@okta/okta-auth-js 7.7.0 → 7.7.1

package/CHANGELOG.md

@@ -1,13 +1,26 @@
 # Changelog
 
-## 7.6.0
+# 7.7.1
+
+- [#1529](https://github.com/okta/okta-auth-js/pull/1529) fix: persist `extraParams` passed to `/authorize` and include them during token refresh
+
+## 7.7.0
 
 ### Features
 
 - [#1495](https://github.com/okta/okta-auth-js/pull/1495) add: DPoP support
+
+### Fixes
+
+- [#1508](https://github.com/okta/okta-auth-js/pull/1508) IDX: add condition to compare stateHandles when loading saved idxResponse only when useGenericRemediator option is false or undefined
+
+
+## 7.6.0
+
+### Features
+
 - [#1507](https://github.com/okta/okta-auth-js/pull/1507) add: new method `getOrRenewAccessToken`
 - [#1505](https://github.com/okta/okta-auth-js/pull/1505) add: support of `revokeSessions` param for `OktaPassword` authenticator (can be used in `reset-authenticator` remediation)
-- [#1508](https://github.com/okta/okta-auth-js/pull/1508) IDX: add condition to compare stateHandles when loading saved idxResponse only when useGenericRemediator option is false or undefined
 - [#1512](https://github.com/okta/okta-auth-js/pull/1512) add: new service `RenewOnTabActivation`
 
 ### Bug Fix

package/cjs/http/OktaUserAgent.js

@@ -20,7 +20,7 @@ var _features = require("../features");
 class OktaUserAgent {
   constructor() {
     // add base sdk env
-    this.environments = [`okta-auth-js/${"7.7.0"}`];
+    this.environments = [`okta-auth-js/${"7.7.1"}`];
     this.maybeAddNodeEnvironment();
   }
   addEnvironment(env) {
@@ -32,7 +32,7 @@ class OktaUserAgent {
     };
   }
   getVersion() {
-    return "7.7.0";
+    return "7.7.1";
   }
   maybeAddNodeEnvironment() {
     if ((0, _features.isBrowser)() || !process || !process.versions) {

package/cjs/oidc/endpoints/token.js

@@ -133,8 +133,12 @@ async function postRefreshToken(sdk, options, refreshToken) {
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     return name + '=' + encodeURIComponent(value);
   }).join('&');
+  let url = refreshToken.tokenUrl;
+  if (options.extraParams && Object.keys(options.extraParams).length >= 1) {
+    url += (0, _util.toQueryString)(options.extraParams);
+  }
   const params = {
-    url: refreshToken.tokenUrl,
+    url,
     data,
     dpopKeyPair: options?.dpopKeyPair
   };

package/cjs/oidc/endpoints/token.js.map

@@ -1 +1 @@
-{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","makeTokenRequest","url","data","nonce","dpopKeyPair","method","headers","dpop","proof","generateDPoPForTokenRequest","keyPair","DPoP","resp","httpRequest","args","err","isDPoPNonceError","dpopNonce","AuthApiError","errorSummary","undefined","postToTokenEndpoint","urls","tokenUrl","postRefreshToken","refreshToken","Object","entries","client_id","grant_type","scope","scopes","join","refresh_token","map","name","value","encodeURIComponent"],"sources":["../../../../lib/oidc/endpoints/token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { AuthSdkError, AuthApiError } from '../../errors';\nimport { CustomUrls, OAuthParams, OAuthResponse, RefreshToken, TokenParams } from '../types';\nimport { removeNils, toQueryString } from '../../util';\nimport { httpRequest, OktaAuthHttpInterface } from '../../http';\nimport { generateDPoPForTokenRequest, isDPoPNonceError } from '../dpop';\n\nexport interface TokenEndpointParams extends TokenParams {\n  dpopKeyPair?: CryptoKeyPair;\n}\n\ninterface TokenRequestParams {\n  url: string;\n  data: any;\n  dpopKeyPair?: CryptoKeyPair;\n  nonce?: string;\n}\n\nfunction validateOptions(options: TokenEndpointParams) {\n  // Quick validation\n  if (!options.clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');\n  }\n\n  if (!options.redirectUri) {\n    throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');\n  }\n\n  if (!options.authorizationCode && !options.interactionCode) {\n    throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');\n  }\n\n  if (!options.codeVerifier) {\n    throw new AuthSdkError('The \"codeVerifier\" (generated and saved by your app) must be passed to /token');\n  }\n}\n\nfunction getPostData(sdk, options: TokenParams): string {\n  // Convert Token params to OAuth params, sent to the /token endpoint\n  var params: OAuthParams = removeNils({\n    'client_id': options.clientId,\n    'redirect_uri': options.redirectUri,\n    'grant_type': options.interactionCode ? 'interaction_code' : 'authorization_code',\n    'code_verifier': options.codeVerifier\n  });\n\n  if (options.interactionCode) {\n    params['interaction_code'] = options.interactionCode;\n  } else if (options.authorizationCode) {\n    params.code = options.authorizationCode;\n  }\n\n  const { clientSecret } = sdk.options;\n  if (clientSecret) {\n    params['client_secret'] = clientSecret;\n  }\n\n  // Encode as URL string\n  return toQueryString(params).slice(1);\n}\n\n/* eslint complexity: [2, 10] */\nasync function makeTokenRequest (sdk, { url, data, nonce, dpopKeyPair }: TokenRequestParams): Promise<OAuthResponse> {\n  const method = 'POST';\n  const headers: any = {\n    'Content-Type': 'application/x-www-form-urlencoded',\n  };\n\n  if (sdk.options.dpop) {\n    if (!dpopKeyPair) {\n      throw new AuthSdkError('DPoP is configured but no key pair was provided');\n    }\n\n    const proof = await generateDPoPForTokenRequest({ url, method, nonce, keyPair: dpopKeyPair });\n    headers.DPoP = proof;\n  }\n\n  try {\n    const resp = await httpRequest(sdk, {\n      url,\n      method,\n      args: data,\n      headers\n    });\n    return resp;\n  }\n  catch (err) {\n    if (isDPoPNonceError(err) && !nonce) {\n      const dpopNonce = err.resp?.headers['dpop-nonce'];\n      if (!dpopNonce) {\n        // throws error is dpop-nonce header cannot be found, prevents infinite loop\n        throw new AuthApiError(\n          {errorSummary: 'No `dpop-nonce` header found when required'},\n          err.resp ?? undefined    // yay ts\n        );\n      }\n      return makeTokenRequest(sdk, { url, data, dpopKeyPair, nonce: dpopNonce });\n    }\n    throw err;\n  }\n}\n\n// exchange authorization code for an access token\nexport async function postToTokenEndpoint(sdk, options: TokenEndpointParams, urls: CustomUrls): Promise<OAuthResponse> {\n  validateOptions(options);\n  var data = getPostData(sdk, options);\n\n  const params: TokenRequestParams = {\n    url: urls.tokenUrl!,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n\nexport async function postRefreshToken(\n  sdk: OktaAuthHttpInterface,\n  options: TokenEndpointParams,\n  refreshToken: RefreshToken\n): Promise<OAuthResponse> {\n  const data = Object.entries({\n    client_id: options.clientId, // eslint-disable-line camelcase\n    grant_type: 'refresh_token', // eslint-disable-line camelcase\n    scope: refreshToken.scopes.join(' '),\n    refresh_token: refreshToken.refreshToken, // eslint-disable-line camelcase\n  }).map(function ([name, value]) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return name + '=' + encodeURIComponent(value!);\n  }).join('&');\n\n  const params: TokenRequestParams = {\n    url: refreshToken.tokenUrl,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n"],"mappings":";;;;AAaA;AAEA;AACA;AACA;AAjBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoBA,SAASA,eAAe,CAACC,OAA4B,EAAE;EACrD;EACA,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;IACrB,MAAM,IAAIC,oBAAY,CAAC,yEAAyE,CAAC;EACnG;EAEA,IAAI,CAACF,OAAO,CAACG,WAAW,EAAE;IACxB,MAAM,IAAID,oBAAY,CAAC,oEAAoE,CAAC;EAC9F;EAEA,IAAI,CAACF,OAAO,CAACI,iBAAiB,IAAI,CAACJ,OAAO,CAACK,eAAe,EAAE;IAC1D,MAAM,IAAIH,oBAAY,CAAC,2EAA2E,CAAC;EACrG;EAEA,IAAI,CAACF,OAAO,CAACM,YAAY,EAAE;IACzB,MAAM,IAAIJ,oBAAY,CAAC,+EAA+E,CAAC;EACzG;AACF;AAEA,SAASK,WAAW,CAACC,GAAG,EAAER,OAAoB,EAAU;EACtD;EACA,IAAIS,MAAmB,GAAG,IAAAC,gBAAU,EAAC;IACnC,WAAW,EAAEV,OAAO,CAACC,QAAQ;IAC7B,cAAc,EAAED,OAAO,CAACG,WAAW;IACnC,YAAY,EAAEH,OAAO,CAACK,eAAe,GAAG,kBAAkB,GAAG,oBAAoB;IACjF,eAAe,EAAEL,OAAO,CAACM;EAC3B,CAAC,CAAC;EAEF,IAAIN,OAAO,CAACK,eAAe,EAAE;IAC3BI,MAAM,CAAC,kBAAkB,CAAC,GAAGT,OAAO,CAACK,eAAe;EACtD,CAAC,MAAM,IAAIL,OAAO,CAACI,iBAAiB,EAAE;IACpCK,MAAM,CAACE,IAAI,GAAGX,OAAO,CAACI,iBAAiB;EACzC;EAEA,MAAM;IAAEQ;EAAa,CAAC,GAAGJ,GAAG,CAACR,OAAO;EACpC,IAAIY,YAAY,EAAE;IAChBH,MAAM,CAAC,eAAe,CAAC,GAAGG,YAAY;EACxC;;EAEA;EACA,OAAO,IAAAC,mBAAa,EAACJ,MAAM,CAAC,CAACK,KAAK,CAAC,CAAC,CAAC;AACvC;;AAEA;AACA,eAAeC,gBAAgB,CAAEP,GAAG,EAAE;EAAEQ,GAAG;EAAEC,IAAI;EAAEC,KAAK;EAAEC;AAAgC,CAAC,EAA0B;EACnH,MAAMC,MAAM,GAAG,MAAM;EACrB,MAAMC,OAAY,GAAG;IACnB,cAAc,EAAE;EAClB,CAAC;EAED,IAAIb,GAAG,CAACR,OAAO,CAACsB,IAAI,EAAE;IACpB,IAAI,CAACH,WAAW,EAAE;MAChB,MAAM,IAAIjB,oBAAY,CAAC,iDAAiD,CAAC;IAC3E;IAEA,MAAMqB,KAAK,GAAG,MAAM,IAAAC,iCAA2B,EAAC;MAAER,GAAG;MAAEI,MAAM;MAAEF,KAAK;MAAEO,OAAO,EAAEN;IAAY,CAAC,CAAC;IAC7FE,OAAO,CAACK,IAAI,GAAGH,KAAK;EACtB;EAEA,IAAI;IACF,MAAMI,IAAI,GAAG,MAAM,IAAAC,iBAAW,EAACpB,GAAG,EAAE;MAClCQ,GAAG;MACHI,MAAM;MACNS,IAAI,EAAEZ,IAAI;MACVI;IACF,CAAC,CAAC;IACF,OAAOM,IAAI;EACb,CAAC,CACD,OAAOG,GAAG,EAAE;IACV,IAAI,IAAAC,sBAAgB,EAACD,GAAG,CAAC,IAAI,CAACZ,KAAK,EAAE;MACnC,MAAMc,SAAS,GAAGF,GAAG,CAACH,IAAI,EAAEN,OAAO,CAAC,YAAY,CAAC;MACjD,IAAI,CAACW,SAAS,EAAE;QACd;QACA,MAAM,IAAIC,oBAAY,CACpB;UAACC,YAAY,EAAE;QAA4C,CAAC,EAC5DJ,GAAG,CAACH,IAAI,IAAIQ,SAAS,CAAI;QAAA,CAC1B;MACH;;MACA,OAAOpB,gBAAgB,CAACP,GAAG,EAAE;QAAEQ,GAAG;QAAEC,IAAI;QAAEE,WAAW;QAAED,KAAK,EAAEc;MAAU,CAAC,CAAC;IAC5E;IACA,MAAMF,GAAG;EACX;AACF;;AAEA;AACO,eAAeM,mBAAmB,CAAC5B,GAAG,EAAER,OAA4B,EAAEqC,IAAgB,EAA0B;EACrHtC,eAAe,CAACC,OAAO,CAAC;EACxB,IAAIiB,IAAI,GAAGV,WAAW,CAACC,GAAG,EAAER,OAAO,CAAC;EAEpC,MAAMS,MAA0B,GAAG;IACjCO,GAAG,EAAEqB,IAAI,CAACC,QAAS;IACnBrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC;AAEO,eAAe8B,gBAAgB,CACpC/B,GAA0B,EAC1BR,OAA4B,EAC5BwC,YAA0B,EACF;EACxB,MAAMvB,IAAI,GAAGwB,MAAM,CAACC,OAAO,CAAC;IAC1BC,SAAS,EAAE3C,OAAO,CAACC,QAAQ;IAAE;IAC7B2C,UAAU,EAAE,eAAe;IAAE;IAC7BC,KAAK,EAAEL,YAAY,CAACM,MAAM,CAACC,IAAI,CAAC,GAAG,CAAC;IACpCC,aAAa,EAAER,YAAY,CAACA,YAAY,CAAE;EAC5C,CAAC,CAAC,CAACS,GAAG,CAAC,UAAU,CAACC,IAAI,EAAEC,KAAK,CAAC,EAAE;IAC9B;IACA,OAAOD,IAAI,GAAG,GAAG,GAAGE,kBAAkB,CAACD,KAAK,CAAE;EAChD,CAAC,CAAC,CAACJ,IAAI,CAAC,GAAG,CAAC;EAEZ,MAAMtC,MAA0B,GAAG;IACjCO,GAAG,EAAEwB,YAAY,CAACF,QAAQ;IAC1BrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC"}
+{"version":3,"file":"token.js","names":["validateOptions","options","clientId","AuthSdkError","redirectUri","authorizationCode","interactionCode","codeVerifier","getPostData","sdk","params","removeNils","code","clientSecret","toQueryString","slice","makeTokenRequest","url","data","nonce","dpopKeyPair","method","headers","dpop","proof","generateDPoPForTokenRequest","keyPair","DPoP","resp","httpRequest","args","err","isDPoPNonceError","dpopNonce","AuthApiError","errorSummary","undefined","postToTokenEndpoint","urls","tokenUrl","postRefreshToken","refreshToken","Object","entries","client_id","grant_type","scope","scopes","join","refresh_token","map","name","value","encodeURIComponent","extraParams","keys","length"],"sources":["../../../../lib/oidc/endpoints/token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * \n * See the License for the specific language governing permissions and limitations under the License.\n */\n\n\nimport { AuthSdkError, AuthApiError } from '../../errors';\nimport { CustomUrls, OAuthParams, OAuthResponse, RefreshToken, TokenParams } from '../types';\nimport { removeNils, toQueryString } from '../../util';\nimport { httpRequest, OktaAuthHttpInterface } from '../../http';\nimport { generateDPoPForTokenRequest, isDPoPNonceError } from '../dpop';\n\nexport interface TokenEndpointParams extends TokenParams {\n  dpopKeyPair?: CryptoKeyPair;\n}\n\ninterface TokenRequestParams {\n  url: string;\n  data: any;\n  dpopKeyPair?: CryptoKeyPair;\n  nonce?: string;\n}\n\nfunction validateOptions(options: TokenEndpointParams) {\n  // Quick validation\n  if (!options.clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to get a token');\n  }\n\n  if (!options.redirectUri) {\n    throw new AuthSdkError('The redirectUri passed to /authorize must also be passed to /token');\n  }\n\n  if (!options.authorizationCode && !options.interactionCode) {\n    throw new AuthSdkError('An authorization code (returned from /authorize) must be passed to /token');\n  }\n\n  if (!options.codeVerifier) {\n    throw new AuthSdkError('The \"codeVerifier\" (generated and saved by your app) must be passed to /token');\n  }\n}\n\nfunction getPostData(sdk, options: TokenParams): string {\n  // Convert Token params to OAuth params, sent to the /token endpoint\n  var params: OAuthParams = removeNils({\n    'client_id': options.clientId,\n    'redirect_uri': options.redirectUri,\n    'grant_type': options.interactionCode ? 'interaction_code' : 'authorization_code',\n    'code_verifier': options.codeVerifier\n  });\n\n  if (options.interactionCode) {\n    params['interaction_code'] = options.interactionCode;\n  } else if (options.authorizationCode) {\n    params.code = options.authorizationCode;\n  }\n\n  const { clientSecret } = sdk.options;\n  if (clientSecret) {\n    params['client_secret'] = clientSecret;\n  }\n\n  // Encode as URL string\n  return toQueryString(params).slice(1);\n}\n\n/* eslint complexity: [2, 10] */\nasync function makeTokenRequest (sdk, { url, data, nonce, dpopKeyPair }: TokenRequestParams): Promise<OAuthResponse> {\n  const method = 'POST';\n  const headers: any = {\n    'Content-Type': 'application/x-www-form-urlencoded',\n  };\n\n  if (sdk.options.dpop) {\n    if (!dpopKeyPair) {\n      throw new AuthSdkError('DPoP is configured but no key pair was provided');\n    }\n\n    const proof = await generateDPoPForTokenRequest({ url, method, nonce, keyPair: dpopKeyPair });\n    headers.DPoP = proof;\n  }\n\n  try {\n    const resp = await httpRequest(sdk, {\n      url,\n      method,\n      args: data,\n      headers\n    });\n    return resp;\n  }\n  catch (err) {\n    if (isDPoPNonceError(err) && !nonce) {\n      const dpopNonce = err.resp?.headers['dpop-nonce'];\n      if (!dpopNonce) {\n        // throws error is dpop-nonce header cannot be found, prevents infinite loop\n        throw new AuthApiError(\n          {errorSummary: 'No `dpop-nonce` header found when required'},\n          err.resp ?? undefined    // yay ts\n        );\n      }\n      return makeTokenRequest(sdk, { url, data, dpopKeyPair, nonce: dpopNonce });\n    }\n    throw err;\n  }\n}\n\n// exchange authorization code for an access token\nexport async function postToTokenEndpoint(sdk, options: TokenEndpointParams, urls: CustomUrls): Promise<OAuthResponse> {\n  validateOptions(options);\n  var data = getPostData(sdk, options);\n\n  const params: TokenRequestParams = {\n    url: urls.tokenUrl!,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n\nexport async function postRefreshToken(\n  sdk: OktaAuthHttpInterface,\n  options: TokenEndpointParams,\n  refreshToken: RefreshToken\n): Promise<OAuthResponse> {\n  const data = Object.entries({\n    client_id: options.clientId, // eslint-disable-line camelcase\n    grant_type: 'refresh_token', // eslint-disable-line camelcase\n    scope: refreshToken.scopes.join(' '),\n    refresh_token: refreshToken.refreshToken, // eslint-disable-line camelcase\n  }).map(function ([name, value]) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return name + '=' + encodeURIComponent(value!);\n  }).join('&');\n\n  let url = refreshToken.tokenUrl;\n  if (options.extraParams && Object.keys(options.extraParams).length >= 1) {\n    url += toQueryString(options.extraParams);\n  }\n\n  const params: TokenRequestParams = {\n    url,\n    data,\n    dpopKeyPair: options?.dpopKeyPair\n  };\n\n  return makeTokenRequest(sdk, params);\n}\n"],"mappings":";;;;AAaA;AAEA;AACA;AACA;AAjBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAoBA,SAASA,eAAe,CAACC,OAA4B,EAAE;EACrD;EACA,IAAI,CAACA,OAAO,CAACC,QAAQ,EAAE;IACrB,MAAM,IAAIC,oBAAY,CAAC,yEAAyE,CAAC;EACnG;EAEA,IAAI,CAACF,OAAO,CAACG,WAAW,EAAE;IACxB,MAAM,IAAID,oBAAY,CAAC,oEAAoE,CAAC;EAC9F;EAEA,IAAI,CAACF,OAAO,CAACI,iBAAiB,IAAI,CAACJ,OAAO,CAACK,eAAe,EAAE;IAC1D,MAAM,IAAIH,oBAAY,CAAC,2EAA2E,CAAC;EACrG;EAEA,IAAI,CAACF,OAAO,CAACM,YAAY,EAAE;IACzB,MAAM,IAAIJ,oBAAY,CAAC,+EAA+E,CAAC;EACzG;AACF;AAEA,SAASK,WAAW,CAACC,GAAG,EAAER,OAAoB,EAAU;EACtD;EACA,IAAIS,MAAmB,GAAG,IAAAC,gBAAU,EAAC;IACnC,WAAW,EAAEV,OAAO,CAACC,QAAQ;IAC7B,cAAc,EAAED,OAAO,CAACG,WAAW;IACnC,YAAY,EAAEH,OAAO,CAACK,eAAe,GAAG,kBAAkB,GAAG,oBAAoB;IACjF,eAAe,EAAEL,OAAO,CAACM;EAC3B,CAAC,CAAC;EAEF,IAAIN,OAAO,CAACK,eAAe,EAAE;IAC3BI,MAAM,CAAC,kBAAkB,CAAC,GAAGT,OAAO,CAACK,eAAe;EACtD,CAAC,MAAM,IAAIL,OAAO,CAACI,iBAAiB,EAAE;IACpCK,MAAM,CAACE,IAAI,GAAGX,OAAO,CAACI,iBAAiB;EACzC;EAEA,MAAM;IAAEQ;EAAa,CAAC,GAAGJ,GAAG,CAACR,OAAO;EACpC,IAAIY,YAAY,EAAE;IAChBH,MAAM,CAAC,eAAe,CAAC,GAAGG,YAAY;EACxC;;EAEA;EACA,OAAO,IAAAC,mBAAa,EAACJ,MAAM,CAAC,CAACK,KAAK,CAAC,CAAC,CAAC;AACvC;;AAEA;AACA,eAAeC,gBAAgB,CAAEP,GAAG,EAAE;EAAEQ,GAAG;EAAEC,IAAI;EAAEC,KAAK;EAAEC;AAAgC,CAAC,EAA0B;EACnH,MAAMC,MAAM,GAAG,MAAM;EACrB,MAAMC,OAAY,GAAG;IACnB,cAAc,EAAE;EAClB,CAAC;EAED,IAAIb,GAAG,CAACR,OAAO,CAACsB,IAAI,EAAE;IACpB,IAAI,CAACH,WAAW,EAAE;MAChB,MAAM,IAAIjB,oBAAY,CAAC,iDAAiD,CAAC;IAC3E;IAEA,MAAMqB,KAAK,GAAG,MAAM,IAAAC,iCAA2B,EAAC;MAAER,GAAG;MAAEI,MAAM;MAAEF,KAAK;MAAEO,OAAO,EAAEN;IAAY,CAAC,CAAC;IAC7FE,OAAO,CAACK,IAAI,GAAGH,KAAK;EACtB;EAEA,IAAI;IACF,MAAMI,IAAI,GAAG,MAAM,IAAAC,iBAAW,EAACpB,GAAG,EAAE;MAClCQ,GAAG;MACHI,MAAM;MACNS,IAAI,EAAEZ,IAAI;MACVI;IACF,CAAC,CAAC;IACF,OAAOM,IAAI;EACb,CAAC,CACD,OAAOG,GAAG,EAAE;IACV,IAAI,IAAAC,sBAAgB,EAACD,GAAG,CAAC,IAAI,CAACZ,KAAK,EAAE;MACnC,MAAMc,SAAS,GAAGF,GAAG,CAACH,IAAI,EAAEN,OAAO,CAAC,YAAY,CAAC;MACjD,IAAI,CAACW,SAAS,EAAE;QACd;QACA,MAAM,IAAIC,oBAAY,CACpB;UAACC,YAAY,EAAE;QAA4C,CAAC,EAC5DJ,GAAG,CAACH,IAAI,IAAIQ,SAAS,CAAI;QAAA,CAC1B;MACH;;MACA,OAAOpB,gBAAgB,CAACP,GAAG,EAAE;QAAEQ,GAAG;QAAEC,IAAI;QAAEE,WAAW;QAAED,KAAK,EAAEc;MAAU,CAAC,CAAC;IAC5E;IACA,MAAMF,GAAG;EACX;AACF;;AAEA;AACO,eAAeM,mBAAmB,CAAC5B,GAAG,EAAER,OAA4B,EAAEqC,IAAgB,EAA0B;EACrHtC,eAAe,CAACC,OAAO,CAAC;EACxB,IAAIiB,IAAI,GAAGV,WAAW,CAACC,GAAG,EAAER,OAAO,CAAC;EAEpC,MAAMS,MAA0B,GAAG;IACjCO,GAAG,EAAEqB,IAAI,CAACC,QAAS;IACnBrB,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC;AAEO,eAAe8B,gBAAgB,CACpC/B,GAA0B,EAC1BR,OAA4B,EAC5BwC,YAA0B,EACF;EACxB,MAAMvB,IAAI,GAAGwB,MAAM,CAACC,OAAO,CAAC;IAC1BC,SAAS,EAAE3C,OAAO,CAACC,QAAQ;IAAE;IAC7B2C,UAAU,EAAE,eAAe;IAAE;IAC7BC,KAAK,EAAEL,YAAY,CAACM,MAAM,CAACC,IAAI,CAAC,GAAG,CAAC;IACpCC,aAAa,EAAER,YAAY,CAACA,YAAY,CAAE;EAC5C,CAAC,CAAC,CAACS,GAAG,CAAC,UAAU,CAACC,IAAI,EAAEC,KAAK,CAAC,EAAE;IAC9B;IACA,OAAOD,IAAI,GAAG,GAAG,GAAGE,kBAAkB,CAACD,KAAK,CAAE;EAChD,CAAC,CAAC,CAACJ,IAAI,CAAC,GAAG,CAAC;EAEZ,IAAI/B,GAAG,GAAGwB,YAAY,CAACF,QAAQ;EAC/B,IAAItC,OAAO,CAACqD,WAAW,IAAIZ,MAAM,CAACa,IAAI,CAACtD,OAAO,CAACqD,WAAW,CAAC,CAACE,MAAM,IAAI,CAAC,EAAE;IACvEvC,GAAG,IAAI,IAAAH,mBAAa,EAACb,OAAO,CAACqD,WAAW,CAAC;EAC3C;EAEA,MAAM5C,MAA0B,GAAG;IACjCO,GAAG;IACHC,IAAI;IACJE,WAAW,EAAEnB,OAAO,EAAEmB;EACxB,CAAC;EAED,OAAOJ,gBAAgB,CAACP,GAAG,EAAEC,MAAM,CAAC;AACtC"}

package/cjs/oidc/exchangeCodeForTokens.js

@@ -37,7 +37,8 @@ async function exchangeCodeForTokens(sdk, tokenParams, urls) {
     state,
     acrValues,
     dpop,
-    dpopPairId
+    dpopPairId,
+    extraParams
   } = tokenParams;
 
   // postToTokenEndpoint() params
@@ -64,7 +65,8 @@ async function exchangeCodeForTokens(sdk, tokenParams, urls) {
     scopes,
     responseType,
     ignoreSignature,
-    acrValues
+    acrValues,
+    extraParams
   };
   try {
     if (dpop) {

package/cjs/oidc/exchangeCodeForTokens.js.map

@@ -1 +1 @@
-{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","dpop","dpopPairId","getTokenOptions","responseType","indexOf","push","handleResponseOptions","keyPair","findKeyPair","dpopKeyPair","keyPairId","createDPoPKeyPair","oauthResponse","postToTokenEndpoint","tokenResponse","handleOAuthResponse","code","transactionManager","clear"],"sources":["../../../lib/oidc/exchangeCodeForTokens.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/* eslint-disable max-len */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { CustomUrls, OAuthResponse, OAuthResponseType, OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { getOAuthUrls, getDefaultTokenParams } from './util';\nimport { clone } from '../util';\nimport { postToTokenEndpoint, TokenEndpointParams } from './endpoints/token';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { createDPoPKeyPair, findKeyPair } from './dpop';\n\n// codeVerifier is required. May pass either an authorizationCode or interactionCode\nexport async function exchangeCodeForTokens(sdk: OktaAuthOAuthInterface, tokenParams: TokenParams, urls?: CustomUrls): Promise<TokenResponse> {\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n  // build params using defaults + options\n  tokenParams = Object.assign({}, getDefaultTokenParams(sdk), clone(tokenParams));\n\n  const {\n    authorizationCode,\n    interactionCode,\n    codeVerifier,\n    clientId,\n    redirectUri,\n    scopes,\n    ignoreSignature,\n    state,\n    acrValues,\n    dpop,\n    dpopPairId,\n  } = tokenParams;\n\n  // postToTokenEndpoint() params\n  const getTokenOptions: TokenEndpointParams = {\n    clientId,\n    redirectUri,\n    authorizationCode,\n    interactionCode,\n    codeVerifier,\n    dpop,\n  };\n\n  // `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints\n  // Here we modify the response from `/token` so that it more closely matches a response from `/authorize`\n  // `responseType` is used to validate that the expected tokens were returned\n  const responseType: OAuthResponseType[] = ['token']; // an accessToken will always be returned\n  if (scopes!.indexOf('openid') !== -1) {\n    responseType.push('id_token'); // an idToken will be returned if \"openid\" is in the scopes\n  }\n  // handleOAuthResponse() params\n  const handleResponseOptions: TokenParams = {\n    clientId,\n    redirectUri,\n    scopes,\n    responseType,\n    ignoreSignature,\n    acrValues,\n  };\n\n  try {\n    if (dpop) {\n      // token refresh, KP should already exist\n      if (dpopPairId) {\n        const keyPair = await findKeyPair(dpopPairId);\n        getTokenOptions.dpopKeyPair = keyPair;\n        handleResponseOptions.dpop = dpop;\n        handleResponseOptions.dpopPairId = dpopPairId;\n      }\n      else {\n        const { keyPair, keyPairId } = await createDPoPKeyPair();\n        getTokenOptions.dpopKeyPair = keyPair;\n        handleResponseOptions.dpop = dpop;\n        handleResponseOptions.dpopPairId = keyPairId;\n      }\n    }\n\n    const oauthResponse: OAuthResponse = await postToTokenEndpoint(sdk, getTokenOptions, urls);\n\n    const tokenResponse: TokenResponse = await handleOAuthResponse(sdk, handleResponseOptions, oauthResponse, urls!);\n    tokenResponse.code = authorizationCode;\n    tokenResponse.state = state!;\n    return tokenResponse;\n  }\n  finally {\n    sdk.transactionManager.clear();\n  }\n}\n"],"mappings":";;;AAeA;AACA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA;AACO,eAAeA,qBAAqB,CAACC,GAA2B,EAAEC,WAAwB,EAAEC,IAAiB,EAA0B;EAC5IA,IAAI,GAAGA,IAAI,IAAI,IAAAC,kBAAY,EAACH,GAAG,EAAEC,WAAW,CAAC;EAC7C;EACAA,WAAW,GAAGG,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAAC,2BAAqB,EAACN,GAAG,CAAC,EAAE,IAAAO,YAAK,EAACN,WAAW,CAAC,CAAC;EAE/E,MAAM;IACJO,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZC,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNC,eAAe;IACfC,KAAK;IACLC,SAAS;IACTC,IAAI;IACJC;EACF,CAAC,GAAGjB,WAAW;;EAEf;EACA,MAAMkB,eAAoC,GAAG;IAC3CR,QAAQ;IACRC,WAAW;IACXJ,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZO;EACF,CAAC;;EAED;EACA;EACA;EACA,MAAMG,YAAiC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;EACrD,IAAIP,MAAM,CAAEQ,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;IACpCD,YAAY,CAACE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;EACjC;EACA;EACA,MAAMC,qBAAkC,GAAG;IACzCZ,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNO,YAAY;IACZN,eAAe;IACfE;EACF,CAAC;EAED,IAAI;IACF,IAAIC,IAAI,EAAE;MACR;MACA,IAAIC,UAAU,EAAE;QACd,MAAMM,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACP,UAAU,CAAC;QAC7CC,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACN,IAAI,GAAGA,IAAI;QACjCM,qBAAqB,CAACL,UAAU,GAAGA,UAAU;MAC/C,CAAC,MACI;QACH,MAAM;UAAEM,OAAO;UAAEG;QAAU,CAAC,GAAG,MAAM,IAAAC,uBAAiB,GAAE;QACxDT,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACN,IAAI,GAAGA,IAAI;QACjCM,qBAAqB,CAACL,UAAU,GAAGS,SAAS;MAC9C;IACF;IAEA,MAAME,aAA4B,GAAG,MAAM,IAAAC,0BAAmB,EAAC9B,GAAG,EAAEmB,eAAe,EAAEjB,IAAI,CAAC;IAE1F,MAAM6B,aAA4B,GAAG,MAAM,IAAAC,wCAAmB,EAAChC,GAAG,EAAEuB,qBAAqB,EAAEM,aAAa,EAAE3B,IAAI,CAAE;IAChH6B,aAAa,CAACE,IAAI,GAAGzB,iBAAiB;IACtCuB,aAAa,CAAChB,KAAK,GAAGA,KAAM;IAC5B,OAAOgB,aAAa;EACtB,CAAC,SACO;IACN/B,GAAG,CAACkC,kBAAkB,CAACC,KAAK,EAAE;EAChC;AACF"}
+{"version":3,"file":"exchangeCodeForTokens.js","names":["exchangeCodeForTokens","sdk","tokenParams","urls","getOAuthUrls","Object","assign","getDefaultTokenParams","clone","authorizationCode","interactionCode","codeVerifier","clientId","redirectUri","scopes","ignoreSignature","state","acrValues","dpop","dpopPairId","extraParams","getTokenOptions","responseType","indexOf","push","handleResponseOptions","keyPair","findKeyPair","dpopKeyPair","keyPairId","createDPoPKeyPair","oauthResponse","postToTokenEndpoint","tokenResponse","handleOAuthResponse","code","transactionManager","clear"],"sources":["../../../lib/oidc/exchangeCodeForTokens.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n/* eslint-disable max-len */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { CustomUrls, OAuthResponse, OAuthResponseType, OktaAuthOAuthInterface, TokenParams, TokenResponse } from './types';\nimport { getOAuthUrls, getDefaultTokenParams } from './util';\nimport { clone } from '../util';\nimport { postToTokenEndpoint, TokenEndpointParams } from './endpoints/token';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { createDPoPKeyPair, findKeyPair } from './dpop';\n\n// codeVerifier is required. May pass either an authorizationCode or interactionCode\nexport async function exchangeCodeForTokens(sdk: OktaAuthOAuthInterface, tokenParams: TokenParams, urls?: CustomUrls): Promise<TokenResponse> {\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n  // build params using defaults + options\n  tokenParams = Object.assign({}, getDefaultTokenParams(sdk), clone(tokenParams));\n\n  const {\n    authorizationCode,\n    interactionCode,\n    codeVerifier,\n    clientId,\n    redirectUri,\n    scopes,\n    ignoreSignature,\n    state,\n    acrValues,\n    dpop,\n    dpopPairId,\n    extraParams\n  } = tokenParams;\n\n  // postToTokenEndpoint() params\n  const getTokenOptions: TokenEndpointParams = {\n    clientId,\n    redirectUri,\n    authorizationCode,\n    interactionCode,\n    codeVerifier,\n    dpop,\n  };\n\n  // `handleOAuthResponse` hanadles responses from both `/authorize` and `/token` endpoints\n  // Here we modify the response from `/token` so that it more closely matches a response from `/authorize`\n  // `responseType` is used to validate that the expected tokens were returned\n  const responseType: OAuthResponseType[] = ['token']; // an accessToken will always be returned\n  if (scopes!.indexOf('openid') !== -1) {\n    responseType.push('id_token'); // an idToken will be returned if \"openid\" is in the scopes\n  }\n  // handleOAuthResponse() params\n  const handleResponseOptions: TokenParams = {\n    clientId,\n    redirectUri,\n    scopes,\n    responseType,\n    ignoreSignature,\n    acrValues,\n    extraParams\n  };\n\n  try {\n    if (dpop) {\n      // token refresh, KP should already exist\n      if (dpopPairId) {\n        const keyPair = await findKeyPair(dpopPairId);\n        getTokenOptions.dpopKeyPair = keyPair;\n        handleResponseOptions.dpop = dpop;\n        handleResponseOptions.dpopPairId = dpopPairId;\n      }\n      else {\n        const { keyPair, keyPairId } = await createDPoPKeyPair();\n        getTokenOptions.dpopKeyPair = keyPair;\n        handleResponseOptions.dpop = dpop;\n        handleResponseOptions.dpopPairId = keyPairId;\n      }\n    }\n\n    const oauthResponse: OAuthResponse = await postToTokenEndpoint(sdk, getTokenOptions, urls);\n\n    const tokenResponse: TokenResponse = await handleOAuthResponse(sdk, handleResponseOptions, oauthResponse, urls!);\n    tokenResponse.code = authorizationCode;\n    tokenResponse.state = state!;\n    return tokenResponse;\n  }\n  finally {\n    sdk.transactionManager.clear();\n  }\n}\n"],"mappings":";;;AAeA;AACA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAQA;AACO,eAAeA,qBAAqB,CAACC,GAA2B,EAAEC,WAAwB,EAAEC,IAAiB,EAA0B;EAC5IA,IAAI,GAAGA,IAAI,IAAI,IAAAC,kBAAY,EAACH,GAAG,EAAEC,WAAW,CAAC;EAC7C;EACAA,WAAW,GAAGG,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAAC,2BAAqB,EAACN,GAAG,CAAC,EAAE,IAAAO,YAAK,EAACN,WAAW,CAAC,CAAC;EAE/E,MAAM;IACJO,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZC,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNC,eAAe;IACfC,KAAK;IACLC,SAAS;IACTC,IAAI;IACJC,UAAU;IACVC;EACF,CAAC,GAAGlB,WAAW;;EAEf;EACA,MAAMmB,eAAoC,GAAG;IAC3CT,QAAQ;IACRC,WAAW;IACXJ,iBAAiB;IACjBC,eAAe;IACfC,YAAY;IACZO;EACF,CAAC;;EAED;EACA;EACA;EACA,MAAMI,YAAiC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;EACrD,IAAIR,MAAM,CAAES,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE;IACpCD,YAAY,CAACE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;EACjC;EACA;EACA,MAAMC,qBAAkC,GAAG;IACzCb,QAAQ;IACRC,WAAW;IACXC,MAAM;IACNQ,YAAY;IACZP,eAAe;IACfE,SAAS;IACTG;EACF,CAAC;EAED,IAAI;IACF,IAAIF,IAAI,EAAE;MACR;MACA,IAAIC,UAAU,EAAE;QACd,MAAMO,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACR,UAAU,CAAC;QAC7CE,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACP,IAAI,GAAGA,IAAI;QACjCO,qBAAqB,CAACN,UAAU,GAAGA,UAAU;MAC/C,CAAC,MACI;QACH,MAAM;UAAEO,OAAO;UAAEG;QAAU,CAAC,GAAG,MAAM,IAAAC,uBAAiB,GAAE;QACxDT,eAAe,CAACO,WAAW,GAAGF,OAAO;QACrCD,qBAAqB,CAACP,IAAI,GAAGA,IAAI;QACjCO,qBAAqB,CAACN,UAAU,GAAGU,SAAS;MAC9C;IACF;IAEA,MAAME,aAA4B,GAAG,MAAM,IAAAC,0BAAmB,EAAC/B,GAAG,EAAEoB,eAAe,EAAElB,IAAI,CAAC;IAE1F,MAAM8B,aAA4B,GAAG,MAAM,IAAAC,wCAAmB,EAACjC,GAAG,EAAEwB,qBAAqB,EAAEM,aAAa,EAAE5B,IAAI,CAAE;IAChH8B,aAAa,CAACE,IAAI,GAAG1B,iBAAiB;IACtCwB,aAAa,CAACjB,KAAK,GAAGA,KAAM;IAC5B,OAAOiB,aAAa;EACtB,CAAC,SACO;IACNhC,GAAG,CAACmC,kBAAkB,CAACC,KAAK,EAAE;EAChC;AACF"}

package/cjs/oidc/handleOAuthResponse.js

@@ -84,6 +84,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
     if (tokenParams.dpopPairId) {
       tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;
     }
+    if (tokenParams.extraParams) {
+      tokenDict.accessToken.extraParams = tokenParams.extraParams;
+    }
   }
   if (refreshToken) {
     tokenDict.refreshToken = {
@@ -99,6 +102,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
     if (tokenParams.dpopPairId) {
       tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;
     }
+    if (tokenParams.extraParams) {
+      tokenDict.refreshToken.extraParams = tokenParams.extraParams;
+    }
   }
   if (idToken) {
     const idJwt = sdk.token.decode(idToken);
@@ -112,6 +118,9 @@ async function handleOAuthResponse(sdk, tokenParams, res, urls) {
       issuer: urls.issuer,
       clientId: clientId
     };
+    if (tokenParams.extraParams) {
+      idTokenObj.extraParams = tokenParams.extraParams;
+    }
     const validationParams = {
       clientId: clientId,
       issuer: urls.issuer,

package/cjs/oidc/handleOAuthResponse.js.map

@@ -1 +1 @@
-{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n  getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n  OktaAuthOAuthInterface,\n  TokenVerifyParams,\n  IDToken,\n  OAuthResponse,\n  TokenParams,\n  TokenResponse,\n  CustomUrls,\n  Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n  if (res['error'] && res['error_description']) {\n    throw new OAuthError(res['error'], res['error_description']);\n  }\n\n  if (res.state !== oauthParams.state) {\n    throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n  }\n\n  // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n  // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n  if (oauthParams.dpop && res.token_type !== 'DPoP') {\n    throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n  }\n}\n\nexport async function handleOAuthResponse(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  res: OAuthResponse,\n  urls?: CustomUrls\n): Promise<TokenResponse> {\n  const pkce = sdk.options.pkce !== false;\n\n  // The result contains an authorization_code and PKCE is enabled \n  // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n  if (pkce && (res.code || res.interaction_code)) {\n    return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n      authorizationCode: res.code,\n      interactionCode: res.interaction_code\n    }), urls);\n  }\n\n  tokenParams = tokenParams || getDefaultTokenParams(sdk);\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n\n  let responseType = tokenParams.responseType || [];\n  if (!Array.isArray(responseType) && responseType !== 'none') {\n    responseType = [responseType];\n  }\n\n  let scopes;\n  if (res.scope) {\n    scopes = res.scope.split(' ');\n  } else {\n    scopes = clone(tokenParams.scopes);\n  }\n  const clientId = tokenParams.clientId || sdk.options.clientId;\n\n  // Handling the result from implicit flow or PKCE token exchange\n  validateResponse(res, tokenParams);\n\n  const tokenDict = {} as Tokens;\n  const expiresIn = res.expires_in;\n  const tokenType = res.token_type;\n  const accessToken = res.access_token;\n  const idToken = res.id_token;\n  const refreshToken = res.refresh_token;\n  const now = Math.floor(Date.now()/1000);\n\n  if (accessToken) {\n    const accessJwt = sdk.token.decode(accessToken);\n    tokenDict.accessToken = {\n      accessToken: accessToken,\n      claims: accessJwt.payload,\n      expiresAt: Number(expiresIn) + now,\n      tokenType: tokenType!,\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      userinfoUrl: urls.userinfoUrl!\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n    }\n  }\n\n  if (refreshToken) {\n    tokenDict.refreshToken = {\n      refreshToken: refreshToken,\n      // should not be used, this is the accessToken expire time\n      // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n      expiresAt: Number(expiresIn) + now, \n      scopes: scopes,\n      tokenUrl: urls.tokenUrl!,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n    }\n  }\n\n  if (idToken) {\n    const idJwt = sdk.token.decode(idToken);\n    const idTokenObj: IDToken = {\n      idToken: idToken,\n      claims: idJwt.payload,\n      expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n      clientId: clientId!\n    };\n\n    const validationParams: TokenVerifyParams = {\n      clientId: clientId!,\n      issuer: urls.issuer!,\n      nonce: tokenParams.nonce,\n      accessToken: accessToken,\n      acrValues: tokenParams.acrValues\n    };\n\n    if (tokenParams.ignoreSignature !== undefined) {\n      validationParams.ignoreSignature = tokenParams.ignoreSignature;\n    }\n\n    await verifyToken(sdk, idTokenObj, validationParams);\n    tokenDict.idToken = idTokenObj;\n  }\n\n  // Validate received tokens against requested response types \n  if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n  }\n  if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n  }\n\n  return {\n    tokens: tokenDict,\n    state: res.state!,\n    code: res.code,\n    responseType\n  };\n  \n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAEvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;EACF;EAEA,IAAId,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd4B,QAAQ,EAAE5C,IAAI,CAAC4C,QAAS;MACxBH,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCI,MAAM,EAAE7C,IAAI,CAAC6C;IACf,CAAC;IAED,IAAI9C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;EACF;EAEA,IAAIhB,OAAO,EAAE;IACX,MAAMmB,KAAK,GAAGhD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMoB,UAAmB,GAAG;MAC1BpB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAES,KAAK,CAACR,OAAO;MACrBC,SAAS,EAAEO,KAAK,CAACR,OAAO,CAACU,GAAG,GAAIF,KAAK,CAACR,OAAO,CAACW,GAAI,GAAGlB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCI,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBzB,QAAQ,EAAEA;IACZ,CAAC;IAED,MAAM8B,gBAAmC,GAAG;MAC1C9B,QAAQ,EAAEA,QAAS;MACnByB,MAAM,EAAE7C,IAAI,CAAC6C,MAAO;MACpBM,KAAK,EAAEpD,WAAW,CAACoD,KAAK;MACxB1B,WAAW,EAAEA,WAAW;MACxB2B,SAAS,EAAErD,WAAW,CAACqD;IACzB,CAAC;IAED,IAAIrD,WAAW,CAACsD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGtD,WAAW,CAACsD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAACzD,GAAG,EAAEiD,UAAU,EAAEG,gBAAgB,CAAC;IACpD7B,SAAS,CAACM,OAAO,GAAGoB,UAAU;EAChC;;EAEA;EACA,IAAIlC,YAAY,CAAC2C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC2C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACnC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACL+D,MAAM,EAAEpC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}
+{"version":3,"file":"handleOAuthResponse.js","names":["validateResponse","res","oauthParams","OAuthError","state","AuthSdkError","dpop","token_type","handleOAuthResponse","sdk","tokenParams","urls","pkce","options","code","interaction_code","token","exchangeCodeForTokens","Object","assign","authorizationCode","interactionCode","getDefaultTokenParams","getOAuthUrls","responseType","Array","isArray","scopes","scope","split","clone","clientId","tokenDict","expiresIn","expires_in","tokenType","accessToken","access_token","idToken","id_token","refreshToken","refresh_token","now","Math","floor","Date","accessJwt","decode","claims","payload","expiresAt","Number","authorizeUrl","userinfoUrl","dpopPairId","extraParams","tokenUrl","issuer","idJwt","idTokenObj","exp","iat","validationParams","nonce","acrValues","ignoreSignature","undefined","verifyToken","indexOf","tokens"],"sources":["../../../lib/oidc/handleOAuthResponse.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\n\n/* eslint-disable complexity, max-statements */\n/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { clone } from '../util';\nimport {\n  getOAuthUrls,\n} from './util/oauth';\nimport { AuthSdkError, OAuthError } from '../errors';\nimport {\n  OktaAuthOAuthInterface,\n  TokenVerifyParams,\n  IDToken,\n  OAuthResponse,\n  TokenParams,\n  TokenResponse,\n  CustomUrls,\n  Tokens,\n} from './types';\nimport { verifyToken } from './verifyToken';\nimport { getDefaultTokenParams } from './util';\n\nfunction validateResponse(res: OAuthResponse, oauthParams: TokenParams) {\n  if (res['error'] && res['error_description']) {\n    throw new OAuthError(res['error'], res['error_description']);\n  }\n\n  if (res.state !== oauthParams.state) {\n    throw new AuthSdkError('OAuth flow response state doesn\\'t match request state');\n  }\n\n  // https://datatracker.ietf.org/doc/html/rfc9449#token-response\n  // \"A token_type of DPoP MUST be included in the access token response to signal to the client\"\n  if (oauthParams.dpop && res.token_type !== 'DPoP') {\n    throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but \"token_type\" was not DPoP');\n  }\n}\n\nexport async function handleOAuthResponse(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  res: OAuthResponse,\n  urls?: CustomUrls\n): Promise<TokenResponse> {\n  const pkce = sdk.options.pkce !== false;\n\n\n  // The result contains an authorization_code and PKCE is enabled \n  // `exchangeCodeForTokens` will call /token then call `handleOauthResponse` recursively with the result\n  if (pkce && (res.code || res.interaction_code)) {\n    return sdk.token.exchangeCodeForTokens(Object.assign({}, tokenParams, {\n      authorizationCode: res.code,\n      interactionCode: res.interaction_code\n    }), urls);\n  }\n\n  tokenParams = tokenParams || getDefaultTokenParams(sdk);\n  urls = urls || getOAuthUrls(sdk, tokenParams);\n\n  let responseType = tokenParams.responseType || [];\n  if (!Array.isArray(responseType) && responseType !== 'none') {\n    responseType = [responseType];\n  }\n\n  let scopes;\n  if (res.scope) {\n    scopes = res.scope.split(' ');\n  } else {\n    scopes = clone(tokenParams.scopes);\n  }\n  const clientId = tokenParams.clientId || sdk.options.clientId;\n\n  // Handling the result from implicit flow or PKCE token exchange\n  validateResponse(res, tokenParams);\n\n  const tokenDict = {} as Tokens;\n  const expiresIn = res.expires_in;\n  const tokenType = res.token_type;\n  const accessToken = res.access_token;\n  const idToken = res.id_token;\n  const refreshToken = res.refresh_token;\n  const now = Math.floor(Date.now()/1000);\n\n  if (accessToken) {\n    const accessJwt = sdk.token.decode(accessToken);\n    tokenDict.accessToken = {\n      accessToken: accessToken,\n      claims: accessJwt.payload,\n      expiresAt: Number(expiresIn) + now,\n      tokenType: tokenType!,\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      userinfoUrl: urls.userinfoUrl!\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.accessToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.accessToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (refreshToken) {\n    tokenDict.refreshToken = {\n      refreshToken: refreshToken,\n      // should not be used, this is the accessToken expire time\n      // TODO: remove \"expiresAt\" in the next major version OKTA-407224\n      expiresAt: Number(expiresIn) + now, \n      scopes: scopes,\n      tokenUrl: urls.tokenUrl!,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n    };\n\n    if (tokenParams.dpopPairId) {\n      tokenDict.refreshToken.dpopPairId = tokenParams.dpopPairId;\n    }\n\n    if (tokenParams.extraParams) {\n      tokenDict.refreshToken.extraParams = tokenParams.extraParams;\n    }\n  }\n\n  if (idToken) {\n    const idJwt = sdk.token.decode(idToken);\n    const idTokenObj: IDToken = {\n      idToken: idToken,\n      claims: idJwt.payload,\n      expiresAt: idJwt.payload.exp! - idJwt.payload.iat! + now, // adjusting expiresAt to be in local time\n      scopes: scopes,\n      authorizeUrl: urls.authorizeUrl!,\n      issuer: urls.issuer!,\n      clientId: clientId!\n    };\n\n    if (tokenParams.extraParams) {\n      idTokenObj.extraParams = tokenParams.extraParams;\n    }\n\n    const validationParams: TokenVerifyParams = {\n      clientId: clientId!,\n      issuer: urls.issuer!,\n      nonce: tokenParams.nonce,\n      accessToken: accessToken,\n      acrValues: tokenParams.acrValues\n    };\n\n    if (tokenParams.ignoreSignature !== undefined) {\n      validationParams.ignoreSignature = tokenParams.ignoreSignature;\n    }\n\n    await verifyToken(sdk, idTokenObj, validationParams);\n    tokenDict.idToken = idTokenObj;\n  }\n\n  // Validate received tokens against requested response types \n  if (responseType.indexOf('token') !== -1 && !tokenDict.accessToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"token\" was requested but \"access_token\" was not returned.');\n  }\n  if (responseType.indexOf('id_token') !== -1 && !tokenDict.idToken) {\n    // eslint-disable-next-line max-len\n    throw new AuthSdkError('Unable to parse OAuth flow response: response type \"id_token\" was requested but \"id_token\" was not returned.');\n  }\n\n  return {\n    tokens: tokenDict,\n    state: res.state!,\n    code: res.code,\n    responseType\n  };\n  \n}"],"mappings":";;;AAeA;AACA;AAGA;AAWA;AACA;AA/BA;;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAmBA,SAASA,gBAAgB,CAACC,GAAkB,EAAEC,WAAwB,EAAE;EACtE,IAAID,GAAG,CAAC,OAAO,CAAC,IAAIA,GAAG,CAAC,mBAAmB,CAAC,EAAE;IAC5C,MAAM,IAAIE,kBAAU,CAACF,GAAG,CAAC,OAAO,CAAC,EAAEA,GAAG,CAAC,mBAAmB,CAAC,CAAC;EAC9D;EAEA,IAAIA,GAAG,CAACG,KAAK,KAAKF,WAAW,CAACE,KAAK,EAAE;IACnC,MAAM,IAAIC,oBAAY,CAAC,wDAAwD,CAAC;EAClF;;EAEA;EACA;EACA,IAAIH,WAAW,CAACI,IAAI,IAAIL,GAAG,CAACM,UAAU,KAAK,MAAM,EAAE;IACjD,MAAM,IAAIF,oBAAY,CAAC,wFAAwF,CAAC;EAClH;AACF;AAEO,eAAeG,mBAAmB,CACvCC,GAA2B,EAC3BC,WAAwB,EACxBT,GAAkB,EAClBU,IAAiB,EACO;EACxB,MAAMC,IAAI,GAAGH,GAAG,CAACI,OAAO,CAACD,IAAI,KAAK,KAAK;;EAGvC;EACA;EACA,IAAIA,IAAI,KAAKX,GAAG,CAACa,IAAI,IAAIb,GAAG,CAACc,gBAAgB,CAAC,EAAE;IAC9C,OAAON,GAAG,CAACO,KAAK,CAACC,qBAAqB,CAACC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAET,WAAW,EAAE;MACpEU,iBAAiB,EAAEnB,GAAG,CAACa,IAAI;MAC3BO,eAAe,EAAEpB,GAAG,CAACc;IACvB,CAAC,CAAC,EAAEJ,IAAI,CAAC;EACX;EAEAD,WAAW,GAAGA,WAAW,IAAI,IAAAY,4BAAqB,EAACb,GAAG,CAAC;EACvDE,IAAI,GAAGA,IAAI,IAAI,IAAAY,mBAAY,EAACd,GAAG,EAAEC,WAAW,CAAC;EAE7C,IAAIc,YAAY,GAAGd,WAAW,CAACc,YAAY,IAAI,EAAE;EACjD,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,YAAY,CAAC,IAAIA,YAAY,KAAK,MAAM,EAAE;IAC3DA,YAAY,GAAG,CAACA,YAAY,CAAC;EAC/B;EAEA,IAAIG,MAAM;EACV,IAAI1B,GAAG,CAAC2B,KAAK,EAAE;IACbD,MAAM,GAAG1B,GAAG,CAAC2B,KAAK,CAACC,KAAK,CAAC,GAAG,CAAC;EAC/B,CAAC,MAAM;IACLF,MAAM,GAAG,IAAAG,WAAK,EAACpB,WAAW,CAACiB,MAAM,CAAC;EACpC;EACA,MAAMI,QAAQ,GAAGrB,WAAW,CAACqB,QAAQ,IAAItB,GAAG,CAACI,OAAO,CAACkB,QAAQ;;EAE7D;EACA/B,gBAAgB,CAACC,GAAG,EAAES,WAAW,CAAC;EAElC,MAAMsB,SAAS,GAAG,CAAC,CAAW;EAC9B,MAAMC,SAAS,GAAGhC,GAAG,CAACiC,UAAU;EAChC,MAAMC,SAAS,GAAGlC,GAAG,CAACM,UAAU;EAChC,MAAM6B,WAAW,GAAGnC,GAAG,CAACoC,YAAY;EACpC,MAAMC,OAAO,GAAGrC,GAAG,CAACsC,QAAQ;EAC5B,MAAMC,YAAY,GAAGvC,GAAG,CAACwC,aAAa;EACtC,MAAMC,GAAG,GAAGC,IAAI,CAACC,KAAK,CAACC,IAAI,CAACH,GAAG,EAAE,GAAC,IAAI,CAAC;EAEvC,IAAIN,WAAW,EAAE;IACf,MAAMU,SAAS,GAAGrC,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACX,WAAW,CAAC;IAC/CJ,SAAS,CAACI,WAAW,GAAG;MACtBA,WAAW,EAAEA,WAAW;MACxBY,MAAM,EAAEF,SAAS,CAACG,OAAO;MACzBC,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCP,SAAS,EAAEA,SAAU;MACrBR,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCC,WAAW,EAAE1C,IAAI,CAAC0C;IACpB,CAAC;IAED,IAAI3C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACI,WAAW,CAACkB,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC3D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACI,WAAW,CAACmB,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC7D;EACF;EAEA,IAAIf,YAAY,EAAE;IAChBR,SAAS,CAACQ,YAAY,GAAG;MACvBA,YAAY,EAAEA,YAAY;MAC1B;MACA;MACAU,SAAS,EAAEC,MAAM,CAAClB,SAAS,CAAC,GAAGS,GAAG;MAClCf,MAAM,EAAEA,MAAM;MACd6B,QAAQ,EAAE7C,IAAI,CAAC6C,QAAS;MACxBJ,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C;IACf,CAAC;IAED,IAAI/C,WAAW,CAAC4C,UAAU,EAAE;MAC1BtB,SAAS,CAACQ,YAAY,CAACc,UAAU,GAAG5C,WAAW,CAAC4C,UAAU;IAC5D;IAEA,IAAI5C,WAAW,CAAC6C,WAAW,EAAE;MAC3BvB,SAAS,CAACQ,YAAY,CAACe,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAC9D;EACF;EAEA,IAAIjB,OAAO,EAAE;IACX,MAAMoB,KAAK,GAAGjD,GAAG,CAACO,KAAK,CAAC+B,MAAM,CAACT,OAAO,CAAC;IACvC,MAAMqB,UAAmB,GAAG;MAC1BrB,OAAO,EAAEA,OAAO;MAChBU,MAAM,EAAEU,KAAK,CAACT,OAAO;MACrBC,SAAS,EAAEQ,KAAK,CAACT,OAAO,CAACW,GAAG,GAAIF,KAAK,CAACT,OAAO,CAACY,GAAI,GAAGnB,GAAG;MAAE;MAC1Df,MAAM,EAAEA,MAAM;MACdyB,YAAY,EAAEzC,IAAI,CAACyC,YAAa;MAChCK,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpB1B,QAAQ,EAAEA;IACZ,CAAC;IAED,IAAIrB,WAAW,CAAC6C,WAAW,EAAE;MAC3BI,UAAU,CAACJ,WAAW,GAAG7C,WAAW,CAAC6C,WAAW;IAClD;IAEA,MAAMO,gBAAmC,GAAG;MAC1C/B,QAAQ,EAAEA,QAAS;MACnB0B,MAAM,EAAE9C,IAAI,CAAC8C,MAAO;MACpBM,KAAK,EAAErD,WAAW,CAACqD,KAAK;MACxB3B,WAAW,EAAEA,WAAW;MACxB4B,SAAS,EAAEtD,WAAW,CAACsD;IACzB,CAAC;IAED,IAAItD,WAAW,CAACuD,eAAe,KAAKC,SAAS,EAAE;MAC7CJ,gBAAgB,CAACG,eAAe,GAAGvD,WAAW,CAACuD,eAAe;IAChE;IAEA,MAAM,IAAAE,wBAAW,EAAC1D,GAAG,EAAEkD,UAAU,EAAEG,gBAAgB,CAAC;IACpD9B,SAAS,CAACM,OAAO,GAAGqB,UAAU;EAChC;;EAEA;EACA,IAAInC,YAAY,CAAC4C,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACI,WAAW,EAAE;IAClE;IACA,MAAM,IAAI/B,oBAAY,CAAC,+GAA+G,CAAC;EACzI;EACA,IAAImB,YAAY,CAAC4C,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,CAACpC,SAAS,CAACM,OAAO,EAAE;IACjE;IACA,MAAM,IAAIjC,oBAAY,CAAC,8GAA8G,CAAC;EACxI;EAEA,OAAO;IACLgE,MAAM,EAAErC,SAAS;IACjB5B,KAAK,EAAEH,GAAG,CAACG,KAAM;IACjBU,IAAI,EAAEb,GAAG,CAACa,IAAI;IACdU;EACF,CAAC;AAEH"}

package/cjs/oidc/renewToken.js

@@ -58,7 +58,8 @@ async function renewToken(sdk, token) {
     authorizeUrl,
     userinfoUrl,
     issuer,
-    dpopPairId
+    dpopPairId,
+    extraParams
   } = token;
   return (0, _getWithoutPrompt.getWithoutPrompt)(sdk, {
     responseType,
@@ -66,7 +67,8 @@ async function renewToken(sdk, token) {
     authorizeUrl,
     userinfoUrl,
     issuer,
-    dpopPairId
+    dpopPairId,
+    extraParams
   }).then(function (res) {
     return getSingleToken(token, res.tokens);
   });

package/cjs/oidc/renewToken.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewToken.js","names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","isIDToken","idToken","isAccessToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","dpopPairId","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewToken.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, Token, Tokens, isAccessToken, AccessToken, IDToken, isIDToken } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\n\nfunction throwInvalidTokenError() {\n  throw new AuthSdkError(\n    'Renew must be passed a token with an array of scopes and an accessToken or idToken'\n  );\n}\n\n// Multiple tokens may have come back. Return only the token which was requested.\nfunction getSingleToken(originalToken: Token, tokens: Tokens) {\n  if (isIDToken(originalToken)) {\n    return tokens.idToken;\n  }\n  if (isAccessToken(originalToken)) {\n    return tokens.accessToken;\n  }\n  throwInvalidTokenError();\n}\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\nexport async function renewToken(sdk: OktaAuthOAuthInterface, token: Token): Promise<Token | undefined> {\n  if (!isIDToken(token) && !isAccessToken(token)) {\n    throwInvalidTokenError();\n  }\n\n  let tokens = sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    tokens = await renewTokensWithRefresh(sdk, {\n      scopes: token.scopes,\n    }, tokens.refreshToken);\n    return getSingleToken(token, tokens);\n  }\n\n  var responseType;\n  if (sdk.options.pkce) {\n    responseType = 'code';\n  } else if (isAccessToken(token)) {\n    responseType = 'token';\n  } else {\n    responseType = 'id_token';\n  }\n\n  const { scopes, authorizeUrl, userinfoUrl, issuer, dpopPairId } = token as (AccessToken & IDToken);\n  return getWithoutPrompt(sdk, {\n    responseType,\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId\n  })\n    .then(function (res) {\n      return getSingleToken(token, res.tokens);\n    });\n}\n"],"mappings":";;;AAYA;AACA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA,SAASA,sBAAsB,GAAG;EAChC,MAAM,IAAIC,oBAAY,CACpB,oFAAoF,CACrF;AACH;;AAEA;AACA,SAASC,cAAc,CAACC,aAAoB,EAAEC,MAAc,EAAE;EAC5D,IAAI,IAAAC,gBAAS,EAACF,aAAa,CAAC,EAAE;IAC5B,OAAOC,MAAM,CAACE,OAAO;EACvB;EACA,IAAI,IAAAC,oBAAa,EAACJ,aAAa,CAAC,EAAE;IAChC,OAAOC,MAAM,CAACI,WAAW;EAC3B;EACAR,sBAAsB,EAAE;AAC1B;;AAEA;AACO,eAAeS,UAAU,CAACC,GAA2B,EAAEC,KAAY,EAA8B;EACtG,IAAI,CAAC,IAAAN,gBAAS,EAACM,KAAK,CAAC,IAAI,CAAC,IAAAJ,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC9CX,sBAAsB,EAAE;EAC1B;EAEA,IAAII,MAAM,GAAGM,GAAG,CAACE,YAAY,CAACC,aAAa,EAAE;EAC7C,IAAIT,MAAM,CAACU,YAAY,EAAE;IACvBV,MAAM,GAAG,MAAM,IAAAW,8CAAsB,EAACL,GAAG,EAAE;MACzCM,MAAM,EAAEL,KAAK,CAACK;IAChB,CAAC,EAAEZ,MAAM,CAACU,YAAY,CAAC;IACvB,OAAOZ,cAAc,CAACS,KAAK,EAAEP,MAAM,CAAC;EACtC;EAEA,IAAIa,YAAY;EAChB,IAAIP,GAAG,CAACQ,OAAO,CAACC,IAAI,EAAE;IACpBF,YAAY,GAAG,MAAM;EACvB,CAAC,MAAM,IAAI,IAAAV,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC/BM,YAAY,GAAG,OAAO;EACxB,CAAC,MAAM;IACLA,YAAY,GAAG,UAAU;EAC3B;EAEA,MAAM;IAAED,MAAM;IAAEI,YAAY;IAAEC,WAAW;IAAEC,MAAM;IAAEC;EAAW,CAAC,GAAGZ,KAAgC;EAClG,OAAO,IAAAa,kCAAgB,EAACd,GAAG,EAAE;IAC3BO,YAAY;IACZD,MAAM;IACNI,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC;EACF,CAAC,CAAC,CACCE,IAAI,CAAC,UAAUC,GAAG,EAAE;IACnB,OAAOxB,cAAc,CAACS,KAAK,EAAEe,GAAG,CAACtB,MAAM,CAAC;EAC1C,CAAC,CAAC;AACN"}
+{"version":3,"file":"renewToken.js","names":["throwInvalidTokenError","AuthSdkError","getSingleToken","originalToken","tokens","isIDToken","idToken","isAccessToken","accessToken","renewToken","sdk","token","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","scopes","responseType","options","pkce","authorizeUrl","userinfoUrl","issuer","dpopPairId","extraParams","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewToken.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { OktaAuthOAuthInterface, Token, Tokens, isAccessToken, AccessToken, IDToken, isIDToken } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\n\nfunction throwInvalidTokenError() {\n  throw new AuthSdkError(\n    'Renew must be passed a token with an array of scopes and an accessToken or idToken'\n  );\n}\n\n// Multiple tokens may have come back. Return only the token which was requested.\nfunction getSingleToken(originalToken: Token, tokens: Tokens) {\n  if (isIDToken(originalToken)) {\n    return tokens.idToken;\n  }\n  if (isAccessToken(originalToken)) {\n    return tokens.accessToken;\n  }\n  throwInvalidTokenError();\n}\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\nexport async function renewToken(sdk: OktaAuthOAuthInterface, token: Token): Promise<Token | undefined> {\n  if (!isIDToken(token) && !isAccessToken(token)) {\n    throwInvalidTokenError();\n  }\n\n  let tokens = sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    tokens = await renewTokensWithRefresh(sdk, {\n      scopes: token.scopes,\n    }, tokens.refreshToken);\n    return getSingleToken(token, tokens);\n  }\n\n  var responseType;\n  if (sdk.options.pkce) {\n    responseType = 'code';\n  } else if (isAccessToken(token)) {\n    responseType = 'token';\n  } else {\n    responseType = 'id_token';\n  }\n\n  const { scopes, authorizeUrl, userinfoUrl, issuer, dpopPairId, extraParams } = token as (AccessToken & IDToken);\n  return getWithoutPrompt(sdk, {\n    responseType,\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId,\n    extraParams\n  })\n    .then(function (res) {\n      return getSingleToken(token, res.tokens);\n    });\n}\n"],"mappings":";;;AAYA;AACA;AACA;AACA;AAfA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAMA,SAASA,sBAAsB,GAAG;EAChC,MAAM,IAAIC,oBAAY,CACpB,oFAAoF,CACrF;AACH;;AAEA;AACA,SAASC,cAAc,CAACC,aAAoB,EAAEC,MAAc,EAAE;EAC5D,IAAI,IAAAC,gBAAS,EAACF,aAAa,CAAC,EAAE;IAC5B,OAAOC,MAAM,CAACE,OAAO;EACvB;EACA,IAAI,IAAAC,oBAAa,EAACJ,aAAa,CAAC,EAAE;IAChC,OAAOC,MAAM,CAACI,WAAW;EAC3B;EACAR,sBAAsB,EAAE;AAC1B;;AAEA;AACO,eAAeS,UAAU,CAACC,GAA2B,EAAEC,KAAY,EAA8B;EACtG,IAAI,CAAC,IAAAN,gBAAS,EAACM,KAAK,CAAC,IAAI,CAAC,IAAAJ,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC9CX,sBAAsB,EAAE;EAC1B;EAEA,IAAII,MAAM,GAAGM,GAAG,CAACE,YAAY,CAACC,aAAa,EAAE;EAC7C,IAAIT,MAAM,CAACU,YAAY,EAAE;IACvBV,MAAM,GAAG,MAAM,IAAAW,8CAAsB,EAACL,GAAG,EAAE;MACzCM,MAAM,EAAEL,KAAK,CAACK;IAChB,CAAC,EAAEZ,MAAM,CAACU,YAAY,CAAC;IACvB,OAAOZ,cAAc,CAACS,KAAK,EAAEP,MAAM,CAAC;EACtC;EAEA,IAAIa,YAAY;EAChB,IAAIP,GAAG,CAACQ,OAAO,CAACC,IAAI,EAAE;IACpBF,YAAY,GAAG,MAAM;EACvB,CAAC,MAAM,IAAI,IAAAV,oBAAa,EAACI,KAAK,CAAC,EAAE;IAC/BM,YAAY,GAAG,OAAO;EACxB,CAAC,MAAM;IACLA,YAAY,GAAG,UAAU;EAC3B;EAEA,MAAM;IAAED,MAAM;IAAEI,YAAY;IAAEC,WAAW;IAAEC,MAAM;IAAEC,UAAU;IAAEC;EAAY,CAAC,GAAGb,KAAgC;EAC/G,OAAO,IAAAc,kCAAgB,EAACf,GAAG,EAAE;IAC3BO,YAAY;IACZD,MAAM;IACNI,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC,UAAU;IACVC;EACF,CAAC,CAAC,CACCE,IAAI,CAAC,UAAUC,GAAG,EAAE;IACnB,OAAOzB,cAAc,CAACS,KAAK,EAAEgB,GAAG,CAACvB,MAAM,CAAC;EAC1C,CAAC,CAAC;AACN"}

package/cjs/oidc/renewTokens.js

@@ -41,6 +41,7 @@ async function renewTokens(sdk, options) {
   const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;
   const issuer = idToken.issuer || sdk.options.issuer;
   const dpopPairId = accessToken?.dpopPairId;
+  const extraParams = accessToken?.extraParams || idToken?.extraParams;
 
   // Get tokens using the SSO cookie
   options = Object.assign({
@@ -48,7 +49,8 @@ async function renewTokens(sdk, options) {
     authorizeUrl,
     userinfoUrl,
     issuer,
-    dpopPairId
+    dpopPairId,
+    extraParams
   }, options);
   if (sdk.options.pkce) {
     options.responseType = 'code';

package/cjs/oidc/renewTokens.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewTokens.js","names":["renewTokens","sdk","options","tokens","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","accessToken","idToken","AuthSdkError","scopes","authorizeUrl","userinfoUrl","issuer","dpopPairId","Object","assign","pkce","responseType","getDefaultTokenParams","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewTokens.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { RenewTokensParams, Tokens } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nimport { getDefaultTokenParams } from './util';\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\n// eslint-disable-next-line complexity\nexport async function renewTokens(sdk, options?: RenewTokensParams): Promise<Tokens> {\n  const tokens = options?.tokens ?? sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    return renewTokensWithRefresh(sdk, options || {}, tokens.refreshToken);\n  }\n\n  if (!tokens.accessToken && !tokens.idToken) {\n    throw new AuthSdkError('renewTokens() was called but there is no existing token');\n  }\n\n  const accessToken = tokens.accessToken || {};\n  const idToken = tokens.idToken || {};\n  const scopes = accessToken.scopes || idToken.scopes;\n  if (!scopes) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read scopes');\n  }\n  const authorizeUrl = accessToken.authorizeUrl || idToken.authorizeUrl;\n  if (!authorizeUrl) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read authorizeUrl');\n  }\n  const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;\n  const issuer = idToken.issuer || sdk.options.issuer;\n  const dpopPairId = accessToken?.dpopPairId;\n\n  // Get tokens using the SSO cookie\n  options = Object.assign({\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId\n  }, options);\n\n  if (sdk.options.pkce) {\n    options.responseType = 'code';\n  } else {\n    const { responseType } = getDefaultTokenParams(sdk);\n    options.responseType = responseType;\n  }\n\n  return getWithoutPrompt(sdk, options)\n    .then(res => res.tokens);\n    \n}\n"],"mappings":";;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACO,eAAeA,WAAW,CAACC,GAAG,EAAEC,OAA2B,EAAmB;EACnF,MAAMC,MAAM,GAAGD,OAAO,EAAEC,MAAM,IAAIF,GAAG,CAACG,YAAY,CAACC,aAAa,EAAE;EAClE,IAAIF,MAAM,CAACG,YAAY,EAAE;IACvB,OAAO,IAAAC,8CAAsB,EAACN,GAAG,EAAEC,OAAO,IAAI,CAAC,CAAC,EAAEC,MAAM,CAACG,YAAY,CAAC;EACxE;EAEA,IAAI,CAACH,MAAM,CAACK,WAAW,IAAI,CAACL,MAAM,CAACM,OAAO,EAAE;IAC1C,MAAM,IAAIC,oBAAY,CAAC,yDAAyD,CAAC;EACnF;EAEA,MAAMF,WAAW,GAAGL,MAAM,CAACK,WAAW,IAAI,CAAC,CAAC;EAC5C,MAAMC,OAAO,GAAGN,MAAM,CAACM,OAAO,IAAI,CAAC,CAAC;EACpC,MAAME,MAAM,GAAGH,WAAW,CAACG,MAAM,IAAIF,OAAO,CAACE,MAAM;EACnD,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,oBAAY,CAAC,oDAAoD,CAAC;EAC9E;EACA,MAAME,YAAY,GAAGJ,WAAW,CAACI,YAAY,IAAIH,OAAO,CAACG,YAAY;EACrE,IAAI,CAACA,YAAY,EAAE;IACjB,MAAM,IAAIF,oBAAY,CAAC,0DAA0D,CAAC;EACpF;EACA,MAAMG,WAAW,GAAGL,WAAW,CAACK,WAAW,IAAIZ,GAAG,CAACC,OAAO,CAACW,WAAW;EACtE,MAAMC,MAAM,GAAGL,OAAO,CAACK,MAAM,IAAIb,GAAG,CAACC,OAAO,CAACY,MAAM;EACnD,MAAMC,UAAU,GAAGP,WAAW,EAAEO,UAAU;;EAE1C;EACAb,OAAO,GAAGc,MAAM,CAACC,MAAM,CAAC;IACtBN,MAAM;IACNC,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC;EACF,CAAC,EAAEb,OAAO,CAAC;EAEX,IAAID,GAAG,CAACC,OAAO,CAACgB,IAAI,EAAE;IACpBhB,OAAO,CAACiB,YAAY,GAAG,MAAM;EAC/B,CAAC,MAAM;IACL,MAAM;MAAEA;IAAa,CAAC,GAAG,IAAAC,2BAAqB,EAACnB,GAAG,CAAC;IACnDC,OAAO,CAACiB,YAAY,GAAGA,YAAY;EACrC;EAEA,OAAO,IAAAE,kCAAgB,EAACpB,GAAG,EAAEC,OAAO,CAAC,CAClCoB,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACpB,MAAM,CAAC;AAE5B"}
+{"version":3,"file":"renewTokens.js","names":["renewTokens","sdk","options","tokens","tokenManager","getTokensSync","refreshToken","renewTokensWithRefresh","accessToken","idToken","AuthSdkError","scopes","authorizeUrl","userinfoUrl","issuer","dpopPairId","extraParams","Object","assign","pkce","responseType","getDefaultTokenParams","getWithoutPrompt","then","res"],"sources":["../../../lib/oidc/renewTokens.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { RenewTokensParams, Tokens } from './types';\nimport { getWithoutPrompt } from './getWithoutPrompt';\nimport { renewTokensWithRefresh } from './renewTokensWithRefresh';\nimport { getDefaultTokenParams } from './util';\n\n// If we have a refresh token, renew using that, otherwise getWithoutPrompt\n// eslint-disable-next-line complexity\nexport async function renewTokens(sdk, options?: RenewTokensParams): Promise<Tokens> {\n  const tokens = options?.tokens ?? sdk.tokenManager.getTokensSync();\n  if (tokens.refreshToken) {\n    return renewTokensWithRefresh(sdk, options || {}, tokens.refreshToken);\n  }\n\n  if (!tokens.accessToken && !tokens.idToken) {\n    throw new AuthSdkError('renewTokens() was called but there is no existing token');\n  }\n\n  const accessToken = tokens.accessToken || {};\n  const idToken = tokens.idToken || {};\n  const scopes = accessToken.scopes || idToken.scopes;\n  if (!scopes) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read scopes');\n  }\n  const authorizeUrl = accessToken.authorizeUrl || idToken.authorizeUrl;\n  if (!authorizeUrl) {\n    throw new AuthSdkError('renewTokens: invalid tokens: could not read authorizeUrl');\n  }\n  const userinfoUrl = accessToken.userinfoUrl || sdk.options.userinfoUrl;\n  const issuer = idToken.issuer || sdk.options.issuer;\n  const dpopPairId = accessToken?.dpopPairId;\n  const extraParams = accessToken?.extraParams || idToken?.extraParams;\n\n  // Get tokens using the SSO cookie\n  options = Object.assign({\n    scopes,\n    authorizeUrl,\n    userinfoUrl,\n    issuer,\n    dpopPairId,\n    extraParams\n  }, options);\n\n  if (sdk.options.pkce) {\n    options.responseType = 'code';\n  } else {\n    const { responseType } = getDefaultTokenParams(sdk);\n    options.responseType = responseType;\n  }\n\n  return getWithoutPrompt(sdk, options)\n    .then(res => res.tokens);\n    \n}\n"],"mappings":";;;AAYA;AAEA;AACA;AACA;AAhBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAOA;AACA;AACO,eAAeA,WAAW,CAACC,GAAG,EAAEC,OAA2B,EAAmB;EACnF,MAAMC,MAAM,GAAGD,OAAO,EAAEC,MAAM,IAAIF,GAAG,CAACG,YAAY,CAACC,aAAa,EAAE;EAClE,IAAIF,MAAM,CAACG,YAAY,EAAE;IACvB,OAAO,IAAAC,8CAAsB,EAACN,GAAG,EAAEC,OAAO,IAAI,CAAC,CAAC,EAAEC,MAAM,CAACG,YAAY,CAAC;EACxE;EAEA,IAAI,CAACH,MAAM,CAACK,WAAW,IAAI,CAACL,MAAM,CAACM,OAAO,EAAE;IAC1C,MAAM,IAAIC,oBAAY,CAAC,yDAAyD,CAAC;EACnF;EAEA,MAAMF,WAAW,GAAGL,MAAM,CAACK,WAAW,IAAI,CAAC,CAAC;EAC5C,MAAMC,OAAO,GAAGN,MAAM,CAACM,OAAO,IAAI,CAAC,CAAC;EACpC,MAAME,MAAM,GAAGH,WAAW,CAACG,MAAM,IAAIF,OAAO,CAACE,MAAM;EACnD,IAAI,CAACA,MAAM,EAAE;IACX,MAAM,IAAID,oBAAY,CAAC,oDAAoD,CAAC;EAC9E;EACA,MAAME,YAAY,GAAGJ,WAAW,CAACI,YAAY,IAAIH,OAAO,CAACG,YAAY;EACrE,IAAI,CAACA,YAAY,EAAE;IACjB,MAAM,IAAIF,oBAAY,CAAC,0DAA0D,CAAC;EACpF;EACA,MAAMG,WAAW,GAAGL,WAAW,CAACK,WAAW,IAAIZ,GAAG,CAACC,OAAO,CAACW,WAAW;EACtE,MAAMC,MAAM,GAAGL,OAAO,CAACK,MAAM,IAAIb,GAAG,CAACC,OAAO,CAACY,MAAM;EACnD,MAAMC,UAAU,GAAGP,WAAW,EAAEO,UAAU;EAC1C,MAAMC,WAAW,GAAGR,WAAW,EAAEQ,WAAW,IAAIP,OAAO,EAAEO,WAAW;;EAEpE;EACAd,OAAO,GAAGe,MAAM,CAACC,MAAM,CAAC;IACtBP,MAAM;IACNC,YAAY;IACZC,WAAW;IACXC,MAAM;IACNC,UAAU;IACVC;EACF,CAAC,EAAEd,OAAO,CAAC;EAEX,IAAID,GAAG,CAACC,OAAO,CAACiB,IAAI,EAAE;IACpBjB,OAAO,CAACkB,YAAY,GAAG,MAAM;EAC/B,CAAC,MAAM;IACL,MAAM;MAAEA;IAAa,CAAC,GAAG,IAAAC,2BAAqB,EAACpB,GAAG,CAAC;IACnDC,OAAO,CAACkB,YAAY,GAAGA,YAAY;EACrC;EAEA,OAAO,IAAAE,kCAAgB,EAACrB,GAAG,EAAEC,OAAO,CAAC,CAClCqB,IAAI,CAACC,GAAG,IAAIA,GAAG,CAACrB,MAAM,CAAC;AAE5B"}

package/cjs/oidc/renewTokensWithRefresh.js

@@ -21,6 +21,7 @@ var _errors2 = require("./util/errors");
  *
  */
 
+/* eslint complexity:[0,8] */
 async function renewTokensWithRefresh(sdk, tokenParams, refreshTokenObject) {
   const {
     clientId,
@@ -33,6 +34,9 @@ async function renewTokensWithRefresh(sdk, tokenParams, refreshTokenObject) {
     const renewTokenParams = Object.assign({}, tokenParams, {
       clientId
     });
+    if (refreshTokenObject.extraParams) {
+      renewTokenParams.extraParams = refreshTokenObject.extraParams;
+    }
     const endpointParams = {
       ...renewTokenParams
     };

package/cjs/oidc/renewTokensWithRefresh.js.map

@@ -1 +1 @@
-{"version":3,"file":"renewTokensWithRefresh.js","names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","dpop","options","AuthSdkError","renewTokenParams","Object","assign","endpointParams","keyPair","findKeyPair","dpopPairId","dpopKeyPair","tokenResponse","postRefreshToken","urls","getOAuthUrls","tokens","handleOAuthResponse","refreshToken","isSameRefreshToken","tokenManager","updateRefreshToken","err","isRefreshTokenInvalidError","removeRefreshToken"],"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { getOAuthUrls } from './util/oauth';\nimport { isSameRefreshToken } from './util/refreshToken';\nimport { OktaAuthOAuthInterface, TokenParams, RefreshToken, Tokens } from './types';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { TokenEndpointParams, postRefreshToken } from './endpoints/token';\nimport { findKeyPair } from './dpop';\nimport { isRefreshTokenInvalidError } from './util/errors';\n\nexport async function renewTokensWithRefresh(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  refreshTokenObject: RefreshToken\n): Promise<Tokens> {\n  const { clientId, dpop } = sdk.options;\n  if (!clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');\n  }\n\n  try {\n    const renewTokenParams: TokenParams = Object.assign({}, tokenParams, { clientId });\n    const endpointParams: TokenEndpointParams = {...renewTokenParams};\n\n    if (dpop) {\n      const keyPair = await findKeyPair(refreshTokenObject?.dpopPairId);    // will throw if KP cannot be found\n      endpointParams.dpopKeyPair = keyPair;\n      renewTokenParams.dpop = dpop;\n      renewTokenParams.dpopPairId = refreshTokenObject.dpopPairId;\n    }\n\n    const tokenResponse = await postRefreshToken(sdk, endpointParams, refreshTokenObject);\n    const urls = getOAuthUrls(sdk, tokenParams);\n    const { tokens } = await handleOAuthResponse(sdk, renewTokenParams, tokenResponse, urls);\n\n    // Support rotating refresh tokens\n    const { refreshToken } = tokens;\n    if (refreshToken && !isSameRefreshToken(refreshToken, refreshTokenObject)) {\n      sdk.tokenManager.updateRefreshToken(refreshToken);\n    }\n\n    return tokens;\n  }\n  catch (err) {\n    if (isRefreshTokenInvalidError(err)) {\n      // if the refresh token is invalid, remove it from storage\n      sdk.tokenManager.removeRefreshToken();\n    }\n    throw err;\n  }\n}\n"],"mappings":";;;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAUO,eAAeA,sBAAsB,CAC1CC,GAA2B,EAC3BC,WAAwB,EACxBC,kBAAgC,EACf;EACjB,MAAM;IAAEC,QAAQ;IAAEC;EAAK,CAAC,GAAGJ,GAAG,CAACK,OAAO;EACtC,IAAI,CAACF,QAAQ,EAAE;IACb,MAAM,IAAIG,oBAAY,CAAC,0EAA0E,CAAC;EACpG;EAEA,IAAI;IACF,MAAMC,gBAA6B,GAAGC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAER,WAAW,EAAE;MAAEE;IAAS,CAAC,CAAC;IAClF,MAAMO,cAAmC,GAAG;MAAC,GAAGH;IAAgB,CAAC;IAEjE,IAAIH,IAAI,EAAE;MACR,MAAMO,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACV,kBAAkB,EAAEW,UAAU,CAAC,CAAC,CAAI;MACtEH,cAAc,CAACI,WAAW,GAAGH,OAAO;MACpCJ,gBAAgB,CAACH,IAAI,GAAGA,IAAI;MAC5BG,gBAAgB,CAACM,UAAU,GAAGX,kBAAkB,CAACW,UAAU;IAC7D;IAEA,MAAME,aAAa,GAAG,MAAM,IAAAC,uBAAgB,EAAChB,GAAG,EAAEU,cAAc,EAAER,kBAAkB,CAAC;IACrF,MAAMe,IAAI,GAAG,IAAAC,mBAAY,EAAClB,GAAG,EAAEC,WAAW,CAAC;IAC3C,MAAM;MAAEkB;IAAO,CAAC,GAAG,MAAM,IAAAC,wCAAmB,EAACpB,GAAG,EAAEO,gBAAgB,EAAEQ,aAAa,EAAEE,IAAI,CAAC;;IAExF;IACA,MAAM;MAAEI;IAAa,CAAC,GAAGF,MAAM;IAC/B,IAAIE,YAAY,IAAI,CAAC,IAAAC,gCAAkB,EAACD,YAAY,EAAEnB,kBAAkB,CAAC,EAAE;MACzEF,GAAG,CAACuB,YAAY,CAACC,kBAAkB,CAACH,YAAY,CAAC;IACnD;IAEA,OAAOF,MAAM;EACf,CAAC,CACD,OAAOM,GAAG,EAAE;IACV,IAAI,IAAAC,mCAA0B,EAACD,GAAG,CAAC,EAAE;MACnC;MACAzB,GAAG,CAACuB,YAAY,CAACI,kBAAkB,EAAE;IACvC;IACA,MAAMF,GAAG;EACX;AACF"}
+{"version":3,"file":"renewTokensWithRefresh.js","names":["renewTokensWithRefresh","sdk","tokenParams","refreshTokenObject","clientId","dpop","options","AuthSdkError","renewTokenParams","Object","assign","extraParams","endpointParams","keyPair","findKeyPair","dpopPairId","dpopKeyPair","tokenResponse","postRefreshToken","urls","getOAuthUrls","tokens","handleOAuthResponse","refreshToken","isSameRefreshToken","tokenManager","updateRefreshToken","err","isRefreshTokenInvalidError","removeRefreshToken"],"sources":["../../../lib/oidc/renewTokensWithRefresh.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n *\n */\nimport { AuthSdkError } from '../errors';\nimport { getOAuthUrls } from './util/oauth';\nimport { isSameRefreshToken } from './util/refreshToken';\nimport { OktaAuthOAuthInterface, TokenParams, RefreshToken, Tokens } from './types';\nimport { handleOAuthResponse } from './handleOAuthResponse';\nimport { TokenEndpointParams, postRefreshToken } from './endpoints/token';\nimport { findKeyPair } from './dpop';\nimport { isRefreshTokenInvalidError } from './util/errors';\n\n/* eslint complexity:[0,8] */\nexport async function renewTokensWithRefresh(\n  sdk: OktaAuthOAuthInterface,\n  tokenParams: TokenParams,\n  refreshTokenObject: RefreshToken\n): Promise<Tokens> {\n  const { clientId, dpop } = sdk.options;\n  if (!clientId) {\n    throw new AuthSdkError('A clientId must be specified in the OktaAuth constructor to renew tokens');\n  }\n\n  try {\n    const renewTokenParams: TokenParams = Object.assign({}, tokenParams, { clientId });\n\n    if (refreshTokenObject.extraParams) {\n      renewTokenParams.extraParams = refreshTokenObject.extraParams;\n    }\n\n    const endpointParams: TokenEndpointParams = {...renewTokenParams};\n\n    if (dpop) {\n      const keyPair = await findKeyPair(refreshTokenObject?.dpopPairId);    // will throw if KP cannot be found\n      endpointParams.dpopKeyPair = keyPair;\n      renewTokenParams.dpop = dpop;\n      renewTokenParams.dpopPairId = refreshTokenObject.dpopPairId;\n    }\n\n    const tokenResponse = await postRefreshToken(sdk, endpointParams, refreshTokenObject);\n    const urls = getOAuthUrls(sdk, tokenParams);\n    const { tokens } = await handleOAuthResponse(sdk, renewTokenParams, tokenResponse, urls);\n\n    // Support rotating refresh tokens\n    const { refreshToken } = tokens;\n    if (refreshToken && !isSameRefreshToken(refreshToken, refreshTokenObject)) {\n      sdk.tokenManager.updateRefreshToken(refreshToken);\n    }\n\n    return tokens;\n  }\n  catch (err) {\n    if (isRefreshTokenInvalidError(err)) {\n      // if the refresh token is invalid, remove it from storage\n      sdk.tokenManager.removeRefreshToken();\n    }\n    throw err;\n  }\n}\n"],"mappings":";;;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AAnBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAUA;AACO,eAAeA,sBAAsB,CAC1CC,GAA2B,EAC3BC,WAAwB,EACxBC,kBAAgC,EACf;EACjB,MAAM;IAAEC,QAAQ;IAAEC;EAAK,CAAC,GAAGJ,GAAG,CAACK,OAAO;EACtC,IAAI,CAACF,QAAQ,EAAE;IACb,MAAM,IAAIG,oBAAY,CAAC,0EAA0E,CAAC;EACpG;EAEA,IAAI;IACF,MAAMC,gBAA6B,GAAGC,MAAM,CAACC,MAAM,CAAC,CAAC,CAAC,EAAER,WAAW,EAAE;MAAEE;IAAS,CAAC,CAAC;IAElF,IAAID,kBAAkB,CAACQ,WAAW,EAAE;MAClCH,gBAAgB,CAACG,WAAW,GAAGR,kBAAkB,CAACQ,WAAW;IAC/D;IAEA,MAAMC,cAAmC,GAAG;MAAC,GAAGJ;IAAgB,CAAC;IAEjE,IAAIH,IAAI,EAAE;MACR,MAAMQ,OAAO,GAAG,MAAM,IAAAC,iBAAW,EAACX,kBAAkB,EAAEY,UAAU,CAAC,CAAC,CAAI;MACtEH,cAAc,CAACI,WAAW,GAAGH,OAAO;MACpCL,gBAAgB,CAACH,IAAI,GAAGA,IAAI;MAC5BG,gBAAgB,CAACO,UAAU,GAAGZ,kBAAkB,CAACY,UAAU;IAC7D;IAEA,MAAME,aAAa,GAAG,MAAM,IAAAC,uBAAgB,EAACjB,GAAG,EAAEW,cAAc,EAAET,kBAAkB,CAAC;IACrF,MAAMgB,IAAI,GAAG,IAAAC,mBAAY,EAACnB,GAAG,EAAEC,WAAW,CAAC;IAC3C,MAAM;MAAEmB;IAAO,CAAC,GAAG,MAAM,IAAAC,wCAAmB,EAACrB,GAAG,EAAEO,gBAAgB,EAAES,aAAa,EAAEE,IAAI,CAAC;;IAExF;IACA,MAAM;MAAEI;IAAa,CAAC,GAAGF,MAAM;IAC/B,IAAIE,YAAY,IAAI,CAAC,IAAAC,gCAAkB,EAACD,YAAY,EAAEpB,kBAAkB,CAAC,EAAE;MACzEF,GAAG,CAACwB,YAAY,CAACC,kBAAkB,CAACH,YAAY,CAAC;IACnD;IAEA,OAAOF,MAAM;EACf,CAAC,CACD,OAAOM,GAAG,EAAE;IACV,IAAI,IAAAC,mCAA0B,EAACD,GAAG,CAAC,EAAE;MACnC;MACA1B,GAAG,CAACwB,YAAY,CAACI,kBAAkB,EAAE;IACvC;IACA,MAAMF,GAAG;EACX;AACF"}

package/cjs/oidc/types/Token.js.map

@@ -1 +1 @@
-{"version":3,"file":"Token.js","names":["TokenKind","isToken","obj","accessToken","idToken","refreshToken","Array","isArray","scopes","isAccessToken","isIDToken","isRefreshToken"],"sources":["../../../../lib/oidc/types/Token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { UserClaims } from './UserClaims';\n\nexport interface AbstractToken {\n  expiresAt: number;\n  authorizeUrl: string;\n  scopes: string[];\n  pendingRemove?: boolean;\n}\n\nexport interface AccessToken extends AbstractToken {\n  accessToken: string;\n  claims: UserClaims;\n  tokenType: string;\n  userinfoUrl: string;\n  dpopPairId?: string;\n}\n\nexport interface RefreshToken extends AbstractToken {\n  refreshToken: string;\n  tokenUrl: string;\n  issuer: string;\n  dpopPairId?: string;\n}\n\nexport interface IDToken extends AbstractToken {\n  idToken: string;\n  claims: UserClaims;\n  issuer: string;\n  clientId: string;\n}\n\nexport type Token = AccessToken | IDToken | RefreshToken;\nexport type RevocableToken = AccessToken | RefreshToken;\n\nexport type TokenType = 'accessToken' | 'idToken' | 'refreshToken';\nexport enum TokenKind {\n  ACCESS = 'accessToken',\n  ID = 'idToken',\n  REFRESH = 'refreshToken',\n}\n\nexport function isToken(obj: any): obj is Token {\n  if (obj &&\n      (obj.accessToken || obj.idToken || obj.refreshToken) &&\n      Array.isArray(obj.scopes)) {\n    return true;\n  }\n  return false;\n}\n\nexport function isAccessToken(obj: any): obj is AccessToken {\n  return obj && obj.accessToken;\n}\n\nexport function isIDToken(obj: any): obj is IDToken {\n  return obj && obj.idToken;\n}\n\nexport function isRefreshToken(obj: any): obj is RefreshToken {\n  return obj && obj.refreshToken;\n}\n\nexport interface Tokens {\n  accessToken?: AccessToken;\n  idToken?: IDToken;\n  refreshToken?: RefreshToken;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IA+CYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAMd,SAASC,OAAO,CAACC,GAAQ,EAAgB;EAC9C,IAAIA,GAAG,KACFA,GAAG,CAACC,WAAW,IAAID,GAAG,CAACE,OAAO,IAAIF,GAAG,CAACG,YAAY,CAAC,IACpDC,KAAK,CAACC,OAAO,CAACL,GAAG,CAACM,MAAM,CAAC,EAAE;IAC7B,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEO,SAASC,aAAa,CAACP,GAAQ,EAAsB;EAC1D,OAAOA,GAAG,IAAIA,GAAG,CAACC,WAAW;AAC/B;AAEO,SAASO,SAAS,CAACR,GAAQ,EAAkB;EAClD,OAAOA,GAAG,IAAIA,GAAG,CAACE,OAAO;AAC3B;AAEO,SAASO,cAAc,CAACT,GAAQ,EAAuB;EAC5D,OAAOA,GAAG,IAAIA,GAAG,CAACG,YAAY;AAChC"}
+{"version":3,"file":"Token.js","names":["TokenKind","isToken","obj","accessToken","idToken","refreshToken","Array","isArray","scopes","isAccessToken","isIDToken","isRefreshToken"],"sources":["../../../../lib/oidc/types/Token.ts"],"sourcesContent":["/*!\n * Copyright (c) 2015-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { UserClaims } from './UserClaims';\n\nexport interface AbstractToken {\n  expiresAt: number;\n  authorizeUrl: string;\n  scopes: string[];\n  pendingRemove?: boolean;\n  extraParams?: Record<string, string>;\n}\n\nexport interface AccessToken extends AbstractToken {\n  accessToken: string;\n  claims: UserClaims;\n  tokenType: string;\n  userinfoUrl: string;\n  dpopPairId?: string;\n}\n\nexport interface RefreshToken extends AbstractToken {\n  refreshToken: string;\n  tokenUrl: string;\n  issuer: string;\n  dpopPairId?: string;\n}\n\nexport interface IDToken extends AbstractToken {\n  idToken: string;\n  claims: UserClaims;\n  issuer: string;\n  clientId: string;\n}\n\nexport type Token = AccessToken | IDToken | RefreshToken;\nexport type RevocableToken = AccessToken | RefreshToken;\n\nexport type TokenType = 'accessToken' | 'idToken' | 'refreshToken';\nexport enum TokenKind {\n  ACCESS = 'accessToken',\n  ID = 'idToken',\n  REFRESH = 'refreshToken',\n}\n\nexport function isToken(obj: any): obj is Token {\n  if (obj &&\n      (obj.accessToken || obj.idToken || obj.refreshToken) &&\n      Array.isArray(obj.scopes)) {\n    return true;\n  }\n  return false;\n}\n\nexport function isAccessToken(obj: any): obj is AccessToken {\n  return obj && obj.accessToken;\n}\n\nexport function isIDToken(obj: any): obj is IDToken {\n  return obj && obj.idToken;\n}\n\nexport function isRefreshToken(obj: any): obj is RefreshToken {\n  return obj && obj.refreshToken;\n}\n\nexport interface Tokens {\n  accessToken?: AccessToken;\n  idToken?: IDToken;\n  refreshToken?: RefreshToken;\n}\n"],"mappings":";;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,GAVA,IAgDYA,SAAS;AAAA;AAAA,WAATA,SAAS;EAATA,SAAS;EAATA,SAAS;EAATA,SAAS;AAAA,GAATA,SAAS,yBAATA,SAAS;AAMd,SAASC,OAAO,CAACC,GAAQ,EAAgB;EAC9C,IAAIA,GAAG,KACFA,GAAG,CAACC,WAAW,IAAID,GAAG,CAACE,OAAO,IAAIF,GAAG,CAACG,YAAY,CAAC,IACpDC,KAAK,CAACC,OAAO,CAACL,GAAG,CAACM,MAAM,CAAC,EAAE;IAC7B,OAAO,IAAI;EACb;EACA,OAAO,KAAK;AACd;AAEO,SAASC,aAAa,CAACP,GAAQ,EAAsB;EAC1D,OAAOA,GAAG,IAAIA,GAAG,CAACC,WAAW;AAC/B;AAEO,SAASO,SAAS,CAACR,GAAQ,EAAkB;EAClD,OAAOA,GAAG,IAAIA,GAAG,CAACE,OAAO;AAC3B;AAEO,SAASO,cAAc,CAACT,GAAQ,EAAuB;EAC5D,OAAOA,GAAG,IAAIA,GAAG,CAACG,YAAY;AAChC"}

package/cjs/oidc/types/meta.js.map

@@ -1 +1 @@
-{"version":3,"file":"meta.js","names":[],"sources":["../../../../lib/oidc/types/meta.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { CustomUrls, TokenParams } from './options';\n\n// formerly known as \"Redirect OAuth Params\"\nexport interface OAuthTransactionMeta extends\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'nonce' |\n    'acrValues' |\n    'enrollAmrValues'\n  >\n{\n  urls: CustomUrls;\n  originalUri?: string;\n}\n\nexport interface PKCETransactionMeta extends\n  OAuthTransactionMeta,\n  Pick<TokenParams,\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'codeVerifier'\n  >\n{}\n\nexport interface TransactionMetaOptions extends\n  Pick<PKCETransactionMeta,\n    'state' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'codeVerifier'\n  >\n{\n  muteWarning?: boolean;\n}\n"],"mappings":""}
+{"version":3,"file":"meta.js","names":[],"sources":["../../../../lib/oidc/types/meta.ts"],"sourcesContent":["/*!\n * Copyright (c) 2021-present, Okta, Inc. and/or its affiliates. All rights reserved.\n * The Okta software accompanied by this notice is provided pursuant to the Apache License, Version 2.0 (the \"License.\")\n *\n * You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS, WITHOUT\n * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n *\n * See the License for the specific language governing permissions and limitations under the License.\n */\n\nimport { CustomUrls, TokenParams } from './options';\n\n// formerly known as \"Redirect OAuth Params\"\nexport interface OAuthTransactionMeta extends\n  Pick<TokenParams,\n    'issuer' |\n    'clientId' |\n    'redirectUri' |\n    'responseType' |\n    'responseMode' |\n    'scopes' |\n    'state' |\n    'pkce' |\n    'ignoreSignature' |\n    'nonce' |\n    'acrValues' |\n    'enrollAmrValues' |\n    'extraParams'\n  >\n{\n  urls: CustomUrls;\n  originalUri?: string;\n}\n\nexport interface PKCETransactionMeta extends\n  OAuthTransactionMeta,\n  Pick<TokenParams,\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'codeVerifier'\n  >\n{}\n\nexport interface TransactionMetaOptions extends\n  Pick<PKCETransactionMeta,\n    'state' |\n    'codeChallenge' |\n    'codeChallengeMethod' |\n    'codeVerifier'\n  >\n{\n  muteWarning?: boolean;\n}\n"],"mappings":""}

package/cjs/oidc/util/oauthMeta.js

@@ -18,7 +18,8 @@ function createOAuthMeta(sdk, tokenParams) {
     state: tokenParams.state,
     nonce: tokenParams.nonce,
     ignoreSignature: tokenParams.ignoreSignature,
-    acrValues: tokenParams.acrValues
+    acrValues: tokenParams.acrValues,
+    extraParams: tokenParams.extraParams
   };
   if (tokenParams.pkce === false) {
     // Implicit flow or authorization_code without PKCE

package/cjs/oidc/util/oauthMeta.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauthMeta.js","names":["createOAuthMeta","sdk","tokenParams","issuer","options","urls","getOAuthUrls","oauthMeta","clientId","redirectUri","responseType","responseMode","scopes","state","nonce","ignoreSignature","acrValues","pkce","pkceMeta","codeVerifier","codeChallengeMethod","codeChallenge"],"sources":["../../../../lib/oidc/util/oauthMeta.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport { OAuthTransactionMeta, OktaAuthOAuthInterface, PKCETransactionMeta, TokenParams } from '../types';\nimport { getOAuthUrls } from './oauth';\n\nexport function createOAuthMeta(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): OAuthTransactionMeta | PKCETransactionMeta {\n  const issuer = sdk.options.issuer!;\n  const urls = getOAuthUrls(sdk, tokenParams);\n  const oauthMeta: OAuthTransactionMeta = {\n    issuer,\n    urls,\n    clientId: tokenParams.clientId!,\n    redirectUri: tokenParams.redirectUri!,\n    responseType: tokenParams.responseType!,\n    responseMode: tokenParams.responseMode!,\n    scopes: tokenParams.scopes!,\n    state: tokenParams.state!,\n    nonce: tokenParams.nonce!,\n    ignoreSignature: tokenParams.ignoreSignature!,\n    acrValues: tokenParams.acrValues,\n  };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return oauthMeta;\n  }\n\n  const pkceMeta: PKCETransactionMeta = {\n    ...oauthMeta,\n    codeVerifier: tokenParams.codeVerifier!,\n    codeChallengeMethod: tokenParams.codeChallengeMethod!,\n    codeChallenge: tokenParams.codeChallenge!,\n  };\n\n  return pkceMeta;\n}\n"],"mappings":";;;AAEA;AAFA;;AAIO,SAASA,eAAe,CAC7BC,GAA2B,EAC3BC,WAAwB,EACoB;EAC5C,MAAMC,MAAM,GAAGF,GAAG,CAACG,OAAO,CAACD,MAAO;EAClC,MAAME,IAAI,GAAG,IAAAC,mBAAY,EAACL,GAAG,EAAEC,WAAW,CAAC;EAC3C,MAAMK,SAA+B,GAAG;IACtCJ,MAAM;IACNE,IAAI;IACJG,QAAQ,EAAEN,WAAW,CAACM,QAAS;IAC/BC,WAAW,EAAEP,WAAW,CAACO,WAAY;IACrCC,YAAY,EAAER,WAAW,CAACQ,YAAa;IACvCC,YAAY,EAAET,WAAW,CAACS,YAAa;IACvCC,MAAM,EAAEV,WAAW,CAACU,MAAO;IAC3BC,KAAK,EAAEX,WAAW,CAACW,KAAM;IACzBC,KAAK,EAAEZ,WAAW,CAACY,KAAM;IACzBC,eAAe,EAAEb,WAAW,CAACa,eAAgB;IAC7CC,SAAS,EAAEd,WAAW,CAACc;EACzB,CAAC;EAED,IAAId,WAAW,CAACe,IAAI,KAAK,KAAK,EAAE;IAC9B;IACA,OAAOV,SAAS;EAClB;EAEA,MAAMW,QAA6B,GAAG;IACpC,GAAGX,SAAS;IACZY,YAAY,EAAEjB,WAAW,CAACiB,YAAa;IACvCC,mBAAmB,EAAElB,WAAW,CAACkB,mBAAoB;IACrDC,aAAa,EAAEnB,WAAW,CAACmB;EAC7B,CAAC;EAED,OAAOH,QAAQ;AACjB"}
+{"version":3,"file":"oauthMeta.js","names":["createOAuthMeta","sdk","tokenParams","issuer","options","urls","getOAuthUrls","oauthMeta","clientId","redirectUri","responseType","responseMode","scopes","state","nonce","ignoreSignature","acrValues","extraParams","pkce","pkceMeta","codeVerifier","codeChallengeMethod","codeChallenge"],"sources":["../../../../lib/oidc/util/oauthMeta.ts"],"sourcesContent":["/* eslint-disable @typescript-eslint/no-non-null-assertion */\nimport { OAuthTransactionMeta, OktaAuthOAuthInterface, PKCETransactionMeta, TokenParams } from '../types';\nimport { getOAuthUrls } from './oauth';\n\nexport function createOAuthMeta(\n  sdk: OktaAuthOAuthInterface, \n  tokenParams: TokenParams\n): OAuthTransactionMeta | PKCETransactionMeta {\n  const issuer = sdk.options.issuer!;\n  const urls = getOAuthUrls(sdk, tokenParams);\n  const oauthMeta: OAuthTransactionMeta = {\n    issuer,\n    urls,\n    clientId: tokenParams.clientId!,\n    redirectUri: tokenParams.redirectUri!,\n    responseType: tokenParams.responseType!,\n    responseMode: tokenParams.responseMode!,\n    scopes: tokenParams.scopes!,\n    state: tokenParams.state!,\n    nonce: tokenParams.nonce!,\n    ignoreSignature: tokenParams.ignoreSignature!,\n    acrValues: tokenParams.acrValues,\n    extraParams: tokenParams.extraParams\n  };\n\n  if (tokenParams.pkce === false) {\n    // Implicit flow or authorization_code without PKCE\n    return oauthMeta;\n  }\n\n  const pkceMeta: PKCETransactionMeta = {\n    ...oauthMeta,\n    codeVerifier: tokenParams.codeVerifier!,\n    codeChallengeMethod: tokenParams.codeChallengeMethod!,\n    codeChallenge: tokenParams.codeChallenge!,\n  };\n\n  return pkceMeta;\n}\n"],"mappings":";;;AAEA;AAFA;;AAIO,SAASA,eAAe,CAC7BC,GAA2B,EAC3BC,WAAwB,EACoB;EAC5C,MAAMC,MAAM,GAAGF,GAAG,CAACG,OAAO,CAACD,MAAO;EAClC,MAAME,IAAI,GAAG,IAAAC,mBAAY,EAACL,GAAG,EAAEC,WAAW,CAAC;EAC3C,MAAMK,SAA+B,GAAG;IACtCJ,MAAM;IACNE,IAAI;IACJG,QAAQ,EAAEN,WAAW,CAACM,QAAS;IAC/BC,WAAW,EAAEP,WAAW,CAACO,WAAY;IACrCC,YAAY,EAAER,WAAW,CAACQ,YAAa;IACvCC,YAAY,EAAET,WAAW,CAACS,YAAa;IACvCC,MAAM,EAAEV,WAAW,CAACU,MAAO;IAC3BC,KAAK,EAAEX,WAAW,CAACW,KAAM;IACzBC,KAAK,EAAEZ,WAAW,CAACY,KAAM;IACzBC,eAAe,EAAEb,WAAW,CAACa,eAAgB;IAC7CC,SAAS,EAAEd,WAAW,CAACc,SAAS;IAChCC,WAAW,EAAEf,WAAW,CAACe;EAC3B,CAAC;EAED,IAAIf,WAAW,CAACgB,IAAI,KAAK,KAAK,EAAE;IAC9B;IACA,OAAOX,SAAS;EAClB;EAEA,MAAMY,QAA6B,GAAG;IACpC,GAAGZ,SAAS;IACZa,YAAY,EAAElB,WAAW,CAACkB,YAAa;IACvCC,mBAAmB,EAAEnB,WAAW,CAACmB,mBAAoB;IACrDC,aAAa,EAAEpB,WAAW,CAACoB;EAC7B,CAAC;EAED,OAAOH,QAAQ;AACjB"}