1 | import { ICache } from './cache';
|
2 | export interface AuthorizationParams {
|
3 | /**
|
4 | * - `'page'`: displays the UI with a full page view
|
5 | * - `'popup'`: displays the UI with a popup window
|
6 | * - `'touch'`: displays the UI in a way that leverages a touch interface
|
7 | * - `'wap'`: displays the UI with a "feature phone" type interface
|
8 | */
|
9 | display?: 'page' | 'popup' | 'touch' | 'wap';
|
10 | /**
|
11 | * - `'none'`: do not prompt user for login or consent on reauthentication
|
12 | * - `'login'`: prompt user for reauthentication
|
13 | * - `'consent'`: prompt user for consent before processing request
|
14 | * - `'select_account'`: prompt user to select an account
|
15 | */
|
16 | prompt?: 'none' | 'login' | 'consent' | 'select_account';
|
17 | /**
|
18 | * Maximum allowable elapsed time (in seconds) since authentication.
|
19 | * If the last time the user authenticated is greater than this value,
|
20 | * the user must be reauthenticated.
|
21 | */
|
22 | max_age?: string | number;
|
23 | /**
|
24 | * The space-separated list of language tags, ordered by preference.
|
25 | * For example: `'fr-CA fr en'`.
|
26 | */
|
27 | ui_locales?: string;
|
28 | /**
|
29 | * Previously issued ID Token.
|
30 | */
|
31 | id_token_hint?: string;
|
32 | /**
|
33 | * Provides a hint to Auth0 as to what flow should be displayed.
|
34 | * The default behavior is to show a login page but you can override
|
35 | * this by passing 'signup' to show the signup page instead.
|
36 | *
|
37 | * This only affects the New Universal Login Experience.
|
38 | */
|
39 | screen_hint?: 'signup' | 'login' | string;
|
40 | /**
|
41 | * The user's email address or other identifier. When your app knows
|
42 | * which user is trying to authenticate, you can provide this parameter
|
43 | * to pre-fill the email box or select the right session for sign-in.
|
44 | *
|
45 | * This currently only affects the classic Lock experience.
|
46 | */
|
47 | login_hint?: string;
|
48 | acr_values?: string;
|
49 | /**
|
50 | * The default scope to be used on authentication requests.
|
51 | *
|
52 | * This defaults to `profile email` if not set. If you are setting extra scopes and require
|
53 | * `profile` and `email` to be included then you must include them in the provided scope.
|
54 | *
|
55 | * Note: The `openid` scope is **always applied** regardless of this setting.
|
56 | */
|
57 | scope?: string;
|
58 | /**
|
59 | * The default audience to be used for requesting API access.
|
60 | */
|
61 | audience?: string;
|
62 | /**
|
63 | * The name of the connection configured for your application.
|
64 | * If null, it will redirect to the Auth0 Login Page and show
|
65 | * the Login Widget.
|
66 | */
|
67 | connection?: string;
|
68 | /**
|
69 | * The Id of an organization to log in to.
|
70 | *
|
71 | * This will specify an `organization` parameter in your user's login request and will add a step to validate
|
72 | * the `org_id` claim in your user's ID Token.
|
73 | */
|
74 | organization?: string;
|
75 | /**
|
76 | * The Id of an invitation to accept. This is available from the user invitation URL that is given when participating in a user invitation flow.
|
77 | */
|
78 | invitation?: string;
|
79 | /**
|
80 | * The default URL where Auth0 will redirect your browser to with
|
81 | * the authentication result. It must be whitelisted in
|
82 | * the "Allowed Callback URLs" field in your Auth0 Application's
|
83 | * settings. If not provided here, it should be provided in the other
|
84 | * methods that provide authentication.
|
85 | */
|
86 | redirect_uri?: string;
|
87 | /**
|
88 | * If you need to send custom parameters to the Authorization Server,
|
89 | * make sure to use the original parameter name.
|
90 | */
|
91 | [key: string]: any;
|
92 | }
|
93 | interface BaseLoginOptions {
|
94 | /**
|
95 | * URL parameters that will be sent back to the Authorization Server. This can be known parameters
|
96 | * defined by Auth0 or custom parameters that you define.
|
97 | */
|
98 | authorizationParams?: AuthorizationParams;
|
99 | }
|
100 | export interface Auth0ClientOptions extends BaseLoginOptions {
|
101 | /**
|
102 | * Your Auth0 account domain such as `'example.auth0.com'`,
|
103 | * `'example.eu.auth0.com'` or , `'example.mycompany.com'`
|
104 | * (when using [custom domains](https://auth0.com/docs/custom-domains))
|
105 | */
|
106 | domain: string;
|
107 | /**
|
108 | * The issuer to be used for validation of JWTs, optionally defaults to the domain above
|
109 | */
|
110 | issuer?: string;
|
111 | /**
|
112 | * The Client ID found on your Application settings page
|
113 | */
|
114 | clientId: string;
|
115 | /**
|
116 | * The value in seconds used to account for clock skew in JWT expirations.
|
117 | * Typically, this value is no more than a minute or two at maximum.
|
118 | * Defaults to 60s.
|
119 | */
|
120 | leeway?: number;
|
121 | /**
|
122 | * The location to use when storing cache data. Valid values are `memory` or `localstorage`.
|
123 | * The default setting is `memory`.
|
124 | *
|
125 | * Read more about [changing storage options in the Auth0 docs](https://auth0.com/docs/libraries/auth0-single-page-app-sdk#change-storage-options)
|
126 | */
|
127 | cacheLocation?: CacheLocation;
|
128 | /**
|
129 | * Specify a custom cache implementation to use for token storage and retrieval. This setting takes precedence over `cacheLocation` if they are both specified.
|
130 | */
|
131 | cache?: ICache;
|
132 | /**
|
133 | * If true, refresh tokens are used to fetch new access tokens from the Auth0 server. If false, the legacy technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` is used.
|
134 | * The default setting is `false`.
|
135 | *
|
136 | * **Note**: Use of refresh tokens must be enabled by an administrator on your Auth0 client application.
|
137 | */
|
138 | useRefreshTokens?: boolean;
|
139 | /**
|
140 | * If true, fallback to the technique of using a hidden iframe and the `authorization_code` grant with `prompt=none` when unable to use refresh tokens. If false, the iframe fallback is not used and
|
141 | * errors relating to a failed `refresh_token` grant should be handled appropriately. The default setting is `false`.
|
142 | *
|
143 | * **Note**: There might be situations where doing silent auth with a Web Message response from an iframe is not possible,
|
144 | * like when you're serving your application from the file system or a custom protocol (like in a Desktop or Native app).
|
145 | * In situations like this you can disable the iframe fallback and handle the failed `refresh_token` grant and prompt the user to login interactively with `loginWithRedirect` or `loginWithPopup`."
|
146 | *
|
147 | * E.g. Using the `file:` protocol in an Electron application does not support that legacy technique.
|
148 | *
|
149 | * @example
|
150 | * let token: string;
|
151 | * try {
|
152 | * token = await auth0.getTokenSilently();
|
153 | * } catch (e) {
|
154 | * if (e.error === 'missing_refresh_token' || e.error === 'invalid_grant') {
|
155 | * auth0.loginWithRedirect();
|
156 | * }
|
157 | * }
|
158 | */
|
159 | useRefreshTokensFallback?: boolean;
|
160 | /**
|
161 | * A maximum number of seconds to wait before declaring background calls to /authorize as failed for timeout
|
162 | * Defaults to 60s.
|
163 | */
|
164 | authorizeTimeoutInSeconds?: number;
|
165 | /**
|
166 | * Specify the timeout for HTTP calls using `fetch`. The default is 10 seconds.
|
167 | */
|
168 | httpTimeoutInSeconds?: number;
|
169 | /**
|
170 | * Internal property to send information about the client to the authorization server.
|
171 | * @internal
|
172 | */
|
173 | auth0Client?: {
|
174 | name: string;
|
175 | version: string;
|
176 | env?: {
|
177 | [key: string]: string;
|
178 | };
|
179 | };
|
180 | /**
|
181 | * Sets an additional cookie with no SameSite attribute to support legacy browsers
|
182 | * that are not compatible with the latest SameSite changes.
|
183 | * This will log a warning on modern browsers, you can disable the warning by setting
|
184 | * this to false but be aware that some older useragents will not work,
|
185 | * See https://www.chromium.org/updates/same-site/incompatible-clients
|
186 | * Defaults to true
|
187 | */
|
188 | legacySameSiteCookie?: boolean;
|
189 | /**
|
190 | * If `true`, the SDK will use a cookie when storing information about the auth transaction while
|
191 | * the user is going through the authentication flow on the authorization server.
|
192 | *
|
193 | * The default is `false`, in which case the SDK will use session storage.
|
194 | *
|
195 | * @notes
|
196 | *
|
197 | * You might want to enable this if you rely on your users being able to authenticate using flows that
|
198 | * may end up spanning across multiple tabs (e.g. magic links) or you cannot otherwise rely on session storage being available.
|
199 | */
|
200 | useCookiesForTransactions?: boolean;
|
201 | /**
|
202 | * Number of days until the cookie `auth0.is.authenticated` will expire
|
203 | * Defaults to 1.
|
204 | */
|
205 | sessionCheckExpiryDays?: number;
|
206 | /**
|
207 | * The domain the cookie is accessible from. If not set, the cookie is scoped to
|
208 | * the current domain, including the subdomain.
|
209 | *
|
210 | * Note: setting this incorrectly may cause silent authentication to stop working
|
211 | * on page load.
|
212 | *
|
213 | *
|
214 | * To keep a user logged in across multiple subdomains set this to your
|
215 | * top-level domain and prefixed with a `.` (eg: `.example.com`).
|
216 | */
|
217 | cookieDomain?: string;
|
218 | /**
|
219 | * If true, data to the token endpoint is transmitted as x-www-form-urlencoded data, if false it will be transmitted as JSON. The default setting is `true`.
|
220 | *
|
221 | * **Note:** Setting this to `false` may affect you if you use Auth0 Rules and are sending custom, non-primitive data. If you disable this,
|
222 | * please verify that your Auth0 Rules continue to work as intended.
|
223 | */
|
224 | useFormData?: boolean;
|
225 | /**
|
226 | * Modify the value used as the current time during the token validation.
|
227 | *
|
228 | * **Note**: Using this improperly can potentially compromise the token validation.
|
229 | */
|
230 | nowProvider?: () => Promise<number> | number;
|
231 | }
|
232 | /**
|
233 | * The possible locations where tokens can be stored
|
234 | */
|
235 | export declare type CacheLocation = 'memory' | 'localstorage';
|
236 | /**
|
237 | * @ignore
|
238 | */
|
239 | export interface AuthorizeOptions extends AuthorizationParams {
|
240 | response_type: string;
|
241 | response_mode: string;
|
242 | redirect_uri?: string;
|
243 | nonce: string;
|
244 | state: string;
|
245 | scope: string;
|
246 | code_challenge: string;
|
247 | code_challenge_method: string;
|
248 | }
|
249 | export interface RedirectLoginOptions<TAppState = any> extends BaseLoginOptions {
|
250 | /**
|
251 | * Used to store state before doing the redirect
|
252 | */
|
253 | appState?: TAppState;
|
254 | /**
|
255 | * Used to add to the URL fragment before redirecting
|
256 | */
|
257 | fragment?: string;
|
258 | /**
|
259 | * Used to control the redirect and not rely on the SDK to do the actual redirect.
|
260 | *
|
261 | * @example
|
262 | * const client = new Auth0Client({
|
263 | * async onRedirect(url) {
|
264 | * window.location.replace(url);
|
265 | * }
|
266 | * });
|
267 | * @deprecated since v2.0.1, use `openUrl` instead.
|
268 | */
|
269 | onRedirect?: (url: string) => Promise<void>;
|
270 | /**
|
271 | * Used to control the redirect and not rely on the SDK to do the actual redirect.
|
272 | *
|
273 | * @example
|
274 | * const client = new Auth0Client({
|
275 | * openUrl(url) {
|
276 | * window.location.replace(url);
|
277 | * }
|
278 | * });
|
279 | *
|
280 | * @example
|
281 | * import { Browser } from '@capacitor/browser';
|
282 | *
|
283 | * const client = new Auth0Client({
|
284 | * async openUrl(url) {
|
285 | * await Browser.open({ url });
|
286 | * }
|
287 | * });
|
288 | */
|
289 | openUrl?: (url: string) => Promise<void> | void;
|
290 | }
|
291 | export interface RedirectLoginResult<TAppState = any> {
|
292 | /**
|
293 | * State stored when the redirect request was made
|
294 | */
|
295 | appState?: TAppState;
|
296 | }
|
297 | export interface PopupLoginOptions extends BaseLoginOptions {
|
298 | }
|
299 | export interface PopupConfigOptions {
|
300 | /**
|
301 | * The number of seconds to wait for a popup response before
|
302 | * throwing a timeout error. Defaults to 60s
|
303 | */
|
304 | timeoutInSeconds?: number;
|
305 | /**
|
306 | * Accepts an already-created popup window to use. If not specified, the SDK
|
307 | * will create its own. This may be useful for platforms like iOS that have
|
308 | * security restrictions around when popups can be invoked (e.g. from a user click event)
|
309 | */
|
310 | popup?: any;
|
311 | }
|
312 | export interface GetTokenSilentlyOptions {
|
313 | /**
|
314 | * When `off`, ignores the cache and always sends a
|
315 | * request to Auth0.
|
316 | * When `cache-only`, only reads from the cache and never sends a request to Auth0.
|
317 | * Defaults to `on`, where it both reads from the cache and sends a request to Auth0 as needed.
|
318 | */
|
319 | cacheMode?: 'on' | 'off' | 'cache-only';
|
320 | /**
|
321 | * Parameters that will be sent back to Auth0 as part of a request.
|
322 | */
|
323 | authorizationParams?: {
|
324 | /**
|
325 | * There's no actual redirect when getting a token silently,
|
326 | * but, according to the spec, a `redirect_uri` param is required.
|
327 | * Auth0 uses this parameter to validate that the current `origin`
|
328 | * matches the `redirect_uri` `origin` when sending the response.
|
329 | * It must be whitelisted in the "Allowed Web Origins" in your
|
330 | * Auth0 Application's settings.
|
331 | */
|
332 | redirect_uri?: string;
|
333 | /**
|
334 | * The scope that was used in the authentication request
|
335 | */
|
336 | scope?: string;
|
337 | /**
|
338 | * The audience that was used in the authentication request
|
339 | */
|
340 | audience?: string;
|
341 | /**
|
342 | * If you need to send custom parameters to the Authorization Server,
|
343 | * make sure to use the original parameter name.
|
344 | */
|
345 | [key: string]: any;
|
346 | };
|
347 | /** A maximum number of seconds to wait before declaring the background /authorize call as failed for timeout
|
348 | * Defaults to 60s.
|
349 | */
|
350 | timeoutInSeconds?: number;
|
351 | /**
|
352 | * If true, the full response from the /oauth/token endpoint (or the cache, if the cache was used) is returned
|
353 | * (minus `refresh_token` if one was issued). Otherwise, just the access token is returned.
|
354 | *
|
355 | * The default is `false`.
|
356 | */
|
357 | detailedResponse?: boolean;
|
358 | }
|
359 | export interface GetTokenWithPopupOptions extends PopupLoginOptions {
|
360 | /**
|
361 | * When `off`, ignores the cache and always sends a request to Auth0.
|
362 | * When `cache-only`, only reads from the cache and never sends a request to Auth0.
|
363 | * Defaults to `on`, where it both reads from the cache and sends a request to Auth0 as needed.
|
364 | */
|
365 | cacheMode?: 'on' | 'off' | 'cache-only';
|
366 | }
|
367 | export interface LogoutUrlOptions {
|
368 | /**
|
369 | * The `clientId` of your application.
|
370 | *
|
371 | * If this property is not set, then the `clientId` that was used during initialization of the SDK is sent to the logout endpoint.
|
372 | *
|
373 | * If this property is set to `null`, then no client ID value is sent to the logout endpoint.
|
374 | *
|
375 | * [Read more about how redirecting after logout works](https://auth0.com/docs/logout/guides/redirect-users-after-logout)
|
376 | */
|
377 | clientId?: string | null;
|
378 | /**
|
379 | * Parameters to pass to the logout endpoint. This can be known parameters defined by Auth0 or custom parameters
|
380 | * you wish to provide.
|
381 | */
|
382 | logoutParams?: {
|
383 | /**
|
384 | * When supported by the upstream identity provider,
|
385 | * forces the user to logout of their identity provider
|
386 | * and from Auth0.
|
387 | * [Read more about how federated logout works at Auth0](https://auth0.com/docs/logout/guides/logout-idps)
|
388 | */
|
389 | federated?: boolean;
|
390 | /**
|
391 | * The URL where Auth0 will redirect your browser to after the logout.
|
392 | *
|
393 | * **Note**: If the `client_id` parameter is included, the
|
394 | * `returnTo` URL that is provided must be listed in the
|
395 | * Application's "Allowed Logout URLs" in the Auth0 dashboard.
|
396 | * However, if the `client_id` parameter is not included, the
|
397 | * `returnTo` URL must be listed in the "Allowed Logout URLs" at
|
398 | * the account level in the Auth0 dashboard.
|
399 | *
|
400 | * [Read more about how redirecting after logout works](https://auth0.com/docs/logout/guides/redirect-users-after-logout)
|
401 | */
|
402 | returnTo?: string;
|
403 | /**
|
404 | * If you need to send custom parameters to the logout endpoint, make sure to use the original parameter name.
|
405 | */
|
406 | [key: string]: any;
|
407 | };
|
408 | }
|
409 | export interface LogoutOptions extends LogoutUrlOptions {
|
410 | /**
|
411 | * Used to control the redirect and not rely on the SDK to do the actual redirect.
|
412 | *
|
413 | * @example
|
414 | * await auth0.logout({
|
415 | * async onRedirect(url) {
|
416 | * window.location.replace(url);
|
417 | * }
|
418 | * });
|
419 | * @deprecated since v2.0.1, use `openUrl` instead.
|
420 | */
|
421 | onRedirect?: (url: string) => Promise<void>;
|
422 | /**
|
423 | * Used to control the redirect and not rely on the SDK to do the actual redirect.
|
424 | *
|
425 | * Set to `false` to disable the redirect, or provide a function to handle the actual redirect yourself.
|
426 | *
|
427 | * @example
|
428 | * await auth0.logout({
|
429 | * openUrl(url) {
|
430 | * window.location.replace(url);
|
431 | * }
|
432 | * });
|
433 | *
|
434 | * @example
|
435 | * import { Browser } from '@capacitor/browser';
|
436 | *
|
437 | * await auth0.logout({
|
438 | * async openUrl(url) {
|
439 | * await Browser.open({ url });
|
440 | * }
|
441 | * });
|
442 | */
|
443 | openUrl?: false | ((url: string) => Promise<void> | void);
|
444 | }
|
445 | /**
|
446 | * @ignore
|
447 | */
|
448 | export interface AuthenticationResult {
|
449 | state: string;
|
450 | code?: string;
|
451 | error?: string;
|
452 | error_description?: string;
|
453 | }
|
454 | /**
|
455 | * @ignore
|
456 | */
|
457 | export interface TokenEndpointOptions {
|
458 | baseUrl: string;
|
459 | client_id: string;
|
460 | grant_type: string;
|
461 | timeout?: number;
|
462 | auth0Client: any;
|
463 | useFormData?: boolean;
|
464 | [key: string]: any;
|
465 | }
|
466 | export declare type TokenEndpointResponse = {
|
467 | id_token: string;
|
468 | access_token: string;
|
469 | refresh_token?: string;
|
470 | expires_in: number;
|
471 | scope?: string;
|
472 | };
|
473 | /**
|
474 | * @ignore
|
475 | */
|
476 | export interface OAuthTokenOptions extends TokenEndpointOptions {
|
477 | code_verifier: string;
|
478 | code: string;
|
479 | redirect_uri: string;
|
480 | audience: string;
|
481 | scope: string;
|
482 | }
|
483 | /**
|
484 | * @ignore
|
485 | */
|
486 | export interface RefreshTokenOptions extends TokenEndpointOptions {
|
487 | refresh_token: string;
|
488 | }
|
489 | /**
|
490 | * @ignore
|
491 | */
|
492 | export interface JWTVerifyOptions {
|
493 | iss: string;
|
494 | aud: string;
|
495 | id_token: string;
|
496 | nonce?: string;
|
497 | leeway?: number;
|
498 | max_age?: number;
|
499 | organizationId?: string;
|
500 | now?: number;
|
501 | }
|
502 | export interface IdToken {
|
503 | __raw: string;
|
504 | name?: string;
|
505 | given_name?: string;
|
506 | family_name?: string;
|
507 | middle_name?: string;
|
508 | nickname?: string;
|
509 | preferred_username?: string;
|
510 | profile?: string;
|
511 | picture?: string;
|
512 | website?: string;
|
513 | email?: string;
|
514 | email_verified?: boolean;
|
515 | gender?: string;
|
516 | birthdate?: string;
|
517 | zoneinfo?: string;
|
518 | locale?: string;
|
519 | phone_number?: string;
|
520 | phone_number_verified?: boolean;
|
521 | address?: string;
|
522 | updated_at?: string;
|
523 | iss?: string;
|
524 | aud?: string;
|
525 | exp?: number;
|
526 | nbf?: number;
|
527 | iat?: number;
|
528 | jti?: string;
|
529 | azp?: string;
|
530 | nonce?: string;
|
531 | auth_time?: string;
|
532 | at_hash?: string;
|
533 | c_hash?: string;
|
534 | acr?: string;
|
535 | amr?: string;
|
536 | sub_jwk?: string;
|
537 | cnf?: string;
|
538 | sid?: string;
|
539 | org_id?: string;
|
540 | [key: string]: any;
|
541 | }
|
542 | export declare class User {
|
543 | name?: string;
|
544 | given_name?: string;
|
545 | family_name?: string;
|
546 | middle_name?: string;
|
547 | nickname?: string;
|
548 | preferred_username?: string;
|
549 | profile?: string;
|
550 | picture?: string;
|
551 | website?: string;
|
552 | email?: string;
|
553 | email_verified?: boolean;
|
554 | gender?: string;
|
555 | birthdate?: string;
|
556 | zoneinfo?: string;
|
557 | locale?: string;
|
558 | phone_number?: string;
|
559 | phone_number_verified?: boolean;
|
560 | address?: string;
|
561 | updated_at?: string;
|
562 | sub?: string;
|
563 | [key: string]: any;
|
564 | }
|
565 | /**
|
566 | * @ignore
|
567 | */
|
568 | export declare type FetchOptions = {
|
569 | method?: string;
|
570 | headers?: Record<string, string>;
|
571 | credentials?: 'include' | 'omit';
|
572 | body?: string;
|
573 | signal?: AbortSignal;
|
574 | };
|
575 | export declare type GetTokenSilentlyVerboseResponse = Omit<TokenEndpointResponse, 'refresh_token'>;
|
576 | export {};
|
577 |
|
\ | No newline at end of file |