@okta/okta-auth-js 7.5.1 → 7.7.0

package/cjs/oidc/options/OAuthOptionsConstructor.js.map

@@ -1 +1 @@
-{"version":3,"file":"OAuthOptionsConstructor.js","names":["assertValidConfig","args","scopes","Array","isArray","AuthSdkError","issuer","isUrlRegex","RegExp","test","indexOf","createOAuthOptionsConstructor","HttpOptionsConstructor","createHttpOptionsConstructor","OAuthOptionsConstructor","constructor","options","removeTrailingSlash","tokenUrl","authorizeUrl","userinfoUrl","revokeUrl","logoutUrl","pkce","clientId","redirectUri","isBrowser","toAbsoluteUrl","window","location","origin","responseType","responseMode","state","ignoreSignature","codeChallenge","codeChallengeMethod","acrValues","maxAge","tokenManager","postLogoutRedirectUri","restoreOriginalUri","transactionManager","enableSharedStorage","clientSecret","setLocation","ignoreLifetime","maxClockSkew","DEFAULT_MAX_CLOCK_SKEW"],"sources":["../../../../lib/oidc/options/OAuthOptionsConstructor.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { DEFAULT_MAX_CLOCK_SKEW } from '../../constants';\nimport { removeTrailingSlash, toAbsoluteUrl } from '../../util/url';\nimport { isBrowser } from '../../features';\nimport { createHttpOptionsConstructor } from '../../http/options';\nimport {\n  OAuthResponseMode,\n  OAuthResponseType,\n  OktaAuthOAuthInterface,\n  OktaAuthOAuthOptions,\n  SetLocationFunction,\n  TokenManagerOptions,\n  TransactionManagerOptions\n} from '../types';\nimport { enableSharedStorage } from './node';\nimport AuthSdkError from '../../errors/AuthSdkError';\n\nfunction assertValidConfig(args) {\n  args = args || {};\n\n  var scopes = args.scopes;\n  if (scopes && !Array.isArray(scopes)) {\n    throw new AuthSdkError('scopes must be a array of strings. ' +\n      'Required usage: new OktaAuth({scopes: [\"openid\", \"email\"]})');\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  var issuer = args.issuer!;\n  if (!issuer) {\n    throw new AuthSdkError('No issuer passed to constructor. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  var isUrlRegex = new RegExp('^http?s?://.+');\n  if (!isUrlRegex.test(issuer)) {\n    throw new AuthSdkError('Issuer must be a valid URL. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  if (issuer.indexOf('-admin.') !== -1) {\n    throw new AuthSdkError('Issuer URL passed to constructor contains \"-admin\" in subdomain. ' +\n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com})');\n  }\n}\n\nexport function createOAuthOptionsConstructor() {\n  const HttpOptionsConstructor = createHttpOptionsConstructor();\n  return class OAuthOptionsConstructor\n    extends HttpOptionsConstructor\n    implements Required<OktaAuthOAuthOptions>\n  {\n    // CustomUrls\n    issuer: string;\n    authorizeUrl: string;\n    userinfoUrl: string;\n    tokenUrl: string;\n    revokeUrl: string;\n    logoutUrl: string;\n    \n    // TokenParams\n    pkce: boolean;\n    clientId: string;\n    redirectUri: string;\n    responseType: OAuthResponseType | OAuthResponseType[];\n    responseMode: OAuthResponseMode;\n    state: string;\n    scopes: string[];\n    ignoreSignature: boolean;\n    codeChallenge: string;\n    codeChallengeMethod: string;\n    acrValues: string;\n    maxAge: string | number;\n\n    // Additional options\n    tokenManager: TokenManagerOptions;\n    postLogoutRedirectUri: string;\n    restoreOriginalUri: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n    transactionManager: TransactionManagerOptions;\n\n    // For server-side web applications ONLY!\n    clientSecret: string;\n    setLocation: SetLocationFunction;\n\n    // Workaround for bad client time/clock\n    ignoreLifetime: boolean;\n    maxClockSkew: number;\n\n\n    // eslint-disable-next-line max-statements\n    constructor(options: any) {\n      super(options);\n      \n      assertValidConfig(options);\n      \n      this.issuer = removeTrailingSlash(options.issuer);\n      this.tokenUrl = removeTrailingSlash(options.tokenUrl);\n      this.authorizeUrl = removeTrailingSlash(options.authorizeUrl);\n      this.userinfoUrl = removeTrailingSlash(options.userinfoUrl);\n      this.revokeUrl = removeTrailingSlash(options.revokeUrl);\n      this.logoutUrl = removeTrailingSlash(options.logoutUrl);\n\n      this.pkce = options.pkce === false ? false : true; // PKCE defaults to true\n      this.clientId = options.clientId;\n      this.redirectUri = options.redirectUri;\n      if (isBrowser()) {\n        this.redirectUri = toAbsoluteUrl(options.redirectUri, window.location.origin); // allow relative URIs\n      }\n      this.responseType = options.responseType;\n      this.responseMode = options.responseMode;\n      this.state = options.state;\n      this.scopes = options.scopes;\n      // Give the developer the ability to disable token signature validation.\n      this.ignoreSignature = !!options.ignoreSignature;\n      this.codeChallenge = options.codeChallenge;\n      this.codeChallengeMethod = options.codeChallengeMethod;\n      this.acrValues = options.acrValues;\n      this.maxAge = options.maxAge;\n\n      this.tokenManager = options.tokenManager;\n      this.postLogoutRedirectUri = options.postLogoutRedirectUri;\n      this.restoreOriginalUri = options.restoreOriginalUri;\n      this.transactionManager = { enableSharedStorage, ...options.transactionManager };\n      \n      this.clientSecret = options.clientSecret;\n      this.setLocation = options.setLocation;\n      \n      // As some end user's devices can have their date \n      // and time incorrectly set, allow for the disabling\n      // of the jwt liftetime validation\n      this.ignoreLifetime = !!options.ignoreLifetime;\n\n      // Digital clocks will drift over time, so the server\n      // can misalign with the time reported by the browser.\n      // The maxClockSkew allows relaxing the time-based\n      // validation of tokens (in seconds, not milliseconds).\n      // It currently defaults to 300, because 5 min is the\n      // default maximum tolerance allowed by Kerberos.\n      // (https://technet.microsoft.com/en-us/library/cc976357.aspx)\n      if (!options.maxClockSkew && options.maxClockSkew !== 0) {\n        this.maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;\n      } else {\n        this.maxClockSkew = options.maxClockSkew;\n      }\n\n    }\n  };\n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AAUA;AACA;AA1BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAkBA,SAASA,iBAAiB,CAACC,IAAI,EAAE;EAC/BA,IAAI,GAAGA,IAAI,IAAI,CAAC,CAAC;EAEjB,IAAIC,MAAM,GAAGD,IAAI,CAACC,MAAM;EACxB,IAAIA,MAAM,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,MAAM,CAAC,EAAE;IACpC,MAAM,IAAIG,qBAAY,CAAC,qCAAqC,GAC1D,6DAA6D,CAAC;EAClE;;EAEA;EACA,IAAIC,MAAM,GAAGL,IAAI,CAACK,MAAO;EACzB,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,qBAAY,CAAC,mCAAmC,GACxD,8FAA8F,CAAC;EACnG;EAEA,IAAIE,UAAU,GAAG,IAAIC,MAAM,CAAC,eAAe,CAAC;EAC5C,IAAI,CAACD,UAAU,CAACE,IAAI,CAACH,MAAM,CAAC,EAAE;IAC5B,MAAM,IAAID,qBAAY,CAAC,8BAA8B,GACnD,8FAA8F,CAAC;EACnG;EAEA,IAAIC,MAAM,CAACI,OAAO,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE;IACpC,MAAM,IAAIL,qBAAY,CAAC,mEAAmE,GACxF,uEAAuE,CAAC;EAC5E;AACF;AAEO,SAASM,6BAA6B,GAAG;EAC9C,MAAMC,sBAAsB,GAAG,IAAAC,qCAA4B,GAAE;EAC7D,OAAO,MAAMC,uBAAuB,SAC1BF,sBAAsB,CAEhC;IACE;;IAQA;;IAcA;;IAMA;;IAIA;;IAKA;IACAG,WAAW,CAACC,OAAY,EAAE;MACxB,KAAK,CAACA,OAAO,CAAC;MAEdhB,iBAAiB,CAACgB,OAAO,CAAC;MAE1B,IAAI,CAACV,MAAM,GAAG,IAAAW,wBAAmB,EAACD,OAAO,CAACV,MAAM,CAAC;MACjD,IAAI,CAACY,QAAQ,GAAG,IAAAD,wBAAmB,EAACD,OAAO,CAACE,QAAQ,CAAC;MACrD,IAAI,CAACC,YAAY,GAAG,IAAAF,wBAAmB,EAACD,OAAO,CAACG,YAAY,CAAC;MAC7D,IAAI,CAACC,WAAW,GAAG,IAAAH,wBAAmB,EAACD,OAAO,CAACI,WAAW,CAAC;MAC3D,IAAI,CAACC,SAAS,GAAG,IAAAJ,wBAAmB,EAACD,OAAO,CAACK,SAAS,CAAC;MACvD,IAAI,CAACC,SAAS,GAAG,IAAAL,wBAAmB,EAACD,OAAO,CAACM,SAAS,CAAC;MAEvD,IAAI,CAACC,IAAI,GAAGP,OAAO,CAACO,IAAI,KAAK,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;MACnD,IAAI,CAACC,QAAQ,GAAGR,OAAO,CAACQ,QAAQ;MAChC,IAAI,CAACC,WAAW,GAAGT,OAAO,CAACS,WAAW;MACtC,IAAI,IAAAC,mBAAS,GAAE,EAAE;QACf,IAAI,CAACD,WAAW,GAAG,IAAAE,kBAAa,EAACX,OAAO,CAACS,WAAW,EAAEG,MAAM,CAACC,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC;MACjF;;MACA,IAAI,CAACC,YAAY,GAAGf,OAAO,CAACe,YAAY;MACxC,IAAI,CAACC,YAAY,GAAGhB,OAAO,CAACgB,YAAY;MACxC,IAAI,CAACC,KAAK,GAAGjB,OAAO,CAACiB,KAAK;MAC1B,IAAI,CAAC/B,MAAM,GAAGc,OAAO,CAACd,MAAM;MAC5B;MACA,IAAI,CAACgC,eAAe,GAAG,CAAC,CAAClB,OAAO,CAACkB,eAAe;MAChD,IAAI,CAACC,aAAa,GAAGnB,OAAO,CAACmB,aAAa;MAC1C,IAAI,CAACC,mBAAmB,GAAGpB,OAAO,CAACoB,mBAAmB;MACtD,IAAI,CAACC,SAAS,GAAGrB,OAAO,CAACqB,SAAS;MAClC,IAAI,CAACC,MAAM,GAAGtB,OAAO,CAACsB,MAAM;MAE5B,IAAI,CAACC,YAAY,GAAGvB,OAAO,CAACuB,YAAY;MACxC,IAAI,CAACC,qBAAqB,GAAGxB,OAAO,CAACwB,qBAAqB;MAC1D,IAAI,CAACC,kBAAkB,GAAGzB,OAAO,CAACyB,kBAAkB;MACpD,IAAI,CAACC,kBAAkB,GAAG;QAAEC,mBAAmB,EAAnBA,yBAAmB;QAAE,GAAG3B,OAAO,CAAC0B;MAAmB,CAAC;MAEhF,IAAI,CAACE,YAAY,GAAG5B,OAAO,CAAC4B,YAAY;MACxC,IAAI,CAACC,WAAW,GAAG7B,OAAO,CAAC6B,WAAW;;MAEtC;MACA;MACA;MACA,IAAI,CAACC,cAAc,GAAG,CAAC,CAAC9B,OAAO,CAAC8B,cAAc;;MAE9C;MACA;MACA;MACA;MACA;MACA;MACA;MACA,IAAI,CAAC9B,OAAO,CAAC+B,YAAY,IAAI/B,OAAO,CAAC+B,YAAY,KAAK,CAAC,EAAE;QACvD,IAAI,CAACA,YAAY,GAAGC,iCAAsB;MAC5C,CAAC,MAAM;QACL,IAAI,CAACD,YAAY,GAAG/B,OAAO,CAAC+B,YAAY;MAC1C;IAEF;EACF,CAAC;AACH"}
+{"version":3,"file":"OAuthOptionsConstructor.js","names":["assertValidConfig","args","scopes","Array","isArray","AuthSdkError","issuer","isUrlRegex","RegExp","test","indexOf","createOAuthOptionsConstructor","HttpOptionsConstructor","createHttpOptionsConstructor","OAuthOptionsConstructor","constructor","options","removeTrailingSlash","tokenUrl","authorizeUrl","userinfoUrl","revokeUrl","logoutUrl","pkce","clientId","redirectUri","isBrowser","toAbsoluteUrl","window","location","origin","responseType","responseMode","state","ignoreSignature","codeChallenge","codeChallengeMethod","acrValues","maxAge","dpop","tokenManager","postLogoutRedirectUri","restoreOriginalUri","transactionManager","enableSharedStorage","clientSecret","setLocation","ignoreLifetime","maxClockSkew","DEFAULT_MAX_CLOCK_SKEW"],"sources":["../../../../lib/oidc/options/OAuthOptionsConstructor.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { DEFAULT_MAX_CLOCK_SKEW } from '../../constants';\nimport { removeTrailingSlash, toAbsoluteUrl } from '../../util/url';\nimport { isBrowser } from '../../features';\nimport { createHttpOptionsConstructor } from '../../http/options';\nimport {\n  OAuthResponseMode,\n  OAuthResponseType,\n  OktaAuthOAuthInterface,\n  OktaAuthOAuthOptions,\n  SetLocationFunction,\n  TokenManagerOptions,\n  TransactionManagerOptions\n} from '../types';\nimport { enableSharedStorage } from './node';\nimport AuthSdkError from '../../errors/AuthSdkError';\n\nfunction assertValidConfig(args) {\n  args = args || {};\n\n  var scopes = args.scopes;\n  if (scopes && !Array.isArray(scopes)) {\n    throw new AuthSdkError('scopes must be a array of strings. ' +\n      'Required usage: new OktaAuth({scopes: [\"openid\", \"email\"]})');\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  var issuer = args.issuer!;\n  if (!issuer) {\n    throw new AuthSdkError('No issuer passed to constructor. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  var isUrlRegex = new RegExp('^http?s?://.+');\n  if (!isUrlRegex.test(issuer)) {\n    throw new AuthSdkError('Issuer must be a valid URL. ' + \n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com/oauth2/{authServerId}\"})');\n  }\n\n  if (issuer.indexOf('-admin.okta') !== -1) {\n    throw new AuthSdkError('Issuer URL passed to constructor contains \"-admin\" in subdomain. ' +\n      'Required usage: new OktaAuth({issuer: \"https://{yourOktaDomain}.com})');\n  }\n}\n\nexport function createOAuthOptionsConstructor() {\n  const HttpOptionsConstructor = createHttpOptionsConstructor();\n  return class OAuthOptionsConstructor\n    extends HttpOptionsConstructor\n    implements Required<OktaAuthOAuthOptions>\n  {\n    // CustomUrls\n    issuer: string;\n    authorizeUrl: string;\n    userinfoUrl: string;\n    tokenUrl: string;\n    revokeUrl: string;\n    logoutUrl: string;\n    \n    // TokenParams\n    pkce: boolean;\n    clientId: string;\n    redirectUri: string;\n    responseType: OAuthResponseType | OAuthResponseType[];\n    responseMode: OAuthResponseMode;\n    state: string;\n    scopes: string[];\n    ignoreSignature: boolean;\n    codeChallenge: string;\n    codeChallengeMethod: string;\n    acrValues: string;\n    maxAge: string | number;\n    dpop: boolean;\n\n    // Additional options\n    tokenManager: TokenManagerOptions;\n    postLogoutRedirectUri: string;\n    restoreOriginalUri: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n    transactionManager: TransactionManagerOptions;\n\n    // For server-side web applications ONLY!\n    clientSecret: string;\n    setLocation: SetLocationFunction;\n\n    // Workaround for bad client time/clock\n    ignoreLifetime: boolean;\n    maxClockSkew: number;\n\n\n    // eslint-disable-next-line max-statements\n    constructor(options: any) {\n      super(options);\n      \n      assertValidConfig(options);\n      \n      this.issuer = removeTrailingSlash(options.issuer);\n      this.tokenUrl = removeTrailingSlash(options.tokenUrl);\n      this.authorizeUrl = removeTrailingSlash(options.authorizeUrl);\n      this.userinfoUrl = removeTrailingSlash(options.userinfoUrl);\n      this.revokeUrl = removeTrailingSlash(options.revokeUrl);\n      this.logoutUrl = removeTrailingSlash(options.logoutUrl);\n\n      this.pkce = options.pkce === false ? false : true; // PKCE defaults to true\n      this.clientId = options.clientId;\n      this.redirectUri = options.redirectUri;\n      if (isBrowser()) {\n        this.redirectUri = toAbsoluteUrl(options.redirectUri, window.location.origin); // allow relative URIs\n      }\n      this.responseType = options.responseType;\n      this.responseMode = options.responseMode;\n      this.state = options.state;\n      this.scopes = options.scopes;\n      // Give the developer the ability to disable token signature validation.\n      this.ignoreSignature = !!options.ignoreSignature;\n      this.codeChallenge = options.codeChallenge;\n      this.codeChallengeMethod = options.codeChallengeMethod;\n      this.acrValues = options.acrValues;\n      this.maxAge = options.maxAge;\n      this.dpop = options.dpop === true; // dpop defaults to false\n\n      this.tokenManager = options.tokenManager;\n      this.postLogoutRedirectUri = options.postLogoutRedirectUri;\n      this.restoreOriginalUri = options.restoreOriginalUri;\n      this.transactionManager = { enableSharedStorage, ...options.transactionManager };\n      \n      this.clientSecret = options.clientSecret;\n      this.setLocation = options.setLocation;\n      \n      // As some end user's devices can have their date \n      // and time incorrectly set, allow for the disabling\n      // of the jwt liftetime validation\n      this.ignoreLifetime = !!options.ignoreLifetime;\n\n      // Digital clocks will drift over time, so the server\n      // can misalign with the time reported by the browser.\n      // The maxClockSkew allows relaxing the time-based\n      // validation of tokens (in seconds, not milliseconds).\n      // It currently defaults to 300, because 5 min is the\n      // default maximum tolerance allowed by Kerberos.\n      // (https://technet.microsoft.com/en-us/library/cc976357.aspx)\n      if (!options.maxClockSkew && options.maxClockSkew !== 0) {\n        this.maxClockSkew = DEFAULT_MAX_CLOCK_SKEW;\n      } else {\n        this.maxClockSkew = options.maxClockSkew;\n      }\n\n    }\n  };\n}\n"],"mappings":";;;;AAYA;AACA;AACA;AACA;AAUA;AACA;AA1BA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAkBA,SAASA,iBAAiB,CAACC,IAAI,EAAE;EAC/BA,IAAI,GAAGA,IAAI,IAAI,CAAC,CAAC;EAEjB,IAAIC,MAAM,GAAGD,IAAI,CAACC,MAAM;EACxB,IAAIA,MAAM,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,MAAM,CAAC,EAAE;IACpC,MAAM,IAAIG,qBAAY,CAAC,qCAAqC,GAC1D,6DAA6D,CAAC;EAClE;;EAEA;EACA,IAAIC,MAAM,GAAGL,IAAI,CAACK,MAAO;EACzB,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,qBAAY,CAAC,mCAAmC,GACxD,8FAA8F,CAAC;EACnG;EAEA,IAAIE,UAAU,GAAG,IAAIC,MAAM,CAAC,eAAe,CAAC;EAC5C,IAAI,CAACD,UAAU,CAACE,IAAI,CAACH,MAAM,CAAC,EAAE;IAC5B,MAAM,IAAID,qBAAY,CAAC,8BAA8B,GACnD,8FAA8F,CAAC;EACnG;EAEA,IAAIC,MAAM,CAACI,OAAO,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,EAAE;IACxC,MAAM,IAAIL,qBAAY,CAAC,mEAAmE,GACxF,uEAAuE,CAAC;EAC5E;AACF;AAEO,SAASM,6BAA6B,GAAG;EAC9C,MAAMC,sBAAsB,GAAG,IAAAC,qCAA4B,GAAE;EAC7D,OAAO,MAAMC,uBAAuB,SAC1BF,sBAAsB,CAEhC;IACE;;IAQA;;IAeA;;IAMA;;IAIA;;IAKA;IACAG,WAAW,CAACC,OAAY,EAAE;MACxB,KAAK,CAACA,OAAO,CAAC;MAEdhB,iBAAiB,CAACgB,OAAO,CAAC;MAE1B,IAAI,CAACV,MAAM,GAAG,IAAAW,wBAAmB,EAACD,OAAO,CAACV,MAAM,CAAC;MACjD,IAAI,CAACY,QAAQ,GAAG,IAAAD,wBAAmB,EAACD,OAAO,CAACE,QAAQ,CAAC;MACrD,IAAI,CAACC,YAAY,GAAG,IAAAF,wBAAmB,EAACD,OAAO,CAACG,YAAY,CAAC;MAC7D,IAAI,CAACC,WAAW,GAAG,IAAAH,wBAAmB,EAACD,OAAO,CAACI,WAAW,CAAC;MAC3D,IAAI,CAACC,SAAS,GAAG,IAAAJ,wBAAmB,EAACD,OAAO,CAACK,SAAS,CAAC;MACvD,IAAI,CAACC,SAAS,GAAG,IAAAL,wBAAmB,EAACD,OAAO,CAACM,SAAS,CAAC;MAEvD,IAAI,CAACC,IAAI,GAAGP,OAAO,CAACO,IAAI,KAAK,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,CAAC;MACnD,IAAI,CAACC,QAAQ,GAAGR,OAAO,CAACQ,QAAQ;MAChC,IAAI,CAACC,WAAW,GAAGT,OAAO,CAACS,WAAW;MACtC,IAAI,IAAAC,mBAAS,GAAE,EAAE;QACf,IAAI,CAACD,WAAW,GAAG,IAAAE,kBAAa,EAACX,OAAO,CAACS,WAAW,EAAEG,MAAM,CAACC,QAAQ,CAACC,MAAM,CAAC,CAAC,CAAC;MACjF;;MACA,IAAI,CAACC,YAAY,GAAGf,OAAO,CAACe,YAAY;MACxC,IAAI,CAACC,YAAY,GAAGhB,OAAO,CAACgB,YAAY;MACxC,IAAI,CAACC,KAAK,GAAGjB,OAAO,CAACiB,KAAK;MAC1B,IAAI,CAAC/B,MAAM,GAAGc,OAAO,CAACd,MAAM;MAC5B;MACA,IAAI,CAACgC,eAAe,GAAG,CAAC,CAAClB,OAAO,CAACkB,eAAe;MAChD,IAAI,CAACC,aAAa,GAAGnB,OAAO,CAACmB,aAAa;MAC1C,IAAI,CAACC,mBAAmB,GAAGpB,OAAO,CAACoB,mBAAmB;MACtD,IAAI,CAACC,SAAS,GAAGrB,OAAO,CAACqB,SAAS;MAClC,IAAI,CAACC,MAAM,GAAGtB,OAAO,CAACsB,MAAM;MAC5B,IAAI,CAACC,IAAI,GAAGvB,OAAO,CAACuB,IAAI,KAAK,IAAI,CAAC,CAAC;;MAEnC,IAAI,CAACC,YAAY,GAAGxB,OAAO,CAACwB,YAAY;MACxC,IAAI,CAACC,qBAAqB,GAAGzB,OAAO,CAACyB,qBAAqB;MAC1D,IAAI,CAACC,kBAAkB,GAAG1B,OAAO,CAAC0B,kBAAkB;MACpD,IAAI,CAACC,kBAAkB,GAAG;QAAEC,mBAAmB,EAAnBA,yBAAmB;QAAE,GAAG5B,OAAO,CAAC2B;MAAmB,CAAC;MAEhF,IAAI,CAACE,YAAY,GAAG7B,OAAO,CAAC6B,YAAY;MACxC,IAAI,CAACC,WAAW,GAAG9B,OAAO,CAAC8B,WAAW;;MAEtC;MACA;MACA;MACA,IAAI,CAACC,cAAc,GAAG,CAAC,CAAC/B,OAAO,CAAC+B,cAAc;;MAE9C;MACA;MACA;MACA;MACA;MACA;MACA;MACA,IAAI,CAAC/B,OAAO,CAACgC,YAAY,IAAIhC,OAAO,CAACgC,YAAY,KAAK,CAAC,EAAE;QACvD,IAAI,CAACA,YAAY,GAAGC,iCAAsB;MAC5C,CAAC,MAAM;QACL,IAAI,CAACD,YAAY,GAAGhC,OAAO,CAACgC,YAAY;MAC1C;IAEF;EACF,CAAC;AACH"}

package/cjs/oidc/renewToken.js

@@ -57,14 +57,16 @@ async function renewToken(sdk, token) {
     scopes,
     authorizeUrl,
     userinfoUrl,
-    issuer
+    issuer,
+    dpopPairId
   } = token;
   return (0, _getWithoutPrompt.getWithoutPrompt)(sdk, {
     responseType,
     scopes,
     authorizeUrl,
     userinfoUrl,
-    issuer
+    issuer,
+    dpopPairId
   }).then(function (res) {
     return getSingleToken(token, res.tokens);
   });

package/cjs/oidc/renewToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewToken.js","names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","isIDToken","idToken","isAccessToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewToken.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, Token, Tokens, isAccessToken, AccessToken, IDToken, isIDToken } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\n\nfunction throwInvalidTokenError() {\n  throw new AuthSdkError(\n    'Renew must be passed a token with an array of scopes and an accessToken or idToken'\n  );\n}\n\n// Multiple tokens may have come back. Return only the token which was requested.\nfunction getSingleToken(originalToken: Token, tokens: Tokens) {\n  if (isIDToken(originalToken)) {\n    return tokens.idToken;\n  }\n  if (isAccessToken(originalToken)) {\n    return tokens.accessToken;\n  }\n  throwInvalidTokenError();\n}\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\nexport async function renewToken(sdk: OktaAuthOAuthInterface, token: Token): Promise<Token | undefined> {\n  if (!isIDToken(token) && !isAccessToken(token)) {\n    throwInvalidTokenError();\n  }\n\n  let tokens = sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    tokens = await renewTokensWithRefresh(sdk, {\n      scopes: token.scopes,\n    }, tokens.refreshToken);\n    return getSingleToken(token, tokens);\n  }\n\n  var responseType;\n  if (sdk.options.pkce) {\n    responseType = 'code';\n  } else if (isAccessToken(token)) {\n    responseType = 'token';\n  } else {\n    responseType = 'id_token';\n  }\n\n  const { scopes, authorizeUrl, userinfoUrl, issuer } = token as (AccessToken & IDToken);\n  return getWithoutPrompt(sdk, {\n    responseType,\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer\n  })\n    .then(function (res) {\n      return getSingleToken(token, res.tokens);\n    });\n}\n"],"mappings":";;;AAYA;AACA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA,SAASA,sBAAsB,GAAG;EAChC,MAAM,IAAIC,oBAAY,CACpB,oFAAoF,CACrF;AACH;;AAEA;AACA,SAASC,cAAc,CAACC,aAAoB,EAAEC,MAAc,EAAE;EAC5D,IAAI,IAAAC,gBAAS,EAACF,aAAa,CAAC,EAAE;IAC5B,OAAOC,MAAM,CAACE,OAAO;EACvB;EACA,IAAI,IAAAC,oBAAa,EAACJ,aAAa,CAAC,EAAE;IAChC,OAAOC,MAAM,CAACI,WAAW;EAC3B;EACAR,sBAAsB,EAAE;AAC1B;;AAEA;AACO,eAAeS,UAAU,CAACC,GAA2B,EAAEC,KAAY,EAA8B;EACtG,IAAI,CAAC,IAAAN,gBAAS,EAACM,KAAK,CAAC,IAAI,CAAC,IAAAJ,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC9CX,sBAAsB,EAAE;EAC1B;EAEA,IAAII,MAAM,GAAGM,GAAG,CAACE,YAAY,CAACC,aAAa,EAAE;EAC7C,IAAIT,MAAM,CAACU,YAAY,EAAE;IACvBV,MAAM,GAAG,MAAM,IAAAW,8CAAsB,EAACL,GAAG,EAAE;MACzCM,MAAM,EAAEL,KAAK,CAACK;IAChB,CAAC,EAAEZ,MAAM,CAACU,YAAY,CAAC;IACvB,OAAOZ,cAAc,CAACS,KAAK,EAAEP,MAAM,CAAC;EACtC;EAEA,IAAIa,YAAY;EAChB,IAAIP,GAAG,CAACQ,OAAO,CAACC,IAAI,EAAE;IACpBF,YAAY,GAAG,MAAM;EACvB,CAAC,MAAM,IAAI,IAAAV,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC/BM,YAAY,GAAG,OAAO;EACxB,CAAC,MAAM;IACLA,YAAY,GAAG,UAAU;EAC3B;EAEA,MAAM;IAAED,MAAM;IAAEI,YAAY;IAAEC,WAAW;IAAEC;EAAO,CAAC,GAAGX,KAAgC;EACtF,OAAO,IAAAY,kCAAgB,EAACb,GAAG,EAAE;IAC3BO,YAAY;IACZD,MAAM;IACNI,YAAY;IACZC,WAAW;IACXC;EACF,CAAC,CAAC,CACCE,IAAI,CAAC,UAAUC,GAAG,EAAE;IACnB,OAAOvB,cAAc,CAACS,KAAK,EAAEc,GAAG,CAACrB,MAAM,CAAC;EAC1C,CAAC,CAAC;AACN"}
+{"version":3,"file":"renewToken.js","names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","isIDToken","idToken","isAccessToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","dpopPairId","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewToken.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, Token, Tokens, isAccessToken, AccessToken, IDToken, isIDToken } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\n\nfunction throwInvalidTokenError() {\n  throw new AuthSdkError(\n    'Renew must be passed a token with an array of scopes and an accessToken or idToken'\n  );\n}\n\n// Multiple tokens may have come back. Return only the token which was requested.\nfunction getSingleToken(originalToken: Token, tokens: Tokens) {\n  if (isIDToken(originalToken)) {\n    return tokens.idToken;\n  }\n  if (isAccessToken(originalToken)) {\n    return tokens.accessToken;\n  }\n  throwInvalidTokenError();\n}\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\nexport async function renewToken(sdk: OktaAuthOAuthInterface, token: Token): Promise<Token | undefined> {\n  if (!isIDToken(token) && !isAccessToken(token)) {\n    throwInvalidTokenError();\n  }\n\n  let tokens = sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    tokens = await renewTokensWithRefresh(sdk, {\n      scopes: token.scopes,\n    }, tokens.refreshToken);\n    return getSingleToken(token, tokens);\n  }\n\n  var responseType;\n  if (sdk.options.pkce) {\n    responseType = 'code';\n  } else if (isAccessToken(token)) {\n    responseType = 'token';\n  } else {\n    responseType = 'id_token';\n  }\n\n  const { scopes, authorizeUrl, userinfoUrl, issuer, dpopPairId } = token as (AccessToken & IDToken);\n  return getWithoutPrompt(sdk, {\n    responseType,\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId\n  })\n    .then(function (res) {\n      return getSingleToken(token, res.tokens);\n    });\n}\n"],"mappings":";;;AAYA;AACA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA,SAASA,sBAAsB,GAAG;EAChC,MAAM,IAAIC,oBAAY,CACpB,oFAAoF,CACrF;AACH;;AAEA;AACA,SAASC,cAAc,CAACC,aAAoB,EAAEC,MAAc,EAAE;EAC5D,IAAI,IAAAC,gBAAS,EAACF,aAAa,CAAC,EAAE;IAC5B,OAAOC,MAAM,CAACE,OAAO;EACvB;EACA,IAAI,IAAAC,oBAAa,EAACJ,aAAa,CAAC,EAAE;IAChC,OAAOC,MAAM,CAACI,WAAW;EAC3B;EACAR,sBAAsB,EAAE;AAC1B;;AAEA;AACO,eAAeS,UAAU,CAACC,GAA2B,EAAEC,KAAY,EAA8B;EACtG,IAAI,CAAC,IAAAN,gBAAS,EAACM,KAAK,CAAC,IAAI,CAAC,IAAAJ,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC9CX,sBAAsB,EAAE;EAC1B;EAEA,IAAII,MAAM,GAAGM,GAAG,CAACE,YAAY,CAACC,aAAa,EAAE;EAC7C,IAAIT,MAAM,CAACU,YAAY,EAAE;IACvBV,MAAM,GAAG,MAAM,IAAAW,8CAAsB,EAACL,GAAG,EAAE;MACzCM,MAAM,EAAEL,KAAK,CAACK;IAChB,CAAC,EAAEZ,MAAM,CAACU,YAAY,CAAC;IACvB,OAAOZ,cAAc,CAACS,KAAK,EAAEP,MAAM,CAAC;EACtC;EAEA,IAAIa,YAAY;EAChB,IAAIP,GAAG,CAACQ,OAAO,CAACC,IAAI,EAAE;IACpBF,YAAY,GAAG,MAAM;EACvB,CAAC,MAAM,IAAI,IAAAV,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC/BM,YAAY,GAAG,OAAO;EACxB,CAAC,MAAM;IACLA,YAAY,GAAG,UAAU;EAC3B;EAEA,MAAM;IAAED,MAAM;IAAEI,YAAY;IAAEC,WAAW;IAAEC,MAAM;IAAEC;EAAW,CAAC,GAAGZ,KAAgC;EAClG,OAAO,IAAAa,kCAAgB,EAACd,GAAG,EAAE;IAC3BO,YAAY;IACZD,MAAM;IACNI,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC;EACF,CAAC,CAAC,CACCE,IAAI,CAAC,UAAUC,GAAG,EAAE;IACnB,OAAOxB,cAAc,CAACS,KAAK,EAAEe,GAAG,CAACtB,MAAM,CAAC;EAC1C,CAAC,CAAC;AACN"}

package/cjs/oidc/renewTokens.js

@@ -40,13 +40,15 @@ async function renewTokens(sdk, options) {
   }
   const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;
   const issuer = idToken.issuer || sdk.options.issuer;
+  const dpopPairId = accessToken?.dpopPairId;
 
   // Get tokens using the SSO cookie
   options = Object.assign({
     scopes,
     authorizeUrl,
     userinfoUrl,
-    issuer
+    issuer,
+    dpopPairId
   }, options);
   if (sdk.options.pkce) {
     options.responseType = 'code';

package/cjs/oidc/renewTokens.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewTokens.js","names":["renewTokens","sdk","options","tokens","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","accessToken","idToken","AuthSdkError","scopes","authorizeUrl","userinfoUrl","issuer","Object","assign","pkce","responseType","getDefaultTokenParams","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewTokens.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { RenewTokensParams, Tokens } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nimport { getDefaultTokenParams } from './util';\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\n// eslint-disable-next-line complexity\nexport async function renewTokens(sdk, options?: RenewTokensParams): Promise<Tokens> {\n  const tokens = options?.tokens ?? sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    return renewTokensWithRefresh(sdk, options || {}, tokens.refreshToken);\n  }\n\n  if (!tokens.accessToken && !tokens.idToken) {\n    throw new AuthSdkError('renewTokens() was called but there is no existing token');\n  }\n\n  const accessToken = tokens.accessToken || {};\n  const idToken = tokens.idToken || {};\n  const scopes = accessToken.scopes || idToken.scopes;\n  if (!scopes) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read scopes');\n  }\n  const authorizeUrl = accessToken.authorizeUrl || idToken.authorizeUrl;\n  if (!authorizeUrl) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read authorizeUrl');\n  }\n  const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;\n  const issuer = idToken.issuer || sdk.options.issuer;\n\n  // Get tokens using the SSO cookie\n  options = Object.assign({\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer\n  }, options);\n\n  if (sdk.options.pkce) {\n    options.responseType = 'code';\n  } else {\n    const { responseType } = getDefaultTokenParams(sdk);\n    options.responseType = responseType;\n  }\n\n  return getWithoutPrompt(sdk, options)\n    .then(res => res.tokens);\n    \n}\n"],"mappings":";;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACO,eAAeA,WAAW,CAACC,GAAG,EAAEC,OAA2B,EAAmB;EACnF,MAAMC,MAAM,GAAGD,OAAO,EAAEC,MAAM,IAAIF,GAAG,CAACG,YAAY,CAACC,aAAa,EAAE;EAClE,IAAIF,MAAM,CAACG,YAAY,EAAE;IACvB,OAAO,IAAAC,8CAAsB,EAACN,GAAG,EAAEC,OAAO,IAAI,CAAC,CAAC,EAAEC,MAAM,CAACG,YAAY,CAAC;EACxE;EAEA,IAAI,CAACH,MAAM,CAACK,WAAW,IAAI,CAACL,MAAM,CAACM,OAAO,EAAE;IAC1C,MAAM,IAAIC,oBAAY,CAAC,yDAAyD,CAAC;EACnF;EAEA,MAAMF,WAAW,GAAGL,MAAM,CAACK,WAAW,IAAI,CAAC,CAAC;EAC5C,MAAMC,OAAO,GAAGN,MAAM,CAACM,OAAO,IAAI,CAAC,CAAC;EACpC,MAAME,MAAM,GAAGH,WAAW,CAACG,MAAM,IAAIF,OAAO,CAACE,MAAM;EACnD,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,oBAAY,CAAC,oDAAoD,CAAC;EAC9E;EACA,MAAME,YAAY,GAAGJ,WAAW,CAACI,YAAY,IAAIH,OAAO,CAACG,YAAY;EACrE,IAAI,CAACA,YAAY,EAAE;IACjB,MAAM,IAAIF,oBAAY,CAAC,0DAA0D,CAAC;EACpF;EACA,MAAMG,WAAW,GAAGL,WAAW,CAACK,WAAW,IAAIZ,GAAG,CAACC,OAAO,CAACW,WAAW;EACtE,MAAMC,MAAM,GAAGL,OAAO,CAACK,MAAM,IAAIb,GAAG,CAACC,OAAO,CAACY,MAAM;;EAEnD;EACAZ,OAAO,GAAGa,MAAM,CAACC,MAAM,CAAC;IACtBL,MAAM;IACNC,YAAY;IACZC,WAAW;IACXC;EACF,CAAC,EAAEZ,OAAO,CAAC;EAEX,IAAID,GAAG,CAACC,OAAO,CAACe,IAAI,EAAE;IACpBf,OAAO,CAACgB,YAAY,GAAG,MAAM;EAC/B,CAAC,MAAM;IACL,MAAM;MAAEA;IAAa,CAAC,GAAG,IAAAC,2BAAqB,EAAClB,GAAG,CAAC;IACnDC,OAAO,CAACgB,YAAY,GAAGA,YAAY;EACrC;EAEA,OAAO,IAAAE,kCAAgB,EAACnB,GAAG,EAAEC,OAAO,CAAC,CAClCmB,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACnB,MAAM,CAAC;AAE5B"}
+{"version":3,"file":"renewTokens.js","names":["renewTokens","sdk","options","tokens","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","accessToken","idToken","AuthSdkError","scopes","authorizeUrl","userinfoUrl","issuer","dpopPairId","Object","assign","pkce","responseType","getDefaultTokenParams","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewTokens.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { RenewTokensParams, Tokens } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nimport { getDefaultTokenParams } from './util';\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\n// eslint-disable-next-line complexity\nexport async function renewTokens(sdk, options?: RenewTokensParams): Promise<Tokens> {\n  const tokens = options?.tokens ?? sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    return renewTokensWithRefresh(sdk, options || {}, tokens.refreshToken);\n  }\n\n  if (!tokens.accessToken && !tokens.idToken) {\n    throw new AuthSdkError('renewTokens() was called but there is no existing token');\n  }\n\n  const accessToken = tokens.accessToken || {};\n  const idToken = tokens.idToken || {};\n  const scopes = accessToken.scopes || idToken.scopes;\n  if (!scopes) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read scopes');\n  }\n  const authorizeUrl = accessToken.authorizeUrl || idToken.authorizeUrl;\n  if (!authorizeUrl) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read authorizeUrl');\n  }\n  const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;\n  const issuer = idToken.issuer || sdk.options.issuer;\n  const dpopPairId = accessToken?.dpopPairId;\n\n  // Get tokens using the SSO cookie\n  options = Object.assign({\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId\n  }, options);\n\n  if (sdk.options.pkce) {\n    options.responseType = 'code';\n  } else {\n    const { responseType } = getDefaultTokenParams(sdk);\n    options.responseType = responseType;\n  }\n\n  return getWithoutPrompt(sdk, options)\n    .then(res => res.tokens);\n    \n}\n"],"mappings":";;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACO,eAAeA,WAAW,CAACC,GAAG,EAAEC,OAA2B,EAAmB;EACnF,MAAMC,MAAM,GAAGD,OAAO,EAAEC,MAAM,IAAIF,GAAG,CAACG,YAAY,CAACC,aAAa,EAAE;EAClE,IAAIF,MAAM,CAACG,YAAY,EAAE;IACvB,OAAO,IAAAC,8CAAsB,EAACN,GAAG,EAAEC,OAAO,IAAI,CAAC,CAAC,EAAEC,MAAM,CAACG,YAAY,CAAC;EACxE;EAEA,IAAI,CAACH,MAAM,CAACK,WAAW,IAAI,CAACL,MAAM,CAACM,OAAO,EAAE;IAC1C,MAAM,IAAIC,oBAAY,CAAC,yDAAyD,CAAC;EACnF;EAEA,MAAMF,WAAW,GAAGL,MAAM,CAACK,WAAW,IAAI,CAAC,CAAC;EAC5C,MAAMC,OAAO,GAAGN,MAAM,CAACM,OAAO,IAAI,CAAC,CAAC;EACpC,MAAME,MAAM,GAAGH,WAAW,CAACG,MAAM,IAAIF,OAAO,CAACE,MAAM;EACnD,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,oBAAY,CAAC,oDAAoD,CAAC;EAC9E;EACA,MAAME,YAAY,GAAGJ,WAAW,CAACI,YAAY,IAAIH,OAAO,CAACG,YAAY;EACrE,IAAI,CAACA,YAAY,EAAE;IACjB,MAAM,IAAIF,oBAAY,CAAC,0DAA0D,CAAC;EACpF;EACA,MAAMG,WAAW,GAAGL,WAAW,CAACK,WAAW,IAAIZ,GAAG,CAACC,OAAO,CAACW,WAAW;EACtE,MAAMC,MAAM,GAAGL,OAAO,CAACK,MAAM,IAAIb,GAAG,CAACC,OAAO,CAACY,MAAM;EACnD,MAAMC,UAAU,GAAGP,WAAW,EAAEO,UAAU;;EAE1C;EACAb,OAAO,GAAGc,MAAM,CAACC,MAAM,CAAC;IACtBN,MAAM;IACNC,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC;EACF,CAAC,EAAEb,OAAO,CAAC;EAEX,IAAID,GAAG,CAACC,OAAO,CAACgB,IAAI,EAAE;IACpBhB,OAAO,CAACiB,YAAY,GAAG,MAAM;EAC/B,CAAC,MAAM;IACL,MAAM;MAAEA;IAAa,CAAC,GAAG,IAAAC,2BAAqB,EAACnB,GAAG,CAAC;IACnDC,OAAO,CAACiB,YAAY,GAAGA,YAAY;EACrC;EAEA,OAAO,IAAAE,kCAAgB,EAACpB,GAAG,EAAEC,OAAO,CAAC,CAClCoB,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACpB,MAAM,CAAC;AAE5B"}

package/cjs/oidc/renewTokensWithRefresh.js

@@ -6,6 +6,7 @@ var _oauth = require("./util/oauth");
 var _refreshToken = require("./util/refreshToken");
 var _handleOAuthResponse = require("./handleOAuthResponse");
 var _token = require("./endpoints/token");
+var _dpop = require("./dpop");
 var _errors2 = require("./util/errors");
 /*!
  * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
@@ -22,7 +23,8 @@ var _errors2 = require("./util/errors");
 
 async function renewTokensWithRefresh(sdk, tokenParams, refreshTokenObject) {
   const {
-    clientId
+    clientId,
+    dpop
   } = sdk.options;
   if (!clientId) {
     throw new _errors.AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');
@@ -31,7 +33,16 @@ async function renewTokensWithRefresh(sdk, tokenParams, refreshTokenObject) {
     const renewTokenParams = Object.assign({}, tokenParams, {
       clientId
     });
-    const tokenResponse = await (0, _token.postRefreshToken)(sdk, renewTokenParams, refreshTokenObject);
+    const endpointParams = {
+      ...renewTokenParams
+    };
+    if (dpop) {
+      const keyPair = await (0, _dpop.findKeyPair)(refreshTokenObject?.dpopPairId); // will throw if KP cannot be found
+      endpointParams.dpopKeyPair = keyPair;
+      renewTokenParams.dpop = dpop;
+      renewTokenParams.dpopPairId = refreshTokenObject.dpopPairId;
+    }
+    const tokenResponse = await (0, _token.postRefreshToken)(sdk, endpointParams, refreshTokenObject);
     const urls = (0, _oauth.getOAuthUrls)(sdk, tokenParams);
     const {
       tokens

package/cjs/oidc/renewTokensWithRefresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewTokensWithRefresh.js","names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","options","AuthSdkError","renewTokenParams","Object","assign","tokenResponse","postRefreshToken","urls","getOAuthUrls","tokens","handleOAuthResponse","refreshToken","isSameRefreshToken","tokenManager","updateRefreshToken","err","isRefreshTokenInvalidError","removeRefreshToken"],"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { getOAuthUrls } from './util/oauth';\nimport { isSameRefreshToken } from './util/refreshToken';\nimport { OktaAuthOAuthInterface, TokenParams, RefreshToken, Tokens } from './types';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { postRefreshToken } from './endpoints/token';\nimport { isRefreshTokenInvalidError } from './util/errors';\n\nexport async function renewTokensWithRefresh(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  refreshTokenObject: RefreshToken\n): Promise<Tokens> {\n  const { clientId } = sdk.options;\n  if (!clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');\n  }\n\n  try {\n    const renewTokenParams: TokenParams = Object.assign({}, tokenParams, {\n      clientId,\n    });\n    const tokenResponse = await postRefreshToken(sdk, renewTokenParams, refreshTokenObject);\n    const urls = getOAuthUrls(sdk, tokenParams);\n    const { tokens } = await handleOAuthResponse(sdk, renewTokenParams, tokenResponse, urls);\n\n    // Support rotating refresh tokens\n    const { refreshToken } = tokens;\n    if (refreshToken && !isSameRefreshToken(refreshToken, refreshTokenObject)) {\n      sdk.tokenManager.updateRefreshToken(refreshToken);\n    }\n\n    return tokens;\n  }\n  catch (err) {\n    if (isRefreshTokenInvalidError(err)) {\n      // if the refresh token is invalid, remove it from storage\n      sdk.tokenManager.removeRefreshToken();\n    }\n    throw err;\n  }\n}\n"],"mappings":";;;AAYA;AACA;AACA;AAEA;AACA;AACA;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AASO,eAAeA,sBAAsB,CAC1CC,GAA2B,EAC3BC,WAAwB,EACxBC,kBAAgC,EACf;EACjB,MAAM;IAAEC;EAAS,CAAC,GAAGH,GAAG,CAACI,OAAO;EAChC,IAAI,CAACD,QAAQ,EAAE;IACb,MAAM,IAAIE,oBAAY,CAAC,0EAA0E,CAAC;EACpG;EAEA,IAAI;IACF,MAAMC,gBAA6B,GAAGC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAEP,WAAW,EAAE;MACnEE;IACF,CAAC,CAAC;IACF,MAAMM,aAAa,GAAG,MAAM,IAAAC,uBAAgB,EAACV,GAAG,EAAEM,gBAAgB,EAAEJ,kBAAkB,CAAC;IACvF,MAAMS,IAAI,GAAG,IAAAC,mBAAY,EAACZ,GAAG,EAAEC,WAAW,CAAC;IAC3C,MAAM;MAAEY;IAAO,CAAC,GAAG,MAAM,IAAAC,wCAAmB,EAACd,GAAG,EAAEM,gBAAgB,EAAEG,aAAa,EAAEE,IAAI,CAAC;;IAExF;IACA,MAAM;MAAEI;IAAa,CAAC,GAAGF,MAAM;IAC/B,IAAIE,YAAY,IAAI,CAAC,IAAAC,gCAAkB,EAACD,YAAY,EAAEb,kBAAkB,CAAC,EAAE;MACzEF,GAAG,CAACiB,YAAY,CAACC,kBAAkB,CAACH,YAAY,CAAC;IACnD;IAEA,OAAOF,MAAM;EACf,CAAC,CACD,OAAOM,GAAG,EAAE;IACV,IAAI,IAAAC,mCAA0B,EAACD,GAAG,CAAC,EAAE;MACnC;MACAnB,GAAG,CAACiB,YAAY,CAACI,kBAAkB,EAAE;IACvC;IACA,MAAMF,GAAG;EACX;AACF"}
+{"version":3,"file":"renewTokensWithRefresh.js","names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","dpop","options","AuthSdkError","renewTokenParams","Object","assign","endpointParams","keyPair","findKeyPair","dpopPairId","dpopKeyPair","tokenResponse","postRefreshToken","urls","getOAuthUrls","tokens","handleOAuthResponse","refreshToken","isSameRefreshToken","tokenManager","updateRefreshToken","err","isRefreshTokenInvalidError","removeRefreshToken"],"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { getOAuthUrls } from './util/oauth';\nimport { isSameRefreshToken } from './util/refreshToken';\nimport { OktaAuthOAuthInterface, TokenParams, RefreshToken, Tokens } from './types';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { TokenEndpointParams, postRefreshToken } from './endpoints/token';\nimport { findKeyPair } from './dpop';\nimport { isRefreshTokenInvalidError } from './util/errors';\n\nexport async function renewTokensWithRefresh(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  refreshTokenObject: RefreshToken\n): Promise<Tokens> {\n  const { clientId, dpop } = sdk.options;\n  if (!clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');\n  }\n\n  try {\n    const renewTokenParams: TokenParams = Object.assign({}, tokenParams, { clientId });\n    const endpointParams: TokenEndpointParams = {...renewTokenParams};\n\n    if (dpop) {\n      const keyPair = await findKeyPair(refreshTokenObject?.dpopPairId);    // will throw if KP cannot be found\n      endpointParams.dpopKeyPair = keyPair;\n      renewTokenParams.dpop = dpop;\n      renewTokenParams.dpopPairId = refreshTokenObject.dpopPairId;\n    }\n\n    const tokenResponse = await postRefreshToken(sdk, endpointParams, refreshTokenObject);\n    const urls = getOAuthUrls(sdk, tokenParams);\n    const { tokens } = await handleOAuthResponse(sdk, renewTokenParams, tokenResponse, urls);\n\n    // Support rotating refresh tokens\n    const { refreshToken } = tokens;\n    if (refreshToken && !isSameRefreshToken(refreshToken, refreshTokenObject)) {\n      sdk.tokenManager.updateRefreshToken(refreshToken);\n    }\n\n    return tokens;\n  }\n  catch (err) {\n    if (isRefreshTokenInvalidError(err)) {\n      // if the refresh token is invalid, remove it from storage\n      sdk.tokenManager.removeRefreshToken();\n    }\n    throw err;\n  }\n}\n"],"mappings":";;;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAUO,eAAeA,sBAAsB,CAC1CC,GAA2B,EAC3BC,WAAwB,EACxBC,kBAAgC,EACf;EACjB,MAAM;IAAEC,QAAQ;IAAEC;EAAK,CAAC,GAAGJ,GAAG,CAACK,OAAO;EACtC,IAAI,CAACF,QAAQ,EAAE;IACb,MAAM,IAAIG,oBAAY,CAAC,0EAA0E,CAAC;EACpG;EAEA,IAAI;IACF,MAAMC,gBAA6B,GAAGC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAER,WAAW,EAAE;MAAEE;IAAS,CAAC,CAAC;IAClF,MAAMO,cAAmC,GAAG;MAAC,GAAGH;IAAgB,CAAC;IAEjE,IAAIH,IAAI,EAAE;MACR,MAAMO,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACV,kBAAkB,EAAEW,UAAU,CAAC,CAAC,CAAI;MACtEH,cAAc,CAACI,WAAW,GAAGH,OAAO;MACpCJ,gBAAgB,CAACH,IAAI,GAAGA,IAAI;MAC5BG,gBAAgB,CAACM,UAAU,GAAGX,kBAAkB,CAACW,UAAU;IAC7D;IAEA,MAAME,aAAa,GAAG,MAAM,IAAAC,uBAAgB,EAAChB,GAAG,EAAEU,cAAc,EAAER,kBAAkB,CAAC;IACrF,MAAMe,IAAI,GAAG,IAAAC,mBAAY,EAAClB,GAAG,EAAEC,WAAW,CAAC;IAC3C,MAAM;MAAEkB;IAAO,CAAC,GAAG,MAAM,IAAAC,wCAAmB,EAACpB,GAAG,EAAEO,gBAAgB,EAAEQ,aAAa,EAAEE,IAAI,CAAC;;IAExF;IACA,MAAM;MAAEI;IAAa,CAAC,GAAGF,MAAM;IAC/B,IAAIE,YAAY,IAAI,CAAC,IAAAC,gCAAkB,EAACD,YAAY,EAAEnB,kBAAkB,CAAC,EAAE;MACzEF,GAAG,CAACuB,YAAY,CAACC,kBAAkB,CAACH,YAAY,CAAC;IACnD;IAEA,OAAOF,MAAM;EACf,CAAC,CACD,OAAOM,GAAG,EAAE;IACV,IAAI,IAAAC,mCAA0B,EAACD,GAAG,CAAC,EAAE;MACnC;MACAzB,GAAG,CAACuB,YAAY,CAACI,kBAAkB,EAAE;IACvC;IACA,MAAMF,GAAG;EACX;AACF"}

package/cjs/oidc/types/Token.js.map

@@ -1 +1 @@
-{"version":3,"file":"Token.js","names":["TokenKind","isToken","obj","accessToken","idToken","refreshToken","Array","isArray","scopes","isAccessToken","isIDToken","isRefreshToken"],"sources":["../../../../lib/oidc/types/Token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { UserClaims } from './UserClaims';\n\nexport interface AbstractToken {\n  expiresAt: number;\n  authorizeUrl: string;\n  scopes: string[];\n  pendingRemove?: boolean;\n}\n\nexport interface AccessToken extends AbstractToken {\n  accessToken: string;\n  claims: UserClaims;\n  tokenType: string;\n  userinfoUrl: string;\n}\n\nexport interface RefreshToken extends AbstractToken {\n  refreshToken: string;\n  tokenUrl: string;\n  issuer: string;\n}\n\nexport interface IDToken extends AbstractToken {\n  idToken: string;\n  claims: UserClaims;\n  issuer: string;\n  clientId: string;\n}\n\nexport type Token = AccessToken | IDToken | RefreshToken;\nexport type RevocableToken = AccessToken | RefreshToken;\n\nexport type TokenType = 'accessToken' | 'idToken' | 'refreshToken';\nexport enum TokenKind {\n  ACCESS = 'accessToken',\n  ID = 'idToken',\n  REFRESH = 'refreshToken',\n}\n\nexport function isToken(obj: any): obj is Token {\n  if (obj &&\n      (obj.accessToken || obj.idToken || obj.refreshToken) &&\n      Array.isArray(obj.scopes)) {\n    return true;\n  }\n  return false;\n}\n\nexport function isAccessToken(obj: any): obj is AccessToken {\n  return obj && obj.accessToken;\n}\n\nexport function isIDToken(obj: any): obj is IDToken {\n  return obj && obj.idToken;\n}\n\nexport function isRefreshToken(obj: any): obj is RefreshToken {\n  return obj && obj.refreshToken;\n}\n\nexport interface Tokens {\n  accessToken?: AccessToken;\n  idToken?: IDToken;\n  refreshToken?: RefreshToken;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IA6CYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAMd,SAASC,OAAO,CAACC,GAAQ,EAAgB;EAC9C,IAAIA,GAAG,KACFA,GAAG,CAACC,WAAW,IAAID,GAAG,CAACE,OAAO,IAAIF,GAAG,CAACG,YAAY,CAAC,IACpDC,KAAK,CAACC,OAAO,CAACL,GAAG,CAACM,MAAM,CAAC,EAAE;IAC7B,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEO,SAASC,aAAa,CAACP,GAAQ,EAAsB;EAC1D,OAAOA,GAAG,IAAIA,GAAG,CAACC,WAAW;AAC/B;AAEO,SAASO,SAAS,CAACR,GAAQ,EAAkB;EAClD,OAAOA,GAAG,IAAIA,GAAG,CAACE,OAAO;AAC3B;AAEO,SAASO,cAAc,CAACT,GAAQ,EAAuB;EAC5D,OAAOA,GAAG,IAAIA,GAAG,CAACG,YAAY;AAChC"}
+{"version":3,"file":"Token.js","names":["TokenKind","isToken","obj","accessToken","idToken","refreshToken","Array","isArray","scopes","isAccessToken","isIDToken","isRefreshToken"],"sources":["../../../../lib/oidc/types/Token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { UserClaims } from './UserClaims';\n\nexport interface AbstractToken {\n  expiresAt: number;\n  authorizeUrl: string;\n  scopes: string[];\n  pendingRemove?: boolean;\n}\n\nexport interface AccessToken extends AbstractToken {\n  accessToken: string;\n  claims: UserClaims;\n  tokenType: string;\n  userinfoUrl: string;\n  dpopPairId?: string;\n}\n\nexport interface RefreshToken extends AbstractToken {\n  refreshToken: string;\n  tokenUrl: string;\n  issuer: string;\n  dpopPairId?: string;\n}\n\nexport interface IDToken extends AbstractToken {\n  idToken: string;\n  claims: UserClaims;\n  issuer: string;\n  clientId: string;\n}\n\nexport type Token = AccessToken | IDToken | RefreshToken;\nexport type RevocableToken = AccessToken | RefreshToken;\n\nexport type TokenType = 'accessToken' | 'idToken' | 'refreshToken';\nexport enum TokenKind {\n  ACCESS = 'accessToken',\n  ID = 'idToken',\n  REFRESH = 'refreshToken',\n}\n\nexport function isToken(obj: any): obj is Token {\n  if (obj &&\n      (obj.accessToken || obj.idToken || obj.refreshToken) &&\n      Array.isArray(obj.scopes)) {\n    return true;\n  }\n  return false;\n}\n\nexport function isAccessToken(obj: any): obj is AccessToken {\n  return obj && obj.accessToken;\n}\n\nexport function isIDToken(obj: any): obj is IDToken {\n  return obj && obj.idToken;\n}\n\nexport function isRefreshToken(obj: any): obj is RefreshToken {\n  return obj && obj.refreshToken;\n}\n\nexport interface Tokens {\n  accessToken?: AccessToken;\n  idToken?: IDToken;\n  refreshToken?: RefreshToken;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IA+CYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAMd,SAASC,OAAO,CAACC,GAAQ,EAAgB;EAC9C,IAAIA,GAAG,KACFA,GAAG,CAACC,WAAW,IAAID,GAAG,CAACE,OAAO,IAAIF,GAAG,CAACG,YAAY,CAAC,IACpDC,KAAK,CAACC,OAAO,CAACL,GAAG,CAACM,MAAM,CAAC,EAAE;IAC7B,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEO,SAASC,aAAa,CAACP,GAAQ,EAAsB;EAC1D,OAAOA,GAAG,IAAIA,GAAG,CAACC,WAAW;AAC/B;AAEO,SAASO,SAAS,CAACR,GAAQ,EAAkB;EAClD,OAAOA,GAAG,IAAIA,GAAG,CAACE,OAAO;AAC3B;AAEO,SAASO,cAAc,CAACT,GAAQ,EAAuB;EAC5D,OAAOA,GAAG,IAAIA,GAAG,CAACG,YAAY;AAChC"}

package/cjs/oidc/types/api.js.map

@@ -1 +1 @@
-{"version":3,"file":"api.js","names":[],"sources":["../../../../lib/oidc/types/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { JWTObject } from './JWT';\nimport { OAuthTransactionMeta, PKCETransactionMeta } from './meta';\nimport { CustomUrls, OktaAuthOAuthOptions, SigninWithRedirectOptions, TokenParams, RenewTokensParams } from './options';\nimport { OAuthResponseType } from './proto';\nimport { OAuthStorageManagerInterface } from './storage';\nimport { AccessToken, IDToken, RefreshToken, RevocableToken, Token, Tokens, TokenKind } from './Token';\nimport { TokenManagerInterface } from './TokenManager';\nimport { CustomUserClaims, UserClaims } from './UserClaims';\nimport { TransactionManagerInterface } from './TransactionManager';\nimport { OktaAuthSessionInterface } from '../../session/types';\nimport { Endpoints } from './endpoints';\n\nexport interface PopupParams {\n  popupTitle?: string;\n  popupWindow?: Window;\n}\n\nexport interface TokenResponse {\n  tokens: Tokens;\n  state: string;\n  code?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n}\n\nexport interface ParseFromUrlOptions {\n  url?: string;\n  responseMode?: string;\n}\n\nexport type ParseFromUrlFunction = (options?: string | ParseFromUrlOptions) => Promise<TokenResponse>;\n\nexport interface ParseFromUrlInterface extends ParseFromUrlFunction {\n  _getDocument: () => Document;\n  _getLocation: () => Location;\n  _getHistory: () => History;\n}\n\nexport type GetWithRedirectFunction = (params?: TokenParams) => Promise<void>;\n\nexport type SetLocationFunction = (loc: string) => void;\n\nexport interface BaseTokenAPI {\n  decode(token: string): JWTObject;\n  prepareTokenParams(params?: TokenParams): Promise<TokenParams>;\n  exchangeCodeForTokens(params: TokenParams, urls?: CustomUrls): Promise<TokenResponse>;\n}\n\nexport interface TokenAPI extends BaseTokenAPI {\n  getUserInfo<S extends CustomUserClaims = CustomUserClaims>(\n    accessToken?: AccessToken,\n    idToken?: IDToken\n  ): Promise<UserClaims<S>>;\n  getWithRedirect: GetWithRedirectFunction;\n  parseFromUrl: ParseFromUrlInterface;\n  getWithoutPrompt(params?: TokenParams): Promise<TokenResponse>;\n  getWithPopup(params?: TokenParams): Promise<TokenResponse>;\n  revoke(token: RevocableToken): Promise<object>;\n  renew(token: Token): Promise<Token | undefined>;\n  renewTokens(options?: RenewTokensParams): Promise<Tokens>;\n  renewTokensWithRefresh(tokenParams: TokenParams, refreshTokenObject: RefreshToken): Promise<Tokens>;\n  verify(token: IDToken, params?: object): Promise<IDToken>;\n  isLoginRedirect(): boolean;\n  introspect(kind: TokenKind, token?: Token): any;  // TODO: make real return type\n}\n\nexport interface TokenVerifyParams {\n  clientId: string;\n  issuer: string;\n  ignoreSignature?: boolean;\n  nonce?: string;\n  accessToken?: string; // raw access token string\n  acrValues?: string;\n}\n\nexport interface IDTokenAPI {\n  authorize: {\n    _getLocationHref: () => string;\n  };\n}\n\nexport interface PkceAPI {\n  DEFAULT_CODE_CHALLENGE_METHOD: string;\n  generateVerifier(prefix: string): string;\n  computeChallenge(str: string): PromiseLike<any>;\n}\n\nexport interface IsAuthenticatedOptions {\n  onExpiredToken?: 'renew' | 'remove' | 'none';\n}\n\nexport interface SignoutRedirectUrlOptions {\n  postLogoutRedirectUri?: string | null;\n  idToken?: IDToken;\n  state?: string;\n}\n\nexport interface SignoutOptions extends SignoutRedirectUrlOptions {\n  revokeAccessToken?: boolean;\n  revokeRefreshToken?: boolean;\n  accessToken?: AccessToken;\n  refreshToken?: RefreshToken;\n  clearTokensBeforeRedirect?: boolean;\n}\n\nexport interface OriginalUriApi {\n  getOriginalUri(state?: string): string | undefined;\n  setOriginalUri(originalUri: string, state?: string): void;\n  removeOriginalUri(state?: string): void;\n}\n\nexport interface MinimalOktaOAuthInterface\n<\n  M extends OAuthTransactionMeta = PKCETransactionMeta,\n  S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n  O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n  TM extends TransactionManagerInterface = TransactionManagerInterface\n> \n  extends OktaAuthSessionInterface<S, O>\n{\n  token: BaseTokenAPI;\n  transactionManager: TM;\n\n  isPKCE(): boolean;\n  isLoginRedirect(): boolean;\n  isAuthorizationCodeFlow(): boolean;\n}\n\nexport interface OktaAuthOAuthInterface\n<\n  M extends OAuthTransactionMeta = PKCETransactionMeta,\n  S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n  O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n  TM extends TransactionManagerInterface = TransactionManagerInterface\n> \n  extends OktaAuthSessionInterface<S, O>,\n  OriginalUriApi\n{\n  token: TokenAPI;\n  tokenManager: TokenManagerInterface;\n  pkce: PkceAPI;\n  transactionManager: TM;\n  endpoints: Endpoints;\n  \n  isPKCE(): boolean;\n  getIdToken(): string | undefined;\n  getAccessToken(): string | undefined;\n  getRefreshToken(): string | undefined;\n\n  isAuthenticated(options?: IsAuthenticatedOptions): Promise<boolean>;\n  signOut(opts?: SignoutOptions): Promise<boolean>;\n  isLoginRedirect(): boolean;\n  isAuthorizationCodeFlow(): boolean;\n  storeTokensFromRedirect(): Promise<void>;\n  getUser<T extends CustomUserClaims = CustomUserClaims>(): Promise<UserClaims<T>>;\n  signInWithRedirect(opts?: SigninWithRedirectOptions): Promise<void>;\n  \n  revokeAccessToken(accessToken?: AccessToken): Promise<unknown>;\n  revokeRefreshToken(refreshToken?: RefreshToken): Promise<unknown>;\n}\n"],"mappings":""}
+{"version":3,"file":"api.js","names":[],"sources":["../../../../lib/oidc/types/api.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { JWTObject } from './JWT';\nimport { OAuthTransactionMeta, PKCETransactionMeta } from './meta';\nimport { CustomUrls, OktaAuthOAuthOptions, SigninWithRedirectOptions, TokenParams, RenewTokensParams } from './options';\nimport { OAuthResponseType } from './proto';\nimport { OAuthStorageManagerInterface } from './storage';\nimport { AccessToken, IDToken, RefreshToken, RevocableToken, Token, Tokens, TokenKind } from './Token';\nimport { TokenManagerInterface } from './TokenManager';\nimport { CustomUserClaims, UserClaims } from './UserClaims';\nimport { TransactionManagerInterface } from './TransactionManager';\nimport { OktaAuthSessionInterface } from '../../session/types';\nimport { Endpoints } from './endpoints';\n\nexport interface PopupParams {\n  popupTitle?: string;\n  popupWindow?: Window;\n}\n\nexport interface TokenResponse {\n  tokens: Tokens;\n  state: string;\n  code?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n}\n\nexport interface ParseFromUrlOptions {\n  url?: string;\n  responseMode?: string;\n}\n\nexport type ParseFromUrlFunction = (options?: string | ParseFromUrlOptions) => Promise<TokenResponse>;\n\nexport interface ParseFromUrlInterface extends ParseFromUrlFunction {\n  _getDocument: () => Document;\n  _getLocation: () => Location;\n  _getHistory: () => History;\n}\n\nexport type GetWithRedirectFunction = (params?: TokenParams) => Promise<void>;\n\nexport type SetLocationFunction = (loc: string) => void;\n\nexport interface BaseTokenAPI {\n  decode(token: string): JWTObject;\n  prepareTokenParams(params?: TokenParams): Promise<TokenParams>;\n  exchangeCodeForTokens(params: TokenParams, urls?: CustomUrls): Promise<TokenResponse>;\n}\n\nexport interface TokenAPI extends BaseTokenAPI {\n  getUserInfo<S extends CustomUserClaims = CustomUserClaims>(\n    accessToken?: AccessToken,\n    idToken?: IDToken\n  ): Promise<UserClaims<S>>;\n  getWithRedirect: GetWithRedirectFunction;\n  parseFromUrl: ParseFromUrlInterface;\n  getWithoutPrompt(params?: TokenParams): Promise<TokenResponse>;\n  getWithPopup(params?: TokenParams): Promise<TokenResponse>;\n  revoke(token: RevocableToken): Promise<object>;\n  renew(token: Token): Promise<Token | undefined>;\n  renewTokens(options?: RenewTokensParams): Promise<Tokens>;\n  renewTokensWithRefresh(tokenParams: TokenParams, refreshTokenObject: RefreshToken): Promise<Tokens>;\n  verify(token: IDToken, params?: object): Promise<IDToken>;\n  isLoginRedirect(): boolean;\n  introspect(kind: TokenKind, token?: Token): any;  // TODO: make real return type\n}\n\nexport interface TokenVerifyParams {\n  clientId: string;\n  issuer: string;\n  ignoreSignature?: boolean;\n  nonce?: string;\n  accessToken?: string; // raw access token string\n  acrValues?: string;\n}\n\nexport interface IDTokenAPI {\n  authorize: {\n    _getLocationHref: () => string;\n  };\n}\n\nexport interface PkceAPI {\n  DEFAULT_CODE_CHALLENGE_METHOD: string;\n  generateVerifier(prefix: string): string;\n  computeChallenge(str: string): PromiseLike<any>;\n}\n\nexport interface IsAuthenticatedOptions {\n  onExpiredToken?: 'renew' | 'remove' | 'none';\n}\n\nexport interface SignoutRedirectUrlOptions {\n  postLogoutRedirectUri?: string | null;\n  idToken?: IDToken;\n  state?: string;\n}\n\nexport interface SignoutOptions extends SignoutRedirectUrlOptions {\n  revokeAccessToken?: boolean;\n  revokeRefreshToken?: boolean;\n  accessToken?: AccessToken;\n  refreshToken?: RefreshToken;\n  clearTokensBeforeRedirect?: boolean;\n}\n\nexport interface OriginalUriApi {\n  getOriginalUri(state?: string): string | undefined;\n  setOriginalUri(originalUri: string, state?: string): void;\n  removeOriginalUri(state?: string): void;\n}\n\nexport interface DPoPRequest {\n  url: string;\n  method: string;\n  nonce?: string;\n  accessToken?: AccessToken;\n}\n\nexport interface DPoPHeaders {\n  Authorization: string;\n  Dpop: string;\n}\n\nexport interface MinimalOktaOAuthInterface\n<\n  M extends OAuthTransactionMeta = PKCETransactionMeta,\n  S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n  O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n  TM extends TransactionManagerInterface = TransactionManagerInterface\n> \n  extends OktaAuthSessionInterface<S, O>\n{\n  token: BaseTokenAPI;\n  transactionManager: TM;\n\n  isPKCE(): boolean;\n  isLoginRedirect(): boolean;\n  isAuthorizationCodeFlow(): boolean;\n}\n\nexport interface OktaAuthOAuthInterface\n<\n  M extends OAuthTransactionMeta = PKCETransactionMeta,\n  S extends OAuthStorageManagerInterface<M> = OAuthStorageManagerInterface<M>,\n  O extends OktaAuthOAuthOptions = OktaAuthOAuthOptions,\n  TM extends TransactionManagerInterface = TransactionManagerInterface\n> \n  extends OktaAuthSessionInterface<S, O>,\n  OriginalUriApi\n{\n  token: TokenAPI;\n  tokenManager: TokenManagerInterface;\n  pkce: PkceAPI;\n  transactionManager: TM;\n  endpoints: Endpoints;\n  \n  isPKCE(): boolean;\n  getIdToken(): string | undefined;\n  getAccessToken(): string | undefined;\n  getRefreshToken(): string | undefined;\n  getOrRenewAccessToken(): Promise<string | null>;\n\n  isAuthenticated(options?: IsAuthenticatedOptions): Promise<boolean>;\n  signOut(opts?: SignoutOptions): Promise<boolean>;\n  isLoginRedirect(): boolean;\n  isAuthorizationCodeFlow(): boolean;\n  storeTokensFromRedirect(): Promise<void>;\n  getUser<T extends CustomUserClaims = CustomUserClaims>(): Promise<UserClaims<T>>;\n  signInWithRedirect(opts?: SigninWithRedirectOptions): Promise<void>;\n  \n  revokeAccessToken(accessToken?: AccessToken): Promise<unknown>;\n  revokeRefreshToken(refreshToken?: RefreshToken): Promise<unknown>;\n\n  getDPoPAuthorizationHeaders(params: DPoPRequest): Promise<DPoPHeaders>;\n  clearDPoPStorage(clearAll: boolean): Promise<void>;\n  parseUseDPoPNonceError(headers: HeadersInit): string | null;\n}\n"],"mappings":""}

package/cjs/oidc/types/options.js.map

@@ -1 +1 @@
-{"version":3,"file":"options.js","names":[],"sources":["../../../../lib/oidc/types/options.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { OktaAuthOptionsConstructor } from '../../base/types';\nimport { OktaAuthHttpOptions } from '../../http/types';\nimport { SimpleStorage } from '../../storage/types';\nimport { OktaAuthOAuthInterface, SetLocationFunction } from './api';\nimport { OAuthResponseMode, OAuthResponseType } from './proto';\nimport { Tokens } from './Token';\nimport { TransactionManagerOptions } from './Transaction';\n\nexport interface CustomUrls {\n  issuer?: string;\n  authorizeUrl?: string;\n  userinfoUrl?: string;\n  tokenUrl?: string;\n  revokeUrl?: string;\n  logoutUrl?: string;\n}\n\nexport interface TokenParams extends CustomUrls {\n  pkce?: boolean;\n  clientId?: string;\n  redirectUri?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n  responseMode?: OAuthResponseMode;\n  state?: string;\n  nonce?: string;\n  scopes?: string[];\n  enrollAmrValues?: string | string[];\n  display?: string;\n  ignoreSignature?: boolean;\n  codeVerifier?: string;\n  authorizationCode?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  interactionCode?: string;\n  idp?: string;\n  idpScope?: string | string[];\n  loginHint?: string;\n  maxAge?: string | number;\n  acrValues?: string;\n  prompt?: string;\n  sessionToken?: string;\n  timeout?: number;\n  extraParams?: { [propName: string]: string }; // custom authorize query params\n  // TODO: remove in the next major version\n  popupTitle?: string;\n}\n\nexport interface TokenManagerOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n  clearPendingRemoveTokens?: boolean;\n  secure?: boolean;\n  storage?: string | SimpleStorage;\n  storageKey?: string;\n  expireEarlySeconds?: number;\n  syncStorage?: boolean;\n}\n\nexport interface EnrollAuthenticatorOptions extends TokenParams {\n  enrollAmrValues: string | string[];\n  acrValues: string;\n}\n\nexport interface SigninWithRedirectOptions extends TokenParams {\n  originalUri?: string;\n}\n\nexport interface RenewTokensParams extends TokenParams {\n  tokens?: Tokens\n}\n\nexport interface OktaAuthOAuthOptions extends\n  OktaAuthHttpOptions,\n  CustomUrls,\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'maxAge' |\n    'acrValues'\n  >\n{\n  ignoreLifetime?: boolean;\n  tokenManager?: TokenManagerOptions;\n  postLogoutRedirectUri?: string;\n  maxClockSkew?: number;\n  restoreOriginalUri?: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n\n  transactionManager?: TransactionManagerOptions;\n\n  // For server-side web applications ONLY!\n  clientSecret?: string;\n  setLocation?: SetLocationFunction;\n}\n\nexport type OktaAuthOauthOptionsConstructor = OktaAuthOptionsConstructor<OktaAuthOAuthOptions>;\n"],"mappings":""}
+{"version":3,"file":"options.js","names":[],"sources":["../../../../lib/oidc/types/options.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { OktaAuthOptionsConstructor } from '../../base/types';\nimport { OktaAuthHttpOptions } from '../../http/types';\nimport { SimpleStorage } from '../../storage/types';\nimport { OktaAuthOAuthInterface, SetLocationFunction } from './api';\nimport { OAuthResponseMode, OAuthResponseType } from './proto';\nimport { Tokens } from './Token';\nimport { TransactionManagerOptions } from './Transaction';\n\nexport interface CustomUrls {\n  issuer?: string;\n  authorizeUrl?: string;\n  userinfoUrl?: string;\n  tokenUrl?: string;\n  revokeUrl?: string;\n  logoutUrl?: string;\n}\n\nexport interface TokenParams extends CustomUrls {\n  pkce?: boolean;\n  clientId?: string;\n  redirectUri?: string;\n  responseType?: OAuthResponseType | OAuthResponseType[] | 'none';\n  responseMode?: OAuthResponseMode;\n  state?: string;\n  nonce?: string;\n  scopes?: string[];\n  enrollAmrValues?: string | string[];\n  display?: string;\n  ignoreSignature?: boolean;\n  codeVerifier?: string;\n  authorizationCode?: string;\n  codeChallenge?: string;\n  codeChallengeMethod?: string;\n  interactionCode?: string;\n  idp?: string;\n  idpScope?: string | string[];\n  loginHint?: string;\n  maxAge?: string | number;\n  acrValues?: string;\n  prompt?: string;\n  sessionToken?: string;\n  timeout?: number;\n  extraParams?: { [propName: string]: string }; // custom authorize query params\n  // TODO: remove in the next major version\n  popupTitle?: string;\n  dpop?: boolean;\n  dpopPairId?: string;\n}\n\nexport interface TokenManagerOptions {\n  autoRenew?: boolean;\n  autoRemove?: boolean;\n  clearPendingRemoveTokens?: boolean;\n  secure?: boolean;\n  storage?: string | SimpleStorage;\n  storageKey?: string;\n  expireEarlySeconds?: number;\n  syncStorage?: boolean;\n}\n\nexport interface EnrollAuthenticatorOptions extends TokenParams {\n  enrollAmrValues: string | string[];\n  acrValues: string;\n}\n\nexport interface SigninWithRedirectOptions extends TokenParams {\n  originalUri?: string;\n}\n\nexport interface RenewTokensParams extends TokenParams {\n  tokens?: Tokens\n}\n\nexport interface OktaAuthOAuthOptions extends\n  OktaAuthHttpOptions,\n  CustomUrls,\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'maxAge' |\n    'acrValues'\n  >\n{\n  ignoreLifetime?: boolean;\n  tokenManager?: TokenManagerOptions;\n  postLogoutRedirectUri?: string;\n  maxClockSkew?: number;\n  restoreOriginalUri?: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;\n  dpop?: boolean;\n\n  transactionManager?: TransactionManagerOptions;\n\n  // For server-side web applications ONLY!\n  clientSecret?: string;\n  setLocation?: SetLocationFunction;\n}\n\nexport type OktaAuthOauthOptionsConstructor = OktaAuthOptionsConstructor<OktaAuthOAuthOptions>;\n"],"mappings":""}

package/cjs/oidc/util/defaultTokenParams.js

@@ -29,7 +29,8 @@ function getDefaultTokenParams(sdk) {
     acrValues,
     maxAge,
     state,
-    ignoreSignature
+    ignoreSignature,
+    dpop
   } = sdk.options;
   const defaultRedirectUri = (0, _features.isBrowser)() ? window.location.href : undefined;
   return (0, _util.removeNils)({
@@ -43,7 +44,8 @@ function getDefaultTokenParams(sdk) {
     scopes: scopes || ['openid', 'email'],
     acrValues,
     maxAge,
-    ignoreSignature
+    ignoreSignature,
+    dpop
   });
 }
 //# sourceMappingURL=defaultTokenParams.js.map

package/cjs/oidc/util/defaultTokenParams.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaultTokenParams.js","names":["getDefaultTokenParams","sdk","pkce","clientId","redirectUri","responseType","responseMode","scopes","acrValues","maxAge","state","ignoreSignature","options","defaultRedirectUri","isBrowser","window","location","href","undefined","removeNils","generateState","nonce","generateNonce"],"sources":["../../../../lib/oidc/util/defaultTokenParams.ts"],"sourcesContent":["\n/* global window */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { generateNonce, generateState } from './oauth';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { isBrowser } from '../../features';\nimport { removeNils } from '../../util';\n\nexport function getDefaultTokenParams(sdk: OktaAuthOAuthInterface): TokenParams {\n  const {\n    pkce,\n    clientId,\n    redirectUri,\n    responseType,\n    responseMode,\n    scopes,\n    acrValues,\n    maxAge,\n    state,\n    ignoreSignature\n  } = sdk.options;\n  const defaultRedirectUri = isBrowser() ? window.location.href : undefined;\n  return removeNils({\n    pkce,\n    clientId,\n    redirectUri: redirectUri || defaultRedirectUri,\n    responseType: responseType || ['token', 'id_token'],\n    responseMode,\n    state: state || generateState(),\n    nonce: generateNonce(),\n    scopes: scopes || ['openid', 'email'],\n    acrValues,\n    maxAge,\n    ignoreSignature\n  });\n}"],"mappings":";;;AAcA;AAEA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMO,SAASA,qBAAqB,CAACC,GAA2B,EAAe;EAC9E,MAAM;IACJC,IAAI;IACJC,QAAQ;IACRC,WAAW;IACXC,YAAY;IACZC,YAAY;IACZC,MAAM;IACNC,SAAS;IACTC,MAAM;IACNC,KAAK;IACLC;EACF,CAAC,GAAGV,GAAG,CAACW,OAAO;EACf,MAAMC,kBAAkB,GAAG,IAAAC,mBAAS,GAAE,GAAGC,MAAM,CAACC,QAAQ,CAACC,IAAI,GAAGC,SAAS;EACzE,OAAO,IAAAC,gBAAU,EAAC;IAChBjB,IAAI;IACJC,QAAQ;IACRC,WAAW,EAAEA,WAAW,IAAIS,kBAAkB;IAC9CR,YAAY,EAAEA,YAAY,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC;IACnDC,YAAY;IACZI,KAAK,EAAEA,KAAK,IAAI,IAAAU,oBAAa,GAAE;IAC/BC,KAAK,EAAE,IAAAC,oBAAa,GAAE;IACtBf,MAAM,EAAEA,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC;IACrCC,SAAS;IACTC,MAAM;IACNE;EACF,CAAC,CAAC;AACJ"}
+{"version":3,"file":"defaultTokenParams.js","names":["getDefaultTokenParams","sdk","pkce","clientId","redirectUri","responseType","responseMode","scopes","acrValues","maxAge","state","ignoreSignature","dpop","options","defaultRedirectUri","isBrowser","window","location","href","undefined","removeNils","generateState","nonce","generateNonce"],"sources":["../../../../lib/oidc/util/defaultTokenParams.ts"],"sourcesContent":["\n/* global window */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { generateNonce, generateState } from './oauth';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { isBrowser } from '../../features';\nimport { removeNils } from '../../util';\n\nexport function getDefaultTokenParams(sdk: OktaAuthOAuthInterface): TokenParams {\n  const {\n    pkce,\n    clientId,\n    redirectUri,\n    responseType,\n    responseMode,\n    scopes,\n    acrValues,\n    maxAge,\n    state,\n    ignoreSignature,\n    dpop\n  } = sdk.options;\n  const defaultRedirectUri = isBrowser() ? window.location.href : undefined;\n  return removeNils({\n    pkce,\n    clientId,\n    redirectUri: redirectUri || defaultRedirectUri,\n    responseType: responseType || ['token', 'id_token'],\n    responseMode,\n    state: state || generateState(),\n    nonce: generateNonce(),\n    scopes: scopes || ['openid', 'email'],\n    acrValues,\n    maxAge,\n    ignoreSignature,\n    dpop,\n  });\n}"],"mappings":";;;AAcA;AAEA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMO,SAASA,qBAAqB,CAACC,GAA2B,EAAe;EAC9E,MAAM;IACJC,IAAI;IACJC,QAAQ;IACRC,WAAW;IACXC,YAAY;IACZC,YAAY;IACZC,MAAM;IACNC,SAAS;IACTC,MAAM;IACNC,KAAK;IACLC,eAAe;IACfC;EACF,CAAC,GAAGX,GAAG,CAACY,OAAO;EACf,MAAMC,kBAAkB,GAAG,IAAAC,mBAAS,GAAE,GAAGC,MAAM,CAACC,QAAQ,CAACC,IAAI,GAAGC,SAAS;EACzE,OAAO,IAAAC,gBAAU,EAAC;IAChBlB,IAAI;IACJC,QAAQ;IACRC,WAAW,EAAEA,WAAW,IAAIU,kBAAkB;IAC9CT,YAAY,EAAEA,YAAY,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC;IACnDC,YAAY;IACZI,KAAK,EAAEA,KAAK,IAAI,IAAAW,oBAAa,GAAE;IAC/BC,KAAK,EAAE,IAAAC,oBAAa,GAAE;IACtBhB,MAAM,EAAEA,MAAM,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC;IACrCC,SAAS;IACTC,MAAM;IACNE,eAAe;IACfC;EACF,CAAC,CAAC;AACJ"}

package/cjs/oidc/util/prepareTokenParams.js

@@ -86,6 +86,9 @@ async function prepareTokenParams(sdk, tokenParams = {}) {
     ...defaults,
     ...tokenParams
   };
+  if (tokenParams.dpop && !sdk.features.isDPoPSupported()) {
+    throw new _errors.AuthSdkError('DPoP has been configured, but is not supported by browser');
+  }
   if (tokenParams.pkce === false) {
     // Implicit flow or authorization_code without PKCE
     return tokenParams;

package/cjs/oidc/util/prepareTokenParams.js.map

@@ -1 +1 @@
-{"version":3,"file":"prepareTokenParams.js","names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","getWellKnown","methods","indexOf","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","getDefaultTokenParams","pkce"],"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\nimport { OktaAuthBaseInterface } from '../../base/types';\n\nexport function assertPKCESupport(sdk: OktaAuthBaseInterface) {\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    throw new AuthSdkError(errorMessage);\n  }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthOAuthInterface, codeChallengeMethod?: string) {\n  // set default code challenge method, if none provided\n  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n  // validate against .well-known/openid-configuration\n  const wellKnownResponse = await getWellKnown(sdk);\n  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n  if (methods.indexOf(codeChallengeMethod) === -1) {\n    throw new AuthSdkError('Invalid code_challenge_method');\n  }\n  return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): Promise<TokenParams> {\n  let {\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  } = tokenParams;\n\n  // PKCE calculations can be avoided by passing a codeChallenge\n  codeChallenge = codeChallenge || sdk.options.codeChallenge;\n  if (!codeChallenge) {\n    assertPKCESupport(sdk);\n    codeVerifier = codeVerifier || PKCE.generateVerifier();\n    codeChallenge = await PKCE.computeChallenge(codeVerifier);\n  }\n  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n  // Clone/copy the params. Set PKCE values\n  tokenParams = {\n    ...tokenParams,\n    responseType: 'code', // responseType is forced\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  };\n\n  return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = { ...defaults, ...tokenParams };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return tokenParams;\n  }\n\n  return preparePKCE(sdk, tokenParams);\n}"],"mappings":";;;;;;;AAaA;AACA;AAEA;AACA;AACA;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AASO,SAASA,iBAAiB,CAACC,GAA0B,EAAE;EAC5D,IAAI,CAACA,GAAG,CAACC,QAAQ,CAACC,eAAe,EAAE,EAAE;IACnC,IAAIC,YAAY,GAAG,qFAAqF;IACxG,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACG,OAAO,EAAE,EAAE;MAC3B;MACAD,YAAY,IAAI,kGAAkG;IACpH;IACA,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACI,cAAc,EAAE,EAAE;MAClC;MACAF,YAAY,IAAI,wGAAwG;IAC1H;IACA,MAAM,IAAIG,oBAAY,CAACH,YAAY,CAAC;EACtC;AACF;AAEO,eAAeI,2BAA2B,CAACP,GAA2B,EAAEQ,mBAA4B,EAAE;EAC3G;EACAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAO,CAACD,mBAAmB,IAAIE,wCAA6B;;EAE7G;EACA,MAAMC,iBAAiB,GAAG,MAAM,IAAAC,uBAAY,EAACZ,GAAG,CAAC;EACjD,IAAIa,OAAO,GAAGF,iBAAiB,CAAC,kCAAkC,CAAC,IAAI,EAAE;EACzE,IAAIE,OAAO,CAACC,OAAO,CAACN,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE;IAC/C,MAAM,IAAIF,oBAAY,CAAC,+BAA+B,CAAC;EACzD;EACA,OAAOE,mBAAmB;AAC5B;AAEO,eAAeO,WAAW,CAC/Bf,GAA2B,EAC3BgB,WAAwB,EACF;EACtB,IAAI;IACFC,YAAY;IACZC,aAAa;IACbV;EACF,CAAC,GAAGQ,WAAW;;EAEf;EACAE,aAAa,GAAGA,aAAa,IAAIlB,GAAG,CAACS,OAAO,CAACS,aAAa;EAC1D,IAAI,CAACA,aAAa,EAAE;IAClBnB,iBAAiB,CAACC,GAAG,CAAC;IACtBiB,YAAY,GAAGA,YAAY,IAAIE,aAAI,CAACC,gBAAgB,EAAE;IACtDF,aAAa,GAAG,MAAMC,aAAI,CAACE,gBAAgB,CAACJ,YAAY,CAAC;EAC3D;EACAT,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAG,EAAEQ,mBAAmB,CAAC;;EAEjF;EACAQ,WAAW,GAAG;IACZ,GAAGA,WAAW;IACdM,YAAY,EAAE,MAAM;IAAE;IACtBL,YAAY;IACZC,aAAa;IACbV;EACF,CAAC;EAED,OAAOQ,WAAW;AACpB;;AAEA;AACO,eAAeO,kBAAkB,CACtCvB,GAA2B,EAC3BgB,WAAwB,GAAG,CAAC,CAAC,EACP;EACtB;EACA,MAAMQ,QAAQ,GAAG,IAAAC,yCAAqB,EAACzB,GAAG,CAAC;EAC3CgB,WAAW,GAAG;IAAE,GAAGQ,QAAQ;IAAE,GAAGR;EAAY,CAAC;EAE7C,IAAIA,WAAW,CAACU,IAAI,KAAK,KAAK,EAAE;IAC9B;IACA,OAAOV,WAAW;EACpB;EAEA,OAAOD,WAAW,CAACf,GAAG,EAAEgB,WAAW,CAAC;AACtC"}
+{"version":3,"file":"prepareTokenParams.js","names":["assertPKCESupport","sdk","features","isPKCESupported","errorMessage","isHTTPS","hasTextEncoder","AuthSdkError","validateCodeChallengeMethod","codeChallengeMethod","options","DEFAULT_CODE_CHALLENGE_METHOD","wellKnownResponse","getWellKnown","methods","indexOf","preparePKCE","tokenParams","codeVerifier","codeChallenge","PKCE","generateVerifier","computeChallenge","responseType","prepareTokenParams","defaults","getDefaultTokenParams","dpop","isDPoPSupported","pkce"],"sources":["../../../../lib/oidc/util/prepareTokenParams.ts"],"sourcesContent":["/* eslint-disable complexity */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { getWellKnown } from '../endpoints/well-known';\nimport { AuthSdkError } from '../../errors';\nimport { OktaAuthOAuthInterface, TokenParams } from '../types';\nimport { getDefaultTokenParams } from './defaultTokenParams';\nimport { DEFAULT_CODE_CHALLENGE_METHOD } from '../../constants';\nimport PKCE from './pkce';\nimport { OktaAuthBaseInterface } from '../../base/types';\n\nexport function assertPKCESupport(sdk: OktaAuthBaseInterface) {\n  if (!sdk.features.isPKCESupported()) {\n    var errorMessage = 'PKCE requires a modern browser with encryption support running in a secure context.';\n    if (!sdk.features.isHTTPS()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\nThe current page is not being served with HTTPS protocol. PKCE requires secure HTTPS protocol.';\n    }\n    if (!sdk.features.hasTextEncoder()) {\n      // eslint-disable-next-line max-len\n      errorMessage += '\\n\"TextEncoder\" is not defined. To use PKCE, you may need to include a polyfill/shim for this browser.';\n    }\n    throw new AuthSdkError(errorMessage);\n  }\n}\n\nexport async function validateCodeChallengeMethod(sdk: OktaAuthOAuthInterface, codeChallengeMethod?: string) {\n  // set default code challenge method, if none provided\n  codeChallengeMethod = codeChallengeMethod || sdk.options.codeChallengeMethod || DEFAULT_CODE_CHALLENGE_METHOD;\n\n  // validate against .well-known/openid-configuration\n  const wellKnownResponse = await getWellKnown(sdk);\n  var methods = wellKnownResponse['code_challenge_methods_supported'] || [];\n  if (methods.indexOf(codeChallengeMethod) === -1) {\n    throw new AuthSdkError('Invalid code_challenge_method');\n  }\n  return codeChallengeMethod;\n}\n\nexport async function preparePKCE(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): Promise<TokenParams> {\n  let {\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  } = tokenParams;\n\n  // PKCE calculations can be avoided by passing a codeChallenge\n  codeChallenge = codeChallenge || sdk.options.codeChallenge;\n  if (!codeChallenge) {\n    assertPKCESupport(sdk);\n    codeVerifier = codeVerifier || PKCE.generateVerifier();\n    codeChallenge = await PKCE.computeChallenge(codeVerifier);\n  }\n  codeChallengeMethod = await validateCodeChallengeMethod(sdk, codeChallengeMethod);\n\n  // Clone/copy the params. Set PKCE values\n  tokenParams = {\n    ...tokenParams,\n    responseType: 'code', // responseType is forced\n    codeVerifier,\n    codeChallenge,\n    codeChallengeMethod\n  };\n\n  return tokenParams;\n}\n\n// Prepares params for a call to /authorize or /token\nexport async function prepareTokenParams(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams = {}\n): Promise<TokenParams> {\n  // build params using defaults + options\n  const defaults = getDefaultTokenParams(sdk);\n  tokenParams = { ...defaults, ...tokenParams };\n\n  if (tokenParams.dpop && !sdk.features.isDPoPSupported()) {\n    throw new AuthSdkError('DPoP has been configured, but is not supported by browser');\n  }\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return tokenParams;\n  }\n\n  return preparePKCE(sdk, tokenParams);\n}"],"mappings":";;;;;;;AAaA;AACA;AAEA;AACA;AACA;AAlBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AASO,SAASA,iBAAiB,CAACC,GAA0B,EAAE;EAC5D,IAAI,CAACA,GAAG,CAACC,QAAQ,CAACC,eAAe,EAAE,EAAE;IACnC,IAAIC,YAAY,GAAG,qFAAqF;IACxG,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACG,OAAO,EAAE,EAAE;MAC3B;MACAD,YAAY,IAAI,kGAAkG;IACpH;IACA,IAAI,CAACH,GAAG,CAACC,QAAQ,CAACI,cAAc,EAAE,EAAE;MAClC;MACAF,YAAY,IAAI,wGAAwG;IAC1H;IACA,MAAM,IAAIG,oBAAY,CAACH,YAAY,CAAC;EACtC;AACF;AAEO,eAAeI,2BAA2B,CAACP,GAA2B,EAAEQ,mBAA4B,EAAE;EAC3G;EACAA,mBAAmB,GAAGA,mBAAmB,IAAIR,GAAG,CAACS,OAAO,CAACD,mBAAmB,IAAIE,wCAA6B;;EAE7G;EACA,MAAMC,iBAAiB,GAAG,MAAM,IAAAC,uBAAY,EAACZ,GAAG,CAAC;EACjD,IAAIa,OAAO,GAAGF,iBAAiB,CAAC,kCAAkC,CAAC,IAAI,EAAE;EACzE,IAAIE,OAAO,CAACC,OAAO,CAACN,mBAAmB,CAAC,KAAK,CAAC,CAAC,EAAE;IAC/C,MAAM,IAAIF,oBAAY,CAAC,+BAA+B,CAAC;EACzD;EACA,OAAOE,mBAAmB;AAC5B;AAEO,eAAeO,WAAW,CAC/Bf,GAA2B,EAC3BgB,WAAwB,EACF;EACtB,IAAI;IACFC,YAAY;IACZC,aAAa;IACbV;EACF,CAAC,GAAGQ,WAAW;;EAEf;EACAE,aAAa,GAAGA,aAAa,IAAIlB,GAAG,CAACS,OAAO,CAACS,aAAa;EAC1D,IAAI,CAACA,aAAa,EAAE;IAClBnB,iBAAiB,CAACC,GAAG,CAAC;IACtBiB,YAAY,GAAGA,YAAY,IAAIE,aAAI,CAACC,gBAAgB,EAAE;IACtDF,aAAa,GAAG,MAAMC,aAAI,CAACE,gBAAgB,CAACJ,YAAY,CAAC;EAC3D;EACAT,mBAAmB,GAAG,MAAMD,2BAA2B,CAACP,GAAG,EAAEQ,mBAAmB,CAAC;;EAEjF;EACAQ,WAAW,GAAG;IACZ,GAAGA,WAAW;IACdM,YAAY,EAAE,MAAM;IAAE;IACtBL,YAAY;IACZC,aAAa;IACbV;EACF,CAAC;EAED,OAAOQ,WAAW;AACpB;;AAEA;AACO,eAAeO,kBAAkB,CACtCvB,GAA2B,EAC3BgB,WAAwB,GAAG,CAAC,CAAC,EACP;EACtB;EACA,MAAMQ,QAAQ,GAAG,IAAAC,yCAAqB,EAACzB,GAAG,CAAC;EAC3CgB,WAAW,GAAG;IAAE,GAAGQ,QAAQ;IAAE,GAAGR;EAAY,CAAC;EAE7C,IAAIA,WAAW,CAACU,IAAI,IAAI,CAAC1B,GAAG,CAACC,QAAQ,CAAC0B,eAAe,EAAE,EAAE;IACvD,MAAM,IAAIrB,oBAAY,CAAC,2DAA2D,CAAC;EACrF;EAEA,IAAIU,WAAW,CAACY,IAAI,KAAK,KAAK,EAAE;IAC9B;IACA,OAAOZ,WAAW;EACpB;EAEA,OAAOD,WAAW,CAACf,GAAG,EAAEgB,WAAW,CAAC;AACtC"}

package/cjs/services/RenewOnTabActivationService.js

@@ -0,0 +1,64 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+exports.RenewOnTabActivationService = void 0;
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _features = require("../features");
+const getNow = () => Math.floor(Date.now() / 1000);
+class RenewOnTabActivationService {
+  constructor(tokenManager, options = {}) {
+    (0, _defineProperty2.default)(this, "started", false);
+    (0, _defineProperty2.default)(this, "lastHidden", -1);
+    this.tokenManager = tokenManager;
+    this.options = options;
+    // store this context for event handler
+    this.onPageVisbilityChange = this._onPageVisbilityChange.bind(this);
+  }
+
+  // do not use directly, use `onPageVisbilityChange` (with binded this context)
+  /* eslint complexity: [0, 10] */
+  _onPageVisbilityChange() {
+    if (document.hidden) {
+      this.lastHidden = getNow();
+    }
+    // renew will only attempt if tab was inactive for duration
+    else if (this.lastHidden > 0 && getNow() - this.lastHidden >= this.options.tabInactivityDuration) {
+      const {
+        accessToken,
+        idToken
+      } = this.tokenManager.getTokensSync();
+      if (!!accessToken && this.tokenManager.hasExpired(accessToken)) {
+        const key = this.tokenManager.getStorageKeyByType('accessToken');
+        // Renew errors will emit an "error" event
+        this.tokenManager.renew(key).catch(() => {});
+      } else if (!!idToken && this.tokenManager.hasExpired(idToken)) {
+        const key = this.tokenManager.getStorageKeyByType('idToken');
+        // Renew errors will emit an "error" event
+        this.tokenManager.renew(key).catch(() => {});
+      }
+    }
+  }
+  async start() {
+    if (this.canStart() && !!document) {
+      document.addEventListener('visibilitychange', this.onPageVisbilityChange);
+      this.started = true;
+    }
+  }
+  async stop() {
+    if (document) {
+      document.removeEventListener('visibilitychange', this.onPageVisbilityChange);
+      this.started = false;
+    }
+  }
+  canStart() {
+    return (0, _features.isBrowser)() && !!this.options.autoRenew && !!this.options.renewOnTabActivation && !this.started;
+  }
+  requiresLeadership() {
+    return false;
+  }
+  isStarted() {
+    return this.started;
+  }
+}
+exports.RenewOnTabActivationService = RenewOnTabActivationService;
+//# sourceMappingURL=RenewOnTabActivationService.js.map

package/cjs/services/RenewOnTabActivationService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RenewOnTabActivationService.js","names":["getNow","Math","floor","Date","now","RenewOnTabActivationService","constructor","tokenManager","options","onPageVisbilityChange","_onPageVisbilityChange","bind","document","hidden","lastHidden","tabInactivityDuration","accessToken","idToken","getTokensSync","hasExpired","key","getStorageKeyByType","renew","catch","start","canStart","addEventListener","started","stop","removeEventListener","isBrowser","autoRenew","renewOnTabActivation","requiresLeadership","isStarted"],"sources":["../../../lib/services/RenewOnTabActivationService.ts"],"sourcesContent":["import { ServiceInterface, ServiceManagerOptions } from '../core/types';\nimport { TokenManagerInterface } from '../oidc/types';\nimport { isBrowser } from '../features';\n\nconst getNow = () => Math.floor(Date.now() / 1000);\n\nexport class RenewOnTabActivationService implements ServiceInterface {\n  private tokenManager: TokenManagerInterface;\n  private started = false;\n  private options: ServiceManagerOptions;\n  private lastHidden = -1;\n  onPageVisbilityChange: () => void;\n\n  constructor(tokenManager: TokenManagerInterface, options: ServiceManagerOptions = {}) {\n    this.tokenManager = tokenManager;\n    this.options = options;\n    // store this context for event handler\n    this.onPageVisbilityChange = this._onPageVisbilityChange.bind(this);\n  }\n\n  // do not use directly, use `onPageVisbilityChange` (with binded this context)\n  /* eslint complexity: [0, 10] */\n  private _onPageVisbilityChange () {\n    if (document.hidden) {\n      this.lastHidden = getNow();\n    }\n    // renew will only attempt if tab was inactive for duration\n    else if (this.lastHidden > 0 && (getNow() - this.lastHidden >= this.options.tabInactivityDuration!)) {\n      const { accessToken, idToken } = this.tokenManager.getTokensSync();\n      if (!!accessToken && this.tokenManager.hasExpired(accessToken)) {\n        const key = this.tokenManager.getStorageKeyByType('accessToken');\n        // Renew errors will emit an \"error\" event\n        this.tokenManager.renew(key).catch(() => {});\n      }\n      else if (!!idToken && this.tokenManager.hasExpired(idToken)) {\n        const key = this.tokenManager.getStorageKeyByType('idToken');\n        // Renew errors will emit an \"error\" event\n        this.tokenManager.renew(key).catch(() => {});\n      }\n    }\n  }\n\n  async start () {\n    if (this.canStart() && !!document) {\n      document.addEventListener('visibilitychange', this.onPageVisbilityChange);\n      this.started = true;\n    }\n  }\n\n  async stop () {\n    if (document) {\n      document.removeEventListener('visibilitychange', this.onPageVisbilityChange);\n      this.started = false;\n    }\n  }\n\n  canStart(): boolean {\n    return isBrowser() &&\n    !!this.options.autoRenew &&\n    !!this.options.renewOnTabActivation &&\n    !this.started;\n  }\n\n  requiresLeadership(): boolean {\n    return false;\n  }\n\n  isStarted(): boolean {\n    return this.started;\n  }\n}\n"],"mappings":";;;;;AAEA;AAEA,MAAMA,MAAM,GAAG,MAAMC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACC,GAAG,EAAE,GAAG,IAAI,CAAC;AAE3C,MAAMC,2BAA2B,CAA6B;EAOnEC,WAAW,CAACC,YAAmC,EAAEC,OAA8B,GAAG,CAAC,CAAC,EAAE;IAAA,+CALpE,KAAK;IAAA,kDAEF,CAAC,CAAC;IAIrB,IAAI,CAACD,YAAY,GAAGA,YAAY;IAChC,IAAI,CAACC,OAAO,GAAGA,OAAO;IACtB;IACA,IAAI,CAACC,qBAAqB,GAAG,IAAI,CAACC,sBAAsB,CAACC,IAAI,CAAC,IAAI,CAAC;EACrE;;EAEA;EACA;EACQD,sBAAsB,GAAI;IAChC,IAAIE,QAAQ,CAACC,MAAM,EAAE;MACnB,IAAI,CAACC,UAAU,GAAGd,MAAM,EAAE;IAC5B;IACA;IAAA,KACK,IAAI,IAAI,CAACc,UAAU,GAAG,CAAC,IAAKd,MAAM,EAAE,GAAG,IAAI,CAACc,UAAU,IAAI,IAAI,CAACN,OAAO,CAACO,qBAAuB,EAAE;MACnG,MAAM;QAAEC,WAAW;QAAEC;MAAQ,CAAC,GAAG,IAAI,CAACV,YAAY,CAACW,aAAa,EAAE;MAClE,IAAI,CAAC,CAACF,WAAW,IAAI,IAAI,CAACT,YAAY,CAACY,UAAU,CAACH,WAAW,CAAC,EAAE;QAC9D,MAAMI,GAAG,GAAG,IAAI,CAACb,YAAY,CAACc,mBAAmB,CAAC,aAAa,CAAC;QAChE;QACA,IAAI,CAACd,YAAY,CAACe,KAAK,CAACF,GAAG,CAAC,CAACG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;MAC9C,CAAC,MACI,IAAI,CAAC,CAACN,OAAO,IAAI,IAAI,CAACV,YAAY,CAACY,UAAU,CAACF,OAAO,CAAC,EAAE;QAC3D,MAAMG,GAAG,GAAG,IAAI,CAACb,YAAY,CAACc,mBAAmB,CAAC,SAAS,CAAC;QAC5D;QACA,IAAI,CAACd,YAAY,CAACe,KAAK,CAACF,GAAG,CAAC,CAACG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;MAC9C;IACF;EACF;EAEA,MAAMC,KAAK,GAAI;IACb,IAAI,IAAI,CAACC,QAAQ,EAAE,IAAI,CAAC,CAACb,QAAQ,EAAE;MACjCA,QAAQ,CAACc,gBAAgB,CAAC,kBAAkB,EAAE,IAAI,CAACjB,qBAAqB,CAAC;MACzE,IAAI,CAACkB,OAAO,GAAG,IAAI;IACrB;EACF;EAEA,MAAMC,IAAI,GAAI;IACZ,IAAIhB,QAAQ,EAAE;MACZA,QAAQ,CAACiB,mBAAmB,CAAC,kBAAkB,EAAE,IAAI,CAACpB,qBAAqB,CAAC;MAC5E,IAAI,CAACkB,OAAO,GAAG,KAAK;IACtB;EACF;EAEAF,QAAQ,GAAY;IAClB,OAAO,IAAAK,mBAAS,GAAE,IAClB,CAAC,CAAC,IAAI,CAACtB,OAAO,CAACuB,SAAS,IACxB,CAAC,CAAC,IAAI,CAACvB,OAAO,CAACwB,oBAAoB,IACnC,CAAC,IAAI,CAACL,OAAO;EACf;EAEAM,kBAAkB,GAAY;IAC5B,OAAO,KAAK;EACd;EAEAC,SAAS,GAAY;IACnB,OAAO,IAAI,CAACP,OAAO;EACrB;AACF;AAAC"}

package/cjs/services/index.js

@@ -33,4 +33,15 @@ Object.keys(_LeaderElectionService).forEach(function (key) {
     }
   });
 });
+var _RenewOnTabActivationService = require("./RenewOnTabActivationService");
+Object.keys(_RenewOnTabActivationService).forEach(function (key) {
+  if (key === "default" || key === "__esModule") return;
+  if (key in exports && exports[key] === _RenewOnTabActivationService[key]) return;
+  Object.defineProperty(exports, key, {
+    enumerable: true,
+    get: function () {
+      return _RenewOnTabActivationService[key];
+    }
+  });
+});
 //# sourceMappingURL=index.js.map

package/cjs/services/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":[],"sources":["../../../lib/services/index.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nexport * from './AutoRenewService';\nexport * from './SyncStorageService';\nexport * from './LeaderElectionService';\n"],"mappings":";;AAaA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA"}
+{"version":3,"file":"index.js","names":[],"sources":["../../../lib/services/index.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nexport * from './AutoRenewService';\nexport * from './SyncStorageService';\nexport * from './LeaderElectionService';\nexport * from './RenewOnTabActivationService';\n"],"mappings":";;AAaA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AACA;AAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA"}