@okta/okta-auth-js
Comparing version 2.6.1 to 2.6.3
# Changelog | ||
## 2.6.3 | ||
### Other | ||
- [(#235)](https://github.com/okta/okta-auth-js/pull/235) - Option `grantType` has been deprecated and will be removed in 3.0 | ||
## 2.6.2 | ||
### Features | ||
- [(#233)](https://github.com/okta/okta-auth-js/pull/235) - New option `pkce` | ||
### Bug Fixes | ||
- [(#233)](https://github.com/okta/okta-auth-js/pull/233) The default `responseMode` was incorrectly set to `fragment` instead of `query` when the `responseType` was `code`. This regression was introduced in version `2.6.0`. | ||
- [747216b](https://github.com/okta/okta-auth-js/commit/747216ba2d186d17a08b0f0482da7e3e94977e98) fix build process, so that /dist/okta-auth-js.min.js is for browsers (since version 2.2.0, dist/ output was being built for node.js applications, which was not intended) | ||
## 2.6.1 | ||
@@ -4,0 +19,0 @@ |
@@ -14,2 +14,3 @@ var packageJson = require('./package.json'); | ||
'testPathIgnorePatterns': [ | ||
'./test/spec/browser.js', | ||
'./test/spec/fingerprint.js', | ||
@@ -16,0 +17,0 @@ './test/spec/general.js', |
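Review bot: The new `'./test/spec/fingerprint.js'` entry in `testPathIgnorePatterns` drops that spec from this jest run without saying why, so a later reader cannot tell an intentional exclusion from a forgotten test. A trailing comment naming the reason would settle it, e.g. `'./test/spec/fingerprint.js', // presumably browser-only, covered by another suite — confirm`. If the spec is still expected to run elsewhere, naming that suite in the comment is enough.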
@@ -34,2 +34,4 @@ /*! | ||
var url = builderUtil.getValidUrl(args); | ||
// OKTA-242989: support for grantType will be removed in 3.0 | ||
var usePKCE = args.pkce || args.grantType === 'authorization_code'; | ||
this.options = { | ||
@@ -42,3 +44,3 @@ url: util.removeTrailingSlash(url), | ||
tokenUrl: util.removeTrailingSlash(args.tokenUrl), | ||
grantType: args.grantType, | ||
pkce: usePKCE, | ||
redirectUri: args.redirectUri, | ||
@@ -51,3 +53,3 @@ httpRequestClient: args.httpRequestClient, | ||
if (this.options.grantType === 'authorization_code' && !sdk.features.isPKCESupported()) { | ||
if (this.options.pkce && !sdk.features.isPKCESupported()) { | ||
throw new AuthSdkError('This browser doesn\'t support PKCE'); | ||
@@ -54,0 +56,0 @@ } |
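Review bot: `var usePKCE = args.pkce || args.grantType === 'authorization_code';` keeps whatever truthy value the caller passed in `args.pkce` rather than a boolean, so `this.options.pkce` can end up as a string or number; the constructor's `isPKCESupported()` guard then fires on truthiness, while `prepareOauthParams` in token.js (`if (oauthParams.pkce !== true)`) skips the PKCE flow for anything but the literal `true` and `getDefaultOAuthParams` (`pkce: sdk.options.pkce || false`) passes the raw value through. A caller setting `pkce: 'true'` or `pkce: 1` would therefore pass the support check and still send a non-PKCE authorize request, which is the kind of silent downgrade this option exists to prevent. Normalizing at the source fixes all three sites: `var usePKCE = !!args.pkce || args.grantType === 'authorization_code';`, with `pkce: !!sdk.options.pkce` in getDefaultOAuthParams and `if (!oauthParams.pkce)` in prepareOauthParams. The deprecated `grantType` path is also silent; emitting a deprecation warning when `args.grantType` is present would help callers migrate before it is removed in 3.0. The enclosing constructor starts and ends outside the hunk.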
@@ -13,3 +13,3 @@ module.exports = { | ||
"PKCE_STORAGE_NAME": "okta-pkce-storage", | ||
"SDK_VERSION": "2.6.1" | ||
"SDK_VERSION": "2.6.3" | ||
}; |
@@ -88,6 +88,2 @@ /*! | ||
} | ||
if (oauthOptions.grantType !== 'authorization_code') { | ||
throw new AuthSdkError('Expecting "grantType" to equal "authorization_code"'); | ||
} | ||
} | ||
@@ -100,3 +96,3 @@ | ||
'redirect_uri': options.redirectUri, | ||
'grant_type': options.grantType, | ||
'grant_type': 'authorization_code', | ||
'code': options.authorizationCode, | ||
@@ -103,0 +99,0 @@ 'code_verifier': options.codeVerifier |
@@ -24,3 +24,3 @@ /*! | ||
var cookies = require('./browser/browserStorage').storage; | ||
var pkce = require('./pkce'); | ||
var PKCE = require('./pkce'); | ||
@@ -135,6 +135,5 @@ function decodeToken(token) { | ||
// Retrieve saved values and build oauthParams for call to /token | ||
var meta = pkce.loadMeta(sdk); | ||
var meta = PKCE.loadMeta(sdk); | ||
var getTokenParams = { | ||
clientId: oauthParams.clientId, | ||
grantType: 'authorization_code', | ||
authorizationCode: authorizationCode, | ||
@@ -144,3 +143,3 @@ codeVerifier: meta.codeVerifier, | ||
}; | ||
return pkce.getToken(sdk, getTokenParams, urls) | ||
return PKCE.getToken(sdk, getTokenParams, urls) | ||
.then(function(res) { | ||
@@ -151,3 +150,3 @@ validateResponse(res, getTokenParams); | ||
.fin(function() { | ||
pkce.clearMeta(sdk); | ||
PKCE.clearMeta(sdk); | ||
}); | ||
@@ -252,12 +251,8 @@ } | ||
function getDefaultOAuthParams(sdk, oauthOptions) { | ||
oauthOptions = util.clone(oauthOptions) || {}; | ||
var grantType = sdk.options.grantType || 'implicit'; | ||
var responseType = grantType === 'authorization_code' ? 'code' : 'id_token'; | ||
var defaults = { | ||
grantType: grantType, | ||
function getDefaultOAuthParams(sdk) { | ||
return { | ||
pkce: sdk.options.pkce || false, | ||
clientId: sdk.options.clientId, | ||
redirectUri: sdk.options.redirectUri || window.location.href, | ||
responseType: responseType, | ||
responseType: 'id_token', | ||
responseMode: 'okta_post_message', | ||
@@ -269,9 +264,2 @@ state: oauthUtil.generateState(), | ||
}; | ||
util.extend(defaults, oauthOptions); | ||
if (defaults.grantType === 'authorization_code' && !defaults.codeChallengeMethod) { | ||
defaults.codeChallengeMethod = pkce.DEFAULT_CODE_CHALLENGE_METHOD; | ||
} | ||
return defaults; | ||
} | ||
@@ -530,16 +518,19 @@ | ||
function prepareOauthParams(sdk, oauthOptions) { | ||
var oauthParams = getDefaultOAuthParams(sdk, oauthOptions); | ||
// clone and prepare options | ||
oauthOptions = util.clone(oauthOptions) || {}; | ||
var responseType = oauthParams.responseType; | ||
if (typeof responseType === 'string') { | ||
responseType = [responseType]; | ||
// OKTA-242989: support for grantType will be removed in 3.0 | ||
if (oauthOptions.grantType === 'authorization_code') { | ||
oauthOptions.pkce = true; | ||
} | ||
if (oauthParams.grantType !== 'authorization_code') { | ||
if (responseType.includes('code')) { | ||
return Q.reject(new AuthSdkError('When responseType is "code", grantType should be "authorization_code"')); | ||
} | ||
// build params using defaults + options | ||
var oauthParams = getDefaultOAuthParams(sdk); | ||
util.extend(oauthParams, oauthOptions); | ||
if (oauthParams.pkce !== true) { | ||
return Q.resolve(oauthParams); | ||
} | ||
// PKCE flow | ||
if (!sdk.features.isPKCESupported()) { | ||
@@ -549,6 +540,10 @@ return Q.reject(new AuthSdkError('This browser doesn\'t support PKCE')); | ||
if (responseType.length !== 1 || responseType[0] !== 'code') { | ||
return Q.reject(new AuthSdkError('When grantType is "authorization_code", responseType should be "code"')); | ||
// set default code challenge method, if none provided | ||
if (!oauthParams.codeChallengeMethod) { | ||
oauthParams.codeChallengeMethod = PKCE.DEFAULT_CODE_CHALLENGE_METHOD; | ||
} | ||
// responseType is forced | ||
oauthParams.responseType = 'code'; | ||
return oauthUtil.getWellKnown(sdk, null) | ||
@@ -563,3 +558,3 @@ .then(function(res) { | ||
// PKCE authorization_code flow | ||
var codeVerifier = pkce.generateVerifier(oauthParams.codeVerifier); | ||
var codeVerifier = PKCE.generateVerifier(oauthParams.codeVerifier); | ||
@@ -571,9 +566,9 @@ // We will need these values after redirect when we call /token | ||
}; | ||
pkce.saveMeta(sdk, meta); | ||
PKCE.saveMeta(sdk, meta); | ||
return pkce.computeChallenge(codeVerifier); | ||
return PKCE.computeChallenge(codeVerifier); | ||
}) | ||
.then(function(codeChallenge) { | ||
// Clone/copy the params. Set codeChallenge and responseType for authorization_code | ||
// Clone/copy the params. Set codeChallenge | ||
var clonedParams = util.clone(oauthParams) || {}; | ||
@@ -589,7 +584,18 @@ util.extend(clonedParams, oauthParams, { | ||
oauthOptions = util.clone(oauthOptions) || {}; | ||
if (!oauthOptions.responseMode) { | ||
oauthOptions.responseMode = 'fragment'; | ||
} | ||
return prepareOauthParams(sdk, oauthOptions) | ||
.then(function(oauthParams) { | ||
// Dynamically set the responseMode unless the user has provided one | ||
// Server-side flow requires query. Client-side apps usually prefer fragment. | ||
if (!oauthOptions.responseMode) { | ||
if (oauthParams.responseType.includes('code') && !oauthParams.pkce) { | ||
// server-side flows using authorization_code | ||
oauthParams.responseMode = 'query'; | ||
} else { | ||
// general case, client-side flow. | ||
oauthParams.responseMode = 'fragment'; | ||
} | ||
} | ||
var urls = oauthUtil.getOAuthUrls(sdk, oauthParams, options); | ||
@@ -626,3 +632,3 @@ var requestUrl = urls.authorizeUrl + buildAuthorizeParams(oauthParams); | ||
var responseType; | ||
if (sdk.options.grantType === 'authorization_code') { | ||
if (sdk.options.pkce) { | ||
responseType = 'code'; | ||
@@ -629,0 +635,0 @@ } else if (token.accessToken) { |
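Review bot: The `responseMode` default in the `getWithRedirect` hunk (`if (oauthParams.responseType.includes('code') && !oauthParams.pkce)`) selects `query` for any response type list that merely contains `code`, including hybrid combinations such as `['code', 'id_token']`, whereas the check this commit removes from `prepareOauthParams` (`responseType.length !== 1 || responseType[0] !== 'code'`) distinguished the plain `code` case from the rest. Narrowing the condition keeps the 2.6.2 fix for the server-side `code` flow without changing hybrid requests: `var rt = [].concat(oauthParams.responseType);` then `if (rt.length === 1 && rt[0] === 'code' && !oauthParams.pkce) {`. Whether the authorization server accepts `query` for a hybrid response is not visible here and should be confirmed before deciding. Separately, `prepareOauthParams` now silently overwrites a caller-supplied `responseType` with `'code'` when `pkce` is true and promotes the deprecated `grantType` to `pkce`; a short JSDoc on that function stating the precedence (request options override SDK defaults, `pkce` forces `responseType` and fills `codeChallengeMethod`) would spare readers the trace. Both functions continue outside their hunks.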
{ | ||
"name": "@okta/okta-auth-js", | ||
"description": "The Okta Auth SDK", | ||
"version": "2.6.1", | ||
"version": "2.6.3", | ||
"homepage": "https://github.com/okta/okta-auth-js", | ||
@@ -83,5 +83,5 @@ "license": "Apache-2.0", | ||
"okta": { | ||
"commitSha": "ea3f395ba375990bed79421561369904bd4b1333", | ||
"fullVersion": "2.6.1-20190723001632-ea3f395" | ||
"commitSha": "9e5b3a0a6b99de4dd87e12e102fcafdae6e80c9a", | ||
"fullVersion": "2.6.3-20190808234314-9e5b3a0" | ||
} | ||
} |
@@ -70,4 +70,6 @@ [<img src="https://devforum.okta.com/uploads/oktadev/original/1X/bf54a16b5fda189e4ad2706fb57cbb7a1e5b8deb.png" align="right" width="256px"/>](https://devforum.okta.com/) | ||
After installing `@okta/okta-auth-js`, the minified auth client will be installed to `node_modules/@okta/okta-auth-js/dist`. You can copy the `dist` contents to a publicly hosted directory. However, if you're using a bundler like [Webpack](https://webpack.github.io/) or [Browserify](http://browserify.org/), you can simply import the module using CommonJS. | ||
If you are using the JS on a web page from the browser, you can copy the `node_modules/@okta/okta-auth-js/dist` contents to publicly hosted directory, and include a reference to the `okta-auth-js.min.js` file in a `<script>` tag. | ||
However, if you're using a bundler like [Webpack](https://webpack.github.io/) or [Browserify](http://browserify.org/), you can simply import the module using CommonJS. | ||
```javascript | ||
@@ -90,3 +92,3 @@ var OktaAuth = require('@okta/okta-auth-js'); | ||
For an overview of the client's features and authentication flows, check out [our developer docs](https://developer.okta.com/docs/guides/okta_auth_sdk). There, you will learn how to use the Auth SDK on a simple static page to: | ||
For an overview of the client's features and authentication flows, check out [our developer docs](https://developer.okta.com/code/javascript/okta_auth_sdk). There, you will learn how to use the Auth SDK on a simple static page to: | ||
@@ -176,3 +178,3 @@ * Retrieve and store an OpenID Connect (OIDC) token | ||
| `redirectUri` | The url that is redirected to when using `token.getWithRedirect`. This must be pre-registered as part of client registration. If no `redirectUri` is provided, defaults to the current origin. | | ||
| `grantType` | Specify `grantType` for this Application. Supported types are `implicit` and `authorization_code`. Defaults to `implicit` | | ||
| `pkce` | If set to true, the authorization flow will automatically use PKCE. The authorize request will use `response_type=code`, and `grant_type=authorization_code` will be used on the token request. All these details are handled for you, including the creation and verification of code verifiers. | | ||
| `authorizeUrl` | Specify a custom authorizeUrl to perform the OIDC flow. Defaults to the issuer plus "/v1/authorize". | | ||
@@ -213,3 +215,3 @@ | `userinfoUrl` | Specify a custom userinfoUrl. Defaults to the issuer plus "/v1/userinfo". | | ||
To use PKCE flow, set `grantType` to `authorization_code` in your config. | ||
To use PKCE flow, set `pkce` to `true` in your config. | ||
@@ -219,3 +221,3 @@ ```javascript | ||
var config = { | ||
grantType: 'authorization_code', | ||
pkce: true, | ||
@@ -1410,3 +1412,3 @@ // other config | ||
| `responseMode` | Specify how the authorization response should be returned. You will generally not need to set this unless you want to override the default values for `token.getWithRedirect`. See [Parameter Details](https://developer.okta.com/docs/api/resources/oidc#parameter-details) for a list of available modes. | | ||
| `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. The default value is based on the configured `grantType`. If `grantType` is `implicit` (the default setting), `responseType` will have a default value of `id_token`. If `grantType` is `authorization_code`, the default value will be `code`. | | ||
| `responseType` | Specify the [response type](https://developer.okta.com/docs/api/resources/oidc#request-parameters) for OIDC authentication. The default value is `id_token`. If `pkce` is `true`, this option will be ingored. | | ||
| | Use an array if specifying multiple response types - in this case, the response will contain both an ID Token and an Access Token. `responseType: ['id_token', 'token']` | | ||
@@ -1413,0 +1415,0 @@ | `scopes` | Specify what information to make available in the returned `id_token` or `access_token`. For OIDC, you must include `openid` as one of the scopes. Defaults to `['openid', 'email']`. For a list of available scopes, see [Scopes and Claims](https://developer.okta.com/docs/api/resources/oidc#access-token-scopes-and-claims). | |