@xh/hoist 71.0.0-SNAPSHOT.1735047359409 → 71.0.0-SNAPSHOT.1735061018823
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -12,6 +12,8 @@
|
|
|
12
12
|
* Support for "global" views.
|
|
13
13
|
* New `SessionStorageService` and associated persistence provider provides support for saving
|
|
14
14
|
tab local data across reloads.
|
|
15
|
+
* Added support for `AuthZeroClientConfig.audience` to support improved configuration of Auth0 OAuth
|
|
16
|
+
clients requesting access tokens, covering cases when third-party cookies are blocked.
|
|
15
17
|
|
|
16
18
|
### ⚙️ Technical
|
|
17
19
|
|
|
@@ -1,9 +1,22 @@
|
|
|
1
|
-
import { Auth0ClientOptions } from '@auth0/auth0-spa-js';
|
|
1
|
+
import type { Auth0ClientOptions } from '@auth0/auth0-spa-js';
|
|
2
2
|
import { Token, TokenMap } from '@xh/hoist/security/Token';
|
|
3
3
|
import { BaseOAuthClient, BaseOAuthClientConfig } from '../BaseOAuthClient';
|
|
4
4
|
export interface AuthZeroClientConfig extends BaseOAuthClientConfig<AuthZeroTokenSpec> {
|
|
5
|
-
/** Domain of your app registered with Auth0
|
|
5
|
+
/** Domain of your app registered with Auth0. */
|
|
6
6
|
domain: string;
|
|
7
|
+
/**
|
|
8
|
+
* Audience to pass to interactive login and ID token requests.
|
|
9
|
+
*
|
|
10
|
+
* If you are also requesting an *access* token for a single audience, pass that value here to
|
|
11
|
+
* ensure that the initial login/token request returns a ready-to-use access token (and refresh
|
|
12
|
+
* token) with a single request to the Auth0 API, instead of requiring two.
|
|
13
|
+
*
|
|
14
|
+
* This also avoids issues with browsers that block third party cookies when running on
|
|
15
|
+
* localhost or with an Auth0 domain that does not match the app's own domain. In those cases,
|
|
16
|
+
* Auth0 must use refresh tokens to obtain access tokens, and a single audience allows that
|
|
17
|
+
* exchange to work without extra user interaction that this class does not currently support.
|
|
18
|
+
*/
|
|
19
|
+
audience?: string;
|
|
7
20
|
/**
|
|
8
21
|
* Additional options for the Auth0Client ctor. Will be deep merged with defaults, with options
|
|
9
22
|
* supplied here taking precedence. Use with care, as overriding defaults may have unintended
|
|
@@ -16,9 +29,7 @@ export interface AuthZeroTokenSpec {
|
|
|
16
29
|
scopes: string[];
|
|
17
30
|
/**
|
|
18
31
|
* Audience (i.e. API) identifier for AccessToken. Must be registered with Auth0.
|
|
19
|
-
*
|
|
20
|
-
* Note that this is required to ensure that issued token is a JWT and not
|
|
21
|
-
* an opaque string.
|
|
32
|
+
* Note that this is required to ensure that issued token is a JWT and not an opaque string.
|
|
22
33
|
*/
|
|
23
34
|
audience: string;
|
|
24
35
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@xh/hoist",
|
|
3
|
-
"version": "71.0.0-SNAPSHOT.
|
|
3
|
+
"version": "71.0.0-SNAPSHOT.1735061018823",
|
|
4
4
|
"description": "Hoist add-on for building and deploying React Applications.",
|
|
5
5
|
"repository": "github:xh/hoist-react",
|
|
6
6
|
"homepage": "https://xh.io",
|
|
@@ -4,7 +4,8 @@
|
|
|
4
4
|
*
|
|
5
5
|
* Copyright © 2024 Extremely Heavy Industries Inc.
|
|
6
6
|
*/
|
|
7
|
-
import {
|
|
7
|
+
import type {Auth0ClientOptions} from '@auth0/auth0-spa-js';
|
|
8
|
+
import {Auth0Client} from '@auth0/auth0-spa-js';
|
|
8
9
|
import {XH} from '@xh/hoist/core';
|
|
9
10
|
import {never, wait} from '@xh/hoist/promise';
|
|
10
11
|
import {Token, TokenMap} from '@xh/hoist/security/Token';
|
|
@@ -14,9 +15,23 @@ import {flatMap, union} from 'lodash';
|
|
|
14
15
|
import {BaseOAuthClient, BaseOAuthClientConfig} from '../BaseOAuthClient';
|
|
15
16
|
|
|
16
17
|
export interface AuthZeroClientConfig extends BaseOAuthClientConfig<AuthZeroTokenSpec> {
|
|
17
|
-
/** Domain of your app registered with Auth0
|
|
18
|
+
/** Domain of your app registered with Auth0. */
|
|
18
19
|
domain: string;
|
|
19
20
|
|
|
21
|
+
/**
|
|
22
|
+
* Audience to pass to interactive login and ID token requests.
|
|
23
|
+
*
|
|
24
|
+
* If you are also requesting an *access* token for a single audience, pass that value here to
|
|
25
|
+
* ensure that the initial login/token request returns a ready-to-use access token (and refresh
|
|
26
|
+
* token) with a single request to the Auth0 API, instead of requiring two.
|
|
27
|
+
*
|
|
28
|
+
* This also avoids issues with browsers that block third party cookies when running on
|
|
29
|
+
* localhost or with an Auth0 domain that does not match the app's own domain. In those cases,
|
|
30
|
+
* Auth0 must use refresh tokens to obtain access tokens, and a single audience allows that
|
|
31
|
+
* exchange to work without extra user interaction that this class does not currently support.
|
|
32
|
+
*/
|
|
33
|
+
audience?: string;
|
|
34
|
+
|
|
20
35
|
/**
|
|
21
36
|
* Additional options for the Auth0Client ctor. Will be deep merged with defaults, with options
|
|
22
37
|
* supplied here taking precedence. Use with care, as overriding defaults may have unintended
|
|
@@ -31,9 +46,7 @@ export interface AuthZeroTokenSpec {
|
|
|
31
46
|
|
|
32
47
|
/**
|
|
33
48
|
* Audience (i.e. API) identifier for AccessToken. Must be registered with Auth0.
|
|
34
|
-
*
|
|
35
|
-
* Note that this is required to ensure that issued token is a JWT and not
|
|
36
|
-
* an opaque string.
|
|
49
|
+
* Note that this is required to ensure that issued token is a JWT and not an opaque string.
|
|
37
50
|
*/
|
|
38
51
|
audience: string;
|
|
39
52
|
}
|
|
@@ -95,7 +108,9 @@ export class AuthZeroClient extends BaseOAuthClient<AuthZeroClientConfig, AuthZe
|
|
|
95
108
|
|
|
96
109
|
protected override async doLoginPopupAsync(): Promise<void> {
|
|
97
110
|
try {
|
|
98
|
-
await this.client.loginWithPopup({
|
|
111
|
+
await this.client.loginWithPopup({
|
|
112
|
+
authorizationParams: {scope: this.loginScope}
|
|
113
|
+
});
|
|
99
114
|
await this.noteUserAuthenticatedAsync();
|
|
100
115
|
} catch (e) {
|
|
101
116
|
const msg = e.message?.toLowerCase();
|
|
@@ -167,25 +182,27 @@ export class AuthZeroClient extends BaseOAuthClient<AuthZeroClientConfig, AuthZe
|
|
|
167
182
|
// Private implementation
|
|
168
183
|
//------------------------
|
|
169
184
|
private createClient(): Auth0Client {
|
|
170
|
-
const {clientId, domain, authZeroClientOptions} = this.config;
|
|
185
|
+
const {clientId, domain, audience, authZeroClientOptions} = this.config;
|
|
171
186
|
throwIf(!domain, 'Missing Auth0 "domain". Please review your config.');
|
|
172
187
|
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
},
|
|
184
|
-
cacheLocation: 'localstorage'
|
|
188
|
+
const mergedConfig = mergeDeep(
|
|
189
|
+
{
|
|
190
|
+
clientId,
|
|
191
|
+
domain,
|
|
192
|
+
useRefreshTokens: true,
|
|
193
|
+
useRefreshTokensFallback: true,
|
|
194
|
+
authorizationParams: {
|
|
195
|
+
scope: this.loginScope,
|
|
196
|
+
redirect_uri: this.redirectUrl,
|
|
197
|
+
audience
|
|
185
198
|
},
|
|
186
|
-
|
|
187
|
-
|
|
199
|
+
cacheLocation: 'localstorage'
|
|
200
|
+
},
|
|
201
|
+
authZeroClientOptions
|
|
188
202
|
);
|
|
203
|
+
|
|
204
|
+
this.logDebug(`Creating Auth0Client with merged config`, mergedConfig);
|
|
205
|
+
return new Auth0Client(mergedConfig);
|
|
189
206
|
}
|
|
190
207
|
|
|
191
208
|
private get loginScope(): string {
|