piral-oidc 1.0.0-pre.2036 → 1.0.1-beta.5640

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2019 - 2021 smapiot
+Copyright (c) 2019 - 2023 smapiot
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md

@@ -1,6 +1,6 @@
-[![Piral Logo](https://github.com/smapiot/piral/raw/master/docs/assets/logo.png)](https://piral.io)
+[![Piral Logo](https://github.com/smapiot/piral/raw/main/docs/assets/logo.png)](https://piral.io)
 
-# [Piral OIDC](https://piral.io) · [![GitHub License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/smapiot/piral/blob/master/LICENSE) [![npm version](https://img.shields.io/npm/v/piral-oidc.svg?style=flat)](https://www.npmjs.com/package/piral-oidc) [![tested with jest](https://img.shields.io/badge/tested_with-jest-99424f.svg)](https://jestjs.io) [![Gitter Chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/piral-io/community)
+# [Piral OIDC](https://piral.io) · [![GitHub License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/smapiot/piral/blob/main/LICENSE) [![npm version](https://img.shields.io/npm/v/piral-oidc.svg?style=flat)](https://www.npmjs.com/package/piral-oidc) [![tested with jest](https://img.shields.io/badge/tested_with-jest-99424f.svg)](https://jestjs.io) [![Gitter Chat](https://badges.gitter.im/gitterHQ/gitter.png)](https://gitter.im/piral-io/community)
 
 This is a plugin that only has a peer dependency to `piral-core`. What `piral-oidc` brings to the table is a direct integration with OpenID Connect identity providers on basis of the oidc-client library that can be used with `piral` or `piral-core`.
 
@@ -8,6 +8,12 @@ The set includes the `getAccessToken` API to retrieve the current user's access
 
 By default, these Pilet API extensions are not integrated in `piral`, so you'd need to add them to your Piral instance.
 
+## Why and When
+
+If you are using authorization with an OpenID Connect provider then `piral-oidc` might be a useful plugin. It uses the `oidc-client` library under the hood and exposes token functionality in common HTTP mechanisms (e.g., using `fetch` or a library such as `axios`). Pilets can get the currently available token via the pilet API.
+
+Alternatives: Use a plugin that is specific to your method of authentication (e.g., `piral-auth` for generic user management, `piral-adal` for Microsoft, `piral-oauth2` for generic OAuth 2, etc.) or just a library.
+
 ## Documentation
 
 The following functions are brought to the Pilet API.
@@ -37,7 +43,7 @@ export async function setup(piral: PiletApi) {
 }
 ```
 
-Note that this value may change if the Piral instance supports an "on the fly" login (i.e., a login without redirect / reloading of the page).
+Note that this value may change if the Piral instance supports an "on the fly" login (i.e., a login without redirect/reloading of the page).
 
 If you need to use claims from the authentication:
 
@@ -46,7 +52,7 @@ import { PiletApi } from '<name-of-piral-instance>';
 
 export async function setup(piral: PiletApi) {
     const userClaims = await piral.getProfile();
-    // consume profile / claims information
+    // consume profile/claims information
 }
 ```
 
@@ -97,15 +103,19 @@ import { setupOidcClient } from 'piral-oidc';
 
 export const client = setupOidcClient({ ... });
 
-// app.ts
+// app.tsx
+import * as React from 'react';
 import { createOidcApi } from 'piral-oidc';
+import { createInstance } from 'piral-core';
 import { client } from './oidc';
+import { render } from 'react-dom';
 
 export function render() {
-  renderInstance({
+  const instance = createInstance({
     // ...
     plugins: [createOidcApi(client)],
   });
+  render(<Piral instance={instance} />, document.querySelector('#app'));
 }
 
 // index.ts
@@ -145,15 +155,19 @@ export const client = setupOidcClient({
     postLogoutUrl: location.origin + '/logout'
 });
 
-// app.ts
+// app.tsx
+import * as React from 'react';
 import { createOidcApi } from 'piral-oidc';
+import { createInstance } from 'piral-core';
 import { client } from './oidc';
+import { render } from 'react-dom';
 
 export function render() {
-  renderInstance({
+  const instance = createInstance({
     // ...
     plugins: [createOidcApi(client)],
   });
+  render(<Piral instance={instance} />, document.querySelector('#app'));
 }
 
 // index.ts

package/esm/OidcError.d.ts

@@ -0,0 +1,13 @@
+import { OidcErrorType, PiralOidcError } from './types';
+/**
+ * A custom error class for oidc errors. It is important to use this class
+ * instead of generic Errors, as some application paths inspect `OidcError['type']`.
+ *
+ * An optional innerError can be supplied in order to not lose visibility on messages provided
+ * by oidc-client.
+ */
+export declare class OidcError extends Error implements PiralOidcError {
+    readonly type: any;
+    readonly innerError: any;
+    constructor(errorType: OidcErrorType, innerError?: Error | string);
+}

package/esm/OidcError.js

@@ -0,0 +1,30 @@
+import { OidcErrorType } from './types';
+const errorMessageMap = {
+    [OidcErrorType.notAuthorized]: 'Not logged in. Please call `login()` to retrieve a token.',
+    [OidcErrorType.silentRenewFailed]: 'Silent renew failed to retrieve access token.',
+    [OidcErrorType.invalidToken]: 'Invalid token during authentication',
+};
+const getErrorMessage = (type, innerError) => {
+    const message = errorMessageMap[type];
+    return message || (innerError ? innerError.toString() : 'an unexpected error has occurred without a message');
+};
+/**
+ * A custom error class for oidc errors. It is important to use this class
+ * instead of generic Errors, as some application paths inspect `OidcError['type']`.
+ *
+ * An optional innerError can be supplied in order to not lose visibility on messages provided
+ * by oidc-client.
+ */
+export class OidcError extends Error {
+    constructor(errorType, innerError) {
+        const message = getErrorMessage(errorType, innerError);
+        super(message);
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, OidcError);
+        }
+        this.name = 'OidcError';
+        this.type = errorType;
+        this.innerError = innerError;
+    }
+}
+//# sourceMappingURL=OidcError.js.map

package/esm/OidcError.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"OidcError.js","sourceRoot":"","sources":["../src/OidcError.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAkB,MAAM,SAAS,CAAC;AAExD,MAAM,eAAe,GAAG;IACtB,CAAC,aAAa,CAAC,aAAa,CAAC,EAAE,2DAA2D;IAC1F,CAAC,aAAa,CAAC,iBAAiB,CAAC,EAAE,+CAA+C;IAClF,CAAC,aAAa,CAAC,YAAY,CAAC,EAAE,qCAAqC;CACpE,CAAC;AAEF,MAAM,eAAe,GAAG,CAAC,IAAmB,EAAE,UAA2B,EAAE,EAAE;IAC3E,MAAM,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACtC,OAAO,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,oDAAoD,CAAC,CAAC;AAChH,CAAC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,OAAO,SAAU,SAAQ,KAAK;IAIlC,YAAY,SAAwB,EAAE,UAA2B;QAC/D,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;QACvD,KAAK,CAAC,OAAO,CAAC,CAAC;QAEf,IAAI,KAAK,CAAC,iBAAiB,EAAE;YAC3B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;SAC1C;QAED,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC;QACtB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF"}

package/esm/create.d.ts

@@ -0,0 +1,6 @@
+import { PiralPlugin } from 'piral-core';
+import { PiletOidcApi, OidcClient } from './types';
+/**
+ * Creates new Pilet API extensions for the integration of OpenID Connect.
+ */
+export declare function createOidcApi(client: OidcClient): PiralPlugin<PiletOidcApi>;

package/esm/create.js

@@ -0,0 +1,17 @@
+/**
+ * Creates new Pilet API extensions for the integration of OpenID Connect.
+ */
+export function createOidcApi(client) {
+    return (context) => {
+        context.on('before-fetch', client.extendHeaders);
+        return {
+            getAccessToken() {
+                return client.token();
+            },
+            getProfile() {
+                return client.account();
+            },
+        };
+    };
+}
+//# sourceMappingURL=create.js.map

package/esm/create.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"create.js","sourceRoot":"","sources":["../src/create.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAkB;IAC9C,OAAO,CAAC,OAAO,EAAE,EAAE;QACjB,OAAO,CAAC,EAAE,CAAC,cAAc,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;QAEjD,OAAO;YACL,cAAc;gBACZ,OAAO,MAAM,CAAC,KAAK,EAAE,CAAC;YACxB,CAAC;YAED,UAAU;gBACR,OAAO,MAAM,CAAC,OAAO,EAAE,CAAC;YAC1B,CAAC;SACF,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC"}

package/esm/index.d.ts

@@ -0,0 +1,3 @@
+export * from './create';
+export * from './setup';
+export * from './types';

package/esm/index.js

@@ -0,0 +1,4 @@
+export * from './create';
+export * from './setup';
+export * from './types';
+//# sourceMappingURL=index.js.map

package/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC"}

package/esm/setup.d.ts

@@ -0,0 +1,6 @@
+import { OidcClient, OidcConfig } from './types';
+/**
+ * Sets up a new client wrapping the oidc-client API.
+ * @param config The configuration for the client.
+ */
+export declare function setupOidcClient(config: OidcConfig): OidcClient;

package/esm/setup.js

@@ -0,0 +1,201 @@
+import { __awaiter } from "tslib";
+import { Log, UserManager } from 'oidc-client';
+import { OidcError } from './OidcError';
+import { LogLevel, OidcErrorType } from './types';
+const logLevelToOidcMap = {
+    [LogLevel.none]: 0,
+    [LogLevel.error]: 1,
+    [LogLevel.warn]: 2,
+    [LogLevel.info]: 3,
+    [LogLevel.debug]: 4,
+};
+function doesWindowLocationMatch(targetUri) {
+    return window.location.pathname === new URL(targetUri).pathname;
+}
+function convertLogLevelToOidcClient(level) {
+    return logLevelToOidcMap[level];
+}
+/**
+ * Sets up a new client wrapping the oidc-client API.
+ * @param config The configuration for the client.
+ */
+export function setupOidcClient(config) {
+    const { clientId, clientSecret, identityProviderUri, redirectUri = `${location.origin}/auth`, signInRedirectParams, postLogoutRedirectUri = location.origin, responseType, responseMode, scopes, restrict = false, parentName, appUri, logLevel, userStore, extraQueryParams, uiLocales, metadata, metadataUrl, monitorSession, } = config;
+    const isMainWindow = () => { var _a; return (parentName ? parentName === ((_a = window.parent) === null || _a === void 0 ? void 0 : _a.name) : window === window.top); };
+    const userManager = new UserManager({
+        authority: identityProviderUri,
+        redirect_uri: redirectUri,
+        silent_redirect_uri: redirectUri,
+        popup_redirect_uri: redirectUri,
+        post_logout_redirect_uri: postLogoutRedirectUri,
+        client_id: clientId,
+        client_secret: clientSecret,
+        response_type: responseType,
+        scope: scopes === null || scopes === void 0 ? void 0 : scopes.join(' '),
+        userStore,
+        extraQueryParams,
+        ui_locales: uiLocales,
+        response_mode: responseMode,
+        metadata,
+        metadataUrl,
+        monitorSession,
+    });
+    if (logLevel !== undefined) {
+        Log.logger = console;
+        Log.level = convertLogLevelToOidcClient(logLevel);
+    }
+    else if (process.env.NODE_ENV === 'development') {
+        Log.logger = console;
+        Log.level = Log.DEBUG;
+    }
+    if (doesWindowLocationMatch(userManager.settings.post_logout_redirect_uri)) {
+        if (isMainWindow()) {
+            userManager.signoutRedirectCallback();
+        }
+        else {
+            userManager.signoutPopupCallback();
+        }
+    }
+    const retrieveToken = () => {
+        return new Promise((res, rej) => {
+            userManager
+                .getUser()
+                .then((user) => {
+                if (!user) {
+                    rej(new OidcError(OidcErrorType.notAuthorized));
+                }
+                else if (user.access_token && user.expires_in > 60) {
+                    res(user.access_token);
+                }
+                else {
+                    return userManager.signinSilent().then((user) => {
+                        if (!user) {
+                            return rej(new OidcError(OidcErrorType.silentRenewFailed));
+                        }
+                        if (!user.access_token) {
+                            return rej(new OidcError(OidcErrorType.invalidToken));
+                        }
+                        return res(user.access_token);
+                    });
+                }
+            })
+                .catch((err) => rej(new OidcError(OidcErrorType.unknown, err)));
+        });
+    };
+    const retrieveProfile = () => {
+        return new Promise((res, rej) => {
+            userManager.getUser().then((user) => {
+                if (!user || user.expires_in <= 0) {
+                    return rej(new OidcError(OidcErrorType.notAuthorized));
+                }
+                else {
+                    return res(user.profile);
+                }
+            }, (err) => rej(new OidcError(OidcErrorType.unknown, err)));
+        });
+    };
+    const handleAuthentication = () => new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () {
+        /** The user that is resolved when finishing the callback  */
+        let user;
+        if ((doesWindowLocationMatch(userManager.settings.silent_redirect_uri) ||
+            doesWindowLocationMatch(userManager.settings.popup_redirect_uri)) &&
+            !isMainWindow()) {
+            /*
+             * This is a silent redirect frame. The correct behavior is to notify the parent of the updated user,
+             * and then to do nothing else. Encountering an error here means the background IFrame failed
+             * to update the parent. This is usually due to a timeout from a network error.
+             */
+            try {
+                user = yield userManager.signinSilentCallback();
+            }
+            catch (e) {
+                return reject(new OidcError(OidcErrorType.oidcCallback, e));
+            }
+            return resolve({
+                shouldRender: false,
+                state: user === null || user === void 0 ? void 0 : user.state,
+            });
+        }
+        if (doesWindowLocationMatch(userManager.settings.redirect_uri) && isMainWindow()) {
+            try {
+                user = yield userManager.signinCallback();
+            }
+            catch (e) {
+                /*
+                 * Failing to handle a sign-in callback is non-recoverable. The user is expected to call `logout()`, after
+                 * logging this error to their internal error-handling service. Usually, this is due to a misconfigured auth server.
+                 */
+                return reject(new OidcError(OidcErrorType.oidcCallback, e));
+            }
+            if (appUri) {
+                Log.debug(`Redirecting to ${appUri} due to appUri being configured.`);
+                window.location.href = appUri;
+                return resolve({
+                    shouldRender: false,
+                    state: user === null || user === void 0 ? void 0 : user.state,
+                });
+            }
+            /* If appUri is not configured, we let the user decide what to do after getting a session. */
+            return resolve({
+                shouldRender: true,
+                state: user === null || user === void 0 ? void 0 : user.state,
+            });
+        }
+        /*
+         * The current page is a normal flow, not a callback or signout. We should retrieve the current access_token,
+         * or log the user in if there is no current session.
+         * This branch of code should also tell the user to render the main application.
+         */
+        return retrieveToken()
+            .then((token) => {
+            if (token) {
+                return resolve({ shouldRender: true });
+            }
+            else {
+                /* We should never get into this state, retrieveToken() should reject if there is no token */
+                return reject(new OidcError(OidcErrorType.invalidToken));
+            }
+        })
+            .catch((reason) => __awaiter(this, void 0, void 0, function* () {
+            if (reason.type === OidcErrorType.notAuthorized) {
+                /*
+                 * Expected Error during normal code flow:
+                 * This is the first time logging in since a logout (or ever), instead of asking the user
+                 * to call `login()`, just perform it ourself here.
+                 *
+                 * The resolve shouldn't matter, as `signinRedirect` will redirect the browser location
+                 * to the user's configured redirectUri.
+                 */
+                yield userManager.signinRedirect(signInRedirectParams);
+                return resolve({ shouldRender: false });
+            }
+            /*
+             * Getting here is a non-recoverable error. It is up to the user to determine what to do.
+             * Usually this is a result of failing to reach the authentication server, or a misconfigured
+             * authentication server, or a bad clock skew (commonly caused by docker in windows).
+             */
+            return reject(reason);
+        }));
+    }));
+    return {
+        _: userManager,
+        login() {
+            return userManager.signinRedirect(signInRedirectParams);
+        },
+        logout() {
+            return userManager.signoutRedirect();
+        },
+        revoke() {
+            return userManager.revokeAccessToken();
+        },
+        handleAuthentication,
+        extendHeaders(req) {
+            if (!restrict) {
+                req.setHeaders(retrieveToken().then((token) => token && { Authorization: `Bearer ${token}` }, () => undefined));
+            }
+        },
+        token: retrieveToken,
+        account: retrieveProfile,
+    };
+}
+//# sourceMappingURL=setup.js.map

package/esm/setup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.js","sourceRoot":"","sources":["../src/setup.ts"],"names":[],"mappings":";AAAA,OAAO,EAAE,GAAG,EAAQ,WAAW,EAAE,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAwB,QAAQ,EAA0B,aAAa,EAAe,MAAM,SAAS,CAAC;AAE7G,MAAM,iBAAiB,GAAG;IACxB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAClB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IACnB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAClB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;IAClB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;CACpB,CAAC;AAEF,SAAS,uBAAuB,CAAC,SAAiB;IAChD,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,KAAK,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC;AAClE,CAAC;AAED,SAAS,2BAA2B,CAAC,KAAe;IAClD,OAAO,iBAAiB,CAAC,KAAK,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,MAAkB;IAChD,MAAM,EACJ,QAAQ,EACR,YAAY,EACZ,mBAAmB,EACnB,WAAW,GAAG,GAAG,QAAQ,CAAC,MAAM,OAAO,EACvC,oBAAoB,EACpB,qBAAqB,GAAG,QAAQ,CAAC,MAAM,EACvC,YAAY,EACZ,YAAY,EACZ,MAAM,EACN,QAAQ,GAAG,KAAK,EAChB,UAAU,EACV,MAAM,EACN,QAAQ,EACR,SAAS,EACT,gBAAgB,EAChB,SAAS,EACT,QAAQ,EACR,WAAW,EACX,cAAc,GACf,GAAG,MAAM,CAAC;IAEX,MAAM,YAAY,GAAG,GAAG,EAAE,WAAC,OAAA,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,MAAK,MAAA,MAAM,CAAC,MAAM,0CAAE,IAAI,CAAA,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,GAAG,CAAC,CAAA,EAAA,CAAC;IAErG,MAAM,WAAW,GAAG,IAAI,WAAW,CAAC;QAClC,SAAS,EAAE,mBAAmB;QAC9B,YAAY,EAAE,WAAW;QACzB,mBAAmB,EAAE,WAAW;QAChC,kBAAkB,EAAE,WAAW;QAC/B,wBAAwB,EAAE,qBAAqB;QAC/C,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,aAAa,EAAE,YAAY;QAC3B,KAAK,EAAE,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,IAAI,CAAC,GAAG,CAAC;QACxB,SAAS;QACT,gBAAgB;QAChB,UAAU,EAAE,SAAS;QACrB,aAAa,EAAE,YAAY;QAC3B,QAAQ;QACR,WAAW;QACX,cAAc;KACf,CAAC,CAAC;IAEH,IAAI,QAAQ,KAAK,SAAS,EAAE;QAC1B,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC;QACrB,GAAG,CAAC,KAAK,GAAG,2BAA2B,CAAC,QAAQ,CAAC,CAAC;KACnD;SAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE;QACjD,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC;QACrB,GAAG,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC;KACvB;IAED,IAAI,uBAAuB,CAAC,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE;QAC1E,IAAI,YAAY,EAAE,EAAE;YAClB,WAAW,CAAC,uBAAuB,EAAE,CAAC;SACvC;aAAM;YACL,WAAW,CAAC,oBAAoB,EAAE,CAAC;SACpC;KACF;IAED,MAAM,aAAa,GAAG,GAAG,EAAE;QACzB,OAAO,IAAI,OAAO,CAAS,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YACtC,WAAW;iBACR,OAAO,EAAE;iBACT,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;gBACb,IAAI,CAAC,IAAI,EAAE;oBACT,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC,CAAC;iBACjD;qBAAM,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,UAAU,GAAG,EAAE,EAAE;oBACpD,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;iBACxB;qBAAM;oBACL,OAAO,WAAW,CAAC,YAAY,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;wBAC9C,IAAI,CAAC,IAAI,EAAE;4BACT,OAAO,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC,CAAC;yBAC5D;wBACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;4BACtB,OAAO,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;yBACvD;wBACD,OAAO,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;oBAChC,CAAC,CAAC,CAAC;iBACJ;YACH,CAAC,CAAC;iBACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QACpE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,eAAe,GAAG,GAAG,EAAE;QAC3B,OAAO,IAAI,OAAO,CAAc,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC3C,WAAW,CAAC,OAAO,EAAE,CAAC,IAAI,CACxB,CAAC,IAAI,EAAE,EAAE;gBACP,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,IAAI,CAAC,EAAE;oBACjC,OAAO,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,aAAa,CAAC,CAAC,CAAC;iBACxD;qBAAM;oBACL,OAAO,GAAG,CAAC,IAAI,CAAC,OAAsB,CAAC,CAAC;iBACzC;YACH,CAAC,EACD,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CACxD,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC;IAEF,MAAM,oBAAoB,GAAG,GAAkC,EAAE,CAC/D,IAAI,OAAO,CAAC,CAAO,OAAO,EAAE,MAAM,EAAE,EAAE;QACpC,6DAA6D;QAC7D,IAAI,IAAU,CAAC;QACf,IACE,CAAC,uBAAuB,CAAC,WAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YAChE,uBAAuB,CAAC,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YACnE,CAAC,YAAY,EAAE,EACf;YACA;;;;eAIG;YACH,IAAI;gBACF,IAAI,GAAG,MAAM,WAAW,CAAC,oBAAoB,EAAE,CAAC;aACjD;YAAC,OAAO,CAAC,EAAE;gBACV,OAAO,MAAM,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;aAC7D;YACD,OAAO,OAAO,CAAC;gBACb,YAAY,EAAE,KAAK;gBACnB,KAAK,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,KAAK;aACnB,CAAC,CAAC;SACJ;QAED,IAAI,uBAAuB,CAAC,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,YAAY,EAAE,EAAE;YAChF,IAAI;gBACF,IAAI,GAAG,MAAM,WAAW,CAAC,cAAc,EAAE,CAAC;aAC3C;YAAC,OAAO,CAAC,EAAE;gBACV;;;mBAGG;gBACH,OAAO,MAAM,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;aAC7D;YAED,IAAI,MAAM,EAAE;gBACV,GAAG,CAAC,KAAK,CAAC,kBAAkB,MAAM,kCAAkC,CAAC,CAAC;gBACtE,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,MAAM,CAAC;gBAC9B,OAAO,OAAO,CAAC;oBACb,YAAY,EAAE,KAAK;oBACnB,KAAK,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,KAAK;iBACnB,CAAC,CAAC;aACJ;YAED,6FAA6F;YAC7F,OAAO,OAAO,CAAC;gBACb,YAAY,EAAE,IAAI;gBAClB,KAAK,EAAE,IAAI,aAAJ,IAAI,uBAAJ,IAAI,CAAE,KAAK;aACnB,CAAC,CAAC;SACJ;QAED;;;;WAIG;QACH,OAAO,aAAa,EAAE;aACnB,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;YACd,IAAI,KAAK,EAAE;gBACT,OAAO,OAAO,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;aACxC;iBAAM;gBACL,6FAA6F;gBAC7F,OAAO,MAAM,CAAC,IAAI,SAAS,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC,CAAC;aAC1D;QACH,CAAC,CAAC;aACD,KAAK,CAAC,CAAO,MAAiB,EAAE,EAAE;YACjC,IAAI,MAAM,CAAC,IAAI,KAAK,aAAa,CAAC,aAAa,EAAE;gBAC/C;;;;;;;mBAOG;gBACH,MAAM,WAAW,CAAC,cAAc,CAAC,oBAAoB,CAAC,CAAC;gBACvD,OAAO,OAAO,CAAC,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;aACzC;YAED;;;;eAIG;YACH,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC;QACxB,CAAC,CAAA,CAAC,CAAC;IACP,CAAC,CAAA,CAAC,CAAC;IAEL,OAAO;QACL,CAAC,EAAE,WAAW;QACd,KAAK;YACH,OAAO,WAAW,CAAC,cAAc,CAAC,oBAAoB,CAAC,CAAC;QAC1D,CAAC;QACD,MAAM;YACJ,OAAO,WAAW,CAAC,eAAe,EAAE,CAAC;QACvC,CAAC;QACD,MAAM;YACJ,OAAO,WAAW,CAAC,iBAAiB,EAAE,CAAC;QACzC,CAAC;QACD,oBAAoB;QACpB,aAAa,CAAC,GAAG;YACf,IAAI,CAAC,QAAQ,EAAE;gBACb,GAAG,CAAC,UAAU,CACZ,aAAa,EAAE,CAAC,IAAI,CAClB,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,IAAI,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,EACxD,GAAG,EAAE,CAAC,SAAS,CAChB,CACF,CAAC;aACH;QACH,CAAC;QACD,KAAK,EAAE,aAAa;QACpB,OAAO,EAAE,eAAe;KACzB,CAAC;AACJ,CAAC"}

package/esm/types.d.ts

@@ -0,0 +1,270 @@
+import type { Profile, StateStore } from 'oidc-client';
+/**
+ * Available configuration options for the OpenID Connect plugin.
+ */
+export interface OidcConfig {
+    /**
+     * The id of the client. Required for the setup of OAuth 2.0.
+     */
+    clientId: string;
+    /**
+     * The client secret.
+     */
+    clientSecret?: string;
+    /**
+     * The name of the parent frame if the app is placed in an
+     * iframe.
+     *
+     * If undefined or an empty string is provided then no iframe
+     * (default behavior) is assumed.
+     *
+     * Note: This is necessary in order to avoid problems with
+     * the silent refresh when being used in an iframe.
+     */
+    parentName?: string;
+    /**
+     * The Uri pointing to the Identity Provider.
+     */
+    identityProviderUri: string;
+    /**
+     * The redirect Uri to use. By default the origin with /auth
+     * is used.
+     */
+    redirectUri?: string;
+    /**
+     * Query params that will be passed to the sign in redirect
+     */
+    signInRedirectParams?: SignInRedirectParams;
+    /**
+     * The Uri to which the Identity provider should redirect
+     * after a logout. By default the origin is used.
+     */
+    postLogoutRedirectUri?: string;
+    /**
+     * The protocol response type to be used. By default, `id_token`
+     * is used.
+     */
+    responseType?: string;
+    /**
+     * The response mode, which is usually already configured well
+     * via the responseType. By default, the responseType `code` will
+     * get `query` and responseType `token` will get `fragment`.
+     */
+    responseMode?: string;
+    /**
+     * The scopes to be used. By default, `openid` is used.
+     */
+    scopes?: Array<string>;
+    /**
+     * Restricts token sharing such that other integrations, e.g., with
+     * fetch would need to be done manually.
+     * Otherwise, the client is responsive to the `before-fetch` event.
+     */
+    restrict?: boolean;
+    /**
+     * If provided, the window will redirect to this Uri after getting
+     * a new session from the redirectUri callback.
+     */
+    appUri?: string;
+    /**
+     * If provided, logging will be enabled for the oidc-client.
+     * Defaults to Log.DEBUG in development NODE_ENV.
+     */
+    logLevel?: LogLevel;
+    /**
+     * The store where user information will be placed after authentication succeeds
+     * This defaults to oidc-client's WebStorageStateStore, using sessionStorage as the internal store
+     */
+    userStore?: OidcStore;
+    /**
+     * Provides some extra query parameters. These are included in the authorization request.
+     */
+    extraQueryParams?: Record<string, any>;
+    /**
+     * Sets the optiopnal ui_locales parameter to set the language of the login page.
+     */
+    uiLocales?: string;
+    /**
+     * Sets the metadata if the OIDC service does not allow querying it for whatever reason.
+     */
+    metadata?: any;
+    /**
+     * Overrides the default metadata URL if the server does not follow the standard paths.
+     */
+    metadataUrl?: string;
+    /**
+     * Determines if the OIDCS session should be automatically monitored.
+     */
+    monitorSession?: boolean;
+}
+/**
+ * The available log levels.
+ */
+export declare enum LogLevel {
+    /**
+     * Logging disabled.
+     */
+    none = "none",
+    /**
+     * Only log on error.
+     */
+    error = "error",
+    /**
+     * Start logging when its at least a warning.
+     */
+    warn = "warn",
+    /**
+     * Already start logging on info level.
+     */
+    info = "info",
+    /**
+     * Log everything - good for debugging purposes.
+     */
+    debug = "debug"
+}
+/**
+ * This interface is used to merge in custom OIDC Claims to the
+ * `getProfile()` call. It can be used as follows below.
+ *
+ * (in this example, `piletApi.getProfile()` will return an object
+ * with the default OIDC claims, and also contain `myCustomClaim`):
+ *
+ * ```
+ * //piral-instance/index.tsx
+ * import 'piral-oidc';
+ *
+ * declare module 'piral-oidc/lib/types' {
+ *   interface PiralCustomOidcProfile {
+ *     myCustomClaim: string;
+ *   }
+ * }
+ * ```
+ */
+export interface PiralCustomOidcProfile {
+}
+/**
+ * The defined OIDC profile.
+ */
+export type OidcProfile = PiralCustomOidcProfile & Profile;
+export interface OidcRequest {
+    /**
+     * Sets the headers of the request.
+     * @param headers Headers or a promise to headers.
+     */
+    setHeaders(headers: any): void;
+}
+export interface OidcClient {
+    /**
+     * The underlying OIDC client.
+     */
+    _: any;
+    /**
+     * Performs a login. Will do nothing when called from a non-top window.
+     */
+    login(): Promise<void>;
+    /**
+     * Performs a logout.
+     */
+    logout(): Promise<void>;
+    /**
+     * Revokes the access token.
+     */
+    revoke(): Promise<void>;
+    /**
+     * Performs a login when the app needs a new token, handles callbacks when on
+     * a callback URL, and redirects into the app route if the client was configured with an `appUri`.
+     *
+     * When this resolves to true, the app-shell should call its `render()` method.
+     * When this resolves to false, do not call `render()`.
+     *
+     * If this rejects, the app-shell should redirect to the login page or handle
+     * an authentication failure manually, it is also advised to log this error to a logging service,
+     * as no users will be be authorized to enter the application.
+     */
+    handleAuthentication(): Promise<AuthenticationResult>;
+    /**
+     * Retrieves the current user profile.
+     */
+    account(): Promise<OidcProfile>;
+    /**
+     * Gets a token.
+     */
+    token(): Promise<string>;
+    /**
+     * Extends the headers of the provided request.
+     */
+    extendHeaders(req: OidcRequest): void;
+}
+export interface PiletOidcApi {
+    /**
+     * Gets the currently valid access token, if any.
+     */
+    getAccessToken(): Promise<string | undefined>;
+    /**
+     * Gets the user's claims from oidc.
+     */
+    getProfile(): Promise<OidcProfile>;
+}
+declare module 'piral-core/lib/types/custom' {
+    interface PiletCustomApi extends PiletOidcApi {
+    }
+}
+/**
+ * The available error types.
+ */
+export declare enum OidcErrorType {
+    /**
+     * This error was thrown at some point during authentication, by the browser or by oidc-client
+     * and we are unable to handle it.
+     */
+    unknown = "unknown",
+    /**
+     * This error happens when the user does not have an access token during Authentication.
+     * It is an expected error, and should be handled during `handleAuthentication()` calls.
+     * If doing manual authentication, prompt the user to `login()` when receiving it.
+     */
+    notAuthorized = "notAuthorized",
+    /**
+     * This error happens when silent renew fails in the background. It is not expected, and
+     * signifies a network error or configuration problem.
+     */
+    silentRenewFailed = "silentRenewFailed",
+    /**
+     * This is an unexpected error that happens when the `token()` call retrieves a User from
+     * the user manager, but it does not have an access_token. This signifies a configuration
+     * error, make sure the correct `scopes` are supplied during configuration.
+     */
+    invalidToken = "invalidToken",
+    /**
+     * This error happened during an Open ID callback. This signifies a network or configuration error
+     * which is non-recoverable. This should be logged to a logging service, and the user should be
+     * prompted to logout().
+     */
+    oidcCallback = "oidcCallback"
+}
+/**
+ * This Error is used for Authentication errors in piral-oidc.
+ */
+export interface PiralOidcError extends Error {
+    type: Readonly<OidcErrorType>;
+}
+export interface SignInRedirectParams {
+    /**
+     * Values used to maintain state between the sign in request and the callback.
+     * These will be available on the result from the handleAuthentication function
+     * successfully authenticates from a callback state.
+     */
+    state?: any;
+}
+/** Result that is returned from the handleAuthentication function */
+export interface AuthenticationResult {
+    /** Whether or not the application should be rendered */
+    shouldRender: boolean;
+    /** The request state that is returned from any callbacks.
+     * This will only be populated if a callback method is called.
+     */
+    state?: any;
+}
+/** An expected interface type for oidc-client to store its user state. */
+export interface OidcStore extends StateStore {
+}