;
// Wednesday, 8 January, 2025
// Client Initiated Backchannel Authentication (CIBA)
// TypeScript emit helper: runs a generator function as an async function.
// Each `yield`ed value is awaited and its settled value (or thrown error) is
// fed back into the generator; the returned promise settles with the
// generator's final `return` value. Reuses an existing `__awaiter` on `this`
// (shared helpers build) when one is present.
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
// Wrap non-promise yielded values in P so `.then` can be chained uniformly.
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
// P defaults to the native Promise when the caller passes `void 0`.
return new (P || (P = Promise))(function (resolve, reject) {
// Resume the generator with the awaited value / the rejection reason; a
// synchronous throw from inside the generator rejects the outer promise.
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
// Finished generator → resolve; otherwise await the yielded value and loop.
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
// Kick off: bind `this` and the original arguments, then run to the first yield.
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
// TypeScript emit helper for object rest (`const { a, ...rest } = obj`):
// returns a fresh object holding every own enumerable property of `source`
// (string keys and symbols) whose key is not listed in `excluded`.
// Inherited properties are never copied. Reuses an existing `__rest` on
// `this` (shared helpers build) when one is present.
var __rest = (this && this.__rest) || function (source, excluded) {
  const picked = {};
  // Own enumerable string keys; `for...in` on null/undefined is a no-op in
  // the original, so guard explicitly before calling Object.keys.
  if (source != null) {
    for (const key of Object.keys(source)) {
      if (excluded.indexOf(key) < 0) {
        picked[key] = source[key];
      }
    }
  }
  // Own symbol keys, restricted to enumerable ones.
  if (source != null && typeof Object.getOwnPropertySymbols === "function") {
    for (const sym of Object.getOwnPropertySymbols(source)) {
      const keep = excluded.indexOf(sym) < 0 &&
        Object.prototype.propertyIsEnumerable.call(source, sym);
      if (keep) {
        picked[sym] = source[sym];
      }
    }
  }
  return picked;
};
// CommonJS interop marker emitted by the TypeScript compiler; tells ES-module
// style importers that this file is a transpiled module.
Object.defineProperty(exports, "__esModule", { value: true });
// Hoisted export placeholder; the class is assigned at the end of the file.
exports.Backchannel = void 0;
// CIBA is an OpenID Foundation standard for a decoupled authentication flow. It enables
// solution developers to build authentication flows where the user logging in does not do so
// directly on the device that receives the ID or access tokens (the “Consumption Device”), but
// instead on a separate “Authorization Device”.
const models_js_1 = require("../lib/models.js");
const base_auth_api_js_1 = require("./base-auth-api.js");
/**
 * Builds the `login_hint` value sent with a CIBA authorization request.
 *
 * The hint uses the `iss_sub` format: `iss` is the tenant's `https://` URL
 * and `sub` is the user id. A single trailing slash on `domain` is dropped
 * before the slash is re-added, so `iss` does not end in `//` for the
 * common `tenant.example.com/` input.
 *
 * @param {string} userId - The user ID (interpolated as a string).
 * @param {string} domain - The tenant domain, with or without a trailing slash.
 * @returns {string} The login hint serialised as a JSON string.
 */
const getLoginHint = (userId, domain) => {
  // `/\/$/` removes at most one trailing slash.
  const issuerHost = domain.replace(/\/$/, "");
  return JSON.stringify({
    format: "iss_sub",
    iss: `https://${issuerHost}/`,
    sub: `${userId}`,
  });
};
// grant_type value sent to the token endpoint when polling a CIBA request.
const CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba";
// Path of the backchannel authentication endpoint used by authorize().
const CIBA_AUTHORIZE_URL = "/bc-authorize";
// Path of the token endpoint polled by backchannelGrant().
const CIBA_TOKEN_URL = "/oauth/token";
/**
 * Client Initiated Backchannel Authentication (CIBA) client.
 *
 * The flow is two calls: `authorize()` starts a request against the
 * backchannel authentication endpoint and returns an `auth_req_id`;
 * `backchannelGrant()` then polls the token endpoint with that id until the
 * user has approved or rejected the request on their authorization device.
 */
class Backchannel extends base_auth_api_js_1.BaseAuthAPI {
  /**
   * Initiates a CIBA authorization request.
   *
   * `userId` becomes an `iss_sub` login hint; every other key of `options`
   * is forwarded verbatim as a form parameter. `login_hint` and `client_id`
   * are written after the spread, so an `options` entry with the same name
   * cannot override them.
   *
   * @param {AuthorizeOptions} options - The options for the request.
   * @returns {Promise<AuthorizeResponse>} - The authorization response.
   *
   * @throws {Error} - If the request fails.
   */
  async authorize({ userId, ...options }) {
    const body = {
      ...options,
      login_hint: getLoginHint(userId, this.domain),
      client_id: this.clientId,
    };
    // `requested_expiry` is the documented parameter; the deprecated
    // `request_expiry` is still honoured for backwards compatibility and is
    // used only when `requested_expiry` is absent or falsy.
    const expiry = options.requested_expiry || options.request_expiry;
    if (expiry) {
      body.requested_expiry = expiry;
    }
    await this.addClientAuthentication(body);
    return this.#postForm(CIBA_AUTHORIZE_URL, body);
  }
  /**
   * Polls the token endpoint for the outcome of a backchannel request.
   * Clients call this at regular intervals (no faster than the `interval`
   * returned from /bc-authorize) until tokens are issued.
   *
   * @param {string} auth_req_id - The authorization request ID. This value is returned from the call to /bc-authorize. Once you have exchanged an auth_req_id for an ID and access token, it is no longer usable.
   * @returns {Promise<TokenResponse>} - A promise that resolves to the token response.
   *
   * @throws {Error} - Throws an error if the request fails.
   *
   * While the user has neither approved nor rejected the request, the
   * response looks like:
   * ```json
   * {
   * "error": "authorization_pending",
   * "error_description": "The end-user authorization is pending"
   * }
   * ```
   *
   * If the user rejects the request:
   * ```json
   * {
   * "error": "access_denied",
   * "error_description": "The end-user denied the authorization request or it has been expired"
   * }
   * ```
   *
   * If you poll faster than the `interval` value returned from /bc-authorize:
   * ```json
   * {
   * "error": "slow_down",
   * "error_description": "You are polling faster than allowed. Try again in 10 seconds."
   * }
   * ```
   */
  async backchannelGrant({ auth_req_id }) {
    const body = {
      client_id: this.clientId,
      auth_req_id,
      grant_type: CIBA_GRANT_TYPE,
    };
    await this.addClientAuthentication(body);
    return this.#postForm(CIBA_TOKEN_URL, body);
  }
  /**
   * Sends `body` as a form-encoded POST to `path` and returns the parsed
   * JSON payload.
   *
   * @param {string} path - Endpoint path relative to the tenant base URL.
   * @param {Record<string, string>} body - Form fields, already authenticated.
   * @returns {Promise<unknown>} The `data` of the parsed JSON response.
   */
  async #postForm(path, body) {
    const response = await this.request(
      {
        path,
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: new URLSearchParams(body),
      },
      {},
    );
    const parsed = await models_js_1.JSONApiResponse.fromResponse(response);
    return parsed.data;
  }
}
// Public export; replaces the `void 0` placeholder set near the top of the file.
exports.Backchannel = Backchannel;