UNPKG

@curity/oauth-assistant

Version:

Curity JS OAuth Assistant

375 lines (283 loc) 13.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
# Curity OAuth Assistant ## Add to project Add to your project using npm ``` npm install @curity/oauth-assistant ``` or yarn ``` yarn add @curity/oauth-assistant ``` ## How to use in your project ### Initialize Assistant You need to pass in the settings object in order to initialize Assistant. Here is an example settings object. ``` const settings = { flow_type : "code", // Possible values : (code, implicit, assisted_token) base_url : "http://localhost:8443", client_id : "test_client_id", issuer : "https://localhost:8443/oauth/v2/oauth-anonymous", redirect_uri : "http://localhost:8080/assisted.html", // Basic version of assisted.html is available in example/assisted.html but it can be customized as needed. for_origin : "http://localhost:8080", iframe : { // Optional: Passing in null would take default values targetElement: null, // targetElement querySelector , default: 'body' width : null, // take default value : 400 height : null, // take default value : 700 style : null, // take default value backdrop: { visible : true, // default is true style : null, // take default value backdropClass: "" }, closeButton: { visible: true, // default is true style : null, // style for wrapper div of close button class : "", button : null }, }, "popup": { "width" : null, // take default value : 400 "height": null // take default value : 600 }, allowed_origins: ["http://localhost:8443", "http://localhost:8080"], // default is [window.origin] disable_session_management: false, // Optional: if set to true, session management will be disabled check_session_iframe: null, // Optional url, if not provided then it will be resolved from metadata session_polling_interval: 5, // Optional: polling interval in seconds, default is 5 check_session_iframe_events: { // Optional onStateChanging: () => {}, onStateChanged: () => {}, onLogout: () => {}, onConsent: () => {}, onError: () => {}, onUnchanged: () => {}, }, allowed_jwt_algorithms: ['RS256'], // Optional: algorithms to trust for JWT validation jwt_sig_public_key: { // allowed formats are jwk | jwks_uri | pem | issuer | metadata_url | raw format: 'issuer', // in case of issuer, the issuer value will be taken from jwt payload value: null }, ignore_not_before: false, // Optional: controls whether to skip the validation of the nbf claim when validating the ID Token, default is false ignore_expiration: false, // Optional: controls whether to skip the validation of the exp claim when validating the ID Token, default is false clock_tolerance: 0, // Optional: controls the clock tolerance when validating the ID Token to accomodate drifting clocks, default is 0 debug: false, // Optional: Enabling debug to true will display console logs of assistant, default is false openid_configuration_url: "https://example.com/path/.well-known/openid-configuration", // Optional: set if the OpenID Configuration URL uses different host or base path than the issuer }; ``` More details on settings object is available in the [settings](#settings) section. Import Assistant into your project and initialize it using settings object. ``` import Assistant from "@curity/oauth-assistant"; // OR using require // const Assistant = require("@curity/oauth-assistant"); const assistant = new Assistant(settings); assistant.init() .then(() => { console.log("assistant loaded"); // Start the authorize flow }); ``` ### Available methods ``` 1. authorize(parameters) 2. authorizeFrame(parameters) 3. authorizeHiddenFrame(parameters) 4. authorizeHiddenFallbackToVisible(parameters) 5. authorizePopup(parameters) 6. authorizeHiddenFallbackToPopup(parameters) 7. getToken() 8. getIDToken() 9. revoke() 10. logout(postLogoutRedirectUri, global) 11. getScope() 12. getExpiresIn() 13. getAdditionalFieds() ``` After initializing the Assistant, you can start authorize flow using any of the 4 methods available. To each authorize flow, you can pass in any number of optional parameters like below. ``` const parameters = { scope: "openid", state: "state-value", response_type: "token id_token", ... }; ``` 1. **Login with redirect** ``` assistant.authorize(parameters); ``` 2. **Login with visible iframe** ``` assistant.authorizeFrame(parameters) .then((token) => {}) .catch((err) => {}); ``` 3. **Login with hidden iframe** ``` assistant.authorizeHiddenFrame(parameters) .then((token) => {}) .catch((err) => {}); ``` 4. **Login with hidden iframe (fallback to visible iframe if login is required)** ``` assistant.authorizeHiddenFallbackToVisible(parameters) .then((token) => {}) .catch((err) => {}); ``` 5. **Login with visible popup** ``` assistant.authorizePopup(parameters) .then((token) => {}) .catch((err) => {}); ``` 6. **Login with hidden flow (fallback to visible popup if login is required)** ``` assistant.authorizeHiddenFallbackToPopup(parameters) .then((token) => {}) .catch((err) => {}); ``` Once the authorize flow is complete, you can get the `token`, `id_token` or revoke tokens using the Assistant. **Get Token** ``` assistant.getToken(); ``` **Get ID Token** ``` assistant.getIDToken(); ``` **Revoke Tokens** ``` assistant.revoke() .then(() => {}) .catch((err) => {}); ``` **Refresh Tokens** If the AS issued a refresh token, use it to obtain new tokens. ``` assistant.refresh() .then(() => {}) .catch((err) => {}); ``` **Logout** Logout the user from server and revoke tokens. Default value of `postLogoutRedirectUri` is `window.location.href`. Default value of `global` is `false`, if set to `true` then it will be sent during logout as an extra query parameter, causing logout to happen globally across all logged in clients. ``` assistant.logout(postLogoutRedirectUri, global) .then(() => {}) .catch((err) => {}); ``` **Get scopes** Get the space-delimited list of scope tokens associated with the last authorization response. ```javascript assistant.getScope(); ``` **Get expires in** Get the `expires_in` value associated with the last authorization response. ```javascript assisstant.getExpiresIn(); ``` **Get additional fields** Get a map of any additional fields associated with the last authorization response. Fields other than `access_token`, `scope`, `expires_in` or `id_token`. ```javascript assistant.getAdditionalFields(); ``` ### Settings While initializing Assistant, you need to pass in a settings object which contain some mandatory and optional values. ``` { flow_type : "code", // Possible values : (code, implicit, assisted_token) base_url : "http://localhost:8443", client_id : "test_client_id", issuer : "https://localhost:8443/oauth/v2/oauth-anonymous", redirect_uri : "http://localhost:8080/assisted.html", // Basic version of assisted.html is available in example/assisted.html but it can be customized as needed. for_origin : "http://localhost:8080", iframe : { // Optional: Passing in null would take default values targetElement: null, // targetElement querySelector , default: 'body' width : null, // take default value : 400 height : null, // take default value : 700 style : null, // take default value backdrop: { visible : true, // default is true style : null, // take default value backdropClass: "" } }, "popup": { "width": null, // take default value : 400 "height": null // take default value : 600 }, allowed_origins: ["http://localhost:8443", "http://localhost:8080"], // default is [window.origin] disable_session_management: false, check_session_iframe: null, // Optional url, if not provided then it will be resolved from metadata session_polling_interval: 5, // Optional: polling interval in seconds, default is 5 check_session_iframe_events: { // Optional onStateChanging: () => {}, onStateChanged: () => {}, onLogout: () => {}, onConsent: () => {}, onError: () => {}, onUnchanged: () => {}, }, allowed_jwt_algorithms: ['RS256'], // Optional: algorithms to trust for JWT validation jwt_sig_public_key: { // allowed formats are jwk | jwks_uri | pem | issuer | metadata_url | raw format: 'issuer', // in case of issuer, the issuer value will be taken from jwt payload value: null }, ignore_not_before: true, ignore_expiration: false, clock_tolerance: 10, debug: false, // Enabling debug to true will display console logs of assistant openid_configuration_url: "https://example.com/path/.well-known/openid-configuration", // Set if the OpenID Configuration URL uses different host or base path than the issuer }; ``` All fields marked with `*` are mandatory. * **flow_type*** Flow type determines the authorize flow to be used. It can be any of the three flows (code, implicit, assisted_token). * **base_url*** Base url of Curity Identity server. * **client_id*** App client id * **issuer*** Issuer endpoint * **redirect_uri*** In case of `framed flow`, it will be something like assisted.html which is provided in example, you can provide any redirect uri and handle the response accordingly like it is done in assisted.html, you need to either host assisted.html on your server or implement the same thing in yourself and provide the redirect uri accordingly. In case of `login with redirect`, redirect uri will be probably your host application or wherever you will handle the response. * **iframe** You can optionally customize the iframe `height`, `width`, `style` and `backdrop` as shown in example object above. * **popup** You can optionally customize the popup `height` and `width` as shown in example object above. * **allowed_origins*** Allowed origins: default is [window.origin]. For assisted token flow, this should include the origin of the token server or the origin of where the script is hosted. If the server is behind a reverse proxy, then the proxy's origin should be used. * **disable_session_management** Set to true to disable session management * **check_session_iframe** Url for the check session iframe, default will be resolved from metadata * **session_polling_interval** Polling interval to post message to check session iframe to check for session, default is 5 seconds * **check_session_iframe_events** Callback events which will be called in response to check session iframe polling. 1. `onStateChanging` is called right before the `prompt=none` is sent when session has changed. 2. `onStateChanged` is called right after the `prompt=none` re-authorization is received back to the client. 3. `onLogout` is called when the the prompt returns an error of `login_required`. 4. `onConsent` is called when the the prompt returns an error of `consent_required`. 5. `onError` is called when an error is thrown by IP iframe 6. `onUnchanged` is called whenever the login state does not change. * **allowed_jwt_algorithms** Optional: Algorithms to trust for JWT validation * **jwt_sig_public_key** [More details](https://www.npmjs.com/package/@curity/jwt-validation#allowed-public-key-formats) An optional parameter which specify the format and value of public key to be used to verify the jwt signature. Default format is `issuer`. Allowed formats are `jwk` | `jwks_uri` | `pem` | `issuer` | `metadata_url` | `raw` 1. **jwk** A jwk can directly be passed as an object (and not a string), when format specified is `jwk`. 2. **jwks_uri** A list of jwks can be retrieved from a specified `jwks_uri`. 3. **pem** A pem key string can be provided using public key format `pem`. 4. **issuer** If the format specified is `issuer`, then jwt issuer is used to retrieve metadata which in turn, is resolved to retrieve jwk from corresponding jwks_uri. 5. **metadata_url** If the format specified is `metadata_url`, then jwk is retrieved from corresponding jwks_uri of resolved metadata. 6. **raw** You can provide HMAC secret keys using `raw` format. * **ignore_not_before** Set to true to ignore not before (`nbf`) on ID Token validity check, default is false * **ignore_expiration** Set to true to expiration (`exp`) on ID Token validity check, default is false * **clock_tolerance** Controls the clock skew of the `nbf` and `exp` claim on ID Token validity check * **debug** Debug mode set to true will enable the assistant to display console logs in order to help for debugging. * **openid_configuration_url** URL of the OpenID Configuration well-known endpoint. By default this URL equals to the issuer value plus the path `/.well-known/openid-configuration` Follow https://curity.io/resources/learn/test-using-oauth-assistant/ to try out the OAuth Assistant using the example app