@entrustcorp/idaas-auth-js
Version:
IDaaS Authentication SDK for SPA applications
529 lines (504 loc) • 18.2 kB
TypeScript
/**
* The configurable options when requesting an authentication challenge.
*/
export declare interface AuthenticationRequestParams extends BaseLoginOptions {
/**
* The user ID of the user to request the challenge for.
*/
userId?: string;
/**
* The preferred method of authentication.
*/
preferredAuthenticationMethod?: IdaasAuthenticationMethod;
/**
* Determines if the preferred authentication method must be used.
*/
strict?: boolean;
/**
* Options available during TOKENPUSH authentication
*/
tokenPushOptions?: TokenPushOptions;
/**
* Options available during FACE authentication
*/
faceBiometricOptions?: FaceBiometricOptions;
/**
* The transaction details of the request.
*/
transactionDetails?: TransactionDetail[];
}
export declare interface AuthenticationResponse {
token?: string;
/**
* A flag indicating if authentication has been completed.
*/
authenticationCompleted?: boolean;
/**
* The second factor authenticator that will be used.
*/
secondFactorMethod?: IdaasAuthenticationMethod;
/**
* The method of authentication that will be used.
*/
method?: IdaasAuthenticationMethod;
/**
* A flag indicating if `pollAuth` should be called.
*/
pollForCompletion?: boolean;
/**
* The user ID of the authenticated user.
*/
userId?: string;
/**
* Parameters required for completing the `GRID` authentication method.
*/
gridChallenge?: GridChallenge;
/**
* Parameters required for completing the `KBA` authentication method.
*/
kbaChallenge?: KbaChallenge;
/**
* Parameters required for completing the `FACE` authentication method.
*
* TODO: onfido SDK integration, not necessary when complete. Required for WEB bio auth
*/
faceChallenge?: FaceChallenge;
/**
* Parameters defining the behaviour of the `TEMP_ACCESS_CODE` authentication method.
*/
tempAccessCodeChallenge?: TempAccessCodeChallenge;
/**
* Push authentication mutual challenge for token or Face Biometric.
*/
pushMutualChallenge?: string;
/**
* The PublicKeyCredentialRequestOptions to be passed in the publicKey field to the navigator.credential.get() call.
*/
publicKeyCredentialRequestOptions?: PublicKeyCredentialRequestOptions;
}
/**
* The configurable options when submitting a response to an authentication challenge.
*/
export declare interface AuthenticationSubmissionParams {
/**
* The user's response to the authentication challenge.
*/
response?: string;
/**
* The user's answers to the KBA challenge questions.
* Answers must be in the order of the questions returned when requesting the challenge.
*/
kbaChallengeAnswers?: string[];
/**
* The credential returned from navigator.credentials.get(credentialRequestOptions).
*/
credential?: Credential;
}
/**
* The configurable options for the `login` and `requestChallenge` methods.
*/
declare interface BaseLoginOptions {
/**
* The audience to be used for requesting API access. This defaults to the `globalAudience` set in your `IdaasClientOptions` if not set.
*/
audience?: string;
/**
* The scope to be used on this authentication request.
*
* This defaults to the `globalScope` in your `IdaasClientOptions` if not set. If you are setting extra scopes and require `profile` and `email` to be included then you must include them in the provided scope.
*
* Note: The `openid` scope is always applied regardless of this setting.
*/
scope?: string;
/**
* Determines whether the token obtained from this login request can use refresh tokens. This defaults to the `globalUseRefreshToken` set in your `IdaasClientOptions` if not set.
*
* Note: Use of refresh tokens must be enabled on your IDaaS client application.
*/
useRefreshToken?: boolean;
/**
* Specifies the maximum age of a token, this value does not change on token refresh.
*/
maxAge?: number;
}
/**
* The configurable options when requesting a FACE authentication challenge.
*/
declare interface FaceBiometricOptions extends MutualChallenge {
}
/**
* Parameters returned to initialize a Face Biometric authenticator.
*/
export declare type FaceChallenge = {
/**
* Which device to use for registration and authentication.
*/
device?: 'WEB' | 'MOBILE';
/**
* The ID of the Face Biometric to get.
*/
id?: string;
/**
* QR Code to use to launch the mobile flow.
*/
qrCode?: string;
/**
* The SDK token generated for the user.
*/
sdkToken?: string;
/**
* Workflow run ID to use for the user.
*/
workflowRunId?: string;
};
/**
* The configurable options for a fallback login.
*/
declare interface FallbackAuthorizationOptions {
/**
* The URI to be redirected to after a successful login. The default value is the current page.
* This URI must be included in the `Login Redirect URI(s)` field in your IDaaS client application settings.
*/
redirectUri?: string;
/**
* Determines whether the token obtained from this login request can use refresh tokens. This defaults to the `globalUseRefreshToken` set in your `IdaasClientOptions` if not set.
*
* Note: Use of refresh tokens must be enabled on your IDaaS client application.
*/
useRefreshToken?: boolean;
/**
* Determines the method of login that will be used to authenticate the user.
* The default setting is `false`.
*/
popup?: boolean;
/**
* Determines the strength/quality of the method used to authenticate the user.
*/
acrValues?: string[];
}
/**
* If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication.
*/
export declare type FIDOChallenge = {
/**
* The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded.
*/
allowCredentials?: Array<(string)>;
/**
* A random challenge. It is a base-64 encoded value.
*/
challenge: string;
/**
* The number of seconds that the client will wait for the FIDO token to respond.
*/
timeout: number;
};
/**
* The configurable options when requesting an AccessToken.
*/
export declare interface GetAccessTokenOptions {
/**
* The audience the token must have. This defaults to the `globalAudience` in your `IdaasClientOptions` if not set.
*/
audience?: string;
/**
* The scope(s) the token must have. This defaults to the `globalScope` in your `IdaasClientOptions` if not set.
*/
scope?: string;
/**
* The acr value(s) that are acceptable for this token to have, the returned token's acr claim will be one of these values.
*/
acrValues?: string[];
/**
* The values that will be used to attempt a login if the requested token is not found.
*/
fallbackAuthorizationOptions?: FallbackAuthorizationOptions;
}
/**
* If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer.
*/
export declare type GridChallenge = {
/**
* The grid challenge specifies a list of grid cells that the user must answer in their challenge.
*/
challenge: Array<GridChallengeCell>;
/**
* The grid details.
*/
gridInfo: Array<GridInfo>;
/**
* The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings.
*/
numCharsPerCell: number;
/**
* The serial numbers of the grids that can be used to answer this challenge.
* @deprecated
*/
serialNumbers: Array<(string)>;
};
/**
* A GridChallengeCell specifies one cell in a grid by its row and column coordinates. Normally a grid challenge cell is displayed using letters for the column and numbers for the row. For example, a cell with the value 0,0 will be displayed as A1.
*/
declare type GridChallengeCell = {
/**
* The column within the grid starting at 0.
*/
column: number;
/**
* The row within the grid starting at 0.
*/
row: number;
};
/**
* Details about the grid.
*/
declare type GridInfo = {
/**
* The expiry date of the grid. Null value indicates the grid will never expire.
*/
expiryDate?: string;
/**
* The serial number of the grid that can be used to answer this challenge.
*/
serialNumber: string;
};
export declare type IdaasAuthenticationMethod = "PASSWORD" | "KBA" | "TEMP_ACCESS_CODE" | "OTP" | "GRID" | "TOKEN" | "TOKENPUSH" | "FIDO" | "SMARTCREDENTIALPUSH" | "PASSWORD_AND_SECONDFACTOR" | "PASSKEY" | "FACE";
export declare class IdaasClient {
private readonly storageManager;
private readonly issuerUrl;
private readonly clientId;
private readonly globalScope;
private readonly globalAudience;
private readonly globalUseRefreshToken;
private authenticationTransaction?;
private config?;
constructor({ issuerUrl, clientId, globalAudience, globalScope, globalUseRefreshToken, storageType, }: IdaasClientOptions);
/**
* Perform the authorization code flow by authenticating the user to obtain an access token and optionally refresh and
* ID tokens.
*
* If using redirect (i.e. popup=false), your application must also be configured to call handleRedirect at the redirectUri
* to complete the flow.
* */
login({ audience, scope, redirectUri, useRefreshToken, popup, acrValues, maxAge, }?: OidcLoginOptions): Promise<string | null>;
/**
* Perform the authorization code flow using a new popup window at the OpenID Provider (OP) to authenticate the user.
*/
private loginWithPopup;
/**
* Perform the authorization code flow by redirecting to the OpenID Provider (OP) to authenticate the user and then redirect
* with the necessary state and code.
*/
private loginWithRedirect;
/**
* Handle the callback to the login redirectUri post-authorize and pass the received code to the token endpoint to get
* the access token, ID token, and optionally refresh token (optional). Additionally, validate the ID token claims.
*/
handleRedirect(): Promise<null>;
/**
* Fetch the user information stored in the id_token
* @returns returns the decodedIdToken containing the user info.
*/
getIdTokenClaims(): UserClaims | null;
isAuthenticated(): boolean;
/**
* Clear the application session and navigate to the OpenID Provider's (OP) endsession endpoint.
*/
logout({ redirectUri }?: LogoutOptions): Promise<void>;
/**
* Removes tokens from storage that have surpassed their max_age, and tokens that are expired and not refreshable.
*/
private removeUnusableTokens;
/**
* Returns an access token with the required scopes and audience that is unexpired or refreshable.
* The `fallbackAuthorizationOptions` parameter determines the result if there are no access tokens with the required scopes and audience that are unexpired or refreshable.
*/
getAccessToken({ audience, scope, acrValues, fallbackAuthorizationOptions, }?: GetAccessTokenOptions): Promise<string | null>;
private parseAndSaveTokenResponse;
/**
* Get the user claims from the OpenId Provider using the userinfo endpoint.
*
* @param accessToken when provided its scopes will be used to determine the claims returned from the userinfo endpoint.
* If not provided, the access token with the default scopes and audience will be used if available.
*/
getUserInfo(accessToken?: string): Promise<UserClaims | null>;
private parseRedirect;
private parseLoginRedirect;
private validateAuthorizeResponse;
private requestAndValidateTokens;
private requestTokenUsingRefreshToken;
/**
* Generate the authorization url by generating searchParams. codeVerifier will need to be stored for use after redirect.
*/
private generateAuthorizationUrl;
/**
* Generate the endsession url with the required query params to log out the user from the OpenID Provider
*/
private generateLogoutUrl;
private getConfig;
private initializeAuthenticationTransaction;
requestChallenge(options?: AuthenticationRequestParams): Promise<AuthenticationResponse>;
authenticatePassword: ({ options, password, }: {
options: AuthenticationRequestParams;
password: string;
}) => Promise<AuthenticationResponse>;
pollAuth(): Promise<AuthenticationResponse>;
cancelAuth(): Promise<void>;
submitChallenge(options?: AuthenticationSubmissionParams): Promise<AuthenticationResponse>;
private handleAuthenticationTransactionSuccess;
}
/**
* The configurable options of the IdaasClient.
*/
export declare interface IdaasClientOptions {
/**
* The issuer to be used for validation of JWTs and for fetching API endpoints, typically `https://{yourIdaasDomain}.region.trustedauth.com/api/oidc`.
*/
issuerUrl: string;
/**
* The Client ID found on your IDaaS Application settings page.
*/
clientId: string;
/**
* The storage mechanism to use for ID and access tokens.
*
* @default "memory"
*/
storageType?: "memory" | "localstorage";
/**
* The global scope to be used.
*
* This defaults to `openid profile email` if not set. If you are setting extra scopes and require `profile` and `email` to be included then you must include them in the provided scope.
*
* Note: The `openid` scope is always applied regardless of this setting.
*/
globalScope?: string;
/**
* The global audience to be used for requesting API access.
*/
globalAudience?: string;
/**
* If true, refresh tokens are used to fetch new access tokens from the IDaaS server.
* The default setting is `false`.
*
* Note: Use of refresh tokens must be enabled on your IDaaS client application. Tokens using refresh tokens will have the `offline_access` scope applied.
*/
globalUseRefreshToken?: boolean;
}
/**
* Knowledge-based authenticator required for authentication to Identity as a Service
*/
export declare type KbaChallenge = {
id?: string;
userQuestions: Array<UserQuestion>;
};
/**
* The configurable options for the Logout method.
*/
export declare interface LogoutOptions {
/**
* The URI to be redirected to after a successful logout. This URI must be included in the `Logout Redirect URI(s)` field in your IDaaS client application settings.
*/
redirectUri?: string;
}
declare interface MutualChallenge {
/**
* Determines if the user must answer a mutual challenge for the TOKENPUSH and FACE authenticators.
*/
mutualChallengeEnabled?: boolean;
}
/**
* The configurable options specific to the OIDC `login` method.
*/
export declare interface OidcLoginOptions extends BaseLoginOptions {
/**
* The URI to be redirected to after a successful login. The default value is the current page.
* This URI must be included in the `Login Redirect URI(s)` field in your IDaaS client application settings.
*/
redirectUri?: string;
/**
* Determines the method of login that will be used to authenticate the user.
* The default setting is `false`.
*/
popup?: boolean;
/**
* Determines the strength/quality of the method used to authenticate the user.
*/
acrValues?: string[];
}
/**
* Information about the temporary access code settings.
*/
export declare type TempAccessCodeChallenge = {
/**
* An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message.
*/
adminContact?: string;
/**
* Indicates if the admin contact message should be displayed for this challenge.
*/
enableAdminContact?: boolean;
};
/**
* The configurable options when requesting a TOKENPUSH authentication challenge.
*/
declare interface TokenPushOptions extends MutualChallenge {
}
/**
* Transaction detail item and its value used with push authenticators and with offline transaction verification.
*/
declare type TransactionDetail = {
/**
* The transaction detail name.
*/
detail?: string;
usage?: Array<('RBA' | 'TVS')>;
/**
* The transaction detail value.
*/
value?: string;
};
/**
* The standard user claims of OIDC.
*/
export declare interface UserClaims {
sub?: string;
name?: string;
given_name?: string;
family_name?: string;
middle_name?: string;
nickname?: string;
preferred_username?: string;
profile?: string;
picture?: string;
website?: string;
email?: string;
email_verified?: boolean;
gender?: string;
birthdate?: string;
zoneinfo?: string;
locale?: string;
phone_number?: string;
phone_number_verified?: boolean;
address?: string;
updated_at?: number;
[propName: string]: unknown;
}
/**
* A KBA question/answer stored for a user.
*/
declare type UserQuestion = {
/**
* The question's answer.
*/
answer?: string;
/**
* The UUID of the KBA question/answer.
*/
id?: string;
/**
* The question.
*/
question?: string;
};
export { }