@okta/okta-auth-js 7.6.0 → 7.7.1

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # Changelog
 
+# 7.7.1
+
+- [#1529](https://github.com/okta/okta-auth-js/pull/1529) fix: persist `extraParams` passed to `/authorize` and include them during token refresh
+
+## 7.7.0
+
+### Features
+
+- [#1495](https://github.com/okta/okta-auth-js/pull/1495) add: DPoP support
+
+### Fixes
+
+- [#1508](https://github.com/okta/okta-auth-js/pull/1508) IDX: add condition to compare stateHandles when loading saved idxResponse only when useGenericRemediator option is false or undefined
+
+
 ## 7.6.0
 
 ### Features

package/README.md

@@ -399,6 +399,105 @@ Additionally, if using hash routing, we recommend using PKCE and responseMode "q
    2. Add tokens to the  `TokenManager`: [tokenManager.setTokens](#tokenmanagersettokenstokens)
 6. Read saved route and redirect to it: [getOriginalUri](#getoriginaluristate)
 
+### Enabling DPoP
+<sub><sup>*Reference: DPoP (Demonstrating Proof-of-Possession) - [RFC9449](https://datatracker.ietf.org/doc/html/rfc9449)*</sub></sup>
+
+#### Requirements
+* `DPoP` must be enabled in your Okta application ([Guide: Configure DPoP](https://developer.okta.com/docs/guides/dpop/main/))
+* Only supported on web (browser)
+* `https` is required. A [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) is required for `WebCrypto.subtle`
+* Targeted browsers must support `IndexedDB` ([MDN](https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API), [caniuse](https://caniuse.com/indexeddb))
+* :warning: IE11 (and lower) is not supported!
+
+#### Configuration
+```javascript
+const config = {
+  // other configurations
+  pkce: true,     // required
+  dpop: true,
+};
+
+const authClient = new OktaAuth(config);
+```
+
+#### Providing DPoP Proof to Resource Requests
+<sub><sup>*Reference: **The DPoP Authentication Scheme** ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449#name-the-dpop-authentication-sch))*</sub></sup>
+
+##### DPoP-Protected Resource Request ([link](https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-protected-resource-req))
+```
+GET /protectedresource HTTP/1.1
+Host: resource.example.org
+Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
+DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsIm...
+```
+
+##### Fetching DPoP-Protected Resource
+```javascript
+async function dpopAuthenticatedFetch (url, options) {
+  const { method } = options;
+  const dpop = await authClient.getDPoPAuthorizationHeaders({ url, method });
+  // dpop = { Authorization: "DPoP token****", Dpop: "proof****" }
+  const headers = new Headers({...options.headers, ...dpop});
+  return fetch(url, {...options, headers });
+}
+```
+
+#### Handling `use_dpop_nonce`
+<sub><sup>*Reference: **Resource Server-Provided Nonce** ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449#name-resource-server-provided-no))*</sub></sup>
+
+> Resource servers can also choose to provide a nonce value to be included in DPoP proofs sent to them. They provide the nonce using the DPoP-Nonce header in the same way that authorization servers do...
+
+##### Resource Server Response
+```
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: DPoP error="use_dpop_nonce", \
+   error_description="Resource server requires nonce in DPoP proof"
+DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
+```
+##### Handling Response
+```javascript
+async function dpopAuthenticatedFetch (url, options) {
+  // ...previous example...
+  const resp = await fetch(url, {...options, headers });
+  // resp = HTTP/1.1 401 Unauthorized...
+
+  if (!resp.ok) {
+    const nonce = authClient.parseUseDPoPNonceError(resp.headers);
+    if (nonce) {
+      const retryDpop = await authClient.getDPoPAuthorizationHeaders({ url, method, nonce });
+      const retryHeaders = new Headers({...options.headers, ...retryDpop});
+      return fetch(url, {...options, headers: retryHeaders });
+    }
+  }
+
+  return resp;
+}
+```
+
+#### Ensure browser can support DPoP (*Recommended*)
+DPoP requires certain browser features. A user using a browser without the required features will unable to complete a request for tokens. It's recommended to verify browser support during application bootstrapping.
+
+```javascript
+// App.tsx
+useEffect(() => {
+  if (!authClient.features.isDPoPSupported()) {
+    // user will be unable to request tokens
+    navigate('/unsupported-error-page');
+  }
+}, []);
+```
+
+#### Clear DPoP Storage (*Recommended*)
+DPoP requires the generation of a `CryptoKeyPair` which needs to be persisted in storage. Methods like `signOut()` or `revokeAccessToken()` will clear the key pair, however users don't always explicitly logout. It's therefore good practice to clear storage before login to flush any orphaned key pairs generated from previously requested tokens.
+
+```javascript
+async function login (options) {
+  await authClient.clearDPoPStorage();      // clear possibly orphaned key pairs
+
+  return authClient.signInWithRedirect(options);
+}
+```
+
 ## Configuration reference
 
 Whether you are using this SDK to implement an OIDC flow or for communicating with the [Authentication API](https://developer.okta.com/docs/api/resources/authn), the only required configuration option is `issuer`, which is the URL to an Okta [Authorization Server](https://developer.okta.com/docs/guides/customize-authz-server/overview/)
@@ -470,6 +569,13 @@ A client-provided string that will be passed to the server endpoint and returned
 
 Default value is `true` which enables the [PKCE OAuth Flow](#pkce-oauth-20-flow). To use the [Implicit Flow](#implicit-oauth-20-flow) or [Authorization Code Flow](#authorization-code-flow-for-web-and-native-client-types), set `pkce` to `false`.
 
+#### `dpop`
+
+Default value is `false`. Set to `true` to enable `DPoP` (Demonstrating Proof-of-Possession ([RFC9449](https://datatracker.ietf.org/doc/html/rfc9449)))
+
+See Guide: [Enabling DPoP](#enabling-dpop)
+
+
 #### responseMode
 
 When requesting tokens using [token.getWithRedirect](#tokengetwithredirectoptions) values will be returned as parameters appended to the [redirectUri](#configuration-options).
@@ -915,6 +1021,9 @@ The amount of time, in seconds, a tab needs to be inactive for the `RenewOnTabAc
 * [tx.resume](#txresume)
 * [tx.exists](#txexists)
 * [transaction.status](#transactionstatus)
+* [getDPoPAuthorizationHeaders](#getdpopauthorizationheaders)
+* [parseUseDPoPNonceError](#parseusedpopnonceerror)
+* [clearDPoPStorage](#cleardpopstorage)
 * [session](#session)
   * [session.setCookieAndRedirect](#sessionsetcookieandredirectsessiontoken-redirecturi)
   * [session.exists](#sessionexists)
@@ -1270,6 +1379,39 @@ See [authn API](docs/authn.md#txexists).
 
 See [authn API](docs/authn.md#transactionstatus).
 
+### `getDPoPAuthorizationHeaders(params)`
+
+> :link: web browser only <br>
+> :hourglass: async <br>
+
+Requires [dpop](#dpop) set to `true`. Returns `Authorization` and `Dpop` header values to build a DPoP protected-request.
+
+Params: `url` and (http) `method` are required.
+*  `accessToken` is optional, but will be read from `tokenStorage` if not provided
+*  `nonce` is optional, may be provided via `use_dpop_nonce` pattern from Resource Server ([more info](#handling-use_dpop_nonce))
+
+### `parseUseDPoPNonceError(headers)`
+
+> :link: web browser only <br>
+
+Utility to extract and parse the `WWW-Authenticate` and `DPoP-Nonce` headers from a network response from a DPoP-protected request. Should the response be in the following format, the `nonce` value will be returned. Otherwise returns `null`
+
+```
+HTTP/1.1 401 Unauthorized
+WWW-Authenticate: DPoP error="use_dpop_nonce", \
+   error_description="Resource server requires nonce in DPoP proof"
+DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
+```
+
+### `clearDPoPStorage(clearAll=false)`
+
+> :link: web browser only <br>
+> :hourglass: async <br>
+
+Clears storage location of `CryptoKeyPair`s generated and used by DPoP. Pass `true` to remove all key pairs as it's possible for orphaned key pairs to exist. If `clearAll` is `false`, the key pair bound to the current `accessToken` in tokenStorage will be removed.
+
+It's recommended to call this function during user login. [See Example](#clear-dpop-storage-recommended)
+
 ### `session`
 
 #### `session.setCookieAndRedirect(sessionToken, redirectUri)`

package/cjs/base/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","names":[],"sources":["../../../lib/base/types.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport * as constants from '../constants';\n\nexport declare class EventEmitter {\n  on   (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  once (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  emit (event: string, ...args: any[]): EventEmitter;\n  off  (event: string, callback?: (...args: any[]) => any): EventEmitter;\n}\n\nexport interface FeaturesAPI {\n  isLocalhost(): boolean;\n  isHTTPS(): boolean;\n  isPopupPostMessageSupported(): boolean;\n  hasTextEncoder(): boolean;\n  isTokenVerifySupported(): boolean;\n  isPKCESupported(): boolean;\n  isIE11OrLess(): boolean;\n}\n\n\n// options that can be passed to AuthJS\nexport interface OktaAuthBaseOptions {\n  devMode?: boolean;\n}\n\n// a class that constructs options\nexport interface OktaAuthOptionsConstructor<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  new(args: any): O;\n}\n\n// a \"base\" instance of AuthJS\nexport interface OktaAuthBaseInterface<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  options: O;\n  emitter: EventEmitter;\n  features: FeaturesAPI;\n}\n\n// a constructor that returns an instance of AuthJS\nexport interface OktaAuthConstructor\n<\n  I extends OktaAuthBaseInterface = OktaAuthBaseInterface\n> \n{\n  new(...args: any[]): I;\n  features: FeaturesAPI; // static class member\n  constants: typeof constants;\n}\n"],"mappings":""}
+{"version":3,"file":"types.js","names":[],"sources":["../../../lib/base/types.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport * as constants from '../constants';\n\nexport declare class EventEmitter {\n  on   (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  once (event: string, callback: (...args: any[]) => any, ctx?: any): EventEmitter;\n  emit (event: string, ...args: any[]): EventEmitter;\n  off  (event: string, callback?: (...args: any[]) => any): EventEmitter;\n}\n\nexport interface FeaturesAPI {\n  isLocalhost(): boolean;\n  isHTTPS(): boolean;\n  isPopupPostMessageSupported(): boolean;\n  hasTextEncoder(): boolean;\n  isTokenVerifySupported(): boolean;\n  isPKCESupported(): boolean;\n  isIE11OrLess(): boolean;\n  isDPoPSupported(): boolean;\n}\n\n\n// options that can be passed to AuthJS\nexport interface OktaAuthBaseOptions {\n  devMode?: boolean;\n}\n\n// a class that constructs options\nexport interface OktaAuthOptionsConstructor<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  new(args: any): O;\n}\n\n// a \"base\" instance of AuthJS\nexport interface OktaAuthBaseInterface<O extends OktaAuthBaseOptions = OktaAuthBaseOptions> {\n  options: O;\n  emitter: EventEmitter;\n  features: FeaturesAPI;\n}\n\n// a constructor that returns an instance of AuthJS\nexport interface OktaAuthConstructor\n<\n  I extends OktaAuthBaseInterface = OktaAuthBaseInterface\n> \n{\n  new(...args: any[]): I;\n  features: FeaturesAPI; // static class member\n  constants: typeof constants;\n}\n"],"mappings":""}

package/cjs/errors/OAuthError.js

@@ -2,6 +2,7 @@
 
 var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
 exports.default = void 0;
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
 var _CustomError = _interopRequireDefault(require("./CustomError"));
 /* eslint-disable camelcase */
 /*!
@@ -19,8 +20,9 @@ var _CustomError = _interopRequireDefault(require("./CustomError"));
 class OAuthError extends _CustomError.default {
   // for widget / idx-js backward compatibility
 
-  constructor(errorCode, summary) {
+  constructor(errorCode, summary, resp) {
     super(summary);
+    (0, _defineProperty2.default)(this, "resp", null);
     this.name = 'OAuthError';
     this.errorCode = errorCode;
     this.errorSummary = summary;
@@ -28,6 +30,12 @@ class OAuthError extends _CustomError.default {
     // for widget / idx-js backward compatibility
     this.error = errorCode;
     this.error_description = summary;
+
+    // an OAuth error (should) always result from a network request
+    // therefore include that in error for potential error handling
+    if (resp) {
+      this.resp = resp;
+    }
   }
 }
 exports.default = OAuthError;

package/cjs/errors/OAuthError.js.map

@@ -1 +1 @@
-{"version":3,"file":"OAuthError.js","names":["OAuthError","CustomError","constructor","errorCode","summary","name","errorSummary","error","error_description"],"sources":["../../../lib/errors/OAuthError.ts"],"sourcesContent":["/* eslint-disable camelcase */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport CustomError from './CustomError';\n\nexport default class OAuthError extends CustomError {\n  errorCode: string;\n  errorSummary: string;\n\n  // for widget / idx-js backward compatibility\n  error: string;\n  error_description: string;\n\n  constructor(errorCode: string, summary: string) {\n    super(summary);\n\n    this.name = 'OAuthError';\n    this.errorCode = errorCode;\n    this.errorSummary = summary;\n\n    // for widget / idx-js backward compatibility\n    this.error = errorCode;\n    this.error_description = summary;\n  }\n}\n\n"],"mappings":";;;;AAaA;AAbA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAIe,MAAMA,UAAU,SAASC,oBAAW,CAAC;EAIlD;;EAIAC,WAAW,CAACC,SAAiB,EAAEC,OAAe,EAAE;IAC9C,KAAK,CAACA,OAAO,CAAC;IAEd,IAAI,CAACC,IAAI,GAAG,YAAY;IACxB,IAAI,CAACF,SAAS,GAAGA,SAAS;IAC1B,IAAI,CAACG,YAAY,GAAGF,OAAO;;IAE3B;IACA,IAAI,CAACG,KAAK,GAAGJ,SAAS;IACtB,IAAI,CAACK,iBAAiB,GAAGJ,OAAO;EAClC;AACF;AAAC;AAAA"}
+{"version":3,"file":"OAuthError.js","names":["OAuthError","CustomError","constructor","errorCode","summary","resp","name","errorSummary","error","error_description"],"sources":["../../../lib/errors/OAuthError.ts"],"sourcesContent":["/* eslint-disable camelcase */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport CustomError from './CustomError';\nimport type { HttpResponse } from '../http';\n\nexport default class OAuthError extends CustomError {\n  errorCode: string;\n  errorSummary: string;\n\n  // for widget / idx-js backward compatibility\n  error: string;\n  error_description: string;\n\n  resp: HttpResponse | null = null;\n\n  constructor(errorCode: string, summary: string, resp?: HttpResponse) {\n    super(summary);\n\n    this.name = 'OAuthError';\n    this.errorCode = errorCode;\n    this.errorSummary = summary;\n\n    // for widget / idx-js backward compatibility\n    this.error = errorCode;\n    this.error_description = summary;\n\n    // an OAuth error (should) always result from a network request\n    // therefore include that in error for potential error handling\n    if (resp) {\n      this.resp = resp;\n    }\n  }\n}\n\n"],"mappings":";;;;;AAaA;AAbA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKe,MAAMA,UAAU,SAASC,oBAAW,CAAC;EAIlD;;EAMAC,WAAW,CAACC,SAAiB,EAAEC,OAAe,EAAEC,IAAmB,EAAE;IACnE,KAAK,CAACD,OAAO,CAAC;IAAC,4CAHW,IAAI;IAK9B,IAAI,CAACE,IAAI,GAAG,YAAY;IACxB,IAAI,CAACH,SAAS,GAAGA,SAAS;IAC1B,IAAI,CAACI,YAAY,GAAGH,OAAO;;IAE3B;IACA,IAAI,CAACI,KAAK,GAAGL,SAAS;IACtB,IAAI,CAACM,iBAAiB,GAAGL,OAAO;;IAEhC;IACA;IACA,IAAIC,IAAI,EAAE;MACR,IAAI,CAACA,IAAI,GAAGA,IAAI;IAClB;EACF;AACF;AAAC;AAAA"}

package/cjs/errors/WWWAuthError.js

@@ -0,0 +1,98 @@
+"use strict";
+
+var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefault");
+exports.default = void 0;
+var _defineProperty2 = _interopRequireDefault(require("@babel/runtime/helpers/defineProperty"));
+var _CustomError = _interopRequireDefault(require("./CustomError"));
+var _util = require("../util");
+/*!
+ * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.
+ * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the "License.")
+ *
+ * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and limitations under the License.
+ */
+
+// Error thrown after an unsuccessful network request which requires an Authorization header 
+// and returns a 4XX error with a www-authenticate header. The header value is parsed to construct 
+// an error instance, which contains key/value pairs parsed out
+class WWWAuthError extends _CustomError.default {
+  constructor(scheme, parameters, resp) {
+    // defaults to unknown error. `error` being returned in the www-authenticate header is expected
+    // but cannot be guaranteed. Throwing an error within a error constructor seems awkward
+    super(parameters.error ?? WWWAuthError.UNKNOWN_ERROR);
+    (0, _defineProperty2.default)(this, "name", 'WWWAuthError');
+    (0, _defineProperty2.default)(this, "resp", null);
+    this.scheme = scheme;
+    this.parameters = parameters;
+    if (resp) {
+      this.resp = resp;
+    }
+  }
+
+  // convenience references
+  get error() {
+    return this.parameters.error;
+  }
+  get errorCode() {
+    return this.error;
+  } // parity with other error props
+  // eslint-disable-next-line camelcase
+  get error_description() {
+    return this.parameters.error_description;
+  }
+  // eslint-disable-next-line camelcase
+  get errorDescription() {
+    return this.error_description;
+  }
+  get errorSummary() {
+    return this.errorDescription;
+  } // parity with other error props
+  get realm() {
+    return this.parameters.realm;
+  }
+
+  // parses the www-authenticate header for releveant
+  static parseHeader(header) {
+    // header cannot be empty string
+    if (!header) {
+      return null;
+    }
+
+    // example string: Bearer error="invalid_token", error_description="The access token is invalid"
+    // regex will match on `error="invalid_token", error_description="The access token is invalid"`
+    // see unit test for more examples of possible www-authenticate values
+    // eslint-disable-next-line max-len
+    const regex = /(?:,|, )?([a-zA-Z0-9!#$%&'*+\-.^_`|~]+)=(?:"([a-zA-Z0-9!#$%&'*+\-.,^_`|~ /:]+)"|([a-zA-Z0-9!#$%&'*+\-.^_`|~/:]+))/g;
+    const firstSpace = header.indexOf(' ');
+    const scheme = header.slice(0, firstSpace);
+    const remaining = header.slice(firstSpace + 1);
+    const params = {};
+
+    // Reference: foo="hello", bar="bye"
+    // i=0, match=[foo="hello1", foo, hello]
+    // i=1, match=[bar="bye", bar, bye]
+    let match;
+    while ((match = regex.exec(remaining)) !== null) {
+      params[match[1]] = match[2] ?? match[3];
+    }
+    return new WWWAuthError(scheme, params);
+  }
+
+  // finds the value of the `www-authenticate` header. HeadersInit allows for a few different
+  // representations of headers with different access patterns (.get vs [key])
+  static getWWWAuthenticateHeader(headers = {}) {
+    if ((0, _util.isFunction)(headers?.get)) {
+      return headers.get('WWW-Authenticate');
+    }
+    return headers['www-authenticate'] ?? headers['WWW-Authenticate'];
+  }
+}
+exports.default = WWWAuthError;
+(0, _defineProperty2.default)(WWWAuthError, "UNKNOWN_ERROR", 'UNKNOWN_WWW_AUTH_ERROR');
+module.exports = exports.default;
+//# sourceMappingURL=WWWAuthError.js.map

package/cjs/errors/WWWAuthError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"WWWAuthError.js","names":["WWWAuthError","CustomError","constructor","scheme","parameters","resp","error","UNKNOWN_ERROR","errorCode","error_description","errorDescription","errorSummary","realm","parseHeader","header","regex","firstSpace","indexOf","slice","remaining","params","match","exec","getWWWAuthenticateHeader","headers","isFunction","get"],"sources":["../../../lib/errors/WWWAuthError.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport type { HttpResponse } from '../http';\nimport CustomError from './CustomError';\nimport { isFunction } from '../util';\n\n// Error thrown after an unsuccessful network request which requires an Authorization header \n// and returns a 4XX error with a www-authenticate header. The header value is parsed to construct \n// an error instance, which contains key/value pairs parsed out\nexport default class WWWAuthError extends CustomError {\n  static UNKNOWN_ERROR = 'UNKNOWN_WWW_AUTH_ERROR';\n\n  scheme: string;\n  parameters: Record<string, string>;\n  name = 'WWWAuthError';\n\n  resp: HttpResponse | null = null;\n\n  constructor(scheme: string, parameters: Record<string, string>, resp?: HttpResponse) {\n    // defaults to unknown error. `error` being returned in the www-authenticate header is expected\n    // but cannot be guaranteed. Throwing an error within a error constructor seems awkward\n    super(parameters.error ?? WWWAuthError.UNKNOWN_ERROR);\n    this.scheme = scheme;\n    this.parameters = parameters;\n\n    if (resp) {\n      this.resp = resp;\n    }\n  }\n\n  // convenience references\n  get error (): string { return this.parameters.error; }\n  get errorCode (): string { return this.error; }                 // parity with other error props\n  // eslint-disable-next-line camelcase\n  get error_description (): string { return this.parameters.error_description; }\n  // eslint-disable-next-line camelcase\n  get errorDescription (): string { return this.error_description; }\n  get errorSummary (): string { return this.errorDescription; }   // parity with other error props\n  get realm (): string { return this.parameters.realm; }\n\n  // parses the www-authenticate header for releveant\n  static parseHeader (header: string): WWWAuthError | null {\n    // header cannot be empty string\n    if (!header) {\n      return null;\n    }\n\n    // example string: Bearer error=\"invalid_token\", error_description=\"The access token is invalid\"\n    // regex will match on `error=\"invalid_token\", error_description=\"The access token is invalid\"`\n    // see unit test for more examples of possible www-authenticate values\n    // eslint-disable-next-line max-len\n    const regex = /(?:,|, )?([a-zA-Z0-9!#$%&'*+\\-.^_`|~]+)=(?:\"([a-zA-Z0-9!#$%&'*+\\-.,^_`|~ /:]+)\"|([a-zA-Z0-9!#$%&'*+\\-.^_`|~/:]+))/g;\n    const firstSpace = header.indexOf(' ');\n    const scheme = header.slice(0, firstSpace);\n    const remaining = header.slice(firstSpace + 1);\n    const params = {};\n\n    // Reference: foo=\"hello\", bar=\"bye\"\n    // i=0, match=[foo=\"hello1\", foo, hello]\n    // i=1, match=[bar=\"bye\", bar, bye]\n    let match;\n    while ((match = regex.exec(remaining)) !== null) {\n      params[match[1]] = (match[2] ?? match[3]);\n    }\n\n    return new WWWAuthError(scheme, params);\n  }\n\n  // finds the value of the `www-authenticate` header. HeadersInit allows for a few different\n  // representations of headers with different access patterns (.get vs [key])\n  static getWWWAuthenticateHeader (headers: HeadersInit = {}): string | null {\n    if (isFunction((headers as Headers)?.get)) {\n      return (headers as Headers).get('WWW-Authenticate');\n    }\n    return headers['www-authenticate'] ?? headers['WWW-Authenticate'];\n  }\n}\n"],"mappings":";;;;;AAcA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACA;AACe,MAAMA,YAAY,SAASC,oBAAW,CAAC;EASpDC,WAAW,CAACC,MAAc,EAAEC,UAAkC,EAAEC,IAAmB,EAAE;IACnF;IACA;IACA,KAAK,CAACD,UAAU,CAACE,KAAK,IAAIN,YAAY,CAACO,aAAa,CAAC;IAAC,4CAPjD,cAAc;IAAA,4CAEO,IAAI;IAM9B,IAAI,CAACJ,MAAM,GAAGA,MAAM;IACpB,IAAI,CAACC,UAAU,GAAGA,UAAU;IAE5B,IAAIC,IAAI,EAAE;MACR,IAAI,CAACA,IAAI,GAAGA,IAAI;IAClB;EACF;;EAEA;EACA,IAAIC,KAAK,GAAY;IAAE,OAAO,IAAI,CAACF,UAAU,CAACE,KAAK;EAAE;EACrD,IAAIE,SAAS,GAAY;IAAE,OAAO,IAAI,CAACF,KAAK;EAAE,CAAC,CAAiB;EAChE;EACA,IAAIG,iBAAiB,GAAY;IAAE,OAAO,IAAI,CAACL,UAAU,CAACK,iBAAiB;EAAE;EAC7E;EACA,IAAIC,gBAAgB,GAAY;IAAE,OAAO,IAAI,CAACD,iBAAiB;EAAE;EACjE,IAAIE,YAAY,GAAY;IAAE,OAAO,IAAI,CAACD,gBAAgB;EAAE,CAAC,CAAG;EAChE,IAAIE,KAAK,GAAY;IAAE,OAAO,IAAI,CAACR,UAAU,CAACQ,KAAK;EAAE;;EAErD;EACA,OAAOC,WAAW,CAAEC,MAAc,EAAuB;IACvD;IACA,IAAI,CAACA,MAAM,EAAE;MACX,OAAO,IAAI;IACb;;IAEA;IACA;IACA;IACA;IACA,MAAMC,KAAK,GAAG,oHAAoH;IAClI,MAAMC,UAAU,GAAGF,MAAM,CAACG,OAAO,CAAC,GAAG,CAAC;IACtC,MAAMd,MAAM,GAAGW,MAAM,CAACI,KAAK,CAAC,CAAC,EAAEF,UAAU,CAAC;IAC1C,MAAMG,SAAS,GAAGL,MAAM,CAACI,KAAK,CAACF,UAAU,GAAG,CAAC,CAAC;IAC9C,MAAMI,MAAM,GAAG,CAAC,CAAC;;IAEjB;IACA;IACA;IACA,IAAIC,KAAK;IACT,OAAO,CAACA,KAAK,GAAGN,KAAK,CAACO,IAAI,CAACH,SAAS,CAAC,MAAM,IAAI,EAAE;MAC/CC,MAAM,CAACC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAIA,KAAK,CAAC,CAAC,CAAC,IAAIA,KAAK,CAAC,CAAC,CAAE;IAC3C;IAEA,OAAO,IAAIrB,YAAY,CAACG,MAAM,EAAEiB,MAAM,CAAC;EACzC;;EAEA;EACA;EACA,OAAOG,wBAAwB,CAAEC,OAAoB,GAAG,CAAC,CAAC,EAAiB;IACzE,IAAI,IAAAC,gBAAU,EAAED,OAAO,EAAcE,GAAG,CAAC,EAAE;MACzC,OAAQF,OAAO,CAAaE,GAAG,CAAC,kBAAkB,CAAC;IACrD;IACA,OAAOF,OAAO,CAAC,kBAAkB,CAAC,IAAIA,OAAO,CAAC,kBAAkB,CAAC;EACnE;AACF;AAAC;AAAA,8BAnEoBxB,YAAY,mBACR,wBAAwB;AAAA"}

package/cjs/errors/index.js

@@ -4,10 +4,12 @@ var _interopRequireDefault = require("@babel/runtime/helpers/interopRequireDefau
 var _exportNames = {
   isAuthApiError: true,
   isOAuthError: true,
+  isWWWAuthError: true,
   AuthApiError: true,
   AuthPollStopError: true,
   AuthSdkError: true,
-  OAuthError: true
+  OAuthError: true,
+  WWWAuthError: true
 };
 Object.defineProperty(exports, "AuthApiError", {
   enumerable: true,
@@ -33,12 +35,20 @@ Object.defineProperty(exports, "OAuthError", {
     return _OAuthError.default;
   }
 });
+Object.defineProperty(exports, "WWWAuthError", {
+  enumerable: true,
+  get: function () {
+    return _WWWAuthError.default;
+  }
+});
 exports.isAuthApiError = isAuthApiError;
 exports.isOAuthError = isOAuthError;
+exports.isWWWAuthError = isWWWAuthError;
 var _AuthApiError = _interopRequireDefault(require("./AuthApiError"));
 var _AuthPollStopError = _interopRequireDefault(require("./AuthPollStopError"));
 var _AuthSdkError = _interopRequireDefault(require("./AuthSdkError"));
 var _OAuthError = _interopRequireDefault(require("./OAuthError"));
+var _WWWAuthError = _interopRequireDefault(require("./WWWAuthError"));
 var _types = require("./types");
 Object.keys(_types).forEach(function (key) {
   if (key === "default" || key === "__esModule") return;
@@ -69,4 +79,7 @@ function isAuthApiError(obj) {
 function isOAuthError(obj) {
   return obj instanceof _OAuthError.default;
 }
+function isWWWAuthError(obj) {
+  return obj instanceof _WWWAuthError.default;
+}
 //# sourceMappingURL=index.js.map

package/cjs/errors/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","names":["isAuthApiError","obj","AuthApiError","isOAuthError","OAuthError"],"sources":["../../../lib/errors/index.ts"],"sourcesContent":["\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport AuthApiError from './AuthApiError';\nimport AuthPollStopError from './AuthPollStopError';\nimport AuthSdkError from './AuthSdkError';\nimport OAuthError from './OAuthError';\n\nfunction isAuthApiError(obj: any): obj is AuthApiError {\n  return (obj instanceof AuthApiError);\n}\n\nfunction isOAuthError(obj: any): obj is OAuthError {\n  return (obj instanceof OAuthError);\n}\n\nexport {\n  isAuthApiError,\n  isOAuthError,\n  AuthApiError,\n  AuthPollStopError,\n  AuthSdkError,\n  OAuthError\n};\n\nexport * from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;AACA;AACA;AACA;AAmBA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAlCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA,SAASA,cAAc,CAACC,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYC,qBAAY;AACrC;AAEA,SAASC,YAAY,CAACF,GAAQ,EAAqB;EACjD,OAAQA,GAAG,YAAYG,mBAAU;AACnC"}
+{"version":3,"file":"index.js","names":["isAuthApiError","obj","AuthApiError","isOAuthError","OAuthError","isWWWAuthError","WWWAuthError"],"sources":["../../../lib/errors/index.ts"],"sourcesContent":["\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport AuthApiError from './AuthApiError';\nimport AuthPollStopError from './AuthPollStopError';\nimport AuthSdkError from './AuthSdkError';\nimport OAuthError from './OAuthError';\nimport WWWAuthError from './WWWAuthError';\n\nfunction isAuthApiError(obj: any): obj is AuthApiError {\n  return (obj instanceof AuthApiError);\n}\n\nfunction isOAuthError(obj: any): obj is OAuthError {\n  return (obj instanceof OAuthError);\n}\n\nfunction isWWWAuthError(obj: any): obj is WWWAuthError {\n  return (obj instanceof WWWAuthError);\n}\n\nexport {\n  isAuthApiError,\n  isOAuthError,\n  isWWWAuthError,\n  AuthApiError,\n  AuthPollStopError,\n  AuthSdkError,\n  OAuthError,\n  WWWAuthError\n};\n\nexport * from './types';\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA;AACA;AACA;AACA;AACA;AAyBA;AAAA;EAAA;EAAA;EAAA;EAAA;IAAA;IAAA;MAAA;IAAA;EAAA;AAAA;AAzCA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA,SAASA,cAAc,CAACC,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYC,qBAAY;AACrC;AAEA,SAASC,YAAY,CAACF,GAAQ,EAAqB;EACjD,OAAQA,GAAG,YAAYG,mBAAU;AACnC;AAEA,SAASC,cAAc,CAACJ,GAAQ,EAAuB;EACrD,OAAQA,GAAG,YAAYK,qBAAY;AACrC"}

package/cjs/features.js

@@ -3,6 +3,7 @@
 exports.getUserAgent = getUserAgent;
 exports.hasTextEncoder = hasTextEncoder;
 exports.isBrowser = isBrowser;
+exports.isDPoPSupported = isDPoPSupported;
 exports.isFingerprintSupported = isFingerprintSupported;
 exports.isHTTPS = isHTTPS;
 exports.isIE11OrLess = isIE11OrLess;
@@ -55,9 +56,12 @@ function isPopupPostMessageSupported() {
   }
   return false;
 }
-function isTokenVerifySupported() {
+function isWebCryptoSubtleSupported() {
   return typeof _crypto.webcrypto !== 'undefined' && _crypto.webcrypto !== null && typeof _crypto.webcrypto.subtle !== 'undefined' && typeof Uint8Array !== 'undefined';
 }
+function isTokenVerifySupported() {
+  return isWebCryptoSubtleSupported();
+}
 function hasTextEncoder() {
   return typeof TextEncoder !== 'undefined';
 }
@@ -74,4 +78,9 @@ function isLocalhost() {
   // eslint-disable-next-line compat/compat
   return isBrowser() && window.location.hostname === 'localhost';
 }
+
+// For now, DPoP is only supported on browsers
+function isDPoPSupported() {
+  return !isIE11OrLess() && typeof window.indexedDB !== 'undefined' && hasTextEncoder() && isWebCryptoSubtleSupported();
+}
 //# sourceMappingURL=features.js.map

package/cjs/features.js.map

@@ -1 +1 @@
-{"version":3,"file":"features.js","names":["isWindowsPhone","isBrowser","document","window","isIE11OrLess","documentMode","getUserAgent","navigator","userAgent","isFingerprintSupported","agent","test","isPopupPostMessageSupported","isIE8or9","postMessage","isTokenVerifySupported","webcrypto","subtle","Uint8Array","hasTextEncoder","TextEncoder","isPKCESupported","isHTTPS","location","protocol","isLocalhost","hostname"],"sources":["../../lib/features.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n/* eslint-disable node/no-unsupported-features/node-builtins */\n/* global document, window, TextEncoder, navigator */\n\nimport { webcrypto } from './crypto';\n\nconst isWindowsPhone = /windows phone|iemobile|wpdesktop/i;\t\n\nexport function isBrowser() {\n  return typeof document !== 'undefined' && typeof window !== 'undefined';\n}\n\nexport function isIE11OrLess() {\n  if (!isBrowser()) {\n    return false;\n  }\n  const documentMode = (document as any).documentMode;\n  return !!documentMode && documentMode <= 11;\n}\n\nexport function getUserAgent() {\n  return navigator.userAgent;\n}\n\nexport function isFingerprintSupported() {\n  const agent = getUserAgent();\n  return agent && !isWindowsPhone.test(agent);\t\n}\n\nexport function isPopupPostMessageSupported() {\n  if (!isBrowser()) {\n    return false;\n  }\n  const documentMode = (document as any).documentMode;\n  var isIE8or9 = documentMode && documentMode < 10;\n  if (typeof window.postMessage !== 'undefined' && !isIE8or9) {\n    return true;\n  }\n  return false;\n}\n\nexport function isTokenVerifySupported() {\n  return typeof webcrypto !== 'undefined'\n    && webcrypto !== null\n    && typeof webcrypto.subtle !== 'undefined'\n    && typeof Uint8Array !== 'undefined';\n}\n\nexport function hasTextEncoder() {\n  return typeof TextEncoder !== 'undefined';\n}\n\nexport function isPKCESupported() {\n  return isTokenVerifySupported() && hasTextEncoder();\n}\n\nexport function isHTTPS() {\n  if (!isBrowser()) {\n    return false;\n  }\n  return window.location.protocol === 'https:';\n}\n\nexport function isLocalhost() {\n  // eslint-disable-next-line compat/compat\n  return isBrowser() && window.location.hostname === 'localhost';\n}\n\n"],"mappings":";;;;;;;;;;;;AAeA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;;AAIA,MAAMA,cAAc,GAAG,mCAAmC;AAEnD,SAASC,SAAS,GAAG;EAC1B,OAAO,OAAOC,QAAQ,KAAK,WAAW,IAAI,OAAOC,MAAM,KAAK,WAAW;AACzE;AAEO,SAASC,YAAY,GAAG;EAC7B,IAAI,CAACH,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,MAAMI,YAAY,GAAIH,QAAQ,CAASG,YAAY;EACnD,OAAO,CAAC,CAACA,YAAY,IAAIA,YAAY,IAAI,EAAE;AAC7C;AAEO,SAASC,YAAY,GAAG;EAC7B,OAAOC,SAAS,CAACC,SAAS;AAC5B;AAEO,SAASC,sBAAsB,GAAG;EACvC,MAAMC,KAAK,GAAGJ,YAAY,EAAE;EAC5B,OAAOI,KAAK,IAAI,CAACV,cAAc,CAACW,IAAI,CAACD,KAAK,CAAC;AAC7C;AAEO,SAASE,2BAA2B,GAAG;EAC5C,IAAI,CAACX,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,MAAMI,YAAY,GAAIH,QAAQ,CAASG,YAAY;EACnD,IAAIQ,QAAQ,GAAGR,YAAY,IAAIA,YAAY,GAAG,EAAE;EAChD,IAAI,OAAOF,MAAM,CAACW,WAAW,KAAK,WAAW,IAAI,CAACD,QAAQ,EAAE;IAC1D,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEO,SAASE,sBAAsB,GAAG;EACvC,OAAO,OAAOC,iBAAS,KAAK,WAAW,IAClCA,iBAAS,KAAK,IAAI,IAClB,OAAOA,iBAAS,CAACC,MAAM,KAAK,WAAW,IACvC,OAAOC,UAAU,KAAK,WAAW;AACxC;AAEO,SAASC,cAAc,GAAG;EAC/B,OAAO,OAAOC,WAAW,KAAK,WAAW;AAC3C;AAEO,SAASC,eAAe,GAAG;EAChC,OAAON,sBAAsB,EAAE,IAAII,cAAc,EAAE;AACrD;AAEO,SAASG,OAAO,GAAG;EACxB,IAAI,CAACrB,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,OAAOE,MAAM,CAACoB,QAAQ,CAACC,QAAQ,KAAK,QAAQ;AAC9C;AAEO,SAASC,WAAW,GAAG;EAC5B;EACA,OAAOxB,SAAS,EAAE,IAAIE,MAAM,CAACoB,QAAQ,CAACG,QAAQ,KAAK,WAAW;AAChE"}
+{"version":3,"file":"features.js","names":["isWindowsPhone","isBrowser","document","window","isIE11OrLess","documentMode","getUserAgent","navigator","userAgent","isFingerprintSupported","agent","test","isPopupPostMessageSupported","isIE8or9","postMessage","isWebCryptoSubtleSupported","webcrypto","subtle","Uint8Array","isTokenVerifySupported","hasTextEncoder","TextEncoder","isPKCESupported","isHTTPS","location","protocol","isLocalhost","hostname","isDPoPSupported","indexedDB"],"sources":["../../lib/features.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n/* eslint-disable node/no-unsupported-features/node-builtins */\n/* global document, window, TextEncoder, navigator */\n\nimport { webcrypto } from './crypto';\n\nconst isWindowsPhone = /windows phone|iemobile|wpdesktop/i;\t\n\nexport function isBrowser() {\n  return typeof document !== 'undefined' && typeof window !== 'undefined';\n}\n\nexport function isIE11OrLess() {\n  if (!isBrowser()) {\n    return false;\n  }\n  const documentMode = (document as any).documentMode;\n  return !!documentMode && documentMode <= 11;\n}\n\nexport function getUserAgent() {\n  return navigator.userAgent;\n}\n\nexport function isFingerprintSupported() {\n  const agent = getUserAgent();\n  return agent && !isWindowsPhone.test(agent);\t\n}\n\nexport function isPopupPostMessageSupported() {\n  if (!isBrowser()) {\n    return false;\n  }\n  const documentMode = (document as any).documentMode;\n  var isIE8or9 = documentMode && documentMode < 10;\n  if (typeof window.postMessage !== 'undefined' && !isIE8or9) {\n    return true;\n  }\n  return false;\n}\n\nfunction isWebCryptoSubtleSupported () {\n  return typeof webcrypto !== 'undefined'\n    && webcrypto !== null\n    && typeof webcrypto.subtle !== 'undefined'\n    && typeof Uint8Array !== 'undefined';\n}\n\nexport function isTokenVerifySupported() {\n  return isWebCryptoSubtleSupported();\n}\n\nexport function hasTextEncoder() {\n  return typeof TextEncoder !== 'undefined';\n}\n\nexport function isPKCESupported() {\n  return isTokenVerifySupported() && hasTextEncoder();\n}\n\nexport function isHTTPS() {\n  if (!isBrowser()) {\n    return false;\n  }\n  return window.location.protocol === 'https:';\n}\n\nexport function isLocalhost() {\n  // eslint-disable-next-line compat/compat\n  return isBrowser() && window.location.hostname === 'localhost';\n}\n\n// For now, DPoP is only supported on browsers\nexport function isDPoPSupported () {\n  return !isIE11OrLess() &&\n    typeof window.indexedDB !== 'undefined' &&\n    hasTextEncoder() &&\n    isWebCryptoSubtleSupported();\n}\n"],"mappings":";;;;;;;;;;;;;AAeA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEA;AACA;;AAIA,MAAMA,cAAc,GAAG,mCAAmC;AAEnD,SAASC,SAAS,GAAG;EAC1B,OAAO,OAAOC,QAAQ,KAAK,WAAW,IAAI,OAAOC,MAAM,KAAK,WAAW;AACzE;AAEO,SAASC,YAAY,GAAG;EAC7B,IAAI,CAACH,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,MAAMI,YAAY,GAAIH,QAAQ,CAASG,YAAY;EACnD,OAAO,CAAC,CAACA,YAAY,IAAIA,YAAY,IAAI,EAAE;AAC7C;AAEO,SAASC,YAAY,GAAG;EAC7B,OAAOC,SAAS,CAACC,SAAS;AAC5B;AAEO,SAASC,sBAAsB,GAAG;EACvC,MAAMC,KAAK,GAAGJ,YAAY,EAAE;EAC5B,OAAOI,KAAK,IAAI,CAACV,cAAc,CAACW,IAAI,CAACD,KAAK,CAAC;AAC7C;AAEO,SAASE,2BAA2B,GAAG;EAC5C,IAAI,CAACX,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,MAAMI,YAAY,GAAIH,QAAQ,CAASG,YAAY;EACnD,IAAIQ,QAAQ,GAAGR,YAAY,IAAIA,YAAY,GAAG,EAAE;EAChD,IAAI,OAAOF,MAAM,CAACW,WAAW,KAAK,WAAW,IAAI,CAACD,QAAQ,EAAE;IAC1D,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEA,SAASE,0BAA0B,GAAI;EACrC,OAAO,OAAOC,iBAAS,KAAK,WAAW,IAClCA,iBAAS,KAAK,IAAI,IAClB,OAAOA,iBAAS,CAACC,MAAM,KAAK,WAAW,IACvC,OAAOC,UAAU,KAAK,WAAW;AACxC;AAEO,SAASC,sBAAsB,GAAG;EACvC,OAAOJ,0BAA0B,EAAE;AACrC;AAEO,SAASK,cAAc,GAAG;EAC/B,OAAO,OAAOC,WAAW,KAAK,WAAW;AAC3C;AAEO,SAASC,eAAe,GAAG;EAChC,OAAOH,sBAAsB,EAAE,IAAIC,cAAc,EAAE;AACrD;AAEO,SAASG,OAAO,GAAG;EACxB,IAAI,CAACtB,SAAS,EAAE,EAAE;IAChB,OAAO,KAAK;EACd;EACA,OAAOE,MAAM,CAACqB,QAAQ,CAACC,QAAQ,KAAK,QAAQ;AAC9C;AAEO,SAASC,WAAW,GAAG;EAC5B;EACA,OAAOzB,SAAS,EAAE,IAAIE,MAAM,CAACqB,QAAQ,CAACG,QAAQ,KAAK,WAAW;AAChE;;AAEA;AACO,SAASC,eAAe,GAAI;EACjC,OAAO,CAACxB,YAAY,EAAE,IACpB,OAAOD,MAAM,CAAC0B,SAAS,KAAK,WAAW,IACvCT,cAAc,EAAE,IAChBL,0BAA0B,EAAE;AAChC"}

package/cjs/http/OktaUserAgent.js

@@ -20,7 +20,7 @@ var _features = require("../features");
 class OktaUserAgent {
   constructor() {
     // add base sdk env
-    this.environments = [`okta-auth-js/${"7.6.0"}`];
+    this.environments = [`okta-auth-js/${"7.7.1"}`];
     this.maybeAddNodeEnvironment();
   }
   addEnvironment(env) {
@@ -32,7 +32,7 @@ class OktaUserAgent {
     };
   }
   getVersion() {
-    return "7.6.0";
+    return "7.7.1";
   }
   maybeAddNodeEnvironment() {
     if ((0, _features.isBrowser)() || !process || !process.versions) {

package/cjs/http/request.js

@@ -22,16 +22,6 @@ var _errors = require("../errors");
 
 /* eslint-disable complexity */
 
-const parseInsufficientAuthenticationError = header => {
-  if (!header) {
-    throw new _errors.AuthSdkError('Missing header string');
-  }
-  return header.split(',').map(part => part.trim()).map(part => part.split('=')).reduce((acc, curr) => {
-    // unwrap quotes from value
-    acc[curr[0]] = curr[1].replace(/^"(.*)"$/, '$1');
-    return acc;
-  }, {});
-};
 const formatError = (sdk, error) => {
   if (error instanceof Error) {
     // fetch() can throw exceptions
@@ -58,27 +48,29 @@ const formatError = (sdk, error) => {
   if (sdk.options.transformErrorXHR) {
     resp = sdk.options.transformErrorXHR((0, _util.clone)(resp));
   }
+
+  // 
+  const wwwAuthHeader = _errors.WWWAuthError.getWWWAuthenticateHeader(resp?.headers) ?? '';
   if (serverErr.error && serverErr.error_description) {
-    err = new _errors.OAuthError(serverErr.error, serverErr.error_description);
+    err = new _errors.OAuthError(serverErr.error, serverErr.error_description, resp);
   } else {
-    err = new _errors.AuthApiError(serverErr, resp);
+    err = new _errors.AuthApiError(serverErr, resp, {
+      wwwAuthHeader
+    });
   }
-  if (resp?.status === 403 && !!resp?.headers?.['www-authenticate']) {
-    const {
-      error,
+  if (wwwAuthHeader && resp?.status >= 400 && resp?.status < 500) {
+    const wwwAuthErr = _errors.WWWAuthError.parseHeader(wwwAuthHeader);
+    // check for 403 to avoid breaking change
+    if (resp.status === 403 && wwwAuthErr?.error === 'insufficient_authentication_context') {
       // eslint-disable-next-line camelcase
-      error_description,
-      // eslint-disable-next-line camelcase
-      max_age,
-      // eslint-disable-next-line camelcase
-      acr_values
-    } = parseInsufficientAuthenticationError(resp?.headers?.['www-authenticate']);
-    if (error === 'insufficient_authentication_context') {
+      const {
+        max_age,
+        acr_values
+      } = wwwAuthErr.parameters;
       err = new _errors.AuthApiError({
-        errorSummary: error,
-        // eslint-disable-next-line camelcase
+        errorSummary: wwwAuthErr.error,
         errorCauses: [{
-          errorSummary: error_description
+          errorSummary: wwwAuthErr.errorDescription
         }]
       }, resp, {
         // eslint-disable-next-line camelcase
@@ -88,8 +80,15 @@ const formatError = (sdk, error) => {
           acr_values
         })
       });
+    } else if (wwwAuthErr?.scheme === 'DPoP') {
+      err = wwwAuthErr;
     }
+    // else {
+    //   // WWWAuthError.parseHeader may return null, only overwrite if !null
+    //   err = wwwAuthErr ?? err;
+    // }
   }
+
   return err;
 };
 function httpRequest(sdk, options) {