auth0
Version:
Auth0 Node.js SDK for the Management API v2.
281 lines (280 loc) • 13.9 kB
JavaScript
"use strict";
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.OAuth = exports.TOKEN_URL = exports.TOKEN_FOR_CONNECTION_REQUESTED_TOKEN_TYPE = exports.TOKEN_FOR_CONNECTION_TOKEN_TYPE = exports.TOKEN_FOR_CONNECTION_GRANT_TYPE = exports.SUBJECT_TOKEN_TYPES = void 0;
const runtime_js_1 = require("../lib/runtime.js");
const base_auth_api_js_1 = require("./base-auth-api.js");
const id_token_validator_js_1 = require("./id-token-validator.js");
const utils_js_1 = require("../utils.js");
var SUBJECT_TOKEN_TYPES;
(function (SUBJECT_TOKEN_TYPES) {
/**
* Constant representing the subject type for a refresh token.
* This is used in OAuth 2.0 token exchange to specify that the token being exchanged is a refresh token.
*
* @see {@link https://tools.ietf.org/html/rfc8693#section-3.1 RFC 8693 Section 3.1}
*/
SUBJECT_TOKEN_TYPES["REFRESH_TOKEN"] = "urn:ietf:params:oauth:token-type:refresh_token";
/**
* Constant representing the subject type for a access token.
* This is used in OAuth 2.0 token exchange to specify that the token being exchanged is an access token.
*
* @see {@link https://tools.ietf.org/html/rfc8693#section-3.1 RFC 8693 Section 3.1}
*/
SUBJECT_TOKEN_TYPES["ACCESS_TOKEN"] = "urn:ietf:params:oauth:token-type:access_token";
})(SUBJECT_TOKEN_TYPES || (exports.SUBJECT_TOKEN_TYPES = SUBJECT_TOKEN_TYPES = {}));
exports.TOKEN_FOR_CONNECTION_GRANT_TYPE = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token";
/**
* @deprecated Use {@link SUBJECT_TOKEN_TYPES.REFRESH_TOKEN} instead.
*/
exports.TOKEN_FOR_CONNECTION_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token";
exports.TOKEN_FOR_CONNECTION_REQUESTED_TOKEN_TYPE = "http://auth0.com/oauth/token-type/federated-connection-access-token";
exports.TOKEN_URL = "/oauth/token";
/**
* OAuth 2.0 flows.
*/
class OAuth extends base_auth_api_js_1.BaseAuthAPI {
constructor(options) {
super(Object.assign(Object.assign({}, options), { domain: options.useMTLS ? `${utils_js_1.mtlsPrefix}.${options.domain}` : options.domain }));
this.idTokenValidator = new id_token_validator_js_1.IDTokenValidator(options);
}
/**
* This is the flow that regular web apps use to access an API.
*
* Use this endpoint to exchange an Authorization Code for a Token.
*
* See: https://auth0.com/docs/api/authentication#authorization-code-flow44
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId',
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.authorizationCodeGrant({ code: 'mycode' });
* ```
*/
authorizationCodeGrant(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["code"]);
return (0, base_auth_api_js_1.grant)("authorization_code", yield this.addClientAuthentication(bodyParameters), options, this.clientId, this.idTokenValidator, this.request.bind(this));
});
}
/**
* PKCE was originally designed to protect the authorization code flow in mobile apps,
* but its ability to prevent authorization code injection makes it useful for every type of OAuth client,
* even web apps that use client authentication.
*
* See: https://auth0.com/docs/api/authentication#authorization-code-flow-with-pkce45
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId',
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.authorizationCodeGrantWithPKCE({
* code: 'mycode',
* code_verifier: 'mycodeverifier'
* });
* ```
*/
authorizationCodeGrantWithPKCE(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["code", "code_verifier"]);
return (0, base_auth_api_js_1.grant)("authorization_code", yield this.addClientAuthentication(bodyParameters), options, this.clientId, this.idTokenValidator, this.request.bind(this));
});
}
/**
* This is the OAuth 2.0 grant that server processes use to access an API.
*
* Use this endpoint to directly request an Access Token by using the Client's credentials
* (a Client ID and a Client Secret or a Client Assertion).
*
* See: https://auth0.com/docs/api/authentication#client-credentials-flow
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId',
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.clientCredentialsGrant({ audience: 'myaudience' });
* ```
*/
clientCredentialsGrant(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["audience"]);
return (0, base_auth_api_js_1.grant)("client_credentials", yield this.addClientAuthentication(bodyParameters), options, this.clientId, this.idTokenValidator, this.request.bind(this));
});
}
/**
* This is the OAuth 2.0 extension that allows to initiate an OAuth flow from the backchannel instead of by building a URL.
*
*
* See: https://www.rfc-editor.org/rfc/rfc9126.html
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId',
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.pushedAuthorization({ response_type: 'id_token', redirect_uri: 'http://localhost' });
* ```
*/
pushedAuthorization(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["client_id", "response_type", "redirect_uri"]);
const bodyParametersWithClientAuthentication = yield this.addClientAuthentication(bodyParameters);
const response = yield this.request({
path: "/oauth/par",
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams(Object.assign({ client_id: this.clientId }, bodyParametersWithClientAuthentication)),
}, options.initOverrides);
return runtime_js_1.JSONApiResponse.fromResponse(response);
});
}
/**
* This information is typically received from a highly trusted public client like a SPA*.
* (<strong>*Note:</string> For single-page applications and native/mobile apps, we recommend using web flows instead.)
*
* See: https://auth0.com/docs/api/authentication#resource-owner-password
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId'
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.passwordGrant({
* username: 'myusername@example.com',
* password: 'mypassword'
* },
* { initOverrides: { headers: { 'auth0-forwarded-for': 'END.USER.IP.123' } } }
* );
* ```
*
* Set the'auth0-forwarded-for' header to the end-user IP as a string value if you want
* brute-force protection to work in server-side scenarios.
*
* See https://auth0.com/docs/get-started/authentication-and-authorization-flow/avoid-common-issues-with-resource-owner-password-flow-and-attack-protection
*
*/
passwordGrant(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["username", "password"]);
return (0, base_auth_api_js_1.grant)(bodyParameters.realm ? "http://auth0.com/oauth/grant-type/password-realm" : "password", yield this.addClientAuthentication(bodyParameters), options, this.clientId, this.idTokenValidator, this.request.bind(this));
});
}
/**
* Use this endpoint to refresh an Access Token using the Refresh Token you got during authorization.
*
* See: https://auth0.com/docs/api/authentication#refresh-token
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId'
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.refreshTokenGrant({ refresh_token: 'myrefreshtoken' })
* ```
*/
refreshTokenGrant(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["refresh_token"]);
return (0, base_auth_api_js_1.grant)("refresh_token", yield this.addClientAuthentication(bodyParameters), options, this.clientId, this.idTokenValidator, this.request.bind(this));
});
}
/**
* Use this endpoint to invalidate a Refresh Token if it has been compromised.
*
* The behaviour of this endpoint depends on the state of the <a href="https://auth0.com/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens#refresh-tokens-and-grants">Refresh Token Revocation Deletes Grant</a> toggle.
* If this toggle is enabled, then each revocation request invalidates not only the specific token, but all other tokens based on the same authorization grant.
* This means that all Refresh Tokens that have been issued for the same user, application, and audience will be revoked.
* If this toggle is disabled, then only the refresh token is revoked, while the grant is left intact.
*
* See: https://auth0.com/docs/api/authentication#revoke-refresh-token
*
* @example
* ```js
* const auth0 = new AuthenticationApi({
* domain: 'my-domain.auth0.com',
* clientId: 'myClientId'
* clientSecret: 'myClientSecret'
* });
*
* await auth0.oauth.revokeRefreshToken({ token: 'myrefreshtoken' })
* ```
*/
revokeRefreshToken(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["token"]);
const response = yield this.request({
path: "/oauth/revoke",
method: "POST",
headers: {
"Content-Type": "application/json",
},
body: yield this.addClientAuthentication(Object.assign({ client_id: this.clientId }, bodyParameters)),
}, options.initOverrides);
return runtime_js_1.VoidApiResponse.fromResponse(response);
});
}
/**
* Exchanges a subject token for an access token for the connection.
*
* The request body includes:
* - client_id (and client_secret/client_assertion via addClientAuthentication)
* - grant_type set to `urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token`
* - subject_token: the token to exchange
* - subject_token_type: the type of token being exchanged. Defaults to refresh tokens (`urn:ietf:params:oauth:token-type:refresh_token`).
* - requested_token_type (`http://auth0.com/oauth/token-type/federated-connection-access-token`) indicating that a federated connection access token is desired
* - connection name and an optional `login_hint` if provided
*
* @param bodyParameters - The options to retrieve a token for a connection.
* @returns A promise with the token response data.
* @throws An error if the exchange fails.
*/
tokenForConnection(bodyParameters_1) {
return __awaiter(this, arguments, void 0, function* (bodyParameters, options = {}) {
(0, runtime_js_1.validateRequiredRequestParams)(bodyParameters, ["connection", "subject_token"]);
const body = Object.assign(Object.assign({ subject_token_type: SUBJECT_TOKEN_TYPES.REFRESH_TOKEN }, bodyParameters), { grant_type: exports.TOKEN_FOR_CONNECTION_GRANT_TYPE, requested_token_type: exports.TOKEN_FOR_CONNECTION_REQUESTED_TOKEN_TYPE });
yield this.addClientAuthentication(body);
const response = yield this.request({
path: exports.TOKEN_URL,
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
body: new URLSearchParams(body),
}, options.initOverrides);
return runtime_js_1.JSONApiResponse.fromResponse(response);
});
}
}
exports.OAuth = OAuth;