oidc-spa 8.2.3 → 8.2.5

package/src/core/createOidc.ts

@@ -45,7 +45,6 @@ import { getIsOnline } from "../tools/getIsOnline";
 import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 import { prShouldLoadApp } from "./prShouldLoadApp";
-import { getBASE_URL } from "./BASE_URL";
 import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
 import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
 import {
@@ -53,6 +52,7 @@ import {
     notifyNewInstanceThatCantUseIframes
 } from "./instancesThatCantUseIframes";
 import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
+import { getHomeAndRedirectUri } from "./homeAndRedirectUri";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -405,33 +405,7 @@ export async function createOidc_nonMemoized<
         return extraTokenParamsOrGetter;
     })();
 
-    const homeUrlAndRedirectUri = toFullyQualifiedUrl({
-        urlish: (() => {
-            if (BASE_URL_params !== undefined) {
-                return BASE_URL_params;
-            }
-
-            const BASE_URL = getBASE_URL();
-
-            if (BASE_URL === undefined) {
-                throw new Error(
-                    [
-                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
-                        "you must provide the BASE_URL to the earlyInit() examples:",
-                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
-                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
-                        "",
-                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
-                        "or bootstrapOidc({ BASE_URL: '...' })"
-                    ].join("\n")
-                );
-            }
-
-            return BASE_URL;
-        })(),
-        doAssertNoQueryParams: true,
-        doOutputWithTrailingSlash: true
-    });
+    const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({ BASE_URL_params });
 
     log?.(
         `Calling createOidc v${VERSION} ${JSON.stringify(
@@ -439,7 +413,7 @@ export async function createOidc_nonMemoized<
                 issuerUri,
                 clientId,
                 scopes,
-                oidcRedirectUri: homeUrlAndRedirectUri
+                validRedirectUri: homeUrlAndRedirectUri
             },
             null,
             2
@@ -1066,7 +1040,8 @@ export async function createOidc_nonMemoized<
     const oidc_common: Oidc.Common = {
         params: {
             issuerUri,
-            clientId
+            clientId,
+            validRedirectUri: homeUrlAndRedirectUri
         }
     };
 

package/src/core/homeAndRedirectUri.ts

@@ -0,0 +1,36 @@
+import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
+import { getBASE_URL } from "./BASE_URL";
+
+export function getHomeAndRedirectUri(params: { BASE_URL_params: string | undefined }) {
+    const { BASE_URL_params } = params;
+
+    const homeUrlAndRedirectUri = toFullyQualifiedUrl({
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+
+            const BASE_URL = getBASE_URL();
+
+            if (BASE_URL === undefined) {
+                throw new Error(
+                    [
+                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                        "you must provide the BASE_URL to the earlyInit() examples:",
+                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                        "",
+                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                        "or bootstrapOidc({ BASE_URL: '...' })"
+                    ].join("\n")
+                );
+            }
+
+            return BASE_URL;
+        })(),
+        doAssertNoQueryParams: true,
+        doOutputWithTrailingSlash: true
+    });
+
+    return { homeUrlAndRedirectUri };
+}

package/src/keycloak/keycloak-js/Keycloak.ts

@@ -21,6 +21,7 @@ import { type KeycloakUtils, createKeycloakUtils } from "../keycloakUtils";
 import { workerTimers } from "../../vendor/frontend/worker-timers";
 import { type StatefulEvt, createStatefulEvt } from "../../tools/StatefulEvt";
 import { readExpirationTimeInJwt } from "../../tools/readExpirationTimeInJwt";
+import { getHomeAndRedirectUri } from "../../core/homeAndRedirectUri";
 
 type ConstructorParams = KeycloakServerConfig & {
     /**
@@ -934,11 +935,21 @@ export class Keycloak {
     createAccountUrl(options?: KeycloakAccountOptions & { locale?: string }): string {
         const { locale, redirectUri } = options ?? {};
 
-        const { keycloakUtils } = this.#state;
+        const { keycloakUtils, constructorParams } = this.#state;
 
         return keycloakUtils.getAccountUrl({
             clientId: this.clientId,
-            backToAppFromAccountUrl: redirectUri ?? location.href,
+            validRedirectUri: (() => {
+                if (redirectUri !== undefined) {
+                    return redirectUri;
+                }
+
+                const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({
+                    BASE_URL_params: constructorParams.BASE_URL
+                });
+
+                return homeUrlAndRedirectUri;
+            })(),
             locale
         });
     }

package/src/keycloak/keycloakUtils.ts

@@ -1,5 +1,6 @@
 import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
 import { type KeycloakIssuerUriParsed, parseKeycloakIssuerUri } from "./keycloakIssuerUriParsed";
+import { assert } from "../tools/tsafe/assert";
 
 export type KeycloakUtils = {
     issuerUriParsed: KeycloakIssuerUriParsed;
@@ -7,7 +8,9 @@ export type KeycloakUtils = {
     adminConsoleUrl_master: string;
     getAccountUrl: (params: {
         clientId: string;
-        backToAppFromAccountUrl: string;
+        validRedirectUri?: string;
+        /** @deprecated: Use validRedirectUri */
+        backToAppFromAccountUrl?: string;
         locale?: string;
     }) => string;
     fetchUserProfile: (params: { accessToken: string }) => Promise<KeycloakProfile>;
@@ -49,17 +52,46 @@ export function createKeycloakUtils(params: { issuerUri: string }): KeycloakUtil
         issuerUriParsed,
         adminConsoleUrl: getAdminConsoleUrl(issuerUriParsed.realm),
         adminConsoleUrl_master: getAdminConsoleUrl("master"),
-        getAccountUrl: ({ clientId, backToAppFromAccountUrl, locale }) => {
+        getAccountUrl: ({ clientId, locale, ...rest }) => {
+            const validRedirectUri = (() => {
+                const { validRedirectUri, backToAppFromAccountUrl } = rest;
+
+                if (validRedirectUri !== undefined) {
+                    assert(
+                        backToAppFromAccountUrl === undefined,
+                        "getAccountUrl: backToAppFromAccountUrl is deprecated"
+                    );
+                    return validRedirectUri;
+                }
+
+                assert(
+                    backToAppFromAccountUrl !== undefined,
+                    "getAccountUrl: Must provide validRedirectUri"
+                );
+
+                return backToAppFromAccountUrl;
+            })();
+
             const accountUrlObj = new URL(
                 `${keycloakServerUrl}/realms/${issuerUriParsed.realm}/account`
             );
             accountUrlObj.searchParams.set("referrer", clientId);
             accountUrlObj.searchParams.set(
                 "referrer_uri",
-                toFullyQualifiedUrl({
-                    urlish: backToAppFromAccountUrl,
-                    doAssertNoQueryParams: false
-                })
+                (() => {
+                    try {
+                        return toFullyQualifiedUrl({
+                            urlish: validRedirectUri,
+                            doAssertNoQueryParams: true,
+                            doOutputWithTrailingSlash: true
+                        });
+                    } catch {
+                        return toFullyQualifiedUrl({
+                            urlish: validRedirectUri,
+                            doAssertNoQueryParams: false
+                        });
+                    }
+                })()
             );
             if (locale !== undefined) {
                 accountUrlObj.searchParams.set("kc_locale", locale);

package/src/mock/oidc.ts

@@ -96,7 +96,8 @@ export async function createMockOidc<
     const common: Oidc.Common = {
         params: {
             clientId: mockedParams.clientId ?? "mymockclient",
-            issuerUri: mockedParams.issuerUri ?? "https://my-mock-oidc-server.net/realms/mymockrealm"
+            issuerUri: mockedParams.issuerUri ?? "https://my-mock-oidc-server.net/realms/mymockrealm",
+            validRedirectUri: homeUrl
         }
     };
 

package/src/react-spa/apiBuilder.ts

@@ -10,7 +10,7 @@ export type OidcSpaApiBuilder<
         | "withAutoLogin"
         | "withExpectedDecodedIdTokenShape"
         | "withAccessTokenValidation"
-        | "finalize" = never
+        | "createUtils" = never
 > = Omit<
     {
         withAutoLogin: () => OidcSpaApiBuilder<true, DecodedIdToken, ExcludedMethod | "withAutoLogin">;
@@ -26,7 +26,7 @@ export type OidcSpaApiBuilder<
             ExcludedMethod | "withExpectedDecodedIdTokenShape"
         >;
 
-        finalize: () => OidcSpaApi<AutoLogin, DecodedIdToken>;
+        createUtils: () => OidcSpaApi<AutoLogin, DecodedIdToken>;
     },
     ExcludedMethod
 >;
@@ -54,7 +54,7 @@ function createOidcSpaApiBuilder<
                 decodedIdTokenSchema,
                 decodedIdToken_mock: decodedIdToken_mock
             }),
-        finalize: () =>
+        createUtils: () =>
             createOidcSpaApi<AutoLogin, DecodedIdToken>({
                 autoLogin: params.autoLogin,
                 decodedIdTokenSchema: params.decodedIdTokenSchema,

package/src/react-spa/createOidcSpaApi.tsx

@@ -226,6 +226,7 @@ export function createOidcSpaApi<
                 initializationError: oidcCore.initializationError,
                 issuerUri: oidcCore.params.issuerUri,
                 clientId: oidcCore.params.clientId,
+                validRedirectUri: oidcCore.params.validRedirectUri,
                 autoLogoutState: { shouldDisplayWarning: false },
                 login: params =>
                     oidcCore.login({
@@ -251,7 +252,8 @@ export function createOidcSpaApi<
                 return evtAutoLogoutState.current;
             },
             issuerUri: oidcCore.params.issuerUri,
-            clientId: oidcCore.params.clientId
+            clientId: oidcCore.params.clientId,
+            validRedirectUri: oidcCore.params.validRedirectUri
         });
     }
 

package/src/react-spa/types.tsx

@@ -31,6 +31,7 @@ export namespace UseOidc {
         type Common = {
             issuerUri: string;
             clientId: string;
+            validRedirectUri: string;
         };
 
         export type NotLoggedIn = Common & {

package/src/tanstack-start/react/apiBuilder.ts

@@ -14,7 +14,7 @@ export type OidcSpaApiBuilder<
         | "withAutoLogin"
         | "withExpectedDecodedIdTokenShape"
         | "withAccessTokenValidation"
-        | "finalize" = never
+        | "createUtils" = never
 > = Omit<
     {
         withAutoLogin: () => OidcSpaApiBuilder<
@@ -61,7 +61,7 @@ export type OidcSpaApiBuilder<
                 ExcludedMethod | "withAccessTokenValidation"
             >;
         };
-        finalize: () => OidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>;
+        createUtils: () => OidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>;
     },
     ExcludedMethod
 >;
@@ -127,7 +127,7 @@ function createOidcSpaApiBuilder<
                     }
                 })()
             }),
-        finalize: () =>
+        createUtils: () =>
             createOidcSpaApi<AutoLogin, DecodedIdToken, AccessTokenClaims>({
                 autoLogin: params.autoLogin,
                 decodedIdTokenSchema: params.decodedIdTokenSchema,

package/src/tanstack-start/react/createOidcSpaApi.tsx

@@ -216,6 +216,7 @@ export function createOidcSpaApi<
                 initializationError: oidcCore.initializationError,
                 issuerUri: oidcCore.params.issuerUri,
                 clientId: oidcCore.params.clientId,
+                validRedirectUri: oidcCore.params.validRedirectUri,
                 autoLogoutState: { shouldDisplayWarning: false },
                 login: params =>
                     oidcCore.login({
@@ -241,7 +242,8 @@ export function createOidcSpaApi<
                 return evtAutoLogoutState.current;
             },
             issuerUri: oidcCore.params.issuerUri,
-            clientId: oidcCore.params.clientId
+            clientId: oidcCore.params.clientId,
+            validRedirectUri: oidcCore.params.validRedirectUri
         });
     }
 

package/src/tanstack-start/react/types.tsx

@@ -45,6 +45,7 @@ export namespace CreateOidcComponent {
         type Common = {
             issuerUri: string;
             clientId: string;
+            validRedirectUri: string;
         };
 
         export type NotLoggedIn = Common & {

package/src/tools/parseKeycloakIssuerUri.ts

@@ -44,6 +44,11 @@ export function parseKeycloakIssuerUri(issuerUri: string):
         kcHttpRelativePath: keycloakUtils.issuerUriParsed.kcHttpRelativePath,
         adminConsoleUrl: keycloakUtils.adminConsoleUrl,
         adminConsoleUrl_master: keycloakUtils.adminConsoleUrl_master,
-        getAccountUrl: keycloakUtils.getAccountUrl
+        getAccountUrl: ({ clientId, backToAppFromAccountUrl, locale }) =>
+            keycloakUtils.getAccountUrl({
+                clientId,
+                validRedirectUri: backToAppFromAccountUrl,
+                locale
+            })
     };
 }

package/tools/parseKeycloakIssuerUri.js

@@ -30,7 +30,11 @@ function parseKeycloakIssuerUri(issuerUri) {
         kcHttpRelativePath: keycloakUtils.issuerUriParsed.kcHttpRelativePath,
         adminConsoleUrl: keycloakUtils.adminConsoleUrl,
         adminConsoleUrl_master: keycloakUtils.adminConsoleUrl_master,
-        getAccountUrl: keycloakUtils.getAccountUrl
+        getAccountUrl: ({ clientId, backToAppFromAccountUrl, locale }) => keycloakUtils.getAccountUrl({
+            clientId,
+            validRedirectUri: backToAppFromAccountUrl,
+            locale
+        })
     };
 }
 //# sourceMappingURL=parseKeycloakIssuerUri.js.map

package/tools/parseKeycloakIssuerUri.js.map

@@ -1 +1 @@
-{"version":3,"file":"parseKeycloakIssuerUri.js","sourceRoot":"","sources":["../src/tools/parseKeycloakIssuerUri.ts"],"names":[],"mappings":";;AAmBA,wDA6BC;AAhDD,0CAA8D;AAE9D;;;;;;;;;;;;;;;;KAgBK;AACL,SAAgB,sBAAsB,CAAC,SAAiB;IAepD,IAAI,CAAC,IAAA,qBAAU,EAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,MAAM,aAAa,GAAG,IAAA,8BAAmB,EAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IAEzD,OAAO;QACH,MAAM,EAAE,aAAa,CAAC,eAAe,CAAC,MAAM;QAC5C,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,KAAK;QAC1C,kBAAkB,EAAE,aAAa,CAAC,eAAe,CAAC,kBAAkB;QACpE,eAAe,EAAE,aAAa,CAAC,eAAe;QAC9C,sBAAsB,EAAE,aAAa,CAAC,sBAAsB;QAC5D,aAAa,EAAE,aAAa,CAAC,aAAa;KAC7C,CAAC;AACN,CAAC"}
+{"version":3,"file":"parseKeycloakIssuerUri.js","sourceRoot":"","sources":["../src/tools/parseKeycloakIssuerUri.ts"],"names":[],"mappings":";;AAmBA,wDAkCC;AArDD,0CAA8D;AAE9D;;;;;;;;;;;;;;;;KAgBK;AACL,SAAgB,sBAAsB,CAAC,SAAiB;IAepD,IAAI,CAAC,IAAA,qBAAU,EAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;QAC7B,OAAO,SAAS,CAAC;IACrB,CAAC;IAED,MAAM,aAAa,GAAG,IAAA,8BAAmB,EAAC,EAAE,SAAS,EAAE,CAAC,CAAC;IAEzD,OAAO;QACH,MAAM,EAAE,aAAa,CAAC,eAAe,CAAC,MAAM;QAC5C,KAAK,EAAE,aAAa,CAAC,eAAe,CAAC,KAAK;QAC1C,kBAAkB,EAAE,aAAa,CAAC,eAAe,CAAC,kBAAkB;QACpE,eAAe,EAAE,aAAa,CAAC,eAAe;QAC9C,sBAAsB,EAAE,aAAa,CAAC,sBAAsB;QAC5D,aAAa,EAAE,CAAC,EAAE,QAAQ,EAAE,uBAAuB,EAAE,MAAM,EAAE,EAAE,EAAE,CAC7D,aAAa,CAAC,aAAa,CAAC;YACxB,QAAQ;YACR,gBAAgB,EAAE,uBAAuB;YACzC,MAAM;SACT,CAAC;KACT,CAAC;AACN,CAAC"}