UNPKG

@entrustcorp/idaas-auth-js

Version:
529 lines (504 loc) 18.2 kB
/** * The configurable options when requesting an authentication challenge. */ export declare interface AuthenticationRequestParams extends BaseLoginOptions { /** * The user ID of the user to request the challenge for. */ userId?: string; /** * The preferred method of authentication. */ preferredAuthenticationMethod?: IdaasAuthenticationMethod; /** * Determines if the preferred authentication method must be used. */ strict?: boolean; /** * Options available during TOKENPUSH authentication */ tokenPushOptions?: TokenPushOptions; /** * Options available during FACE authentication */ faceBiometricOptions?: FaceBiometricOptions; /** * The transaction details of the request. */ transactionDetails?: TransactionDetail[]; } export declare interface AuthenticationResponse { token?: string; /** * A flag indicating if authentication has been completed. */ authenticationCompleted?: boolean; /** * The second factor authenticator that will be used. */ secondFactorMethod?: IdaasAuthenticationMethod; /** * The method of authentication that will be used. */ method?: IdaasAuthenticationMethod; /** * A flag indicating if `pollAuth` should be called. */ pollForCompletion?: boolean; /** * The user ID of the authenticated user. */ userId?: string; /** * Parameters required for completing the `GRID` authentication method. */ gridChallenge?: GridChallenge; /** * Parameters required for completing the `KBA` authentication method. */ kbaChallenge?: KbaChallenge; /** * Parameters required for completing the `FACE` authentication method. * * TODO: onfido SDK integration, not necessary when complete. Required for WEB bio auth */ faceChallenge?: FaceChallenge; /** * Parameters defining the behaviour of the `TEMP_ACCESS_CODE` authentication method. */ tempAccessCodeChallenge?: TempAccessCodeChallenge; /** * Push authentication mutual challenge for token or Face Biometric. */ pushMutualChallenge?: string; /** * The PublicKeyCredentialRequestOptions to be passed in the publicKey field to the navigator.credential.get() call. */ publicKeyCredentialRequestOptions?: PublicKeyCredentialRequestOptions; } /** * The configurable options when submitting a response to an authentication challenge. */ export declare interface AuthenticationSubmissionParams { /** * The user's response to the authentication challenge. */ response?: string; /** * The user's answers to the KBA challenge questions. * Answers must be in the order of the questions returned when requesting the challenge. */ kbaChallengeAnswers?: string[]; /** * The credential returned from navigator.credentials.get(credentialRequestOptions). */ credential?: Credential; } /** * The configurable options for the `login` and `requestChallenge` methods. */ declare interface BaseLoginOptions { /** * The audience to be used for requesting API access. This defaults to the `globalAudience` set in your `IdaasClientOptions` if not set. */ audience?: string; /** * The scope to be used on this authentication request. * * This defaults to the `globalScope` in your `IdaasClientOptions` if not set. If you are setting extra scopes and require `profile` and `email` to be included then you must include them in the provided scope. * * Note: The `openid` scope is always applied regardless of this setting. */ scope?: string; /** * Determines whether the token obtained from this login request can use refresh tokens. This defaults to the `globalUseRefreshToken` set in your `IdaasClientOptions` if not set. * * Note: Use of refresh tokens must be enabled on your IDaaS client application. */ useRefreshToken?: boolean; /** * Specifies the maximum age of a token, this value does not change on token refresh. */ maxAge?: number; } /** * The configurable options when requesting a FACE authentication challenge. */ declare interface FaceBiometricOptions extends MutualChallenge { } /** * Parameters returned to initialize a Face Biometric authenticator. */ export declare type FaceChallenge = { /** * Which device to use for registration and authentication. */ device?: 'WEB' | 'MOBILE'; /** * The ID of the Face Biometric to get. */ id?: string; /** * QR Code to use to launch the mobile flow. */ qrCode?: string; /** * The SDK token generated for the user. */ sdkToken?: string; /** * Workflow run ID to use for the user. */ workflowRunId?: string; }; /** * The configurable options for a fallback login. */ declare interface FallbackAuthorizationOptions { /** * The URI to be redirected to after a successful login. The default value is the current page. * This URI must be included in the `Login Redirect URI(s)` field in your IDaaS client application settings. */ redirectUri?: string; /** * Determines whether the token obtained from this login request can use refresh tokens. This defaults to the `globalUseRefreshToken` set in your `IdaasClientOptions` if not set. * * Note: Use of refresh tokens must be enabled on your IDaaS client application. */ useRefreshToken?: boolean; /** * Determines the method of login that will be used to authenticate the user. * The default setting is `false`. */ popup?: boolean; /** * Determines the strength/quality of the method used to authenticate the user. */ acrValues?: string[]; } /** * If the authentication challenge is of type FIDO, the FIDOChallenge will contain the FIDO challenge parameters that must be passed to the FIDO token to complete authentication. */ export declare type FIDOChallenge = { /** * The list of IDs of the FIDO tokens registered for the user. Each value is base-64 encoded. */ allowCredentials?: Array<(string)>; /** * A random challenge. It is a base-64 encoded value. */ challenge: string; /** * The number of seconds that the client will wait for the FIDO token to respond. */ timeout: number; }; /** * The configurable options when requesting an AccessToken. */ export declare interface GetAccessTokenOptions { /** * The audience the token must have. This defaults to the `globalAudience` in your `IdaasClientOptions` if not set. */ audience?: string; /** * The scope(s) the token must have. This defaults to the `globalScope` in your `IdaasClientOptions` if not set. */ scope?: string; /** * The acr value(s) that are acceptable for this token to have, the returned token's acr claim will be one of these values. */ acrValues?: string[]; /** * The values that will be used to attempt a login if the requested token is not found. */ fallbackAuthorizationOptions?: FallbackAuthorizationOptions; } /** * If the authentication challenge is of type grid, the GridChallenge object will contain the grid challenge that the end user must answer. */ export declare type GridChallenge = { /** * The grid challenge specifies a list of grid cells that the user must answer in their challenge. */ challenge: Array<GridChallengeCell>; /** * The grid details. */ gridInfo: Array<GridInfo>; /** * The numCharsPerCell value specifies the number of characters expected in the response for each cell as defined by current settings. */ numCharsPerCell: number; /** * The serial numbers of the grids that can be used to answer this challenge. * @deprecated */ serialNumbers: Array<(string)>; }; /** * A GridChallengeCell specifies one cell in a grid by its row and column coordinates. Normally a grid challenge cell is displayed using letters for the column and numbers for the row. For example, a cell with the value 0,0 will be displayed as A1. */ declare type GridChallengeCell = { /** * The column within the grid starting at 0. */ column: number; /** * The row within the grid starting at 0. */ row: number; }; /** * Details about the grid. */ declare type GridInfo = { /** * The expiry date of the grid. Null value indicates the grid will never expire. */ expiryDate?: string; /** * The serial number of the grid that can be used to answer this challenge. */ serialNumber: string; }; export declare type IdaasAuthenticationMethod = "PASSWORD" | "KBA" | "TEMP_ACCESS_CODE" | "OTP" | "GRID" | "TOKEN" | "TOKENPUSH" | "FIDO" | "SMARTCREDENTIALPUSH" | "PASSWORD_AND_SECONDFACTOR" | "PASSKEY" | "FACE"; export declare class IdaasClient { private readonly storageManager; private readonly issuerUrl; private readonly clientId; private readonly globalScope; private readonly globalAudience; private readonly globalUseRefreshToken; private authenticationTransaction?; private config?; constructor({ issuerUrl, clientId, globalAudience, globalScope, globalUseRefreshToken, storageType, }: IdaasClientOptions); /** * Perform the authorization code flow by authenticating the user to obtain an access token and optionally refresh and * ID tokens. * * If using redirect (i.e. popup=false), your application must also be configured to call handleRedirect at the redirectUri * to complete the flow. * */ login({ audience, scope, redirectUri, useRefreshToken, popup, acrValues, maxAge, }?: OidcLoginOptions): Promise<string | null>; /** * Perform the authorization code flow using a new popup window at the OpenID Provider (OP) to authenticate the user. */ private loginWithPopup; /** * Perform the authorization code flow by redirecting to the OpenID Provider (OP) to authenticate the user and then redirect * with the necessary state and code. */ private loginWithRedirect; /** * Handle the callback to the login redirectUri post-authorize and pass the received code to the token endpoint to get * the access token, ID token, and optionally refresh token (optional). Additionally, validate the ID token claims. */ handleRedirect(): Promise<null>; /** * Fetch the user information stored in the id_token * @returns returns the decodedIdToken containing the user info. */ getIdTokenClaims(): UserClaims | null; isAuthenticated(): boolean; /** * Clear the application session and navigate to the OpenID Provider's (OP) endsession endpoint. */ logout({ redirectUri }?: LogoutOptions): Promise<void>; /** * Removes tokens from storage that have surpassed their max_age, and tokens that are expired and not refreshable. */ private removeUnusableTokens; /** * Returns an access token with the required scopes and audience that is unexpired or refreshable. * The `fallbackAuthorizationOptions` parameter determines the result if there are no access tokens with the required scopes and audience that are unexpired or refreshable. */ getAccessToken({ audience, scope, acrValues, fallbackAuthorizationOptions, }?: GetAccessTokenOptions): Promise<string | null>; private parseAndSaveTokenResponse; /** * Get the user claims from the OpenId Provider using the userinfo endpoint. * * @param accessToken when provided its scopes will be used to determine the claims returned from the userinfo endpoint. * If not provided, the access token with the default scopes and audience will be used if available. */ getUserInfo(accessToken?: string): Promise<UserClaims | null>; private parseRedirect; private parseLoginRedirect; private validateAuthorizeResponse; private requestAndValidateTokens; private requestTokenUsingRefreshToken; /** * Generate the authorization url by generating searchParams. codeVerifier will need to be stored for use after redirect. */ private generateAuthorizationUrl; /** * Generate the endsession url with the required query params to log out the user from the OpenID Provider */ private generateLogoutUrl; private getConfig; private initializeAuthenticationTransaction; requestChallenge(options?: AuthenticationRequestParams): Promise<AuthenticationResponse>; authenticatePassword: ({ options, password, }: { options: AuthenticationRequestParams; password: string; }) => Promise<AuthenticationResponse>; pollAuth(): Promise<AuthenticationResponse>; cancelAuth(): Promise<void>; submitChallenge(options?: AuthenticationSubmissionParams): Promise<AuthenticationResponse>; private handleAuthenticationTransactionSuccess; } /** * The configurable options of the IdaasClient. */ export declare interface IdaasClientOptions { /** * The issuer to be used for validation of JWTs and for fetching API endpoints, typically `https://{yourIdaasDomain}.region.trustedauth.com/api/oidc`. */ issuerUrl: string; /** * The Client ID found on your IDaaS Application settings page. */ clientId: string; /** * The storage mechanism to use for ID and access tokens. * * @default "memory" */ storageType?: "memory" | "localstorage"; /** * The global scope to be used. * * This defaults to `openid profile email` if not set. If you are setting extra scopes and require `profile` and `email` to be included then you must include them in the provided scope. * * Note: The `openid` scope is always applied regardless of this setting. */ globalScope?: string; /** * The global audience to be used for requesting API access. */ globalAudience?: string; /** * If true, refresh tokens are used to fetch new access tokens from the IDaaS server. * The default setting is `false`. * * Note: Use of refresh tokens must be enabled on your IDaaS client application. Tokens using refresh tokens will have the `offline_access` scope applied. */ globalUseRefreshToken?: boolean; } /** * Knowledge-based authenticator required for authentication to Identity as a Service */ export declare type KbaChallenge = { id?: string; userQuestions: Array<UserQuestion>; }; /** * The configurable options for the Logout method. */ export declare interface LogoutOptions { /** * The URI to be redirected to after a successful logout. This URI must be included in the `Logout Redirect URI(s)` field in your IDaaS client application settings. */ redirectUri?: string; } declare interface MutualChallenge { /** * Determines if the user must answer a mutual challenge for the TOKENPUSH and FACE authenticators. */ mutualChallengeEnabled?: boolean; } /** * The configurable options specific to the OIDC `login` method. */ export declare interface OidcLoginOptions extends BaseLoginOptions { /** * The URI to be redirected to after a successful login. The default value is the current page. * This URI must be included in the `Login Redirect URI(s)` field in your IDaaS client application settings. */ redirectUri?: string; /** * Determines the method of login that will be used to authenticate the user. * The default setting is `false`. */ popup?: boolean; /** * Determines the strength/quality of the method used to authenticate the user. */ acrValues?: string[]; } /** * Information about the temporary access code settings. */ export declare type TempAccessCodeChallenge = { /** * An optional admin contact value (like an admin email address or phone number) to be displayed in the admin contact message. */ adminContact?: string; /** * Indicates if the admin contact message should be displayed for this challenge. */ enableAdminContact?: boolean; }; /** * The configurable options when requesting a TOKENPUSH authentication challenge. */ declare interface TokenPushOptions extends MutualChallenge { } /** * Transaction detail item and its value used with push authenticators and with offline transaction verification. */ declare type TransactionDetail = { /** * The transaction detail name. */ detail?: string; usage?: Array<('RBA' | 'TVS')>; /** * The transaction detail value. */ value?: string; }; /** * The standard user claims of OIDC. */ export declare interface UserClaims { sub?: string; name?: string; given_name?: string; family_name?: string; middle_name?: string; nickname?: string; preferred_username?: string; profile?: string; picture?: string; website?: string; email?: string; email_verified?: boolean; gender?: string; birthdate?: string; zoneinfo?: string; locale?: string; phone_number?: string; phone_number_verified?: boolean; address?: string; updated_at?: number; [propName: string]: unknown; } /** * A KBA question/answer stored for a user. */ declare type UserQuestion = { /** * The question's answer. */ answer?: string; /** * The UUID of the KBA question/answer. */ id?: string; /** * The question. */ question?: string; }; export { }