npm - @openeo/js-client - Versions diffs - 2.9.0 → 2.11.0 - Mend

@openeo/js-client 2.9.0 → 2.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/src/authprovider.js CHANGED Viewed

@@ -88,15 +88,23 @@ class AuthProvider {
 	 *
 	 * Returns `null` if no access token has been set yet (i.e. not authenticated any longer).
 	 *
+	 * Checks whether the server supports the JWT conformance class.
+	 *
 	 * @returns {string | null}
 	 */
 	getToken() {
+		//check conformance
+		const isJWT = this.connection.capabilities().hasConformance(
+			"https://api.openeo.org/*/authentication/jwt"
+		);
 		if (typeof this.token === 'string') {
-			return this.getType() + "/" + this.getProviderId() + "/" + this.token;
-		}
-		else {
-			return null;
+			if(isJWT) {
+				return this.token; // JWT since API v1.3.0
+			} else {
+				return this.getType() + "/" + this.getProviderId() + "/" + this.token; // legacy
+			}
 		}
+		return null;
 	}
 	/**
@@ -119,6 +127,16 @@ class AuthProvider {
 		}
 	}
+	/**
+	 * Tries to resume an existing session.
+	 *
+	 * @param  {...any} args
+	 * @returns {boolean} `true` if the session could be resumed, `false` otherwise
+	 */
+	async resume(...args) { // eslint-disable-line no-unused-vars
+		return false;
+	}
 	/**
 	 * Abstract method that extending classes implement the login process with.
 	 *

package/src/connection.js CHANGED Viewed

@@ -745,7 +745,7 @@ class Connection {
 		const response = await this._post('/validation', this._normalizeUserProcess(process).process);
 		if (Array.isArray(response.data.errors)) {
 			const errors = response.data.errors;
-			errors['federation:backends'] = Array.isArray(response.data['federation:missing']) ? response.data['federation:missing'] : [];
+			errors['federation:backends'] = Array.isArray(response.data['federation:backends']) ? response.data['federation:backends'] : [];
 			return errors;
 		}
 		else {

package/src/oidcprovider.js CHANGED Viewed

@@ -53,6 +53,7 @@ class OidcProvider extends AuthProvider {
 		}
 		let providerOptions = provider.getOptions(options);
 		let oidc = new Oidc.UserManager(providerOptions);
+		await oidc.clearStaleState();
 		return await oidc.signinCallback(url);
 	}
@@ -82,10 +83,19 @@ class OidcProvider extends AuthProvider {
 		 */
 		this.clientId = null;
+		/**
+		 * The client secret to use for authentication.
+		 *
+		 * Only used for the `client_credentials` grant type.
+		 *
+		 * @type {string | null}
+		 */
+		this.clientSecret = null;
 		/**
 		 * The grant type (flow) to use for this provider.
 		 *
-		 * Either "authorization_code+pkce" (default) or "implicit"
+		 * Either "authorization_code+pkce" (default), "implicit" or "client_credentials"
 		 *
 		 * @type {string}
 		 */
@@ -127,12 +137,29 @@ class OidcProvider extends AuthProvider {
 		 */
 		this.defaultClients = Array.isArray(options.default_clients) ? options.default_clients : [];
+		/**
+		 * Additional parameters to include in authorization requests.
+		 *
+		 * As defined by the API, these parameters MUST be included when
+		 * requesting the authorization endpoint.
+		 *
+		 * @type {object.<string, *>}
+		 */
+		this.authorizationParameters = Utils.isObject(options.authorization_parameters) ? options.authorization_parameters : {};
 		/**
 		 * The detected default Client.
 		 *
 		 * @type {OidcClient}
 		 */
 		this.defaultClient = this.detectDefaultClient();
+		/**
+		 * The cached OpenID Connect well-known configuration document.
+		 *
+		 * @type {object.<string, *> | null}
+		 */
+		this.wellKnownDocument = null;
 	}
 	/**
@@ -166,7 +193,8 @@ class OidcProvider extends AuthProvider {
 	/**
 	 * Authenticate with OpenID Connect (OIDC).
 	 *
-	 * Supported only in Browser environments.
+	 * Supported in Browser environments for `authorization_code+pkce` and `implicit` grants.
+	 * The `client_credentials` grant is supported in all environments.
 	 *
 	 * @async
 	 * @param {object.<string, *>} [options={}] - Object with authentication options.
@@ -181,6 +209,10 @@ class OidcProvider extends AuthProvider {
 			throw new Error("No Issuer URL available for OpenID Connect");
 		}
+		if (this.grant === 'client_credentials') {
+			return await this.loginClientCredentials();
+		}
 		this.manager = new Oidc.UserManager(this.getOptions(options, requestRefreshToken));
 		this.addListener('UserLoaded', async () => this.setUser(await this.manager.getUser()), 'js-client');
 		this.addListener('AccessTokenExpired', () => this.setUser(null), 'js-client');
@@ -192,12 +224,143 @@ class OidcProvider extends AuthProvider {
 		}
 	}
+	/**
+	 * Authenticate using the OIDC Client Credentials grant.
+	 *
+	 * Requires `clientId` and `clientSecret` to be set.
+	 * This flow does not use the oidc-client library and works in all environments.
+	 *
+	 * @async
+	 * @protected
+	 * @returns {Promise<void>}
+	 * @throws {Error}
+	 */
+	async loginClientCredentials() {
+		if (!this.clientId || !this.clientSecret) {
+			throw new Error("Client ID and Client Secret are required for the client credentials flow");
+		}
+		let tokenEndpoint = await this.getTokenEndpoint();
+		let params = new URLSearchParams();
+		params.append('grant_type', 'client_credentials');
+		params.append('client_id', this.clientId);
+		params.append('client_secret', this.clientSecret);
+		params.append('scope', this.scopes.join(' '));
+		let response = await Environment.axios.post(tokenEndpoint, params.toString(), {
+			headers: { 'Content-Type': 'application/x-www-form-urlencoded' }
+		});
+		let data = response.data;
+		let user = new Oidc.User({
+			access_token: data.access_token,
+			token_type: data.token_type || 'Bearer',
+			scope: data.scope || this.scopes.join(' '),
+			expires_at: data.expires_in ? Math.floor(Date.now() / 1000) + data.expires_in : undefined,
+			profile: {}
+		});
+		this.setUser(user);
+	}
+	/**
+	 * Retrieves the OpenID Connect well-known configuration document.
+	 *
+	 * @async
+	 * @returns {Promise<object.<str, *>> | null} The well-known configuration document, or `null` if the issuer URL is not set.
+	 */
+	async getWellKnownDocument() {
+		if (!this.issuer || typeof this.issuer !== 'string') {
+			return null;
+		}
+		if (this.wellKnownDocument === null) {
+			const authority = this.issuer.replace('/.well-known/openid-configuration', '');
+			const discoveryUrl = authority + '/.well-known/openid-configuration';
+			const response = await Environment.axios.get(discoveryUrl);
+			this.wellKnownDocument = response.data;
+		}
+		return this.wellKnownDocument;
+	}
+	/**
+	 * Discovers the token endpoint from the OpenID Connect issuer.
+	 *
+	 * @async
+	 * @protected
+	 * @returns {Promise<string>} The token endpoint URL.
+	 * @throws {Error}
+	 */
+	async getTokenEndpoint() {
+		const wellKnown = await this.getWellKnownDocument();
+		if (!Utils.isObject(wellKnown) || !wellKnown.token_endpoint) {
+			throw new Error("Unable to discover token endpoint from issuer");
+		}
+		return wellKnown.token_endpoint;
+	}
+	/**
+	 * Checks whether the OpenID Connect provider supports the Client Credentials grant.
+	 *
+	 * @async
+	 * @returns {Promise<boolean|null>} `true` if the Client Credentials grant is supported, `false` otherwise. `null` if unknown.
+	 */
+	async supportsClientCredentials() {
+		try {
+			const wellKnown = await this.getWellKnownDocument();
+			if (!Utils.isObject(wellKnown) || !Array.isArray(wellKnown.grant_types_supported)) {
+				return null;
+			}
+			return wellKnown.grant_types_supported.includes('client_credentials');
+		} catch (error) {
+			return null;
+		}
+	}
+	/**
+	 * Restores a previously established OIDC session from storage.
+	 *
+	 * Not supported for the `client_credentials` grant as credentials
+	 * are not persisted. Use `login()` to re-authenticate instead.
+	 *
+	 * @async
+	 * @param {object.<string, *>} [options={}] - Additional options passed to the OIDC UserManager.
+	 * @returns {Promise<boolean>} `true` if the session could be resumed, `false` otherwise.
+	 * @see https://github.com/IdentityModel/oidc-client-js/wiki#usermanager
+	 */
+	async resume(options = {}) {
+		if (this.grant === 'client_credentials') {
+			return false;
+		}
+		this.manager = new Oidc.UserManager(this.getOptions(options));
+		this.addListener('UserLoaded', async () => this.setUser(await this.manager.getUser()), 'js-client');
+		this.addListener('AccessTokenExpired', () => this.setUser(null), 'js-client');
+		let user = await this.manager.getUser();
+		if (user && user.expired && user.refresh_token) {
+			user = await this.manager.signinSilent();
+		}
+		if (user && !user.expired) {
+			this.setUser(user);
+			return true;
+		}
+		return false;
+	}
 	/**
 	 * Logout from the established session.
 	 *
 	 * @async
 	 */
 	async logout() {
+		if (this.grant === 'client_credentials') {
+			super.logout();
+			this.setUser(null);
+			return;
+		}
 		if (this.manager !== null) {
 			try {
 				if (OidcProvider.uiMethod === 'popup') {
@@ -244,7 +407,8 @@ class OidcProvider extends AuthProvider {
 			scope: scope.join(' '),
 			validateSubOnSilentRenew: true,
 			response_type,
-			response_mode: response_type.includes('code') ? 'query' : 'fragment'
+			response_mode: response_type.includes('code') ? 'query' : 'fragment',
+			extraQueryParams: this.authorizationParameters
 		}, options);
 	}
@@ -261,6 +425,8 @@ class OidcProvider extends AuthProvider {
 				return 'code';
 			case 'implicit':
 				return 'token id_token';
+			case 'client_credentials':
+				return null;
 			default:
 				throw new Error('Grant Type not supported');
 		}
@@ -276,6 +442,7 @@ class OidcProvider extends AuthProvider {
 		switch(grant) {
 			case 'authorization_code+pkce':
 			case 'implicit':
+			case 'client_credentials':
 				this.grant = grant;
 				break;
 			default:
@@ -294,6 +461,17 @@ class OidcProvider extends AuthProvider {
 		this.clientId = clientId;
 	}
+	/**
+	 * Sets the Client Secret for OIDC authentication.
+	 *
+	 * Only used for the `client_credentials` grant type.
+	 *
+	 * @param {string | null} clientSecret
+	 */
+	setClientSecret(clientSecret) {
+		this.clientSecret = clientSecret;
+	}
 	/**
 	 * Sets the OIDC User.
 	 *
@@ -314,12 +492,21 @@ class OidcProvider extends AuthProvider {
 	/**
 	 * Returns a display name for the authenticated user.
 	 *
+	 * For the `client_credentials` grant, returns a name based on the client ID.
+	 *
 	 * @returns {string?} Name of the user or `null`
 	 */
 	getDisplayName() {
 		if (this.user && Utils.isObject(this.user.profile)) {
 			return this.user.profile.name || this.user.profile.preferred_username || this.user.profile.email || null;
 		}
+		if (this.grant === 'client_credentials' && this.clientId) {
+			let id = this.clientId;
+			if (id.length > 15) {
+				id = id.slice(0, 5) + '\u2026' + id.slice(-5);
+			}
+			return `Client ${id}`;
+		}
 		return null;
 	}
@@ -381,7 +568,8 @@ OidcProvider.redirectUrl = Environment.getUrl().split('#')[0].split('?')[0].repl
  */
 OidcProvider.grants = [
 	'authorization_code+pkce',
-	'implicit'
+	'implicit',
+	'client_credentials'
 ];
 module.exports = OidcProvider;

package/src/openeo.js CHANGED Viewed

@@ -109,7 +109,7 @@ class OpenEO {
 	 * @returns {string} Version number (according to SemVer).
 	 */
 	static clientVersion() {
-		return "2.9.0";
+		return "2.11.0";
 	}
 }