UNPKG

@upbond/auth-spa-js

Version:

Auth SDK for Single Page Applications using Authorization Code Grant Flow with PKCE

github.com/upbond/upbond-auth-spa-js

upbond/auth-spa-js

402 lines (366 loc) 11 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
/** * @ignore */ export interface BaseLoginOptions { /** * - `'page'`: displays the UI with a full page view * - `'popup'`: displays the UI with a popup window * - `'touch'`: displays the UI in a way that leverages a touch interface * - `'wap'`: displays the UI with a "feature phone" type interface */ display?: 'page' | 'popup' | 'touch' | 'wap'; /** * - `'none'`: do not prompt user for login or consent on reauthentication * - `'login'`: prompt user for reauthentication * - `'consent'`: prompt user for consent before processing request * - `'select_account'`: prompt user to select an account */ prompt?: 'none' | 'login' | 'consent' | 'select_account'; /** * Maximum allowable elasped time (in seconds) since authentication. * If the last time the user authenticated is greater than this value, * the user must be reauthenticated. */ max_age?: string | number; /** * The space-separated list of language tags, ordered by preference. * For example: `'fr-CA fr en'`. */ ui_locales?: string; /** * Previously issued ID Token. */ id_token_hint?: string; /** * The user's email address or other identifier. When your app knows * which user is trying to authenticate, you can provide this parameter * to pre-fill the email box or select the right session for sign-in. * * This currently only affects the classic Lock experience. */ login_hint?: string; acr_values?: string; /** * The default scope to be used on authentication requests. * The defaultScope defined in the AuthClient is included * along with this scope */ scope?: string; /** * The default audience to be used for requesting API access. */ audience?: string; /** * The name of the connection configured for your application. * If null, it will redirect to the Auth Login Page and show * the Login Widget. */ connection?: string; /** * If you need to send custom parameters to the Authorization Server, * make sure to use the original parameter name. */ [key: string]: any; } interface AdvancedOptions { /** * The default scope to be included with all requests. * If not provided, 'openid profile email' is used. This can be set to `null` in order to effectively remove the default scopes. * * Note: The `openid` scope is **always applied** regardless of this setting. */ defaultScope?: string; } export interface AuthClientOptions extends BaseLoginOptions { /** * Your Auth account domain such as `'example.auth.com'`, * `'example.eu.auth.com'` or , `'example.mycompany.com'` * (when using [custom domains](https://auth.com/docs/custom-domains)) */ /** * The issuer to be used for validation of JWTs, optionally defaults to the domain above */ issuer?: string; /** * The Client ID found on your Application settings page */ client_id: string; /** * The default URL where Auth will redirect your browser to with * the authentication result. It must be whitelisted in * the "Allowed Callback URLs" field in your Auth Application's * settings. If not provided here, it should be provided in the other * methods that provide authentication. */ redirect_uri?: string; /** * The value in seconds used to account for clock skew in JWT expirations. * Typically, this value is no more than a minute or two at maximum. * Defaults to 60s. */ leeway?: number; /** * The location to use when storing cache data. Valid values are `memory` or `localstorage`. * The default setting is `memory`. */ cacheLocation?: CacheLocation; /** * If true, refresh tokens are used to fetch new access tokens from the Auth server. If false, the legacy technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used. * The default setting is `false`. * * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth client application. */ useRefreshTokens?: boolean; /** * A maximum number of seconds to wait before declaring background calls to /authorize as failed for timeout * Defaults to 60s. */ authorizeTimeoutInSeconds?: number; /** * Internal property to send information about the client to the authorization server. * @internal */ authClient?: { name: string; version: string }; /** * Changes to recommended defaults, like defaultScope */ advancedOptions?: AdvancedOptions; } /** * The possible locations where tokens can be stored */ export type CacheLocation = 'memory' | 'localstorage'; /** * @ignore */ export interface AuthorizeOptions extends BaseLoginOptions { response_type: string; response_mode: string; redirect_uri: string; nonce: string; state: string; scope: string; code_challenge: string; code_challenge_method: string; } export interface RedirectLoginOptions extends BaseLoginOptions { /** * The URL where Auth will redirect your browser to with * the authentication result. It must be whitelisted in * the "Allowed Callback URLs" field in your Auth Application's * settings. */ redirect_uri?: string; /** * Used to store state before doing the redirect */ appState?: any; /** * Used to add to the URL fragment before redirecting */ fragment?: string; } export interface RedirectLoginResult { /** * State stored when the redirect request was made */ appState?: any; } export interface PopupLoginOptions extends BaseLoginOptions { } export interface PopupConfigOptions { /** * The number of seconds to wait for a popup response before * throwing a timeout error. Defaults to 60s */ timeoutInSeconds?: number; /** * Accepts an already-created popup window to use. If not specified, the SDK * will create its own. This may be useful for platforms like iOS that have * security restrictions around when popups can be invoked (e.g. from a user click event) */ popup?: any; } export interface GetUserOptions { /** * The scope that was used in the authentication request */ scope: string; /** * The audience that was used in the authentication request */ audience: string; } export interface GetIdTokenClaimsOptions { /** * The scope that was used in the authentication request */ scope: string; /** * The audience that was used in the authentication request */ audience: string; } /* * TODO: Remove this on the next major */ export type getIdTokenClaimsOptions = GetIdTokenClaimsOptions; export interface GetTokenSilentlyOptions { /** * When `true`, ignores the cache and always sends a * request to Auth. */ ignoreCache?: boolean; /** * There's no actual redirect when getting a token silently, * but, according to the spec, a `redirect_uri` param is required. * Auth uses this parameter to validate that the current `origin` * matches the `redirect_uri` `origin` when sending the response. * It must be whitelisted in the "Allowed Web Origins" in your * Auth Application's settings. */ redirect_uri?: string; /** * The scope that was used in the authentication request */ scope?: string; /** * The audience that was used in the authentication request */ audience?: string; /** A maximum number of seconds to wait before declaring the background /authorize call as failed for timeout * Defaults to 60s. */ timeoutInSeconds?: number; /** * If you need to send custom parameters to the Authorization Server, * make sure to use the original parameter name. */ [key: string]: any; } export interface GetTokenWithPopupOptions extends PopupLoginOptions { } export interface LogoutOptions { /** * The URL where Auth will redirect your browser to after the logout. * * **Note**: If the `client_id` parameter is included, the * `returnTo` URL that is provided must be listed in the * Application's "Allowed Logout URLs" in the Auth dashboard. * However, if the `client_id` parameter is not included, the * `returnTo` URL must be listed in the "Allowed Logout URLs" at * the account level in the Auth dashboard. * * [Read more about how redirecting after logout works](https://auth.com/docs/logout/guides/redirect-users-after-logout) */ returnTo?: string; /** * The `client_id` of your application. * * If this property is not set, then the `client_id` that was used during initialization of the SDK is sent to the logout endpoint. * * If this property is set to `null`, then no client ID value is sent to the logout endpoint. * * [Read more about how redirecting after logout works](https://auth.com/docs/logout/guides/redirect-users-after-logout) */ client_id?: string; /** * When supported by the upstream identity provider, * forces the user to logout of their identity provider * and from Auth. * This option cannot be specified along with the `localOnly` option. * [Read more about how federated logout works at Auth](https://auth.com/docs/logout/guides/logout-idps) */ federated?: boolean; /** * When `true`, this skips the request to the logout endpoint on the authorization server, * effectively performing a "local" logout of the application. No redirect should take place, * you should update local logged in state. * This option cannot be specified along with the `federated` option. */ localOnly?: boolean; } /** * @ignore */ export interface AuthenticationResult { state: string; code?: string; error?: string; error_description?: string; } /** * @ignore */ export interface TokenEndpointOptions { baseUrl: string; client_id: string; grant_type: string; timeout?: number; [key: string]: any; } /** * @ignore */ export interface OAuthTokenOptions extends TokenEndpointOptions { code_verifier: string; code: string; redirect_uri: string; } /** * @ignore */ export interface RefreshTokenOptions extends TokenEndpointOptions { refresh_token: string; } /** * @ignore */ export interface JWTVerifyOptions { iss: string; aud: string; id_token: string; nonce?: string; leeway?: number; max_age?: number; } /** * @ignore */ export interface IdToken { __raw: string; name?: string; given_name?: string; family_name?: string; middle_name?: string; nickname?: string; preferred_username?: string; profile?: string; picture?: string; website?: string; email?: string; email_verified?: boolean; gender?: string; birthdate?: string; zoneinfo?: string; locale?: string; phone_number?: string; phone_number_verified?: boolean; address?: string; updated_at?: string; iss?: string; aud?: string; exp?: number; nbf?: number; iat?: number; jti?: string; azp?: string; nonce?: string; auth_time?: string; at_hash?: string; c_hash?: string; acr?: string; amr?: string; sub_jwk?: string; cnf?: string; sid?: string; [key: string]: any; }