UNPKG

expo-auth-session

Version:

Expo module for browser-based authentication

docs.expo.dev/versions/latest/sdk/auth-session

expo/expo

255 lines (243 loc) 9.79 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
import invariant from 'invariant'; import { CodeChallengeMethod } from './AuthRequest.types'; import { requestAsync } from './Fetch'; // @needsAudit /** * URL using the `https` scheme with no query or fragment component that the OP asserts as its Issuer Identifier. */ export type Issuer = string; // @needsAudit @docsMissing export type ProviderMetadataEndpoints = { issuer?: Issuer; /** * URL of the OP's OAuth 2.0 Authorization Endpoint. */ authorization_endpoint: string; /** * URL of the OP's OAuth 2.0 Token Endpoint. * This is required unless only the Implicit Flow is used. */ token_endpoint: string; /** * URL of the OP's UserInfo Endpoint. */ userinfo_endpoint?: string; revocation_endpoint?: string; registration_endpoint?: string; end_session_endpoint?: string; introspection_endpoint?: string; device_authorization_endpoint?: string; }; /** * OpenID Providers have metadata describing their configuration. * [ProviderMetadata](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata) */ export type ProviderMetadata = Record<string, string | boolean | string[]> & ProviderMetadataEndpoints & { /** * URL of the OP's JSON Web Key Set [JWK](https://openid.net/specs/openid-connect-discovery-1_0.html#JWK) document. */ jwks_uri?: string; /** * JSON array containing a list of the OAuth 2.0 [RFC6749](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC6749) * scope values that this server supports. */ scopes_supported?: string[]; /** * JSON array containing a list of the OAuth 2.0 `response_type` values that this OP supports. * Dynamic OpenID Providers must support the `code`, `id_token`, and the `token` `id_token` Response Type values */ response_types_supported?: string[]; /** * JSON array containing a list of the OAuth 2.0 `response_mode` values that this OP supports, * as specified in [OAuth 2.0 Multiple Response Type Encoding Practices](https://openid.net/specs/openid-connect-discovery-1_0.html#OAuth.Responses). * If omitted, the default for Dynamic OpenID Providers is `["query", "fragment"]`. */ response_modes_supported?: string[]; /** * JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. * Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. * If omitted, the default value is ["authorization_code", "implicit"]. */ grant_types_supported?: string[]; /** * JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. * The algorithm RS256 MUST be included. */ id_token_signing_alg_values_supported?: string[]; /** * JSON array containing a list of the Subject Identifier types that this OP supports. * Valid types include `pairwise` and `public`. */ subject_types_supported?: string[]; /** * A list of Client authentication methods supported by this Token Endpoint. * If omitted, the default is `['client_secret_basic']` */ token_endpoint_auth_methods_supported?: ( | 'client_secret_post' | 'client_secret_basic' | 'client_secret_jwt' | 'private_key_jwt' // Allows for extensions | string )[]; /** * a list of the `display` parameter values that the OpenID Provider supports. */ display_values_supported?: string[]; /** * a list of the Claim Types that the OpenID Provider supports. */ claim_types_supported?: string[]; /** * a list of the Claim Names of the Claims that the OpenID Provider may be able to supply values for. * Note that for privacy or other reasons, this might not be an exhaustive list. */ claims_supported?: string[]; /** * URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. * In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients * needs to be provided in this documentation. */ service_documentation?: string; /** * Languages and scripts supported for values in Claims being returned. */ claims_locales_supported?: string[]; /** * Languages and scripts supported for the user interface, * represented as a JSON array of [BCP47](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5646) language tag values. */ ui_locales_supported?: string[]; /** * Boolean value specifying whether the OP supports use of the claims parameter, with `true` indicating support. * @default false */ claims_parameter_supported?: boolean; /** * Boolean value specifying whether the OP supports use of the request parameter, with `true` indicating support. * @default false */ request_parameter_supported?: boolean; /** * Whether the OP supports use of the `request_uri` parameter, with `true` indicating support. * @default true */ request_uri_parameter_supported?: boolean; /** * Whether the OP requires any `request_uri` values used to be pre-registered using the `request_uris` registration parameter. * Pre-registration is required when the value is `true`. * @default false */ require_request_uri_registration?: boolean; /** * URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how * the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person * registering the Client if it is given. */ op_policy_uri?: string; /** * URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. * The registration process should display this URL to the person registering the Client if it is given. */ op_tos_uri?: string; code_challenge_methods_supported?: CodeChallengeMethod[]; check_session_iframe?: string; backchannel_logout_supported?: boolean; backchannel_logout_session_supported?: boolean; frontchannel_logout_supported?: boolean; frontchannel_logout_session_supported?: boolean; }; // @needsAudit export type DiscoveryDocument = { /** * Used to interact with the resource owner and obtain an authorization grant. * * [Section 3.1](https://tools.ietf.org/html/rfc6749#section-3.1) */ authorizationEndpoint?: string; /** * Used by the client to obtain an access token by presenting its authorization grant or refresh token. * The token endpoint is used with every authorization grant except for the * implicit grant type (since an access token is issued directly). * * [Section 3.2](https://tools.ietf.org/html/rfc6749#section-3.2) */ tokenEndpoint?: string; /** * Used to revoke a token (generally for signing out). The spec requires a revocation endpoint, * but some providers (like Spotify) do not support one. * * [Section 2.1](https://tools.ietf.org/html/rfc7009#section-2.1) */ revocationEndpoint?: string; /** * URL of the OP's UserInfo Endpoint used to return info about the authenticated user. * * [UserInfo](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo) */ userInfoEndpoint?: string; /** * URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP. * * [OPMetadata](https://openid.net/specs/openid-connect-session-1_0-17.html#OPMetadata) */ endSessionEndpoint?: string; /** * URL of the OP's [Dynamic Client Registration](https://openid.net/specs/openid-connect-discovery-1_0.html#OpenID.Registration) Endpoint. */ registrationEndpoint?: string; /** * All metadata about the provider. */ discoveryDocument?: ProviderMetadata; }; // @docsMissing export type IssuerOrDiscovery = Issuer | DiscoveryDocument; /** * Append the well known resources path and OpenID connect discovery document path to a URL * https://tools.ietf.org/html/rfc5785 */ export function issuerWithWellKnownUrl(issuer: Issuer): string { return `${issuer}/.well-known/openid-configuration`; } // @needsAudit /** * Fetch a `DiscoveryDocument` from a well-known resource provider that supports auto discovery. * @param issuer An `Issuer` URL to fetch from. * @return Returns a discovery document that can be used for authentication. */ export async function fetchDiscoveryAsync(issuer: Issuer): Promise<DiscoveryDocument> { const json = await requestAsync<ProviderMetadata>(issuerWithWellKnownUrl(issuer), { dataType: 'json', method: 'GET', }); return { discoveryDocument: json, authorizationEndpoint: json.authorization_endpoint, tokenEndpoint: json.token_endpoint, revocationEndpoint: json.revocation_endpoint, userInfoEndpoint: json.userinfo_endpoint, endSessionEndpoint: json.end_session_endpoint, registrationEndpoint: json.registration_endpoint, }; } // @needsAudit /** * Utility method for resolving the discovery document from an issuer or object. * * @param issuerOrDiscovery */ export async function resolveDiscoveryAsync( issuerOrDiscovery: IssuerOrDiscovery ): Promise<DiscoveryDocument> { invariant( issuerOrDiscovery && !['number', 'boolean'].includes(typeof issuerOrDiscovery), 'Expected a valid discovery object or issuer URL' ); if (typeof issuerOrDiscovery === 'string') { return await fetchDiscoveryAsync(issuerOrDiscovery); } return issuerOrDiscovery; }