idx/idxState/v1/generateIdxAction.js +1 -0
- package/esm/browser/idx/idxState/v1/generateIdxAction.js.map +1 -1
- package/esm/browser/idx/idxState/v1/idxResponseParser.js +1 -0
- package/esm/browser/idx/idxState/v1/idxResponseParser.js.map +1 -1
- package/esm/browser/idx/interact.js +1 -0
- package/esm/browser/idx/interact.js.map +1 -1
- package/esm/browser/idx/proceed.js +1 -0
- package/esm/browser/idx/proceed.js.map +1 -1
- package/esm/browser/idx/recoverPassword.js +1 -0
- package/esm/browser/idx/recoverPassword.js.map +1 -1
- package/esm/browser/idx/register.js +1 -0
- package/esm/browser/idx/register.js.map +1 -1
- package/esm/browser/idx/remediate.js +1 -0
- package/esm/browser/idx/remediate.js.map +1 -1
- package/esm/browser/idx/remediators/GenericRemediator/util.js +2 -0
- package/esm/browser/idx/remediators/GenericRemediator/util.js.map +1 -1
- package/esm/browser/idx/run.js +3 -3
- package/esm/browser/idx/run.js.map +1 -1
- package/esm/browser/idx/transactionMeta.js +1 -0
- package/esm/browser/idx/transactionMeta.js.map +1 -1
- package/esm/browser/idx/types/idx-js.js.map +1 -1
- package/esm/browser/idx/unlockAccount.js +1 -0
- package/esm/browser/idx/unlockAccount.js.map +1 -1
- package/esm/browser/myaccount/request.js +1 -0
- package/esm/browser/myaccount/request.js.map +1 -1
- package/esm/browser/oidc/TokenManager.js +13 -1
- package/esm/browser/oidc/TokenManager.js.map +1 -1
- package/esm/browser/oidc/decodeToken.js +1 -0
- package/esm/browser/oidc/decodeToken.js.map +1 -1
- package/esm/browser/oidc/dpop.js +160 -0
- package/esm/browser/oidc/dpop.js.map +1 -0
- package/esm/browser/oidc/endpoints/authorize.js +1 -0
- package/esm/browser/oidc/endpoints/authorize.js.map +1 -1
- package/esm/browser/oidc/endpoints/token.js +57 -24
- package/esm/browser/oidc/endpoints/token.js.map +1 -1
- package/esm/browser/oidc/endpoints/well-known.js +1 -0
- package/esm/browser/oidc/endpoints/well-known.js.map +1 -1
- package/esm/browser/oidc/enrollAuthenticator.js +1 -0
- package/esm/browser/oidc/enrollAuthenticator.js.map +1 -1
- package/esm/browser/oidc/exchangeCodeForTokens.js +40 -25
- package/esm/browser/oidc/exchangeCodeForTokens.js.map +1 -1
- package/esm/browser/oidc/factory/api.js +1 -0
- package/esm/browser/oidc/factory/api.js.map +1 -1
- package/esm/browser/oidc/factory/baseApi.js +1 -0
- package/esm/browser/oidc/factory/baseApi.js.map +1 -1
- package/esm/browser/oidc/getToken.js +1 -0
- package/esm/browser/oidc/getToken.js.map +1 -1
- package/esm/browser/oidc/getUserInfo.js +22 -18
- package/esm/browser/oidc/getUserInfo.js.map +1 -1
- package/esm/browser/oidc/getWithPopup.js +1 -0
- package/esm/browser/oidc/getWithPopup.js.map +1 -1
- package/esm/browser/oidc/getWithRedirect.js +1 -0
- package/esm/browser/oidc/getWithRedirect.js.map +1 -1
- package/esm/browser/oidc/getWithoutPrompt.js +1 -0
- package/esm/browser/oidc/getWithoutPrompt.js.map +1 -1
- package/esm/browser/oidc/handleOAuthResponse.js +10 -0
- package/esm/browser/oidc/handleOAuthResponse.js.map +1 -1
- package/esm/browser/oidc/introspect.js +1 -0
- package/esm/browser/oidc/introspect.js.map +1 -1
- package/esm/browser/oidc/mixin/index.js +78 -2
- package/esm/browser/oidc/mixin/index.js.map +1 -1
- package/esm/browser/oidc/mixin/minimal.js +1 -0
- package/esm/browser/oidc/mixin/minimal.js.map +1 -1
- package/esm/browser/oidc/options/OAuthOptionsConstructor.js +2 -1
- package/esm/browser/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/esm/browser/oidc/parseFromUrl.js +1 -0
- package/esm/browser/oidc/parseFromUrl.js.map +1 -1
- package/esm/browser/oidc/renewToken.js +4 -2
- package/esm/browser/oidc/renewToken.js.map +1 -1
- package/esm/browser/oidc/renewTokens.js +4 -1
- package/esm/browser/oidc/renewTokens.js.map +1 -1
- package/esm/browser/oidc/renewTokensWithRefresh.js +12 -5
- package/esm/browser/oidc/renewTokensWithRefresh.js.map +1 -1
- package/esm/browser/oidc/revokeToken.js +1 -0
- package/esm/browser/oidc/revokeToken.js.map +1 -1
- package/esm/browser/oidc/storage.js +1 -0
- package/esm/browser/oidc/storage.js.map +1 -1
- package/esm/browser/oidc/types/Token.js.map +1 -1
- package/esm/browser/oidc/util/browser.js +1 -0
- package/esm/browser/oidc/util/browser.js.map +1 -1
- package/esm/browser/oidc/util/defaultTokenParams.js +3 -2
- package/esm/browser/oidc/util/defaultTokenParams.js.map +1 -1
- package/esm/browser/oidc/util/prepareEnrollAuthenticatorParams.js +1 -0
- package/esm/browser/oidc/util/prepareEnrollAuthenticatorParams.js.map +1 -1
- package/esm/browser/oidc/util/prepareTokenParams.js +4 -0
- package/esm/browser/oidc/util/prepareTokenParams.js.map +1 -1
- package/esm/browser/oidc/util/validateToken.js +1 -0
- package/esm/browser/oidc/util/validateToken.js.map +1 -1
- package/esm/browser/oidc/verifyToken.js +1 -0
- package/esm/browser/oidc/verifyToken.js.map +1 -1
- package/esm/browser/package.json +1 -1
- package/esm/browser/services/AutoRenewService.js +1 -0
- package/esm/browser/services/AutoRenewService.js.map +1 -1
- package/esm/browser/services/RenewOnTabActivationService.js +67 -0
- package/esm/browser/services/RenewOnTabActivationService.js.map +1 -0
- package/esm/browser/services/SyncStorageService.js +1 -0
- package/esm/browser/services/SyncStorageService.js.map +1 -1
- package/esm/browser/session/api.js +1 -0
- package/esm/browser/session/api.js.map +1 -1
- package/esm/node/authn/api.js +1 -0
- package/esm/node/authn/api.js.map +1 -1
- package/esm/node/authn/util/link2fn.js +1 -0
- package/esm/node/authn/util/link2fn.js.map +1 -1
- package/esm/node/authn/util/poll.js +1 -0
- package/esm/node/authn/util/poll.js.map +1 -1
- package/esm/node/browser/fingerprint.js +1 -0
- package/esm/node/browser/fingerprint.js.map +1 -1
- package/esm/node/core/AuthStateManager.js +1 -0
- package/esm/node/core/AuthStateManager.js.map +1 -1
- package/esm/node/core/options.js +1 -0
- package/esm/node/core/options.js.map +1 -1
- package/esm/node/crypto/base64.js +1 -0
- package/esm/node/crypto/base64.js.map +1 -1
- package/esm/node/errors/OAuthError.js +5 -1
- package/esm/node/errors/OAuthError.js.map +1 -1
- package/esm/node/errors/WWWAuthError.js +61 -0
- package/esm/node/errors/WWWAuthError.js.map +1 -0
- package/esm/node/errors/index.js +6 -1
- package/esm/node/errors/index.js.map +1 -1
- package/esm/node/exports/exports/authn.js +2 -1
- package/esm/node/exports/exports/authn.js.map +1 -1
- package/esm/node/exports/exports/core.js +2 -1
- package/esm/node/exports/exports/core.js.map +1 -1
- package/esm/node/exports/exports/default.js +2 -1
- package/esm/node/exports/exports/default.js.map +1 -1
- package/esm/node/exports/exports/idx.js +2 -1
- package/esm/node/exports/exports/idx.js.map +1 -1
- package/esm/node/exports/exports/myaccount.js +2 -1
- package/esm/node/exports/exports/myaccount.js.map +1 -1
- package/esm/node/features.js +12 -2
- package/esm/node/features.js.map +1 -1
- package/esm/node/http/OktaUserAgent.js +2 -2
- package/esm/node/http/options.js +1 -0
- package/esm/node/http/options.js.map +1 -1
- package/esm/node/http/request.js +14 -25
- package/esm/node/http/request.js.map +1 -1
- package/esm/node/idx/IdxTransactionManager.js +4 -1
- package/esm/node/idx/IdxTransactionManager.js.map +1 -1
- package/esm/node/idx/authenticator/Authenticator.js.map +1 -1
- package/esm/node/idx/authenticator/OktaPassword.js +17 -4
- package/esm/node/idx/authenticator/OktaPassword.js.map +1 -1
- package/esm/node/idx/cancel.js +1 -0
- package/esm/node/idx/cancel.js.map +1 -1
- package/esm/node/idx/factory/api.js +1 -0
- package/esm/node/idx/factory/api.js.map +1 -1
- package/esm/node/idx/flow/AccountUnlockFlow.js +1 -0
- package/esm/node/idx/flow/AccountUnlockFlow.js.map +1 -1
- package/esm/node/idx/flow/AuthenticationFlow.js +1 -0
- package/esm/node/idx/flow/AuthenticationFlow.js.map +1 -1
- package/esm/node/idx/flow/PasswordRecoveryFlow.js +1 -0
- package/esm/node/idx/flow/PasswordRecoveryFlow.js.map +1 -1
- package/esm/node/idx/flow/RegistrationFlow.js +1 -0
- package/esm/node/idx/flow/RegistrationFlow.js.map +1 -1
- package/esm/node/idx/handleInteractionCodeRedirect.js +1 -0
- package/esm/node/idx/handleInteractionCodeRedirect.js.map +1 -1
- package/esm/node/idx/idxState/v1/generateIdxAction.js +1 -0
- package/esm/node/idx/idxState/v1/generateIdxAction.js.map +1 -1
- package/esm/node/idx/idxState/v1/idxResponseParser.js +1 -0
- package/esm/node/idx/idxState/v1/idxResponseParser.js.map +1 -1
- package/esm/node/idx/interact.js +1 -0
- package/esm/node/idx/interact.js.map +1 -1
- package/esm/node/idx/proceed.js +1 -0
- package/esm/node/idx/proceed.js.map +1 -1
- package/esm/node/idx/recoverPassword.js +1 -0
- package/esm/node/idx/recoverPassword.js.map +1 -1
- package/esm/node/idx/register.js +1 -0
- package/esm/node/idx/register.js.map +1 -1
- package/esm/node/idx/remediate.js +1 -0
- package/esm/node/idx/remediate.js.map +1 -1
- package/esm/node/idx/remediators/GenericRemediator/util.js +2 -0
- package/esm/node/idx/remediators/GenericRemediator/util.js.map +1 -1
- package/esm/node/idx/run.js +3 -3
- package/esm/node/idx/run.js.map +1 -1
- package/esm/node/idx/transactionMeta.js +1 -0
- package/esm/node/idx/transactionMeta.js.map +1 -1
- package/esm/node/idx/types/idx-js.js.map +1 -1
- package/esm/node/idx/unlockAccount.js +1 -0
- package/esm/node/idx/unlockAccount.js.map +1 -1
- package/esm/node/myaccount/request.js +1 -0
- package/esm/node/myaccount/request.js.map +1 -1
- package/esm/node/oidc/TokenManager.js +13 -1
- package/esm/node/oidc/TokenManager.js.map +1 -1
- package/esm/node/oidc/decodeToken.js +1 -0
- package/esm/node/oidc/decodeToken.js.map +1 -1
- package/esm/node/oidc/dpop.js +160 -0
- package/esm/node/oidc/dpop.js.map +1 -0
- package/esm/node/oidc/endpoints/authorize.js +1 -0
- package/esm/node/oidc/endpoints/authorize.js.map +1 -1
- package/esm/node/oidc/endpoints/token.js +57 -24
- package/esm/node/oidc/endpoints/token.js.map +1 -1
- package/esm/node/oidc/endpoints/well-known.js +1 -0
- package/esm/node/oidc/endpoints/well-known.js.map +1 -1
- package/esm/node/oidc/enrollAuthenticator.js +1 -0
- package/esm/node/oidc/enrollAuthenticator.js.map +1 -1
- package/esm/node/oidc/exchangeCodeForTokens.js +40 -25
- package/esm/node/oidc/exchangeCodeForTokens.js.map +1 -1
- package/esm/node/oidc/factory/api.js +1 -0
- package/esm/node/oidc/factory/api.js.map +1 -1
- package/esm/node/oidc/factory/baseApi.js +1 -0
- package/esm/node/oidc/factory/baseApi.js.map +1 -1
- package/esm/node/oidc/getToken.js +1 -0
- package/esm/node/oidc/getToken.js.map +1 -1
- package/esm/node/oidc/getUserInfo.js +22 -18
- package/esm/node/oidc/getUserInfo.js.map +1 -1
- package/esm/node/oidc/getWithPopup.js +1 -0
- package/esm/node/oidc/getWithPopup.js.map +1 -1
- package/esm/node/oidc/getWithRedirect.js +1 -0
- package/esm/node/oidc/getWithRedirect.js.map +1 -1
- package/esm/node/oidc/getWithoutPrompt.js +1 -0
- package/esm/node/oidc/getWithoutPrompt.js.map +1 -1
- package/esm/node/oidc/handleOAuthResponse.js +10 -0
- package/esm/node/oidc/handleOAuthResponse.js.map +1 -1
- package/esm/node/oidc/introspect.js +1 -0
- package/esm/node/oidc/introspect.js.map +1 -1
- package/esm/node/oidc/mixin/index.js +78 -2
- package/esm/node/oidc/mixin/index.js.map +1 -1
- package/esm/node/oidc/mixin/minimal.js +1 -0
- package/esm/node/oidc/mixin/minimal.js.map +1 -1
- package/esm/node/oidc/options/OAuthOptionsConstructor.js +2 -1
- package/esm/node/oidc/options/OAuthOptionsConstructor.js.map +1 -1
- package/esm/node/oidc/parseFromUrl.js +1 -0
- package/esm/node/oidc/parseFromUrl.js.map +1 -1
- package/esm/node/oidc/renewToken.js +4 -2
- package/esm/node/oidc/renewToken.js.map +1 -1
- package/esm/node/oidc/renewTokens.js +4 -1
- package/esm/node/oidc/renewTokens.js.map +1 -1
- package/esm/node/oidc/renewTokensWithRefresh.js +12 -5
- package/esm/node/oidc/renewTokensWithRefresh.js.map +1 -1
- package/esm/node/oidc/revokeToken.js +1 -0
- package/esm/node/oidc/revokeToken.js.map +1 -1
- package/esm/node/oidc/storage.js +1 -0
- package/esm/node/oidc/storage.js.map +1 -1
- package/esm/node/oidc/types/Token.js.map +1 -1
- package/esm/node/oidc/util/browser.js +1 -0
- package/esm/node/oidc/util/browser.js.map +1 -1
- package/esm/node/oidc/util/defaultTokenParams.js +3 -2
- package/esm/node/oidc/util/defaultTokenParams.js.map +1 -1
- package/esm/node/oidc/util/prepareEnrollAuthenticatorParams.js +1 -0
- package/esm/node/oidc/util/prepareEnrollAuthenticatorParams.js.map +1 -1
- package/esm/node/oidc/util/prepareTokenParams.js +4 -0
- package/esm/node/oidc/util/prepareTokenParams.js.map +1 -1
- package/esm/node/oidc/util/validateToken.js +1 -0
- package/esm/node/oidc/util/validateToken.js.map +1 -1
- package/esm/node/oidc/verifyToken.js +1 -0
- package/esm/node/oidc/verifyToken.js.map +1 -1
- package/esm/node/package.json +1 -1
- package/esm/node/server/serverStorage.js +1 -0
- package/esm/node/server/serverStorage.js.map +1 -1
- package/esm/node/session/api.js +1 -0
- package/esm/node/session/api.js.map +1 -1
- package/esm/node/storage/options/StorageOptionsConstructor.js +1 -0
- package/esm/node/storage/options/StorageOptionsConstructor.js.map +1 -1
- package/package.json +5 -6
- package/types/lib/base/types.d.ts +1 -0
- package/types/lib/core/options.d.ts +1 -0
- package/types/lib/core/types/Service.d.ts +7 -1
- package/types/lib/errors/OAuthError.d.ts +3 -1
- package/types/lib/errors/WWWAuthError.d.ts +29 -0
- package/types/lib/errors/index.d.ts +3 -1
- package/types/lib/features.d.ts +1 -0
- package/types/lib/idx/authenticator/Authenticator.d.ts +1 -1
- package/types/lib/idx/authenticator/OktaPassword.d.ts +2 -1
- package/types/lib/idx/options.d.ts +1 -0
- package/types/lib/idx/types/idx-js.d.ts +1 -0
- package/types/lib/idx/types/options.d.ts +1 -0
- package/types/lib/oidc/dpop.d.ts +35 -0
- package/types/lib/oidc/endpoints/token.d.ts +5 -2
- package/types/lib/oidc/options/OAuthOptionsConstructor.d.ts +1 -0
- package/types/lib/oidc/types/Token.d.ts +2 -0
- package/types/lib/oidc/types/api.d.ts +14 -0
- package/types/lib/oidc/types/options.d.ts +3 -0
- package/types/lib/services/RenewOnTabActivationService.d.ts +16 -0
- package/types/lib/services/index.d.ts +1 -0
- package/umd/authn.js +1 -1
- package/umd/authn.js.map +1 -1
- package/umd/core.js +1 -1
- package/umd/core.js.map +1 -1
- package/umd/default.js +1 -1
- package/umd/default.js.map +1 -1
- package/umd/idx.js +1 -1
- package/umd/idx.js.map +1 -1
- package/umd/myaccount.js +1 -1
- package/umd/myaccount.js.map +1 -1
|
@@ -5,6 +5,7 @@ var _util = require("./util");
|
|
|
5
5
|
var _util2 = require("../util");
|
|
6
6
|
var _token = require("./endpoints/token");
|
|
7
7
|
var _handleOAuthResponse = require("./handleOAuthResponse");
|
|
8
|
+
var _dpop = require("./dpop");
|
|
8
9
|
/* eslint-disable @typescript-eslint/no-non-null-assertion */
|
|
9
10
|
/* eslint-disable max-len */
|
|
10
11
|
/*!
|
|
@@ -21,7 +22,7 @@ var _handleOAuthResponse = require("./handleOAuthResponse");
|
|
|
21
22
|
*/
|
|
22
23
|
|
|
23
24
|
// codeVerifier is required. May pass either an authorizationCode or interactionCode
|
|
24
|
-
function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
25
|
+
async function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
25
26
|
urls = urls || (0, _util.getOAuthUrls)(sdk, tokenParams);
|
|
26
27
|
// build params using defaults + options
|
|
27
28
|
tokenParams = Object.assign({}, (0, _util.getDefaultTokenParams)(sdk), (0, _util2.clone)(tokenParams));
|
|
@@ -34,40 +35,62 @@ function exchangeCodeForTokens(sdk, tokenParams, urls) {
|
|
|
34
35
|
scopes,
|
|
35
36
|
ignoreSignature,
|
|
36
37
|
state,
|
|
37
|
-
acrValues
|
|
38
|
+
acrValues,
|
|
39
|
+
dpop,
|
|
40
|
+
dpopPairId
|
|
38
41
|
} = tokenParams;
|
|
39
|
-
|
|
42
|
+
|
|
43
|
+
// postToTokenEndpoint() params
|
|
44
|
+
const getTokenOptions = {
|
|
40
45
|
clientId,
|
|
41
46
|
redirectUri,
|
|
42
47
|
authorizationCode,
|
|
43
48
|
interactionCode,
|
|
44
|
-
codeVerifier
|
|
49
|
+
codeVerifier,
|
|
50
|
+
dpop
|
|
45
51
|
};
|
|
46
|
-
return (0, _token.postToTokenEndpoint)(sdk, getTokenOptions, urls).then(response => {
|
|
47
|
-
// `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints
|
|
48
|
-
// Here we modify the response from `/token` so that it more closely matches a response from `/authorize`
|
|
49
|
-
// `responseType` is used to validate that the expected tokens were returned
|
|
50
|
-
const responseType = ['token']; // an accessToken will always be returned
|
|
51
|
-
if (scopes.indexOf('openid') !== -1) {
|
|
52
|
-
responseType.push('id_token'); // an idToken will be returned if "openid" is in the scopes
|
|
53
|
-
}
|
|
54
52
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
53
|
+
// `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints
|
|
54
|
+
// Here we modify the response from `/token` so that it more closely matches a response from `/authorize`
|
|
55
|
+
// `responseType` is used to validate that the expected tokens were returned
|
|
56
|
+
const responseType = ['token']; // an accessToken will always be returned
|
|
57
|
+
if (scopes.indexOf('openid') !== -1) {
|
|
58
|
+
responseType.push('id_token'); // an idToken will be returned if "openid" is in the scopes
|
|
59
|
+
}
|
|
60
|
+
// handleOAuthResponse() params
|
|
61
|
+
const handleResponseOptions = {
|
|
62
|
+
clientId,
|
|
63
|
+
redirectUri,
|
|
64
|
+
scopes,
|
|
65
|
+
responseType,
|
|
66
|
+
ignoreSignature,
|
|
67
|
+
acrValues
|
|
68
|
+
};
|
|
69
|
+
try {
|
|
70
|
+
if (dpop) {
|
|
71
|
+
// token refresh, KP should already exist
|
|
72
|
+
if (dpopPairId) {
|
|
73
|
+
const keyPair = await (0, _dpop.findKeyPair)(dpopPairId);
|
|
74
|
+
getTokenOptions.dpopKeyPair = keyPair;
|
|
75
|
+
handleResponseOptions.dpop = dpop;
|
|
76
|
+
handleResponseOptions.dpopPairId = dpopPairId;
|
|
77
|
+
} else {
|
|
78
|
+
const {
|
|
79
|
+
keyPair,
|
|
80
|
+
keyPairId
|
|
81
|
+
} = await (0, _dpop.createDPoPKeyPair)();
|
|
82
|
+
getTokenOptions.dpopKeyPair = keyPair;
|
|
83
|
+
handleResponseOptions.dpop = dpop;
|
|
84
|
+
handleResponseOptions.dpopPairId = keyPairId;
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
const oauthResponse = await (0, _token.postToTokenEndpoint)(sdk, getTokenOptions, urls);
|
|
88
|
+
const tokenResponse = await (0, _handleOAuthResponse.handleOAuthResponse)(sdk, handleResponseOptions, oauthResponse, urls);
|
|
89
|
+
tokenResponse.code = authorizationCode;
|
|
90
|
+
tokenResponse.state = state;
|
|
91
|
+
return tokenResponse;
|
|
92
|
+
} finally {
|
|
70
93
|
sdk.transactionManager.clear();
|
|
71
|
-
}
|
|
94
|
+
}
|
|
72
95
|
}
|
|
73
96
|
//# sourceMappingURL=exchangeCodeForTokens.js.map
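Review bot: In the `else` branch of the `if (dpop)` block a key pair is created before the token request, but the `finally` only calls `sdk.transactionManager.clear()`, so the new pair is never discarded when `postToTokenEndpoint` or `handleOAuthResponse` rejects. `createDPoPKeyPair()` returns a `keyPairId`, which suggests the pair is persisted under that id (its storage is not visible here); if so, each failed exchange leaves an unreferenced private key behind. I would add a `catch` that removes the pair stored under `keyPairId` when it was created in this call and then rethrows, leaving the `dpopPairId` branch untouched because that key is still needed. The comment `// token refresh, KP should already exist` should also say what happens when `findKeyPair` finds nothing, since `getTokenOptions.dpopKeyPair` is assigned without a check in this function. Lines 29-34 of the new file fall between the hunks and are not shown.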
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","
|
|
1
|
+
{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","dpop","dpopPairId","getTokenOptions","responseType","indexOf","push","handleResponseOptions","keyPair","findKeyPair","dpopKeyPair","keyPairId","createDPoPKeyPair","oauthResponse","postToTokenEndpoint","tokenResponse","handleOAuthResponse","code","transactionManager","clear"],"sources":["../../../lib/oidc/exchangeCodeForTokens.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/* eslint-disable max-len */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { CustomUrls, OAuthResponse, OAuthResponseType, OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { getOAuthUrls, getDefaultTokenParams } from './util';\nimport { clone } from '../util';\nimport { postToTokenEndpoint, TokenEndpointParams } from './endpoints/token';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { createDPoPKeyPair, findKeyPair } from './dpop';\n\n// codeVerifier is required. 
May pass either an authorizationCode or interactionCode\nexport async function exchangeCodeForTokens(sdk: OktaAuthOAuthInterface, tokenParams: TokenParams, urls?: CustomUrls): Promise<TokenResponse> {\n urls = urls || getOAuthUrls(sdk, tokenParams);\n // build params using defaults + options\n tokenParams = Object.assign({}, getDefaultTokenParams(sdk), clone(tokenParams));\n\n const {\n authorizationCode,\n interactionCode,\n codeVerifier,\n clientId,\n redirectUri,\n scopes,\n ignoreSignature,\n state,\n acrValues,\n dpop,\n dpopPairId,\n } = tokenParams;\n\n // postToTokenEndpoint() params\n const getTokenOptions: TokenEndpointParams = {\n clientId,\n redirectUri,\n authorizationCode,\n interactionCode,\n codeVerifier,\n dpop,\n };\n\n // `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints\n // Here we modify the response from `/token` so that it more closely matches a response from `/authorize`\n // `responseType` is used to validate that the expected tokens were returned\n const responseType: OAuthResponseType[] = ['token']; // an accessToken will always be returned\n if (scopes!.indexOf('openid') !== -1) {\n responseType.push('id_token'); // an idToken will be returned if \"openid\" is in the scopes\n }\n // handleOAuthResponse() params\n const handleResponseOptions: TokenParams = {\n clientId,\n redirectUri,\n scopes,\n responseType,\n ignoreSignature,\n acrValues,\n };\n\n try {\n if (dpop) {\n // token refresh, KP should already exist\n if (dpopPairId) {\n const keyPair = await findKeyPair(dpopPairId);\n getTokenOptions.dpopKeyPair = keyPair;\n handleResponseOptions.dpop = dpop;\n handleResponseOptions.dpopPairId = dpopPairId;\n }\n else {\n const { keyPair, keyPairId } = await createDPoPKeyPair();\n getTokenOptions.dpopKeyPair = keyPair;\n handleResponseOptions.dpop = dpop;\n handleResponseOptions.dpopPairId = keyPairId;\n }\n }\n\n const oauthResponse: OAuthResponse = await postToTokenEndpoint(sdk, getTokenOptions, 
urls);\n\n const tokenResponse: TokenResponse = await handleOAuthResponse(sdk, handleResponseOptions, oauthResponse, urls!);\n tokenResponse.code = authorizationCode;\n tokenResponse.state = state!;\n return tokenResponse;\n }\n finally {\n sdk.transactionManager.clear();\n }\n}\n"],"mappings":";;;AAeA;AACA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA;AACO,eAAeA,qBAAqB,CAACC,GAA2B,EAAEC,WAAwB,EAAEC,IAAiB,EAA0B;EAC5IA,IAAI,GAAGA,IAAI,IAAI,IAAAC,kBAAY,EAACH,GAAG,EAAEC,WAAW,CAAC;EAC7C;EACAA,WAAW,GAAGG,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAAC,2BAAqB,EAACN,GAAG,CAAC,EAAE,IAAAO,YAAK,EAACN,WAAW,CAAC,CAAC;EAE/E,MAAM;IACJO,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZC,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNC,eAAe;IACfC,KAAK;IACLC,SAAS;IACTC,IAAI;IACJC;EACF,CAAC,GAAGjB,WAAW;;EAEf;EACA,MAAMkB,eAAoC,GAAG;IAC3CR,QAAQ;IACRC,WAAW;IACXJ,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZO;EACF,CAAC;;EAED;EACA;EACA;EACA,MAAMG,YAAiC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;EACrD,IAAIP,MAAM,CAAEQ,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;IACpCD,YAAY,CAACE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;EACjC;EACA;EACA,MAAMC,qBAAkC,GAAG;IACzCZ,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNO,YAAY;IACZN,eAAe;IACfE;EACF,CAAC;EAED,IAAI;IACF,IAAIC,IAAI,EAAE;MACR;MACA,IAAIC,UAAU,EAAE;QACd,MAAMM,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACP,UAAU,CAAC;QAC7CC,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACN,IAAI,GAAGA,IAAI;QACjCM,qBAAqB,CAACL,UAAU,GAAGA,UAAU;MAC/C,CAAC,MACI;QACH,MAAM;UAAEM,OAAO;UAAEG;QAAU,CAAC,GAAG,MAAM,IAAAC,uBAAiB,GAAE;QACxDT,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACN,IAAI,GAAGA,IAAI;QACjCM,qBAAqB,CAACL,UAAU,GAAGS,SAAS;MAC9C;IACF;IAEA,MAAME,aAA4B,GAAG,MAAM,IAAAC,0BAAmB,EAAC9B,GAAG,EAAEmB,eAAe,EAAEjB,IAAI,CAAC;IAE1F,MAAM6B,aAA4B,GAAG,MAAM,IAAAC,wCAAmB,EAAChC,GAAG,EAAEuB,qBAAqB,EAAEM,aAAa,EAAE3B,IAAI,CAAE;IAChH6B,aAAa,CAACE,IAAI,GAAGzB,iBAAiB;IACtCuB,aAAa,CAAChB,KAAK,GAAGA,KAAM;IAC5B,OAAOgB,aAAa;EACtB,CAAC,SACO;IACN/B,GAAG,CAACkC,kBAAkB,CAACC,KAAK,EAAE;EAChC;AACF"}
|
package/cjs/oidc/getUserInfo.js
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
|
|
3
3
|
exports.getUserInfo = getUserInfo;
|
|
4
|
-
var _util = require("../util");
|
|
5
4
|
var _errors = require("../errors");
|
|
6
5
|
var _http = require("../http");
|
|
7
6
|
var _types = require("./types");
|
|
@@ -33,32 +32,48 @@ async function getUserInfo(sdk, accessTokenObject, idTokenObject) {
|
|
|
33
32
|
if (!idTokenObject || !(0, _types.isIDToken)(idTokenObject)) {
|
|
34
33
|
return Promise.reject(new _errors.AuthSdkError('getUserInfo requires an ID token object'));
|
|
35
34
|
}
|
|
36
|
-
|
|
35
|
+
const options = {
|
|
37
36
|
url: accessTokenObject.userinfoUrl,
|
|
38
37
|
method: 'GET',
|
|
39
38
|
accessToken: accessTokenObject.accessToken
|
|
40
|
-
}
|
|
39
|
+
};
|
|
40
|
+
if (sdk.options.dpop) {
|
|
41
|
+
const headers = await sdk.getDPoPAuthorizationHeaders({
|
|
42
|
+
...options,
|
|
43
|
+
accessToken: accessTokenObject
|
|
44
|
+
});
|
|
45
|
+
options.headers = headers;
|
|
46
|
+
delete options.accessToken; // unset to prevent overriding Auth header with Bearer Token
|
|
47
|
+
}
|
|
48
|
+
|
|
49
|
+
return (0, _http.httpRequest)(sdk, options).then(userInfo => {
|
|
41
50
|
// Only return the userinfo response if subjects match to mitigate token substitution attacks
|
|
42
51
|
if (userInfo.sub === idTokenObject.claims.sub) {
|
|
43
52
|
return userInfo;
|
|
44
53
|
}
|
|
45
54
|
return Promise.reject(new _errors.AuthSdkError('getUserInfo request was rejected due to token mismatch'));
|
|
46
55
|
}).catch(function (err) {
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
56
|
+
// throw OAuthError to avoid breaking change (when dpop is not being used)
|
|
57
|
+
if (err instanceof _errors.WWWAuthError && !sdk.options.dpop) {
|
|
58
|
+
const {
|
|
59
|
+
error,
|
|
60
|
+
errorDescription
|
|
61
|
+
} = err;
|
|
62
|
+
throw new _errors.OAuthError(error, errorDescription);
|
|
63
|
+
}
|
|
64
|
+
|
|
65
|
+
// throw OAuthError to avoid breaking change (when dpop is not being used)
|
|
66
|
+
if (!sdk.options.dpop) {
|
|
67
|
+
let e = err;
|
|
68
|
+
if (err instanceof _errors.AuthApiError && err?.meta?.wwwAuthHeader) {
|
|
69
|
+
e = _errors.WWWAuthError.parseHeader(err.meta.wwwAuthHeader);
|
|
53
70
|
}
|
|
54
|
-
if (
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
err = new _errors.OAuthError(error, errorDescription);
|
|
61
|
-
}
|
|
71
|
+
if (e instanceof _errors.WWWAuthError) {
|
|
72
|
+
const {
|
|
73
|
+
error,
|
|
74
|
+
errorDescription
|
|
75
|
+
} = e;
|
|
76
|
+
throw new _errors.OAuthError(error, errorDescription);
|
|
62
77
|
}
|
|
63
78
|
}
|
|
64
79
|
throw err;
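Review bot: The first `if (err instanceof _errors.WWWAuthError && !sdk.options.dpop)` branch in the new `.catch` handler is redundant, because the `if (!sdk.options.dpop)` block right after it starts from `let e = err` and performs the same `instanceof _errors.WWWAuthError` conversion to `OAuthError`; dropping the first branch leaves one code path and one copy of the comment. The handler also does not say what happens when DPoP is enabled: the error then reaches the final `throw err` unchanged, so callers of getUserInfo receive a `WWWAuthError` or `AuthApiError` rather than an `OAuthError`. A comment above `throw err;` such as `// with dpop enabled the original error is rethrown unchanged (no OAuthError conversion)` would make that contract explicit. Whether a `use_dpop_nonce` challenge from the userinfo endpoint is retried is not visible here and presumably lives in `httpRequest`, which is worth confirming. The body of getUserInfo begins above this hunk and the handler closes below it.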
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"getUserInfo.js","names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","isAccessToken","Promise","reject","AuthSdkError","isIDToken","
|
|
1
|
+
{"version":3,"file":"getUserInfo.js","names":["getUserInfo","sdk","accessTokenObject","idTokenObject","tokenManager","getTokens","accessToken","idToken","isAccessToken","Promise","reject","AuthSdkError","isIDToken","options","url","userinfoUrl","method","dpop","headers","getDPoPAuthorizationHeaders","httpRequest","then","userInfo","sub","claims","catch","err","WWWAuthError","error","errorDescription","OAuthError","e","AuthApiError","meta","wwwAuthHeader","parseHeader"],"sources":["../../../lib/oidc/getUserInfo.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError, OAuthError, WWWAuthError, AuthApiError } from '../errors';\nimport { httpRequest } from '../http';\nimport { AccessToken, IDToken, UserClaims, isAccessToken, isIDToken, CustomUserClaims } from './types';\n\nexport async function getUserInfo<T extends CustomUserClaims = CustomUserClaims>(\n sdk, accessTokenObject: AccessToken,\n idTokenObject: IDToken\n): Promise<UserClaims<T>> {\n // If token objects were not passed, attempt to read from the TokenManager\n if (!accessTokenObject) {\n accessTokenObject = (await sdk.tokenManager.getTokens()).accessToken as AccessToken;\n }\n if (!idTokenObject) {\n idTokenObject = (await sdk.tokenManager.getTokens()).idToken as IDToken;\n }\n\n if (!accessTokenObject || !isAccessToken(accessTokenObject)) {\n return 
Promise.reject(new AuthSdkError('getUserInfo requires an access token object'));\n }\n\n if (!idTokenObject || !isIDToken(idTokenObject)) {\n return Promise.reject(new AuthSdkError('getUserInfo requires an ID token object'));\n }\n\n const options: any = {\n url: accessTokenObject.userinfoUrl,\n method: 'GET',\n accessToken: accessTokenObject.accessToken\n };\n\n if (sdk.options.dpop) {\n const headers = await sdk.getDPoPAuthorizationHeaders({...options, accessToken: accessTokenObject });\n options.headers = headers;\n delete options.accessToken; // unset to prevent overriding Auth header with Bearer Token\n }\n\n return httpRequest(sdk, options)\n .then(userInfo => {\n // Only return the userinfo response if subjects match to mitigate token substitution attacks\n if (userInfo.sub === idTokenObject.claims.sub) {\n return userInfo;\n }\n return Promise.reject(new AuthSdkError('getUserInfo request was rejected due to token mismatch'));\n })\n .catch(function (err) {\n // throw OAuthError to avoid breaking change (when dpop is not being used)\n if (err instanceof WWWAuthError && !sdk.options.dpop) {\n const { error, errorDescription } = err;\n throw new OAuthError(error, errorDescription);\n }\n\n // throw OAuthError to avoid breaking change (when dpop is not being used)\n if (!sdk.options.dpop) {\n let e = err;\n if (err instanceof AuthApiError && err?.meta?.wwwAuthHeader) {\n e = WWWAuthError.parseHeader(err.meta.wwwAuthHeader as string);\n }\n\n if (e instanceof WWWAuthError) {\n const { error, errorDescription } = e;\n throw new OAuthError(error, errorDescription);\n }\n }\n\n throw err;\n 
});\n}\n"],"mappings":";;;AAaA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKO,eAAeA,WAAW,CAC/BC,GAAG,EAAEC,iBAA8B,EACnCC,aAAsB,EACE;EACxB;EACA,IAAI,CAACD,iBAAiB,EAAE;IACtBA,iBAAiB,GAAG,CAAC,MAAMD,GAAG,CAACG,YAAY,CAACC,SAAS,EAAE,EAAEC,WAA0B;EACrF;EACA,IAAI,CAACH,aAAa,EAAE;IAClBA,aAAa,GAAG,CAAC,MAAMF,GAAG,CAACG,YAAY,CAACC,SAAS,EAAE,EAAEE,OAAkB;EACzE;EAEA,IAAI,CAACL,iBAAiB,IAAI,CAAC,IAAAM,oBAAa,EAACN,iBAAiB,CAAC,EAAE;IAC3D,OAAOO,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,6CAA6C,CAAC,CAAC;EACxF;EAEA,IAAI,CAACR,aAAa,IAAI,CAAC,IAAAS,gBAAS,EAACT,aAAa,CAAC,EAAE;IAC/C,OAAOM,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,yCAAyC,CAAC,CAAC;EACpF;EAEA,MAAME,OAAY,GAAG;IACnBC,GAAG,EAAEZ,iBAAiB,CAACa,WAAW;IAClCC,MAAM,EAAE,KAAK;IACbV,WAAW,EAAEJ,iBAAiB,CAACI;EACjC,CAAC;EAED,IAAIL,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;IACpB,MAAMC,OAAO,GAAG,MAAMjB,GAAG,CAACkB,2BAA2B,CAAC;MAAC,GAAGN,OAAO;MAAEP,WAAW,EAAEJ;IAAkB,CAAC,CAAC;IACpGW,OAAO,CAACK,OAAO,GAAGA,OAAO;IACzB,OAAOL,OAAO,CAACP,WAAW,CAAC,CAAM;EACnC;;EAEA,OAAO,IAAAc,iBAAW,EAACnB,GAAG,EAAEY,OAAO,CAAC,CAC7BQ,IAAI,CAACC,QAAQ,IAAI;IAChB;IACA,IAAIA,QAAQ,CAACC,GAAG,KAAKpB,aAAa,CAACqB,MAAM,CAACD,GAAG,EAAE;MAC7C,OAAOD,QAAQ;IACjB;IACA,OAAOb,OAAO,CAACC,MAAM,CAAC,IAAIC,oBAAY,CAAC,wDAAwD,CAAC,CAAC;EACnG,CAAC,CAAC,CACDc,KAAK,CAAC,UAAUC,GAAG,EAAE;IACpB;IACA,IAAIA,GAAG,YAAYC,oBAAY,IAAI,CAAC1B,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;MACpD,MAAM;QAAEW,KAAK;QAAEC;MAAiB,CAAC,GAAGH,GAAG;MACvC,MAAM,IAAII,kBAAU,CAACF,KAAK,EAAEC,gBAAgB,CAAC;IAC/C;;IAEA;IACA,IAAI,CAAC5B,GAAG,CAACY,OAAO,CAACI,IAAI,EAAE;MACrB,IAAIc,CAAC,GAAGL,GAAG;MACX,IAAIA,GAAG,YAAYM,oBAAY,IAAIN,GAAG,EAAEO,IAAI,EAAEC,aAAa,EAAE;QAC3DH,CAAC,GAAGJ,oBAAY,CAACQ,WAAW,CAACT,GAAG,CAACO,IAAI,CAACC,aAAa,CAAW;MAChE;MAEA,IAAIH,CAAC,YAAYJ,oBAAY,EAAE;QAC7B,MAAM;UAAEC,KAAK;UAAEC;QAAiB,CAAC,GAAGE,CAAC;QACrC,MAAM,IAAID,kBAAU,CAACF,KAAK,EAAEC,gBAAgB,CAAC;MAC/C;IACF;IAEA,MAAMH,GAAG;EACX,CAAC,CAAC;AACN"}
|
|
@@ -29,6 +29,12 @@ function validateResponse(res, oauthParams) {
|
|
|
29
29
|
if (res.state !== oauthParams.state) {
|
|
30
30
|
throw new _errors.AuthSdkError('OAuth flow response state doesn\'t match request state');
|
|
31
31
|
}
|
|
32
|
+
|
|
33
|
+
// https://datatracker.ietf.org/doc/html/rfc9449#token-response
|
|
34
|
+
// "A token_type of DPoP MUST be included in the access token response to signal to the client"
|
|
35
|
+
if (oauthParams.dpop && res.token_type !== 'DPoP') {
|
|
36
|
+
throw new _errors.AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
|
|
37
|
+
}
|
|
32
38
|
}
|
|
33
39
|
async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
34
40
|
const pkce = sdk.options.pkce !== false;
|
|
@@ -75,6 +81,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
75
81
|
authorizeUrl: urls.authorizeUrl,
|
|
76
82
|
userinfoUrl: urls.userinfoUrl
|
|
77
83
|
};
|
|
84
|
+
if (tokenParams.dpopPairId) {
|
|
85
|
+
tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;
|
|
86
|
+
}
|
|
78
87
|
}
|
|
79
88
|
if (refreshToken) {
|
|
80
89
|
tokenDict.refreshToken = {
|
|
@@ -87,6 +96,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
|
|
|
87
96
|
authorizeUrl: urls.authorizeUrl,
|
|
88
97
|
issuer: urls.issuer
|
|
89
98
|
};
|
|
99
|
+
if (tokenParams.dpopPairId) {
|
|
100
|
+
tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;
|
|
101
|
+
}
|
|
90
102
|
}
|
|
91
103
|
if (idToken) {
|
|
92
104
|
const idJwt = sdk.token.decode(idToken);
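Review bot: The `token_type` guard added to validateResponse only fires when `oauthParams.dpop` is truthy, while the other DPoP branches in this release (getUserInfo, revokeAccessToken) read `sdk.options.dpop` / `this.options.dpop`; if token params ever reach this function without the flag copied over, a `Bearer` response would be accepted on a DPoP-configured client without any error. validateResponse has no `sdk` argument, so the smallest step is to document the dependency next to the check, e.g. `// relies on the caller copying sdk.options.dpop into oauthParams.dpop; without it a Bearer response is not rejected`, and to verify where the flag is populated, which these hunks do not show. The comparison `res.token_type !== 'DPoP'` is also case-sensitive, whereas RFC 6749 section 5.1 defines `token_type` as case-insensitive, so a server answering `dpop` would be rejected; that fails closed but should be a deliberate choice. The two later hunks store `dpopPairId` only when `tokenParams.dpopPairId` is set, so presumably a DPoP token saved without it cannot be matched to its key pair later. All three hunks sit inside functions whose bodies extend beyond the visible lines.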
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","token_type","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || 
getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n }\n\n if (idToken) {\n const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! 
+ now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;AACF;AAEO,eAAeC,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBP,GAAkB,EAClBQ,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKT,GAAG,CAACW,IAAI,IAAIX,GAAG,CAACY,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEjB,GAAG,CAACW,IAAI;MAC3BO,eAAe,EAAElB,GAAG,CAACY;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAIxB,GAAG,CAACyB,KAAK,EAAE;IACbD,MAAM,GAAGxB,GAAG,CAACyB,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA7B,gBAAgB,CAACC,GAAG,EAAEO,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAG9B,GAAG,CAAC+B,UAAU;EAChC,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,WAAW,GAAGlC,GAAG,CAACmC,YAAY;EACpC,MAAMC,OAAO,GAAGpC,GAAG,CAACqC,QAAQ;EAC5B,MAAMC,YAAY,GAAGtC,GAAG,CAACuC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGtC,GAAG,CAACO,KAAK,CAACgC,MAAM,CAACX,WAAW,CAAC;IAC/CL,SAAS,CAACK,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAACnB,SAAS,CAAC,GAAGU,GAAG;MAClCR,SAAS,EAAE
A,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACd0B,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCC,WAAW,EAAE3C,IAAI,CAAC2C;IACpB,CAAC;EACH;EAEA,IAAIb,YAAY,EAAE;IAChBT,SAAS,CAACS,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAACnB,SAAS,CAAC,GAAGU,GAAG;MAClChB,MAAM,EAAEA,MAAM;MACd4B,QAAQ,EAAE5C,IAAI,CAAC4C,QAAS;MACxBF,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCG,MAAM,EAAE7C,IAAI,CAAC6C;IACf,CAAC;EACH;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMkB,KAAK,GAAGhD,GAAG,CAACO,KAAK,CAACgC,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMmB,UAAmB,GAAG;MAC1BnB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEQ,KAAK,CAACP,OAAO;MACrBC,SAAS,EAAEM,KAAK,CAACP,OAAO,CAACS,GAAG,GAAIF,KAAK,CAACP,OAAO,CAACU,GAAI,GAAGjB,GAAG;MAAE;MAC1DhB,MAAM,EAAEA,MAAM;MACd0B,YAAY,EAAE1C,IAAI,CAAC0C,YAAa;MAChCG,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBzB,QAAQ,EAAEA;IACZ,CAAC;IAED,MAAM8B,gBAAmC,GAAG;MAC1C9B,QAAQ,EAAEA,QAAS;MACnByB,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBM,KAAK,EAAEpD,WAAW,CAACoD,KAAK;MACxBzB,WAAW,EAAEA,WAAW;MACxB0B,SAAS,EAAErD,WAAW,CAACqD;IACzB,CAAC;IAED,IAAIrD,WAAW,CAACsD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGtD,WAAW,CAACsD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAACzD,GAAG,EAAEiD,UAAU,EAAEG,gBAAgB,CAAC;IACpD7B,SAAS,CAACO,OAAO,GAAGmB,UAAU;EAChC;;EAEA;EACA,IAAIlC,YAAY,CAAC2C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACK,WAAW,EAAE;IAClE;IACA,MAAM,IAAI9B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAIiB,YAAY,CAAC2C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACO,OAAO,EAAE;IACjE;IACA,MAAM,IAAIhC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACL6D,MAAM,EAAEpC,SAAS;IACjB1B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBQ,IAAI,EAAEX,GAAG,CAACW,IAAI;IACdU;EACF,CAAC;AAEH"}
|
|
1
|
+
{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. 
All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n OktaAuthOAuthInterface,\n TokenVerifyParams,\n IDToken,\n OAuthResponse,\n TokenParams,\n TokenResponse,\n CustomUrls,\n Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n if (res['error'] && res['error_description']) {\n throw new OAuthError(res['error'], res['error_description']);\n }\n\n if (res.state !== oauthParams.state) {\n throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n }\n\n // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n if (oauthParams.dpop && res.token_type !== 'DPoP') {\n throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n }\n}\n\nexport async function handleOAuthResponse(\n sdk: OktaAuthOAuthInterface,\n tokenParams: TokenParams,\n res: OAuthResponse,\n urls?: CustomUrls\n): Promise<TokenResponse> {\n const pkce = sdk.options.pkce !== false;\n\n // The result contains an authorization_code and PKCE is enabled \n // `exchangeCodeForTokens` will call /token then call 
`handleOauthResponse` recursively with the result\n if (pkce && (res.code || res.interaction_code)) {\n return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n authorizationCode: res.code,\n interactionCode: res.interaction_code\n }), urls);\n }\n\n tokenParams = tokenParams || getDefaultTokenParams(sdk);\n urls = urls || getOAuthUrls(sdk, tokenParams);\n\n let responseType = tokenParams.responseType || [];\n if (!Array.isArray(responseType) && responseType !== 'none') {\n responseType = [responseType];\n }\n\n let scopes;\n if (res.scope) {\n scopes = res.scope.split(' ');\n } else {\n scopes = clone(tokenParams.scopes);\n }\n const clientId = tokenParams.clientId || sdk.options.clientId;\n\n // Handling the result from implicit flow or PKCE token exchange\n validateResponse(res, tokenParams);\n\n const tokenDict = {} as Tokens;\n const expiresIn = res.expires_in;\n const tokenType = res.token_type;\n const accessToken = res.access_token;\n const idToken = res.id_token;\n const refreshToken = res.refresh_token;\n const now = Math.floor(Date.now()/1000);\n\n if (accessToken) {\n const accessJwt = sdk.token.decode(accessToken);\n tokenDict.accessToken = {\n accessToken: accessToken,\n claims: accessJwt.payload,\n expiresAt: Number(expiresIn) + now,\n tokenType: tokenType!,\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n userinfoUrl: urls.userinfoUrl!\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n }\n }\n\n if (refreshToken) {\n tokenDict.refreshToken = {\n refreshToken: refreshToken,\n // should not be used, this is the accessToken expire time\n // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n expiresAt: Number(expiresIn) + now, \n scopes: scopes,\n tokenUrl: urls.tokenUrl!,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n };\n\n if (tokenParams.dpopPairId) {\n tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n }\n }\n\n if (idToken) {\n 
const idJwt = sdk.token.decode(idToken);\n const idTokenObj: IDToken = {\n idToken: idToken,\n claims: idJwt.payload,\n expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n scopes: scopes,\n authorizeUrl: urls.authorizeUrl!,\n issuer: urls.issuer!,\n clientId: clientId!\n };\n\n const validationParams: TokenVerifyParams = {\n clientId: clientId!,\n issuer: urls.issuer!,\n nonce: tokenParams.nonce,\n accessToken: accessToken,\n acrValues: tokenParams.acrValues\n };\n\n if (tokenParams.ignoreSignature !== undefined) {\n validationParams.ignoreSignature = tokenParams.ignoreSignature;\n }\n\n await verifyToken(sdk, idTokenObj, validationParams);\n tokenDict.idToken = idTokenObj;\n }\n\n // Validate received tokens against requested response types \n if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n }\n if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n // eslint-disable-next-line max-len\n throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n }\n\n return {\n tokens: tokenDict,\n state: res.state!,\n code: res.code,\n responseType\n };\n 
\n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MAC
tBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;EACF;EAEA,IAAId,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd4B,QAAQ,EAAE5C,IAAI,CAAC4C,QAAS;MACxBH,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCI,MAAM,EAAE7C,IAAI,CAAC6C;IACf,CAAC;IAED,IAAI9C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;EACF;EAEA,IAAIhB,OAAO,EAAE;IACX,MAAMmB,KAAK,GAAGhD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMoB,UAAmB,GAAG;MAC1BpB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAES,KAAK,CAACR,OAAO;MACrBC,SAAS,EAAEO,KAAK,CAACR,OAAO,CAACU,GAAG,GAAIF,KAAK,CAACR,OAAO,CAACW,GAAI,GAAGlB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCI,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBzB,QAAQ,EAAEA;IACZ,CAAC;IAED,MAAM8B,gBAAmC,GAAG;MAC1C9B,QAAQ,EAAEA,QAAS;MACnByB,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBM,KAAK,EAAEpD,WAAW,CAACoD,KAAK;MACxB1B,WAAW,EAAEA,WAAW;MACxB2B,SAAS,EAAErD,WAAW,CAACqD;IACzB,CAAC;IAED,IAAIrD,WAAW,CAACsD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGtD,WAAW,CAACsD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAACzD,GAAG,EAAEiD,UAAU,EAAEG,gBAAgB,CAAC;IACpD7B,SAAS,CAACM,OAAO,GAAGoB,UAAU;EAChC;;EAEA;EACA,IAAIlC,YAAY,CAAC2C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC2C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACL+D,MAAM,EAAEpC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}
|
package/cjs/oidc/mixin/index.js
CHANGED
|
@@ -10,6 +10,8 @@ var _pkce = _interopRequireDefault(require("../util/pkce"));
|
|
|
10
10
|
var _api = require("../factory/api");
|
|
11
11
|
var _TokenManager = require("../TokenManager");
|
|
12
12
|
var _util2 = require("../util");
|
|
13
|
+
var _dpop = require("../dpop");
|
|
14
|
+
var _errors = require("../../errors");
|
|
13
15
|
var _node = require("./node");
|
|
14
16
|
function _getRequireWildcardCache(nodeInterop) { if (typeof WeakMap !== "function") return null; var cacheBabelInterop = new WeakMap(); var cacheNodeInterop = new WeakMap(); return (_getRequireWildcardCache = function (nodeInterop) { return nodeInterop ? cacheNodeInterop : cacheBabelInterop; })(nodeInterop); }
|
|
15
17
|
function _interopRequireWildcard(obj, nodeInterop) { if (!nodeInterop && obj && obj.__esModule) { return obj; } if (obj === null || typeof obj !== "object" && typeof obj !== "function") { return { default: obj }; } var cache = _getRequireWildcardCache(nodeInterop); if (cache && cache.has(obj)) { return cache.get(obj); } var newObj = {}; var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor; for (var key in obj) { if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) { var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null; if (desc && (desc.get || desc.set)) { Object.defineProperty(newObj, key, desc); } else { newObj[key] = obj[key]; } } } newObj.default = obj; if (cache) { cache.set(obj, newObj); } return newObj; }
|
|
@@ -138,6 +140,22 @@ function mixinOAuth(Base, TransactionManagerConstructor) {
|
|
|
138
140
|
} = this.tokenManager.getTokensSync();
|
|
139
141
|
return refreshToken ? refreshToken.refreshToken : undefined;
|
|
140
142
|
}
|
|
143
|
+
async getOrRenewAccessToken() {
|
|
144
|
+
const {
|
|
145
|
+
accessToken
|
|
146
|
+
} = this.tokenManager.getTokensSync();
|
|
147
|
+
if (accessToken && !this.tokenManager.hasExpired(accessToken)) {
|
|
148
|
+
return accessToken.accessToken;
|
|
149
|
+
}
|
|
150
|
+
try {
|
|
151
|
+
const key = this.tokenManager.getStorageKeyByType('accessToken');
|
|
152
|
+
const token = await this.tokenManager.renew(key ?? 'accessToken');
|
|
153
|
+
return token?.accessToken ?? null;
|
|
154
|
+
} catch (err) {
|
|
155
|
+
this.emitter.emit('error', err);
|
|
156
|
+
return null;
|
|
157
|
+
}
|
|
158
|
+
}
|
|
141
159
|
|
|
142
160
|
/**
|
|
143
161
|
* Store parsed tokens from redirect url
|
|
@@ -176,9 +194,13 @@ function mixinOAuth(Base, TransactionManagerConstructor) {
|
|
|
176
194
|
// Revokes the access token for the application session
|
|
177
195
|
async revokeAccessToken(accessToken) {
|
|
178
196
|
if (!accessToken) {
|
|
179
|
-
|
|
197
|
+
const tokens = await this.tokenManager.getTokens();
|
|
198
|
+
accessToken = tokens.accessToken;
|
|
180
199
|
const accessTokenKey = this.tokenManager.getStorageKeyByType('accessToken');
|
|
181
200
|
this.tokenManager.remove(accessTokenKey);
|
|
201
|
+
if (this.options.dpop) {
|
|
202
|
+
await (0, _dpop.clearDPoPKeyPairAfterRevoke)('access', tokens);
|
|
203
|
+
}
|
|
182
204
|
}
|
|
183
205
|
// Access token may have been removed. In this case, we will silently succeed.
|
|
184
206
|
if (!accessToken) {
|
|
@@ -190,9 +212,13 @@ function mixinOAuth(Base, TransactionManagerConstructor) {
|
|
|
190
212
|
// Revokes the refresh token for the application session
|
|
191
213
|
async revokeRefreshToken(refreshToken) {
|
|
192
214
|
if (!refreshToken) {
|
|
193
|
-
|
|
215
|
+
const tokens = await this.tokenManager.getTokens();
|
|
216
|
+
refreshToken = tokens.refreshToken;
|
|
194
217
|
const refreshTokenKey = this.tokenManager.getStorageKeyByType('refreshToken');
|
|
195
218
|
this.tokenManager.remove(refreshTokenKey);
|
|
219
|
+
if (this.options.dpop) {
|
|
220
|
+
await (0, _dpop.clearDPoPKeyPairAfterRevoke)('refresh', tokens);
|
|
221
|
+
}
|
|
196
222
|
}
|
|
197
223
|
// Refresh token may have been removed. In this case, we will silently succeed.
|
|
198
224
|
if (!refreshToken) {
|
|
@@ -261,6 +287,10 @@ function mixinOAuth(Base, TransactionManagerConstructor) {
|
|
|
261
287
|
if (revokeAccessToken && accessToken) {
|
|
262
288
|
await this.revokeAccessToken(accessToken);
|
|
263
289
|
}
|
|
290
|
+
const dpopPairId = accessToken?.dpopPairId ?? refreshToken?.dpopPairId;
|
|
291
|
+
if (this.options.dpop && dpopPairId) {
|
|
292
|
+
await (0, _dpop.clearDPoPKeyPair)(dpopPairId);
|
|
293
|
+
}
|
|
264
294
|
const logoutUri = this.getSignOutRedirectUrl({
|
|
265
295
|
...options,
|
|
266
296
|
postLogoutRedirectUri
|
|
@@ -293,6 +323,53 @@ function mixinOAuth(Base, TransactionManagerConstructor) {
|
|
|
293
323
|
return true;
|
|
294
324
|
}
|
|
295
325
|
}
|
|
326
|
+
async getDPoPAuthorizationHeaders(params) {
|
|
327
|
+
if (!this.options.dpop) {
|
|
328
|
+
throw new _errors.AuthSdkError('DPoP is not configured for this client instance');
|
|
329
|
+
}
|
|
330
|
+
let {
|
|
331
|
+
accessToken
|
|
332
|
+
} = params;
|
|
333
|
+
if (!accessToken) {
|
|
334
|
+
accessToken = this.tokenManager.getTokensSync().accessToken;
|
|
335
|
+
}
|
|
336
|
+
if (!accessToken) {
|
|
337
|
+
throw new _errors.AuthSdkError('AccessToken is required to generate a DPoP Proof');
|
|
338
|
+
}
|
|
339
|
+
const keyPair = await (0, _dpop.findKeyPair)(accessToken?.dpopPairId);
|
|
340
|
+
const proof = await (0, _dpop.generateDPoPProof)({
|
|
341
|
+
...params,
|
|
342
|
+
keyPair,
|
|
343
|
+
accessToken: accessToken.accessToken
|
|
344
|
+
});
|
|
345
|
+
return {
|
|
346
|
+
Authorization: `DPoP ${accessToken.accessToken}`,
|
|
347
|
+
Dpop: proof
|
|
348
|
+
};
|
|
349
|
+
}
|
|
350
|
+
async clearDPoPStorage(clearAll = false) {
|
|
351
|
+
if (clearAll) {
|
|
352
|
+
return (0, _dpop.clearAllDPoPKeyPairs)();
|
|
353
|
+
}
|
|
354
|
+
const tokens = await this.tokenManager.getTokens();
|
|
355
|
+
const keyPair = tokens.accessToken?.dpopPairId || tokens.refreshToken?.dpopPairId;
|
|
356
|
+
if (keyPair) {
|
|
357
|
+
await (0, _dpop.clearDPoPKeyPair)(keyPair);
|
|
358
|
+
}
|
|
359
|
+
}
|
|
360
|
+
parseUseDPoPNonceError(headers) {
|
|
361
|
+
const wwwAuth = _errors.WWWAuthError.getWWWAuthenticateHeader(headers);
|
|
362
|
+
const wwwErr = _errors.WWWAuthError.parseHeader(wwwAuth ?? '');
|
|
363
|
+
if ((0, _dpop.isDPoPNonceError)(wwwErr)) {
|
|
364
|
+
let nonce = null;
|
|
365
|
+
if ((0, _util.isFunction)(headers?.get)) {
|
|
366
|
+
nonce = headers.get('DPoP-Nonce');
|
|
367
|
+
}
|
|
368
|
+
nonce = nonce ?? headers['dpop-nonce'] ?? headers['DPoP-Nonce'];
|
|
369
|
+
return nonce;
|
|
370
|
+
}
|
|
371
|
+
return null;
|
|
372
|
+
}
|
|
296
373
|
}, (0, _defineProperty2.default)(_class, "crypto", crypto), _class;
|
|
297
374
|
}
|
|
298
375
|
//# sourceMappingURL=index.js.map
|
|
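Review bot: In signOut (the hunk at new lines 290-293), the DPoP key-pair cleanup reads `dpopPairId` only from the local `accessToken` / `refreshToken`. In the previous TypeScript source embedded in the source map, which no hunk here touches, those locals are filled from the token manager only when the matching revoke option is left enabled. A call such as `signOut({ revokeAccessToken: false, revokeRefreshToken: false })` with no tokens passed would therefore appear to finish with the key pair still in storage after the local tokens are cleared. A fallback to the stored tokens would close that gap, for example `const stored = this.tokenManager.getTokensSync();` followed by `const dpopPairId = accessToken?.dpopPairId ?? refreshToken?.dpopPairId ?? stored.accessToken?.dpopPairId ?? stored.refreshToken?.dpopPairId;`. signOut starts and ends outside the hunk, and this file is build output, so the change belongs in the `lib/oidc/mixin/index.ts` source named in the map.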
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","names":["mixinOAuth","Base","TransactionManagerConstructor","WithOriginalUri","provideOriginalUri","OktaAuthOAuth","constructor","args","transactionManager","Object","assign","storageManager","options","pkce","DEFAULT_CODE_CHALLENGE_METHOD","PKCE","generateVerifier","computeChallenge","_pending","handleLogin","_tokenQueue","PromiseQueue","token","createTokenAPI","tokenManager","TokenManager","endpoints","createEndpoints","clearStorage","clear","isAuthenticated","autoRenew","autoRemove","getOptions","shouldRenew","onExpiredToken","shouldRemove","accessToken","getTokensSync","hasExpired","undefined","renew","remove","idToken","signInWithRedirect","opts","originalUri","additionalParams","setOriginalUri","params","scopes","getWithRedirect","getUser","getUserInfo","getIdToken","getAccessToken","getRefreshToken","refreshToken","storeTokensFromRedirect","tokens","responseType","parseFromUrl","setTokens","isLoginRedirect","isPKCE","hasResponseType","isAuthorizationCodeFlow","invokeApiMethod","getTokens","httpRequest","revokeAccessToken","accessTokenKey","getStorageKeyByType","Promise","resolve","revoke","revokeRefreshToken","refreshTokenKey","getSignOutRedirectUrl","postLogoutRedirectUri","state","logoutUrl","getOAuthUrls","idTokenHint","logoutUri","encodeURIComponent","signOut","defaultUri","window","location","origin","currentUri","href","sessionClosed","closeSession","redirectUri","URL","searchParams","append","clearTokensBeforeRedirect","addPendingRemoveFlags","crypto"],"sources":["../../../../lib/oidc/mixin/index.ts"],"sourcesContent":["import { httpRequest, RequestOptions } from '../../http';\nimport { OktaAuthConstructor } from '../../base/types';\nimport { \n PromiseQueue,\n} from '../../util';\nimport { CryptoAPI } from '../../crypto/types';\nimport * as crypto from '../../crypto';\nimport {\n AccessToken,\n CustomUserClaims,\n IDToken,\n IsAuthenticatedOptions,\n OAuthResponseType,\n OAuthStorageManagerInterface,\n 
OAuthTransactionMeta,\n OktaAuthOAuthInterface,\n OktaAuthOAuthOptions,\n PkceAPI,\n PKCETransactionMeta,\n RefreshToken,\n SigninWithRedirectOptions,\n SignoutOptions,\n SignoutRedirectUrlOptions,\n TokenAPI,\n TransactionManagerInterface,\n TransactionManagerConstructor,\n UserClaims,\n Endpoints,\n} from '../types';\nimport PKCE from '../util/pkce';\nimport { createEndpoints, createTokenAPI } from '../factory/api';\nimport { TokenManager } from '../TokenManager';\nimport { getOAuthUrls, isLoginRedirect, hasResponseType } from '../util';\n\nimport { OktaAuthSessionInterface } from '../../session/types';\nimport { provideOriginalUri } from './node';\nexport function mixinOAuth\n<\n M extends OAuthTransactionMeta = PKCETransactionMeta,\n S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n TM extends TransactionManagerInterface = TransactionManagerInterface,\n TBase extends OktaAuthConstructor<OktaAuthSessionInterface<S, O>>\n = OktaAuthConstructor<OktaAuthSessionInterface<S, O>>\n>\n(\n Base: TBase,\n TransactionManagerConstructor: TransactionManagerConstructor<TM>,\n): TBase & OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n{\n const WithOriginalUri = provideOriginalUri(Base);\n return class OktaAuthOAuth extends WithOriginalUri\n implements OktaAuthOAuthInterface<M, S, O, TM>\n {\n static crypto: CryptoAPI = crypto;\n token: TokenAPI;\n tokenManager: TokenManager;\n transactionManager: TM;\n pkce: PkceAPI;\n endpoints: Endpoints;\n\n _pending: { handleLogin: boolean };\n _tokenQueue: PromiseQueue;\n \n constructor(...args: any[]) {\n super(...args);\n\n this.transactionManager = new TransactionManagerConstructor(Object.assign({\n storageManager: this.storageManager,\n }, this.options.transactionManager));\n \n this.pkce = {\n DEFAULT_CODE_CHALLENGE_METHOD: PKCE.DEFAULT_CODE_CHALLENGE_METHOD,\n generateVerifier: PKCE.generateVerifier,\n computeChallenge: 
PKCE.computeChallenge\n };\n \n this._pending = { handleLogin: false };\n\n this._tokenQueue = new PromiseQueue();\n\n this.token = createTokenAPI(this, this._tokenQueue);\n\n // TokenManager\n this.tokenManager = new TokenManager(this, this.options.tokenManager);\n\n this.endpoints = createEndpoints(this);\n }\n\n // inherited from subclass\n clearStorage(): void {\n super.clearStorage();\n \n // Clear all local tokens\n this.tokenManager.clear();\n }\n\n // Returns true if both accessToken and idToken are not expired\n // If `autoRenew` option is set, will attempt to renew expired tokens before returning.\n // eslint-disable-next-line complexity\n async isAuthenticated(options: IsAuthenticatedOptions = {}): Promise<boolean> {\n // TODO: remove dependency on tokenManager options in next major version - OKTA-473815\n const { autoRenew, autoRemove } = this.tokenManager.getOptions();\n\n const shouldRenew = options.onExpiredToken ? options.onExpiredToken === 'renew' : autoRenew;\n const shouldRemove = options.onExpiredToken ? 
options.onExpiredToken === 'remove' : autoRemove;\n\n let { accessToken } = this.tokenManager.getTokensSync();\n if (accessToken && this.tokenManager.hasExpired(accessToken)) {\n accessToken = undefined;\n if (shouldRenew) {\n try {\n accessToken = await this.tokenManager.renew('accessToken') as AccessToken;\n } catch {\n // Renew errors will emit an \"error\" event \n }\n } else if (shouldRemove) {\n this.tokenManager.remove('accessToken');\n }\n }\n\n let { idToken } = this.tokenManager.getTokensSync();\n if (idToken && this.tokenManager.hasExpired(idToken)) {\n idToken = undefined;\n if (shouldRenew) {\n try {\n idToken = await this.tokenManager.renew('idToken') as IDToken;\n } catch {\n // Renew errors will emit an \"error\" event \n }\n } else if (shouldRemove) {\n this.tokenManager.remove('idToken');\n }\n }\n\n return !!(accessToken && idToken);\n }\n\n\n async signInWithRedirect(opts: SigninWithRedirectOptions = {}) {\n const { originalUri, ...additionalParams } = opts;\n if(this._pending.handleLogin) { \n // Don't trigger second round\n return;\n }\n\n this._pending.handleLogin = true;\n try {\n // Trigger default signIn redirect flow\n if (originalUri) {\n this.setOriginalUri(originalUri);\n }\n const params = Object.assign({\n // TODO: remove this line when default scopes are changed OKTA-343294\n scopes: this.options.scopes || ['openid', 'email', 'profile']\n }, additionalParams);\n await this.token.getWithRedirect(params);\n } finally {\n this._pending.handleLogin = false;\n }\n }\n\n async getUser<T extends CustomUserClaims = CustomUserClaims>(): Promise<UserClaims<T>> {\n const { idToken, accessToken } = this.tokenManager.getTokensSync();\n return this.token.getUserInfo(accessToken, idToken);\n }\n \n getIdToken(): string | undefined {\n const { idToken } = this.tokenManager.getTokensSync();\n return idToken ? 
idToken.idToken : undefined;\n }\n \n getAccessToken(): string | undefined {\n const { accessToken } = this.tokenManager.getTokensSync();\n return accessToken ? accessToken.accessToken : undefined;\n }\n \n getRefreshToken(): string | undefined {\n const { refreshToken } = this.tokenManager.getTokensSync();\n return refreshToken ? refreshToken.refreshToken : undefined;\n }\n \n /**\n * Store parsed tokens from redirect url\n */\n async storeTokensFromRedirect(): Promise<void> {\n const { tokens, responseType } = await this.token.parseFromUrl();\n if (responseType !== 'none') {\n this.tokenManager.setTokens(tokens);\n }\n }\n \n isLoginRedirect(): boolean {\n return isLoginRedirect(this);\n }\n\n isPKCE(): boolean {\n return !!this.options.pkce;\n }\n\n hasResponseType(responseType: OAuthResponseType): boolean {\n return hasResponseType(responseType, this.options);\n }\n \n isAuthorizationCodeFlow(): boolean {\n return this.hasResponseType('code');\n }\n\n // Escape hatch method to make arbitrary OKTA API call\n async invokeApiMethod(options: RequestOptions): Promise<unknown> {\n if (!options.accessToken) {\n const accessToken = (await this.tokenManager.getTokens()).accessToken as AccessToken;\n options.accessToken = accessToken?.accessToken;\n }\n return httpRequest(this, options);\n }\n \n // Revokes the access token for the application session\n async revokeAccessToken(accessToken?: AccessToken): Promise<unknown> {\n if (!accessToken) {\n accessToken = (await this.tokenManager.getTokens()).accessToken as AccessToken;\n const accessTokenKey = this.tokenManager.getStorageKeyByType('accessToken');\n this.tokenManager.remove(accessTokenKey);\n }\n // Access token may have been removed. 
In this case, we will silently succeed.\n if (!accessToken) {\n return Promise.resolve(null);\n }\n return this.token.revoke(accessToken);\n }\n\n // Revokes the refresh token for the application session\n async revokeRefreshToken(refreshToken?: RefreshToken): Promise<unknown> {\n if (!refreshToken) {\n refreshToken = (await this.tokenManager.getTokens()).refreshToken as RefreshToken;\n const refreshTokenKey = this.tokenManager.getStorageKeyByType('refreshToken');\n this.tokenManager.remove(refreshTokenKey);\n }\n // Refresh token may have been removed. In this case, we will silently succeed.\n if (!refreshToken) {\n return Promise.resolve(null);\n }\n return this.token.revoke(refreshToken);\n }\n\n getSignOutRedirectUrl(options: SignoutRedirectUrlOptions = {}) {\n let {\n idToken,\n postLogoutRedirectUri,\n state,\n } = options;\n if (!idToken) {\n idToken = this.tokenManager.getTokensSync().idToken as IDToken;\n }\n if (!idToken) {\n return '';\n }\n if (postLogoutRedirectUri === undefined) {\n postLogoutRedirectUri = this.options.postLogoutRedirectUri;\n }\n\n const logoutUrl = getOAuthUrls(this).logoutUrl;\n const idTokenHint = idToken.idToken; // a string\n let logoutUri = logoutUrl + '?id_token_hint=' + encodeURIComponent(idTokenHint);\n if (postLogoutRedirectUri) {\n logoutUri += '&post_logout_redirect_uri=' + encodeURIComponent(postLogoutRedirectUri);\n } \n // State allows option parameters to be passed to logout redirect uri\n if (state) {\n logoutUri += '&state=' + encodeURIComponent(state);\n }\n\n return logoutUri;\n }\n\n // Revokes refreshToken or accessToken, clears all local tokens, then redirects to Okta to end the SSO session.\n // eslint-disable-next-line complexity, max-statements\n async signOut(options?: SignoutOptions): Promise<boolean> {\n options = Object.assign({}, options);\n \n // postLogoutRedirectUri must be whitelisted in Okta Admin UI\n const defaultUri = window.location.origin;\n const currentUri = window.location.href;\n // Fix 
for issue/1410 - allow for no postLogoutRedirectUri to be passed, resulting in /logout default behavior\n // \"If no Okta session exists, this endpoint has no effect and the browser is redirected immediately to the\n // Okta sign-in page or the post_logout_redirect_uri (if specified).\"\n // - https://developer.okta.com/docs/reference/api/oidc/#logout\n const postLogoutRedirectUri = options.postLogoutRedirectUri === null ? null :\n (options.postLogoutRedirectUri\n || this.options.postLogoutRedirectUri\n || defaultUri);\n const state = options?.state;\n \n \n let accessToken = options.accessToken;\n let refreshToken = options.refreshToken;\n const revokeAccessToken = options.revokeAccessToken !== false;\n const revokeRefreshToken = options.revokeRefreshToken !== false;\n \n if (revokeRefreshToken && typeof refreshToken === 'undefined') {\n refreshToken = this.tokenManager.getTokensSync().refreshToken as RefreshToken;\n }\n\n if (revokeAccessToken && typeof accessToken === 'undefined') {\n accessToken = this.tokenManager.getTokensSync().accessToken as AccessToken;\n }\n \n if (!options.idToken) {\n options.idToken = this.tokenManager.getTokensSync().idToken as IDToken;\n }\n\n if (revokeRefreshToken && refreshToken) {\n await this.revokeRefreshToken(refreshToken);\n }\n\n if (revokeAccessToken && accessToken) {\n await this.revokeAccessToken(accessToken);\n }\n\n const logoutUri = this.getSignOutRedirectUrl({ ...options, postLogoutRedirectUri });\n // No logoutUri? 
This can happen if the storage was cleared.\n // Fallback to XHR signOut, then simulate a redirect to the post logout uri\n if (!logoutUri) {\n // local tokens are cleared once session is closed\n const sessionClosed = await this.closeSession(); // can throw if the user cannot be signed out\n const redirectUri = new URL(postLogoutRedirectUri || defaultUri); // during fallback, redirectUri cannot be null\n if (state) {\n redirectUri.searchParams.append('state', state);\n }\n if (postLogoutRedirectUri === currentUri) {\n // window.location.reload(); // force a hard reload if URI is not changing\n window.location.href = redirectUri.href;\n } else {\n window.location.assign(redirectUri.href);\n }\n return sessionClosed;\n } else {\n if (options.clearTokensBeforeRedirect) {\n // Clear all local tokens\n this.tokenManager.clear();\n } else {\n this.tokenManager.addPendingRemoveFlags();\n }\n // Flow ends with logout redirect\n window.location.assign(logoutUri);\n return true;\n }\n }\n\n };\n\n}\n"],"mappings":";;;;;AAAA;AAEA;AAIA;AAuBA;AACA;AACA;AACA;AAGA;AAA4C;AAAA;AACrC,SAASA,UAAU,CAUxBC,IAAW,EACXC,6BAAgE,EAElE;EAAA;EACE,MAAMC,eAAe,GAAG,IAAAC,wBAAkB,EAACH,IAAI,CAAC;EAChD,gBAAO,MAAMI,aAAa,SAASF,eAAe,CAElD;IAWEG,WAAW,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAGA,IAAI,CAAC;MAEd,IAAI,CAACC,kBAAkB,GAAG,IAAIN,6BAA6B,CAACO,MAAM,CAACC,MAAM,CAAC;QACxEC,cAAc,EAAE,IAAI,CAACA;MACvB,CAAC,EAAE,IAAI,CAACC,OAAO,CAACJ,kBAAkB,CAAC,CAAC;MAEpC,IAAI,CAACK,IAAI,GAAG;QACVC,6BAA6B,EAAEC,aAAI,CAACD,6BAA6B;QACjEE,gBAAgB,EAAED,aAAI,CAACC,gBAAgB;QACvCC,gBAAgB,EAAEF,aAAI,CAACE;MACzB,CAAC;MAED,IAAI,CAACC,QAAQ,GAAG;QAAEC,WAAW,EAAE;MAAM,CAAC;MAEtC,IAAI,CAACC,WAAW,GAAG,IAAIC,kBAAY,EAAE;MAErC,IAAI,CAACC,KAAK,GAAG,IAAAC,mBAAc,EAAC,IAAI,EAAE,IAAI,CAACH,WAAW,CAAC;;MAEnD;MACA,IAAI,CAACI,YAAY,GAAG,IAAIC,0BAAY,CAAC,IAAI,EAAE,IAAI,CAACb,OAAO,CAACY,YAAY,CAAC;MAErE,IAAI,CAACE,SAAS,GAAG,IAAAC,oBAAe,EAAC,IAAI,CAAC;IACxC;;IAEA;IACAC,YAAY,GAAS;MACnB,KAAK,CAACA,YAAY,EAAE;;MAEpB;MACA,IAAI,CAACJ,YAAY,CAACK,KAAK,EAAE;IAC3
B;;IAEA;IACA;IACA;IACA,MAAMC,eAAe,CAAClB,OAA+B,GAAG,CAAC,CAAC,EAAoB;MAC5E;MACA,MAAM;QAAEmB,SAAS;QAAEC;MAAW,CAAC,GAAG,IAAI,CAACR,YAAY,CAACS,UAAU,EAAE;MAEhE,MAAMC,WAAW,GAAGtB,OAAO,CAACuB,cAAc,GAAGvB,OAAO,CAACuB,cAAc,KAAK,OAAO,GAAGJ,SAAS;MAC3F,MAAMK,YAAY,GAAGxB,OAAO,CAACuB,cAAc,GAAGvB,OAAO,CAACuB,cAAc,KAAK,QAAQ,GAAGH,UAAU;MAE9F,IAAI;QAAEK;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MACvD,IAAID,WAAW,IAAI,IAAI,CAACb,YAAY,CAACe,UAAU,CAACF,WAAW,CAAC,EAAE;QAC5DA,WAAW,GAAGG,SAAS;QACvB,IAAIN,WAAW,EAAE;UACf,IAAI;YACFG,WAAW,GAAG,MAAM,IAAI,CAACb,YAAY,CAACiB,KAAK,CAAC,aAAa,CAAgB;UAC3E,CAAC,CAAC,MAAM;YACN;UACF;QACF,CAAC,MAAM,IAAIL,YAAY,EAAE;UACvB,IAAI,CAACZ,YAAY,CAACkB,MAAM,CAAC,aAAa,CAAC;QACzC;MACF;MAEA,IAAI;QAAEC;MAAQ,CAAC,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE;MACnD,IAAIK,OAAO,IAAI,IAAI,CAACnB,YAAY,CAACe,UAAU,CAACI,OAAO,CAAC,EAAE;QACpDA,OAAO,GAAGH,SAAS;QACnB,IAAIN,WAAW,EAAE;UACf,IAAI;YACFS,OAAO,GAAG,MAAM,IAAI,CAACnB,YAAY,CAACiB,KAAK,CAAC,SAAS,CAAY;UAC/D,CAAC,CAAC,MAAM;YACN;UACF;QACF,CAAC,MAAM,IAAIL,YAAY,EAAE;UACvB,IAAI,CAACZ,YAAY,CAACkB,MAAM,CAAC,SAAS,CAAC;QACrC;MACF;MAEA,OAAO,CAAC,EAAEL,WAAW,IAAIM,OAAO,CAAC;IACnC;IAGA,MAAMC,kBAAkB,CAACC,IAA+B,GAAG,CAAC,CAAC,EAAE;MAC7D,MAAM;QAAEC,WAAW;QAAE,GAAGC;MAAiB,CAAC,GAAGF,IAAI;MACjD,IAAG,IAAI,CAAC3B,QAAQ,CAACC,WAAW,EAAE;QAC5B;QACA;MACF;MAEA,IAAI,CAACD,QAAQ,CAACC,WAAW,GAAG,IAAI;MAChC,IAAI;QACF;QACA,IAAI2B,WAAW,EAAE;UACf,IAAI,CAACE,cAAc,CAACF,WAAW,CAAC;QAClC;QACA,MAAMG,MAAM,GAAGxC,MAAM,CAACC,MAAM,CAAC;UAC3B;UACAwC,MAAM,EAAE,IAAI,CAACtC,OAAO,CAACsC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS;QAC9D,CAAC,EAAEH,gBAAgB,CAAC;QACpB,MAAM,IAAI,CAACzB,KAAK,CAAC6B,eAAe,CAACF,MAAM,CAAC;MAC1C,CAAC,SAAS;QACR,IAAI,CAAC/B,QAAQ,CAACC,WAAW,GAAG,KAAK;MACnC;IACF;IAEA,MAAMiC,OAAO,GAA0E;MACrF,MAAM;QAAET,OAAO;QAAEN;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MAClE,OAAO,IAAI,CAAChB,KAAK,CAAC+B,WAAW,CAAChB,WAAW,EAAEM,OAAO,CAAC;IACrD;IAEAW,UAAU,GAAuB;MAC/B,MAAM;QAAEX;MAAQ,CAAC,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE;MACrD,OAAOK,OAAO,GAAGA,OAAO,CAACA,OAAO,GAAGH,SAAS;
IAC9C;IAEAe,cAAc,GAAuB;MACnC,MAAM;QAAElB;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MACzD,OAAOD,WAAW,GAAGA,WAAW,CAACA,WAAW,GAAGG,SAAS;IAC1D;IAEAgB,eAAe,GAAuB;MACpC,MAAM;QAAEC;MAAa,CAAC,GAAG,IAAI,CAACjC,YAAY,CAACc,aAAa,EAAE;MAC1D,OAAOmB,YAAY,GAAGA,YAAY,CAACA,YAAY,GAAGjB,SAAS;IAC7D;;IAEA;AACJ;AACA;IACI,MAAMkB,uBAAuB,GAAkB;MAC7C,MAAM;QAAEC,MAAM;QAAEC;MAAa,CAAC,GAAG,MAAM,IAAI,CAACtC,KAAK,CAACuC,YAAY,EAAE;MAChE,IAAID,YAAY,KAAK,MAAM,EAAE;QAC3B,IAAI,CAACpC,YAAY,CAACsC,SAAS,CAACH,MAAM,CAAC;MACrC;IACF;IAEAI,eAAe,GAAY;MACzB,OAAO,IAAAA,sBAAe,EAAC,IAAI,CAAC;IAC9B;IAEAC,MAAM,GAAY;MAChB,OAAO,CAAC,CAAC,IAAI,CAACpD,OAAO,CAACC,IAAI;IAC5B;IAEAoD,eAAe,CAACL,YAA+B,EAAW;MACxD,OAAO,IAAAK,sBAAe,EAACL,YAAY,EAAE,IAAI,CAAChD,OAAO,CAAC;IACpD;IAEAsD,uBAAuB,GAAY;MACjC,OAAO,IAAI,CAACD,eAAe,CAAC,MAAM,CAAC;IACrC;;IAEA;IACA,MAAME,eAAe,CAACvD,OAAuB,EAAoB;MAC/D,IAAI,CAACA,OAAO,CAACyB,WAAW,EAAE;QACxB,MAAMA,WAAW,GAAG,CAAC,MAAM,IAAI,CAACb,YAAY,CAAC4C,SAAS,EAAE,EAAE/B,WAA0B;QACpFzB,OAAO,CAACyB,WAAW,GAAGA,WAAW,EAAEA,WAAW;MAChD;MACA,OAAO,IAAAgC,iBAAW,EAAC,IAAI,EAAEzD,OAAO,CAAC;IACnC;;IAEA;IACA,MAAM0D,iBAAiB,CAACjC,WAAyB,EAAoB;MACnE,IAAI,CAACA,WAAW,EAAE;QAChBA,WAAW,GAAG,CAAC,MAAM,IAAI,CAACb,YAAY,CAAC4C,SAAS,EAAE,EAAE/B,WAA0B;QAC9E,MAAMkC,cAAc,GAAG,IAAI,CAAC/C,YAAY,CAACgD,mBAAmB,CAAC,aAAa,CAAC;QAC3E,IAAI,CAAChD,YAAY,CAACkB,MAAM,CAAC6B,cAAc,CAAC;MAC1C;MACA;MACA,IAAI,CAAClC,WAAW,EAAE;QAChB,OAAOoC,OAAO,CAACC,OAAO,CAAC,IAAI,CAAC;MAC9B;MACA,OAAO,IAAI,CAACpD,KAAK,CAACqD,MAAM,CAACtC,WAAW,CAAC;IACvC;;IAEA;IACA,MAAMuC,kBAAkB,CAACnB,YAA2B,EAAoB;MACtE,IAAI,CAACA,YAAY,EAAE;QACjBA,YAAY,GAAG,CAAC,MAAM,IAAI,CAACjC,YAAY,CAAC4C,SAAS,EAAE,EAAEX,YAA4B;QACjF,MAAMoB,eAAe,GAAG,IAAI,CAACrD,YAAY,CAACgD,mBAAmB,CAAC,cAAc,CAAC;QAC7E,IAAI,CAAChD,YAAY,CAACkB,MAAM,CAACmC,eAAe,CAAC;MAC3C;MACA;MACA,IAAI,CAACpB,YAAY,EAAE;QACjB,OAAOgB,OAAO,CAACC,OAAO,CAAC,IAAI,CAAC;MAC9B;MACA,OAAO,IAAI,CAACpD,KAAK,CAACqD,MAAM,CAAClB,YAAY,CAAC;IACxC;IAEAqB,qBAAqB,CAAClE,OAAkC,GAAG,CAAC,CAAC,EAAE;MAC7D,IAAI;QACF+B,OAAO;QACPoC,qBAAqB;QACrBC;MACF,CAAC,GAAGpE
,OAAO;MACX,IAAI,CAAC+B,OAAO,EAAE;QACZA,OAAO,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE,CAACK,OAAkB;MAChE;MACA,IAAI,CAACA,OAAO,EAAE;QACZ,OAAO,EAAE;MACX;MACA,IAAIoC,qBAAqB,KAAKvC,SAAS,EAAE;QACvCuC,qBAAqB,GAAG,IAAI,CAACnE,OAAO,CAACmE,qBAAqB;MAC5D;MAEA,MAAME,SAAS,GAAG,IAAAC,mBAAY,EAAC,IAAI,CAAC,CAACD,SAAS;MAC9C,MAAME,WAAW,GAAGxC,OAAO,CAACA,OAAO,CAAC,CAAC;MACrC,IAAIyC,SAAS,GAAGH,SAAS,GAAG,iBAAiB,GAAGI,kBAAkB,CAACF,WAAW,CAAC;MAC/E,IAAIJ,qBAAqB,EAAE;QACzBK,SAAS,IAAI,4BAA4B,GAAGC,kBAAkB,CAACN,qBAAqB,CAAC;MACvF;MACA;MACA,IAAIC,KAAK,EAAE;QACTI,SAAS,IAAI,SAAS,GAAGC,kBAAkB,CAACL,KAAK,CAAC;MACpD;MAEA,OAAOI,SAAS;IAClB;;IAEA;IACA;IACA,MAAME,OAAO,CAAC1E,OAAwB,EAAoB;MACxDA,OAAO,GAAGH,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAEE,OAAO,CAAC;;MAEpC;MACA,MAAM2E,UAAU,GAAGC,MAAM,CAACC,QAAQ,CAACC,MAAM;MACzC,MAAMC,UAAU,GAAGH,MAAM,CAACC,QAAQ,CAACG,IAAI;MACvC;MACA;MACA;MACA;MACA,MAAMb,qBAAqB,GAAGnE,OAAO,CAACmE,qBAAqB,KAAK,IAAI,GAAG,IAAI,GACxEnE,OAAO,CAACmE,qBAAqB,IAC3B,IAAI,CAACnE,OAAO,CAACmE,qBAAqB,IAClCQ,UAAW;MAChB,MAAMP,KAAK,GAAGpE,OAAO,EAAEoE,KAAK;MAG5B,IAAI3C,WAAW,GAAGzB,OAAO,CAACyB,WAAW;MACrC,IAAIoB,YAAY,GAAG7C,OAAO,CAAC6C,YAAY;MACvC,MAAMa,iBAAiB,GAAG1D,OAAO,CAAC0D,iBAAiB,KAAK,KAAK;MAC7D,MAAMM,kBAAkB,GAAGhE,OAAO,CAACgE,kBAAkB,KAAK,KAAK;MAE/D,IAAIA,kBAAkB,IAAI,OAAOnB,YAAY,KAAK,WAAW,EAAE;QAC7DA,YAAY,GAAG,IAAI,CAACjC,YAAY,CAACc,aAAa,EAAE,CAACmB,YAA4B;MAC/E;MAEA,IAAIa,iBAAiB,IAAI,OAAOjC,WAAW,KAAK,WAAW,EAAE;QAC3DA,WAAW,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE,CAACD,WAA0B;MAC5E;MAEA,IAAI,CAACzB,OAAO,CAAC+B,OAAO,EAAE;QACpB/B,OAAO,CAAC+B,OAAO,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE,CAACK,OAAkB;MACxE;MAEA,IAAIiC,kBAAkB,IAAInB,YAAY,EAAE;QACtC,MAAM,IAAI,CAACmB,kBAAkB,CAACnB,YAAY,CAAC;MAC7C;MAEA,IAAIa,iBAAiB,IAAIjC,WAAW,EAAE;QACpC,MAAM,IAAI,CAACiC,iBAAiB,CAACjC,WAAW,CAAC;MAC3C;MAEA,MAAM+C,SAAS,GAAG,IAAI,CAACN,qBAAqB,CAAC;QAAE,GAAGlE,OAAO;QAAEmE;MAAsB,CAAC,CAAC;MACnF;MACA;MACA,IAAI,CAACK,SAAS,EAAE;QACd;QACA,MAAMS,aAAa,GAAG,MAAM,IAAI,CAACC,YAAY,EAAE,CAAC,CAAG;QACnD,MAAMC,WAAW,GAAG,IAAIC,GAAG,CAACjB,qBAAqB,IAAIQ,UAAU,CAA
C,CAAC,CAAC;QAClE,IAAIP,KAAK,EAAE;UACTe,WAAW,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAElB,KAAK,CAAC;QACjD;QACA,IAAID,qBAAqB,KAAKY,UAAU,EAAE;UACxC;UACAH,MAAM,CAACC,QAAQ,CAACG,IAAI,GAAGG,WAAW,CAACH,IAAI;QACzC,CAAC,MAAM;UACLJ,MAAM,CAACC,QAAQ,CAAC/E,MAAM,CAACqF,WAAW,CAACH,IAAI,CAAC;QAC1C;QACA,OAAOC,aAAa;MACtB,CAAC,MAAM;QACL,IAAIjF,OAAO,CAACuF,yBAAyB,EAAE;UACrC;UACA,IAAI,CAAC3E,YAAY,CAACK,KAAK,EAAE;QAC3B,CAAC,MAAM;UACL,IAAI,CAACL,YAAY,CAAC4E,qBAAqB,EAAE;QAC3C;QACA;QACAZ,MAAM,CAACC,QAAQ,CAAC/E,MAAM,CAAC0E,SAAS,CAAC;QACjC,OAAO,IAAI;MACb;IACF;EAEF,CAAC,kDAvS4BiB,MAAM;AAySrC"}
|
|
1
|
+
{"version":3,"file":"index.js","names":["mixinOAuth","Base","TransactionManagerConstructor","WithOriginalUri","provideOriginalUri","OktaAuthOAuth","constructor","args","transactionManager","Object","assign","storageManager","options","pkce","DEFAULT_CODE_CHALLENGE_METHOD","PKCE","generateVerifier","computeChallenge","_pending","handleLogin","_tokenQueue","PromiseQueue","token","createTokenAPI","tokenManager","TokenManager","endpoints","createEndpoints","clearStorage","clear","isAuthenticated","autoRenew","autoRemove","getOptions","shouldRenew","onExpiredToken","shouldRemove","accessToken","getTokensSync","hasExpired","undefined","renew","remove","idToken","signInWithRedirect","opts","originalUri","additionalParams","setOriginalUri","params","scopes","getWithRedirect","getUser","getUserInfo","getIdToken","getAccessToken","getRefreshToken","refreshToken","getOrRenewAccessToken","key","getStorageKeyByType","err","emitter","emit","storeTokensFromRedirect","tokens","responseType","parseFromUrl","setTokens","isLoginRedirect","isPKCE","hasResponseType","isAuthorizationCodeFlow","invokeApiMethod","getTokens","httpRequest","revokeAccessToken","accessTokenKey","dpop","clearDPoPKeyPairAfterRevoke","Promise","resolve","revoke","revokeRefreshToken","refreshTokenKey","getSignOutRedirectUrl","postLogoutRedirectUri","state","logoutUrl","getOAuthUrls","idTokenHint","logoutUri","encodeURIComponent","signOut","defaultUri","window","location","origin","currentUri","href","dpopPairId","clearDPoPKeyPair","sessionClosed","closeSession","redirectUri","URL","searchParams","append","clearTokensBeforeRedirect","addPendingRemoveFlags","getDPoPAuthorizationHeaders","AuthSdkError","keyPair","findKeyPair","proof","generateDPoPProof","Authorization","Dpop","clearDPoPStorage","clearAll","clearAllDPoPKeyPairs","parseUseDPoPNonceError","headers","wwwAuth","WWWAuthError","getWWWAuthenticateHeader","wwwErr","parseHeader","isDPoPNonceError","nonce","isFunction","get","crypto"],"sources":["../../../../li
b/oidc/mixin/index.ts"],"sourcesContent":["import { httpRequest, RequestOptions } from '../../http';\nimport { OktaAuthConstructor } from '../../base/types';\nimport { \n PromiseQueue,\n isFunction\n} from '../../util';\nimport { CryptoAPI } from '../../crypto/types';\nimport * as crypto from '../../crypto';\nimport {\n AccessToken,\n CustomUserClaims,\n IDToken,\n IsAuthenticatedOptions,\n OAuthResponseType,\n OAuthStorageManagerInterface,\n OAuthTransactionMeta,\n OktaAuthOAuthInterface,\n OktaAuthOAuthOptions,\n PkceAPI,\n PKCETransactionMeta,\n RefreshToken,\n SigninWithRedirectOptions,\n SignoutOptions,\n SignoutRedirectUrlOptions,\n TokenAPI,\n TransactionManagerInterface,\n TransactionManagerConstructor,\n UserClaims,\n Endpoints,\n DPoPRequest,\n DPoPHeaders\n} from '../types';\nimport PKCE from '../util/pkce';\nimport { createEndpoints, createTokenAPI } from '../factory/api';\nimport { TokenManager } from '../TokenManager';\nimport { getOAuthUrls, isLoginRedirect, hasResponseType } from '../util';\nimport { \n generateDPoPProof,\n clearDPoPKeyPair,\n clearAllDPoPKeyPairs,\n clearDPoPKeyPairAfterRevoke,\n findKeyPair,\n isDPoPNonceError\n} from '../dpop';\nimport { AuthSdkError, WWWAuthError } from '../../errors';\n\nimport { OktaAuthSessionInterface } from '../../session/types';\nimport { provideOriginalUri } from './node';\nexport function mixinOAuth\n<\n M extends OAuthTransactionMeta = PKCETransactionMeta,\n S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n TM extends TransactionManagerInterface = TransactionManagerInterface,\n TBase extends OktaAuthConstructor<OktaAuthSessionInterface<S, O>>\n = OktaAuthConstructor<OktaAuthSessionInterface<S, O>>\n>\n(\n Base: TBase,\n TransactionManagerConstructor: TransactionManagerConstructor<TM>,\n): TBase & OktaAuthConstructor<OktaAuthOAuthInterface<M, S, O, TM>>\n{\n const WithOriginalUri = provideOriginalUri(Base);\n return 
class OktaAuthOAuth extends WithOriginalUri\n implements OktaAuthOAuthInterface<M, S, O, TM>\n {\n static crypto: CryptoAPI = crypto;\n token: TokenAPI;\n tokenManager: TokenManager;\n transactionManager: TM;\n pkce: PkceAPI;\n endpoints: Endpoints;\n\n _pending: { handleLogin: boolean };\n _tokenQueue: PromiseQueue;\n \n constructor(...args: any[]) {\n super(...args);\n\n this.transactionManager = new TransactionManagerConstructor(Object.assign({\n storageManager: this.storageManager,\n }, this.options.transactionManager));\n \n this.pkce = {\n DEFAULT_CODE_CHALLENGE_METHOD: PKCE.DEFAULT_CODE_CHALLENGE_METHOD,\n generateVerifier: PKCE.generateVerifier,\n computeChallenge: PKCE.computeChallenge\n };\n \n this._pending = { handleLogin: false };\n\n this._tokenQueue = new PromiseQueue();\n\n this.token = createTokenAPI(this, this._tokenQueue);\n\n // TokenManager\n this.tokenManager = new TokenManager(this, this.options.tokenManager);\n\n this.endpoints = createEndpoints(this);\n }\n\n // inherited from subclass\n clearStorage(): void {\n super.clearStorage();\n \n // Clear all local tokens\n this.tokenManager.clear();\n }\n\n // Returns true if both accessToken and idToken are not expired\n // If `autoRenew` option is set, will attempt to renew expired tokens before returning.\n // eslint-disable-next-line complexity\n async isAuthenticated(options: IsAuthenticatedOptions = {}): Promise<boolean> {\n // TODO: remove dependency on tokenManager options in next major version - OKTA-473815\n const { autoRenew, autoRemove } = this.tokenManager.getOptions();\n\n const shouldRenew = options.onExpiredToken ? options.onExpiredToken === 'renew' : autoRenew;\n const shouldRemove = options.onExpiredToken ? 
options.onExpiredToken === 'remove' : autoRemove;\n\n let { accessToken } = this.tokenManager.getTokensSync();\n if (accessToken && this.tokenManager.hasExpired(accessToken)) {\n accessToken = undefined;\n if (shouldRenew) {\n try {\n accessToken = await this.tokenManager.renew('accessToken') as AccessToken;\n } catch {\n // Renew errors will emit an \"error\" event \n }\n } else if (shouldRemove) {\n this.tokenManager.remove('accessToken');\n }\n }\n\n let { idToken } = this.tokenManager.getTokensSync();\n if (idToken && this.tokenManager.hasExpired(idToken)) {\n idToken = undefined;\n if (shouldRenew) {\n try {\n idToken = await this.tokenManager.renew('idToken') as IDToken;\n } catch {\n // Renew errors will emit an \"error\" event \n }\n } else if (shouldRemove) {\n this.tokenManager.remove('idToken');\n }\n }\n\n return !!(accessToken && idToken);\n }\n\n\n async signInWithRedirect(opts: SigninWithRedirectOptions = {}) {\n const { originalUri, ...additionalParams } = opts;\n if(this._pending.handleLogin) { \n // Don't trigger second round\n return;\n }\n\n this._pending.handleLogin = true;\n try {\n // Trigger default signIn redirect flow\n if (originalUri) {\n this.setOriginalUri(originalUri);\n }\n const params = Object.assign({\n // TODO: remove this line when default scopes are changed OKTA-343294\n scopes: this.options.scopes || ['openid', 'email', 'profile']\n }, additionalParams);\n await this.token.getWithRedirect(params);\n } finally {\n this._pending.handleLogin = false;\n }\n }\n\n async getUser<T extends CustomUserClaims = CustomUserClaims>(): Promise<UserClaims<T>> {\n const { idToken, accessToken } = this.tokenManager.getTokensSync();\n return this.token.getUserInfo(accessToken, idToken);\n }\n \n getIdToken(): string | undefined {\n const { idToken } = this.tokenManager.getTokensSync();\n return idToken ? 
idToken.idToken : undefined;\n }\n \n getAccessToken(): string | undefined {\n const { accessToken } = this.tokenManager.getTokensSync();\n return accessToken ? accessToken.accessToken : undefined;\n }\n \n getRefreshToken(): string | undefined {\n const { refreshToken } = this.tokenManager.getTokensSync();\n return refreshToken ? refreshToken.refreshToken : undefined;\n }\n\n async getOrRenewAccessToken(): Promise<string | null> {\n const { accessToken } = this.tokenManager.getTokensSync();\n if (accessToken && !this.tokenManager.hasExpired(accessToken)) {\n return accessToken.accessToken;\n }\n try {\n const key = this.tokenManager.getStorageKeyByType('accessToken');\n const token = await this.tokenManager.renew(key ?? 'accessToken');\n return (token as AccessToken)?.accessToken ?? null;\n }\n catch (err) {\n this.emitter.emit('error', err);\n return null;\n }\n }\n \n /**\n * Store parsed tokens from redirect url\n */\n async storeTokensFromRedirect(): Promise<void> {\n const { tokens, responseType } = await this.token.parseFromUrl();\n if (responseType !== 'none') {\n this.tokenManager.setTokens(tokens);\n }\n }\n \n isLoginRedirect(): boolean {\n return isLoginRedirect(this);\n }\n\n isPKCE(): boolean {\n return !!this.options.pkce;\n }\n\n hasResponseType(responseType: OAuthResponseType): boolean {\n return hasResponseType(responseType, this.options);\n }\n \n isAuthorizationCodeFlow(): boolean {\n return this.hasResponseType('code');\n }\n\n // Escape hatch method to make arbitrary OKTA API call\n async invokeApiMethod(options: RequestOptions): Promise<unknown> {\n if (!options.accessToken) {\n const accessToken = (await this.tokenManager.getTokens()).accessToken as AccessToken;\n options.accessToken = accessToken?.accessToken;\n }\n return httpRequest(this, options);\n }\n \n // Revokes the access token for the application session\n async revokeAccessToken(accessToken?: AccessToken): Promise<unknown> {\n if (!accessToken) {\n const tokens = await 
this.tokenManager.getTokens();\n accessToken = tokens.accessToken;\n const accessTokenKey = this.tokenManager.getStorageKeyByType('accessToken');\n this.tokenManager.remove(accessTokenKey);\n\n if (this.options.dpop) {\n await clearDPoPKeyPairAfterRevoke('access', tokens);\n }\n }\n // Access token may have been removed. In this case, we will silently succeed.\n if (!accessToken) {\n return Promise.resolve(null);\n }\n return this.token.revoke(accessToken);\n }\n\n // Revokes the refresh token for the application session\n async revokeRefreshToken(refreshToken?: RefreshToken): Promise<unknown> {\n if (!refreshToken) {\n const tokens = await this.tokenManager.getTokens();\n refreshToken = tokens.refreshToken;\n const refreshTokenKey = this.tokenManager.getStorageKeyByType('refreshToken');\n this.tokenManager.remove(refreshTokenKey);\n\n if (this.options.dpop) {\n await clearDPoPKeyPairAfterRevoke('refresh', tokens);\n }\n }\n // Refresh token may have been removed. In this case, we will silently succeed.\n if (!refreshToken) {\n return Promise.resolve(null);\n }\n return this.token.revoke(refreshToken);\n }\n\n getSignOutRedirectUrl(options: SignoutRedirectUrlOptions = {}) {\n let {\n idToken,\n postLogoutRedirectUri,\n state,\n } = options;\n if (!idToken) {\n idToken = this.tokenManager.getTokensSync().idToken as IDToken;\n }\n if (!idToken) {\n return '';\n }\n if (postLogoutRedirectUri === undefined) {\n postLogoutRedirectUri = this.options.postLogoutRedirectUri;\n }\n\n const logoutUrl = getOAuthUrls(this).logoutUrl;\n const idTokenHint = idToken.idToken; // a string\n let logoutUri = logoutUrl + '?id_token_hint=' + encodeURIComponent(idTokenHint);\n if (postLogoutRedirectUri) {\n logoutUri += '&post_logout_redirect_uri=' + encodeURIComponent(postLogoutRedirectUri);\n } \n // State allows option parameters to be passed to logout redirect uri\n if (state) {\n logoutUri += '&state=' + encodeURIComponent(state);\n }\n\n return logoutUri;\n }\n\n // Revokes 
refreshToken or accessToken, clears all local tokens, then redirects to Okta to end the SSO session.\n // eslint-disable-next-line complexity, max-statements\n async signOut(options?: SignoutOptions): Promise<boolean> {\n options = Object.assign({}, options);\n \n // postLogoutRedirectUri must be whitelisted in Okta Admin UI\n const defaultUri = window.location.origin;\n const currentUri = window.location.href;\n // Fix for issue/1410 - allow for no postLogoutRedirectUri to be passed, resulting in /logout default behavior\n // \"If no Okta session exists, this endpoint has no effect and the browser is redirected immediately to the\n // Okta sign-in page or the post_logout_redirect_uri (if specified).\"\n // - https://developer.okta.com/docs/reference/api/oidc/#logout\n const postLogoutRedirectUri = options.postLogoutRedirectUri === null ? null :\n (options.postLogoutRedirectUri\n || this.options.postLogoutRedirectUri\n || defaultUri);\n const state = options?.state;\n \n \n let accessToken = options.accessToken;\n let refreshToken = options.refreshToken;\n const revokeAccessToken = options.revokeAccessToken !== false;\n const revokeRefreshToken = options.revokeRefreshToken !== false;\n \n if (revokeRefreshToken && typeof refreshToken === 'undefined') {\n refreshToken = this.tokenManager.getTokensSync().refreshToken as RefreshToken;\n }\n\n if (revokeAccessToken && typeof accessToken === 'undefined') {\n accessToken = this.tokenManager.getTokensSync().accessToken as AccessToken;\n }\n \n if (!options.idToken) {\n options.idToken = this.tokenManager.getTokensSync().idToken as IDToken;\n }\n\n if (revokeRefreshToken && refreshToken) {\n await this.revokeRefreshToken(refreshToken);\n }\n\n if (revokeAccessToken && accessToken) {\n await this.revokeAccessToken(accessToken);\n }\n\n const dpopPairId = accessToken?.dpopPairId ?? 
refreshToken?.dpopPairId;\n if (this.options.dpop && dpopPairId) {\n await clearDPoPKeyPair(dpopPairId);\n }\n\n const logoutUri = this.getSignOutRedirectUrl({ ...options, postLogoutRedirectUri });\n // No logoutUri? This can happen if the storage was cleared.\n // Fallback to XHR signOut, then simulate a redirect to the post logout uri\n if (!logoutUri) {\n // local tokens are cleared once session is closed\n const sessionClosed = await this.closeSession(); // can throw if the user cannot be signed out\n const redirectUri = new URL(postLogoutRedirectUri || defaultUri); // during fallback, redirectUri cannot be null\n if (state) {\n redirectUri.searchParams.append('state', state);\n }\n if (postLogoutRedirectUri === currentUri) {\n // window.location.reload(); // force a hard reload if URI is not changing\n window.location.href = redirectUri.href;\n } else {\n window.location.assign(redirectUri.href);\n }\n return sessionClosed;\n } else {\n if (options.clearTokensBeforeRedirect) {\n // Clear all local tokens\n this.tokenManager.clear();\n } else {\n this.tokenManager.addPendingRemoveFlags();\n }\n // Flow ends with logout redirect\n window.location.assign(logoutUri);\n return true;\n }\n }\n\n async getDPoPAuthorizationHeaders (params: DPoPRequest): Promise<DPoPHeaders> {\n if (!this.options.dpop) {\n throw new AuthSdkError('DPoP is not configured for this client instance');\n }\n\n let { accessToken } = params;\n if (!accessToken) {\n accessToken = (this.tokenManager.getTokensSync()).accessToken;\n }\n\n if (!accessToken) {\n throw new AuthSdkError('AccessToken is required to generate a DPoP Proof');\n }\n\n const keyPair = await findKeyPair(accessToken?.dpopPairId);\n const proof = await generateDPoPProof({...params, keyPair, accessToken: accessToken.accessToken});\n return {\n Authorization: `DPoP ${accessToken.accessToken}`,\n Dpop: proof\n };\n }\n\n async clearDPoPStorage (clearAll=false): Promise<void> {\n if (clearAll) {\n return clearAllDPoPKeyPairs();\n 
}\n\n const tokens = await this.tokenManager.getTokens();\n const keyPair = tokens.accessToken?.dpopPairId || tokens.refreshToken?.dpopPairId;\n\n if (keyPair) {\n await clearDPoPKeyPair(keyPair);\n }\n }\n\n parseUseDPoPNonceError (headers: HeadersInit): string | null {\n const wwwAuth = WWWAuthError.getWWWAuthenticateHeader(headers);\n const wwwErr = WWWAuthError.parseHeader(wwwAuth ?? '');\n if (isDPoPNonceError(wwwErr)) {\n let nonce: string | null = null;\n if (isFunction((headers as Headers)?.get)) {\n nonce = (headers as Headers).get('DPoP-Nonce');\n }\n nonce = nonce ?? headers['dpop-nonce'] ?? headers['DPoP-Nonce'];\n return nonce;\n }\n\n return null;\n }\n };\n\n}\n"],"mappings":";;;;;AAAA;AAEA;AAKA;AAyBA;AACA;AACA;AACA;AACA;AAQA;AAGA;AAA4C;AAAA;AACrC,SAASA,UAAU,CAUxBC,IAAW,EACXC,6BAAgE,EAElE;EAAA;EACE,MAAMC,eAAe,GAAG,IAAAC,wBAAkB,EAACH,IAAI,CAAC;EAChD,gBAAO,MAAMI,aAAa,SAASF,eAAe,CAElD;IAWEG,WAAW,CAAC,GAAGC,IAAW,EAAE;MAC1B,KAAK,CAAC,GAAGA,IAAI,CAAC;MAEd,IAAI,CAACC,kBAAkB,GAAG,IAAIN,6BAA6B,CAACO,MAAM,CAACC,MAAM,CAAC;QACxEC,cAAc,EAAE,IAAI,CAACA;MACvB,CAAC,EAAE,IAAI,CAACC,OAAO,CAACJ,kBAAkB,CAAC,CAAC;MAEpC,IAAI,CAACK,IAAI,GAAG;QACVC,6BAA6B,EAAEC,aAAI,CAACD,6BAA6B;QACjEE,gBAAgB,EAAED,aAAI,CAACC,gBAAgB;QACvCC,gBAAgB,EAAEF,aAAI,CAACE;MACzB,CAAC;MAED,IAAI,CAACC,QAAQ,GAAG;QAAEC,WAAW,EAAE;MAAM,CAAC;MAEtC,IAAI,CAACC,WAAW,GAAG,IAAIC,kBAAY,EAAE;MAErC,IAAI,CAACC,KAAK,GAAG,IAAAC,mBAAc,EAAC,IAAI,EAAE,IAAI,CAACH,WAAW,CAAC;;MAEnD;MACA,IAAI,CAACI,YAAY,GAAG,IAAIC,0BAAY,CAAC,IAAI,EAAE,IAAI,CAACb,OAAO,CAACY,YAAY,CAAC;MAErE,IAAI,CAACE,SAAS,GAAG,IAAAC,oBAAe,EAAC,IAAI,CAAC;IACxC;;IAEA;IACAC,YAAY,GAAS;MACnB,KAAK,CAACA,YAAY,EAAE;;MAEpB;MACA,IAAI,CAACJ,YAAY,CAACK,KAAK,EAAE;IAC3B;;IAEA;IACA;IACA;IACA,MAAMC,eAAe,CAAClB,OAA+B,GAAG,CAAC,CAAC,EAAoB;MAC5E;MACA,MAAM;QAAEmB,SAAS;QAAEC;MAAW,CAAC,GAAG,IAAI,CAACR,YAAY,CAACS,UAAU,EAAE;MAEhE,MAAMC,WAAW,GAAGtB,OAAO,CAACuB,cAAc,GAAGvB,OAAO,CAACuB,cAAc,KAAK,OAAO,GAAGJ,SAAS;MAC3F,MAAMK,YAAY,GAAGxB,OAAO,CAACuB,cAAc,GAAGvB,OAAO,CAACuB,cAAc,KAAK,QAAQ,G
AAGH,UAAU;MAE9F,IAAI;QAAEK;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MACvD,IAAID,WAAW,IAAI,IAAI,CAACb,YAAY,CAACe,UAAU,CAACF,WAAW,CAAC,EAAE;QAC5DA,WAAW,GAAGG,SAAS;QACvB,IAAIN,WAAW,EAAE;UACf,IAAI;YACFG,WAAW,GAAG,MAAM,IAAI,CAACb,YAAY,CAACiB,KAAK,CAAC,aAAa,CAAgB;UAC3E,CAAC,CAAC,MAAM;YACN;UACF;QACF,CAAC,MAAM,IAAIL,YAAY,EAAE;UACvB,IAAI,CAACZ,YAAY,CAACkB,MAAM,CAAC,aAAa,CAAC;QACzC;MACF;MAEA,IAAI;QAAEC;MAAQ,CAAC,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE;MACnD,IAAIK,OAAO,IAAI,IAAI,CAACnB,YAAY,CAACe,UAAU,CAACI,OAAO,CAAC,EAAE;QACpDA,OAAO,GAAGH,SAAS;QACnB,IAAIN,WAAW,EAAE;UACf,IAAI;YACFS,OAAO,GAAG,MAAM,IAAI,CAACnB,YAAY,CAACiB,KAAK,CAAC,SAAS,CAAY;UAC/D,CAAC,CAAC,MAAM;YACN;UACF;QACF,CAAC,MAAM,IAAIL,YAAY,EAAE;UACvB,IAAI,CAACZ,YAAY,CAACkB,MAAM,CAAC,SAAS,CAAC;QACrC;MACF;MAEA,OAAO,CAAC,EAAEL,WAAW,IAAIM,OAAO,CAAC;IACnC;IAGA,MAAMC,kBAAkB,CAACC,IAA+B,GAAG,CAAC,CAAC,EAAE;MAC7D,MAAM;QAAEC,WAAW;QAAE,GAAGC;MAAiB,CAAC,GAAGF,IAAI;MACjD,IAAG,IAAI,CAAC3B,QAAQ,CAACC,WAAW,EAAE;QAC5B;QACA;MACF;MAEA,IAAI,CAACD,QAAQ,CAACC,WAAW,GAAG,IAAI;MAChC,IAAI;QACF;QACA,IAAI2B,WAAW,EAAE;UACf,IAAI,CAACE,cAAc,CAACF,WAAW,CAAC;QAClC;QACA,MAAMG,MAAM,GAAGxC,MAAM,CAACC,MAAM,CAAC;UAC3B;UACAwC,MAAM,EAAE,IAAI,CAACtC,OAAO,CAACsC,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS;QAC9D,CAAC,EAAEH,gBAAgB,CAAC;QACpB,MAAM,IAAI,CAACzB,KAAK,CAAC6B,eAAe,CAACF,MAAM,CAAC;MAC1C,CAAC,SAAS;QACR,IAAI,CAAC/B,QAAQ,CAACC,WAAW,GAAG,KAAK;MACnC;IACF;IAEA,MAAMiC,OAAO,GAA0E;MACrF,MAAM;QAAET,OAAO;QAAEN;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MAClE,OAAO,IAAI,CAAChB,KAAK,CAAC+B,WAAW,CAAChB,WAAW,EAAEM,OAAO,CAAC;IACrD;IAEAW,UAAU,GAAuB;MAC/B,MAAM;QAAEX;MAAQ,CAAC,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE;MACrD,OAAOK,OAAO,GAAGA,OAAO,CAACA,OAAO,GAAGH,SAAS;IAC9C;IAEAe,cAAc,GAAuB;MACnC,MAAM;QAAElB;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MACzD,OAAOD,WAAW,GAAGA,WAAW,CAACA,WAAW,GAAGG,SAAS;IAC1D;IAEAgB,eAAe,GAAuB;MACpC,MAAM;QAAEC;MAAa,CAAC,GAAG,IAAI,CAACjC,YAAY,CAACc,aAAa,EAAE;MAC1D,OAAOmB,YAAY,GAAGA,YAAY,CAACA,YAAY,GAAGjB,SAAS;IAC7D;IAEA,MAAMkB,qBAAqB,GAA2B;M
ACpD,MAAM;QAAErB;MAAY,CAAC,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE;MACzD,IAAID,WAAW,IAAI,CAAC,IAAI,CAACb,YAAY,CAACe,UAAU,CAACF,WAAW,CAAC,EAAE;QAC7D,OAAOA,WAAW,CAACA,WAAW;MAChC;MACA,IAAI;QACF,MAAMsB,GAAG,GAAG,IAAI,CAACnC,YAAY,CAACoC,mBAAmB,CAAC,aAAa,CAAC;QAChE,MAAMtC,KAAK,GAAG,MAAM,IAAI,CAACE,YAAY,CAACiB,KAAK,CAACkB,GAAG,IAAI,aAAa,CAAC;QACjE,OAAQrC,KAAK,EAAkBe,WAAW,IAAI,IAAI;MACpD,CAAC,CACD,OAAOwB,GAAG,EAAE;QACV,IAAI,CAACC,OAAO,CAACC,IAAI,CAAC,OAAO,EAAEF,GAAG,CAAC;QAC/B,OAAO,IAAI;MACb;IACF;;IAEA;AACJ;AACA;IACI,MAAMG,uBAAuB,GAAkB;MAC7C,MAAM;QAAEC,MAAM;QAAEC;MAAa,CAAC,GAAG,MAAM,IAAI,CAAC5C,KAAK,CAAC6C,YAAY,EAAE;MAChE,IAAID,YAAY,KAAK,MAAM,EAAE;QAC3B,IAAI,CAAC1C,YAAY,CAAC4C,SAAS,CAACH,MAAM,CAAC;MACrC;IACF;IAEAI,eAAe,GAAY;MACzB,OAAO,IAAAA,sBAAe,EAAC,IAAI,CAAC;IAC9B;IAEAC,MAAM,GAAY;MAChB,OAAO,CAAC,CAAC,IAAI,CAAC1D,OAAO,CAACC,IAAI;IAC5B;IAEA0D,eAAe,CAACL,YAA+B,EAAW;MACxD,OAAO,IAAAK,sBAAe,EAACL,YAAY,EAAE,IAAI,CAACtD,OAAO,CAAC;IACpD;IAEA4D,uBAAuB,GAAY;MACjC,OAAO,IAAI,CAACD,eAAe,CAAC,MAAM,CAAC;IACrC;;IAEA;IACA,MAAME,eAAe,CAAC7D,OAAuB,EAAoB;MAC/D,IAAI,CAACA,OAAO,CAACyB,WAAW,EAAE;QACxB,MAAMA,WAAW,GAAG,CAAC,MAAM,IAAI,CAACb,YAAY,CAACkD,SAAS,EAAE,EAAErC,WAA0B;QACpFzB,OAAO,CAACyB,WAAW,GAAGA,WAAW,EAAEA,WAAW;MAChD;MACA,OAAO,IAAAsC,iBAAW,EAAC,IAAI,EAAE/D,OAAO,CAAC;IACnC;;IAEA;IACA,MAAMgE,iBAAiB,CAACvC,WAAyB,EAAoB;MACnE,IAAI,CAACA,WAAW,EAAE;QAChB,MAAM4B,MAAM,GAAG,MAAM,IAAI,CAACzC,YAAY,CAACkD,SAAS,EAAE;QAClDrC,WAAW,GAAG4B,MAAM,CAAC5B,WAAW;QAChC,MAAMwC,cAAc,GAAG,IAAI,CAACrD,YAAY,CAACoC,mBAAmB,CAAC,aAAa,CAAC;QAC3E,IAAI,CAACpC,YAAY,CAACkB,MAAM,CAACmC,cAAc,CAAC;QAExC,IAAI,IAAI,CAACjE,OAAO,CAACkE,IAAI,EAAE;UACrB,MAAM,IAAAC,iCAA2B,EAAC,QAAQ,EAAEd,MAAM,CAAC;QACrD;MACF;MACA;MACA,IAAI,CAAC5B,WAAW,EAAE;QAChB,OAAO2C,OAAO,CAACC,OAAO,CAAC,IAAI,CAAC;MAC9B;MACA,OAAO,IAAI,CAAC3D,KAAK,CAAC4D,MAAM,CAAC7C,WAAW,CAAC;IACvC;;IAEA;IACA,MAAM8C,kBAAkB,CAAC1B,YAA2B,EAAoB;MACtE,IAAI,CAACA,YAAY,EAAE;QACjB,MAAMQ,MAAM,GAAG,MAAM,IAAI,CAACzC,YAAY,CAACkD,SAAS,EAAE;QAClDjB,YAAY,GAAGQ,MAAM,CAACR,YAAY;QAClC,MAAM2B,eAAe,GAAG,I
AAI,CAAC5D,YAAY,CAACoC,mBAAmB,CAAC,cAAc,CAAC;QAC7E,IAAI,CAACpC,YAAY,CAACkB,MAAM,CAAC0C,eAAe,CAAC;QAEzC,IAAI,IAAI,CAACxE,OAAO,CAACkE,IAAI,EAAE;UACrB,MAAM,IAAAC,iCAA2B,EAAC,SAAS,EAAEd,MAAM,CAAC;QACtD;MACF;MACA;MACA,IAAI,CAACR,YAAY,EAAE;QACjB,OAAOuB,OAAO,CAACC,OAAO,CAAC,IAAI,CAAC;MAC9B;MACA,OAAO,IAAI,CAAC3D,KAAK,CAAC4D,MAAM,CAACzB,YAAY,CAAC;IACxC;IAEA4B,qBAAqB,CAACzE,OAAkC,GAAG,CAAC,CAAC,EAAE;MAC7D,IAAI;QACF+B,OAAO;QACP2C,qBAAqB;QACrBC;MACF,CAAC,GAAG3E,OAAO;MACX,IAAI,CAAC+B,OAAO,EAAE;QACZA,OAAO,GAAG,IAAI,CAACnB,YAAY,CAACc,aAAa,EAAE,CAACK,OAAkB;MAChE;MACA,IAAI,CAACA,OAAO,EAAE;QACZ,OAAO,EAAE;MACX;MACA,IAAI2C,qBAAqB,KAAK9C,SAAS,EAAE;QACvC8C,qBAAqB,GAAG,IAAI,CAAC1E,OAAO,CAAC0E,qBAAqB;MAC5D;MAEA,MAAME,SAAS,GAAG,IAAAC,mBAAY,EAAC,IAAI,CAAC,CAACD,SAAS;MAC9C,MAAME,WAAW,GAAG/C,OAAO,CAACA,OAAO,CAAC,CAAC;MACrC,IAAIgD,SAAS,GAAGH,SAAS,GAAG,iBAAiB,GAAGI,kBAAkB,CAACF,WAAW,CAAC;MAC/E,IAAIJ,qBAAqB,EAAE;QACzBK,SAAS,IAAI,4BAA4B,GAAGC,kBAAkB,CAACN,qBAAqB,CAAC;MACvF;MACA;MACA,IAAIC,KAAK,EAAE;QACTI,SAAS,IAAI,SAAS,GAAGC,kBAAkB,CAACL,KAAK,CAAC;MACpD;MAEA,OAAOI,SAAS;IAClB;;IAEA;IACA;IACA,MAAME,OAAO,CAACjF,OAAwB,EAAoB;MACxDA,OAAO,GAAGH,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAEE,OAAO,CAAC;;MAEpC;MACA,MAAMkF,UAAU,GAAGC,MAAM,CAACC,QAAQ,CAACC,MAAM;MACzC,MAAMC,UAAU,GAAGH,MAAM,CAACC,QAAQ,CAACG,IAAI;MACvC;MACA;MACA;MACA;MACA,MAAMb,qBAAqB,GAAG1E,OAAO,CAAC0E,qBAAqB,KAAK,IAAI,GAAG,IAAI,GACxE1E,OAAO,CAAC0E,qBAAqB,IAC3B,IAAI,CAAC1E,OAAO,CAAC0E,qBAAqB,IAClCQ,UAAW;MAChB,MAAMP,KAAK,GAAG3E,OAAO,EAAE2E,KAAK;MAG5B,IAAIlD,WAAW,GAAGzB,OAAO,CAACyB,WAAW;MACrC,IAAIoB,YAAY,GAAG7C,OAAO,CAAC6C,YAAY;MACvC,MAAMmB,iBAAiB,GAAGhE,OAAO,CAACgE,iBAAiB,KAAK,KAAK;MAC7D,MAAMO,kBAAkB,GAAGvE,OAAO,CAACuE,kBAAkB,KAAK,KAAK;MAE/D,IAAIA,kBAAkB,IAAI,OAAO1B,YAAY,KAAK,WAAW,EAAE;QAC7DA,YAAY,GAAG,IAAI,CAACjC,YAAY,CAACc,aAAa,EAAE,CAACmB,YAA4B;MAC/E;MAEA,IAAImB,iBAAiB,IAAI,OAAOvC,WAAW,KAAK,WAAW,EAAE;QAC3DA,WAAW,GAAG,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE,CAACD,WAA0B;MAC5E;MAEA,IAAI,CAACzB,OAAO,CAAC+B,OAAO,EAAE;QACpB/B,OAAO,CAAC+B,OAAO,GAAG,IAAI,CAACnB,YAAY,C
AACc,aAAa,EAAE,CAACK,OAAkB;MACxE;MAEA,IAAIwC,kBAAkB,IAAI1B,YAAY,EAAE;QACtC,MAAM,IAAI,CAAC0B,kBAAkB,CAAC1B,YAAY,CAAC;MAC7C;MAEA,IAAImB,iBAAiB,IAAIvC,WAAW,EAAE;QACpC,MAAM,IAAI,CAACuC,iBAAiB,CAACvC,WAAW,CAAC;MAC3C;MAEA,MAAM+D,UAAU,GAAG/D,WAAW,EAAE+D,UAAU,IAAI3C,YAAY,EAAE2C,UAAU;MACtE,IAAI,IAAI,CAACxF,OAAO,CAACkE,IAAI,IAAIsB,UAAU,EAAE;QACnC,MAAM,IAAAC,sBAAgB,EAACD,UAAU,CAAC;MACpC;MAEA,MAAMT,SAAS,GAAG,IAAI,CAACN,qBAAqB,CAAC;QAAE,GAAGzE,OAAO;QAAE0E;MAAsB,CAAC,CAAC;MACnF;MACA;MACA,IAAI,CAACK,SAAS,EAAE;QACd;QACA,MAAMW,aAAa,GAAG,MAAM,IAAI,CAACC,YAAY,EAAE,CAAC,CAAG;QACnD,MAAMC,WAAW,GAAG,IAAIC,GAAG,CAACnB,qBAAqB,IAAIQ,UAAU,CAAC,CAAC,CAAC;QAClE,IAAIP,KAAK,EAAE;UACTiB,WAAW,CAACE,YAAY,CAACC,MAAM,CAAC,OAAO,EAAEpB,KAAK,CAAC;QACjD;QACA,IAAID,qBAAqB,KAAKY,UAAU,EAAE;UACxC;UACAH,MAAM,CAACC,QAAQ,CAACG,IAAI,GAAGK,WAAW,CAACL,IAAI;QACzC,CAAC,MAAM;UACLJ,MAAM,CAACC,QAAQ,CAACtF,MAAM,CAAC8F,WAAW,CAACL,IAAI,CAAC;QAC1C;QACA,OAAOG,aAAa;MACtB,CAAC,MAAM;QACL,IAAI1F,OAAO,CAACgG,yBAAyB,EAAE;UACrC;UACA,IAAI,CAACpF,YAAY,CAACK,KAAK,EAAE;QAC3B,CAAC,MAAM;UACL,IAAI,CAACL,YAAY,CAACqF,qBAAqB,EAAE;QAC3C;QACA;QACAd,MAAM,CAACC,QAAQ,CAACtF,MAAM,CAACiF,SAAS,CAAC;QACjC,OAAO,IAAI;MACb;IACF;IAEA,MAAMmB,2BAA2B,CAAE7D,MAAmB,EAAwB;MAC5E,IAAI,CAAC,IAAI,CAACrC,OAAO,CAACkE,IAAI,EAAE;QACtB,MAAM,IAAIiC,oBAAY,CAAC,iDAAiD,CAAC;MAC3E;MAEA,IAAI;QAAE1E;MAAY,CAAC,GAAGY,MAAM;MAC5B,IAAI,CAACZ,WAAW,EAAE;QAChBA,WAAW,GAAI,IAAI,CAACb,YAAY,CAACc,aAAa,EAAE,CAAED,WAAW;MAC/D;MAEA,IAAI,CAACA,WAAW,EAAE;QAChB,MAAM,IAAI0E,oBAAY,CAAC,kDAAkD,CAAC;MAC5E;MAEA,MAAMC,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAAC5E,WAAW,EAAE+D,UAAU,CAAC;MAC1D,MAAMc,KAAK,GAAG,MAAM,IAAAC,uBAAiB,EAAC;QAAC,GAAGlE,MAAM;QAAE+D,OAAO;QAAE3E,WAAW,EAAEA,WAAW,CAACA;MAAW,CAAC,CAAC;MACjG,OAAO;QACL+E,aAAa,EAAG,QAAO/E,WAAW,CAACA,WAAY,EAAC;QAChDgF,IAAI,EAAEH;MACR,CAAC;IACH;IAEA,MAAMI,gBAAgB,CAAEC,QAAQ,GAAC,KAAK,EAAiB;MACrD,IAAIA,QAAQ,EAAE;QACZ,OAAO,IAAAC,0BAAoB,GAAE;MAC/B;MAEA,MAAMvD,MAAM,GAAG,MAAM,IAAI,CAACzC,YAAY,CAACkD,SAAS,EAAE;MAClD,MAAMsC,OAAO,GAAG/C,MAAM,CAAC5B,WAAW,EAAE+D,UAAU,IAAInC,MAAM
,CAACR,YAAY,EAAE2C,UAAU;MAEjF,IAAIY,OAAO,EAAE;QACX,MAAM,IAAAX,sBAAgB,EAACW,OAAO,CAAC;MACjC;IACF;IAEAS,sBAAsB,CAAEC,OAAoB,EAAiB;MAC3D,MAAMC,OAAO,GAAGC,oBAAY,CAACC,wBAAwB,CAACH,OAAO,CAAC;MAC9D,MAAMI,MAAM,GAAGF,oBAAY,CAACG,WAAW,CAACJ,OAAO,IAAI,EAAE,CAAC;MACtD,IAAI,IAAAK,sBAAgB,EAACF,MAAM,CAAC,EAAE;QAC5B,IAAIG,KAAoB,GAAG,IAAI;QAC/B,IAAI,IAAAC,gBAAU,EAAER,OAAO,EAAcS,GAAG,CAAC,EAAE;UACzCF,KAAK,GAAIP,OAAO,CAAaS,GAAG,CAAC,YAAY,CAAC;QAChD;QACAF,KAAK,GAAGA,KAAK,IAAIP,OAAO,CAAC,YAAY,CAAC,IAAIA,OAAO,CAAC,YAAY,CAAC;QAC/D,OAAOO,KAAK;MACd;MAEA,OAAO,IAAI;IACb;EACF,CAAC,kDAvX4BG,MAAM;AAyXrC"}
|
|
@@ -36,7 +36,7 @@ function assertValidConfig(args) {
|
|
|
36
36
|
if (!isUrlRegex.test(issuer)) {
|
|
37
37
|
throw new _AuthSdkError.default('Issuer must be a valid URL. ' + 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com/oauth2/{authServerId}"})');
|
|
38
38
|
}
|
|
39
|
-
if (issuer.indexOf('-admin.') !== -1) {
|
|
39
|
+
if (issuer.indexOf('-admin.okta') !== -1) {
|
|
40
40
|
throw new _AuthSdkError.default('Issuer URL passed to constructor contains "-admin" in subdomain. ' + 'Required usage: new OktaAuth({issuer: "https://{yourOktaDomain}.com})');
|
|
41
41
|
}
|
|
42
42
|
}
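Review bot: The narrowed guard at new line 39 still runs `indexOf` over the whole issuer string instead of the parsed hostname, so the match depends on where the text sits and on its letter case rather than on the host the error message describes. An issuer whose path happens to contain `-admin.okta` is rejected, while a host spelled `-Admin.okta` would pass unless `isUrlRegex` (defined outside this hunk) already rules it out. Comparing the normalised host keeps the check aligned with the message: `const host = new URL(issuer).hostname;` followed by `if (host.indexOf('-admin.okta') !== -1) {`. A one-line comment such as `// reject only Okta-hosted admin domains; custom domains may legitimately contain "-admin."` would record why the literal was narrowed, if that is the intent. assertValidConfig starts before this hunk, so any earlier normalisation of `issuer` is not visible here.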
|
|
@@ -80,6 +80,8 @@ function createOAuthOptionsConstructor() {
|
|
|
80
80
|
this.codeChallengeMethod = options.codeChallengeMethod;
|
|
81
81
|
this.acrValues = options.acrValues;
|
|
82
82
|
this.maxAge = options.maxAge;
|
|
83
|
+
this.dpop = options.dpop === true; // dpop defaults to false
|
|
84
|
+
|
|
83
85
|
this.tokenManager = options.tokenManager;
|
|
84
86
|
this.postLogoutRedirectUri = options.postLogoutRedirectUri;
|
|
85
87
|
this.restoreOriginalUri = options.restoreOriginalUri;
|