AxaFrance · guillaume-chervet · Jan 3, 2025 · Jan 1, 2025 · Jan 3, 2025 · Jan 3, 2025
diff --git a/examples/react-oidc-demo/public/OidcTrustedDomains.js b/examples/react-oidc-demo/public/OidcTrustedDomains.js
diff --git a/examples/react-oidc-demo/src/MultiAuth.tsx b/examples/react-oidc-demo/src/MultiAuth.tsx
@@ -90,6 +90,7 @@ const MultiAuth = ({ configurationName, handleConfigurationChange }) => {
                     tenantId: '1234',
                   },
                   true,
+                  'openid profile email',
                 )
               }
             >

diff --git a/packages/oidc-client-service-worker/src/OidcServiceWorker.ts b/packages/oidc-client-service-worker/src/OidcServiceWorker.ts
@@ -88,9 +88,14 @@ async function generateDpopAsync(
   ) {
     const dpopConfiguration = currentDatabase.demonstratingProofOfPossessionConfiguration;
     const jwk = currentDatabase.demonstratingProofOfPossessionJwkJson;
-    headersExtras['dpop'] = await generateJwtDemonstratingProofOfPossessionAsync(self)(
-      dpopConfiguration,
-    )(jwk, 'POST', url, extrasClaims);
+    const method = originalRequest.method;
+    const dpop = await generateJwtDemonstratingProofOfPossessionAsync(self)(dpopConfiguration)(
+      jwk,
+      method,
+      url,
+      extrasClaims,
+    );
+    headersExtras['dpop'] = dpop;
     if (currentDatabase.demonstratingProofOfPossessionNonce != null) {
       headersExtras['nonce'] = currentDatabase.demonstratingProofOfPossessionNonce;
     }
@@ -127,7 +132,6 @@ const handleFetch = async (event: FetchEvent) => {
     ) {
       requestMode = 'cors';
     }
-
     let headers: { [p: string]: string };
     if (
       originalRequest.mode == 'navigate' &&
@@ -142,11 +146,31 @@ const handleFetch = async (event: FetchEvent) => {
       if (authorization) {
         authenticationMode = authorization.split(' ')[0];
       }
-      headers = {
-        ...serializeHeaders(originalRequest.headers),
-        authorization:
-          authenticationMode + ' ' + currentDatabaseForRequestAccessToken.tokens.access_token,
-      };
+
+      if (authenticationMode.toLowerCase() == 'dpop') {
+        const claimsExtras = {
+          ath: await base64urlOfHashOfASCIIEncodingAsync(
+            currentDatabaseForRequestAccessToken.tokens.access_token,
+          ),
+        };
+        const dpopHeaders = await generateDpopAsync(
+          originalRequest,
+          currentDatabaseForRequestAccessToken,
+          url,
+          claimsExtras,
+        );
+        headers = {
+          ...dpopHeaders,
+          authorization:
+            authenticationMode + ' ' + currentDatabaseForRequestAccessToken.tokens.access_token,
+        };
+      } else {
+        headers = {
+          ...serializeHeaders(originalRequest.headers),
+          authorization:
+            authenticationMode + ' ' + currentDatabaseForRequestAccessToken.tokens.access_token,
+        };
+      }
     }
     let init: RequestInit;
     if (originalRequest.mode === 'navigate') {

diff --git a/packages/oidc-client/src/oidc.ts b/packages/oidc-client/src/oidc.ts
@@ -418,7 +418,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
 
   renewTokensPromise: Promise<any> = null;
 
-  async renewTokensAsync(extras: StringMap = null) {
+  async renewTokensAsync(extras: StringMap = null, scope: string = null) {
     if (this.renewTokensPromise !== null) {
       return this.renewTokensPromise;
     }
@@ -427,7 +427,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
     }
     timer.clearTimeout(this.timeoutId);
     // @ts-ignore
-    this.renewTokensPromise = renewTokensAndStartTimerAsync(this, true, extras);
+    this.renewTokensPromise = renewTokensAndStartTimerAsync(this, true, extras, scope);
     return this.renewTokensPromise.finally(() => {
       this.renewTokensPromise = null;
     });

diff --git a/packages/oidc-client/src/oidcClient.ts b/packages/oidc-client/src/oidcClient.ts
@@ -62,8 +62,8 @@ export class OidcClient {
     return this._oidc.silentLoginCallbackAsync();
   }
 
-  renewTokensAsync(extras: StringMap = null): Promise<void> {
-    return this._oidc.renewTokensAsync(extras);
+  renewTokensAsync(extras: StringMap = null, scope: string = null): Promise<void> {
+    return this._oidc.renewTokensAsync(extras, scope);
   }
 
   loginCallbackAsync(): Promise<LoginCallback> {

diff --git a/packages/oidc-client/src/renewTokens.ts b/packages/oidc-client/src/renewTokens.ts
@@ -8,7 +8,12 @@ import { _silentLoginAsync } from './silentLogin';
 import timer from './timer.js';
 import { OidcConfiguration, StringMap, TokenAutomaticRenewMode } from './types.js';
 
-async function syncTokens(oidc: Oidc, forceRefresh: boolean, extras: StringMap) {
+async function syncTokens(
+  oidc: Oidc,
+  forceRefresh: boolean,
+  extras: StringMap,
+  scope: string = null,
+) {
   const updateTokens = tokens => {
     oidc.tokens = tokens;
   };
@@ -17,6 +22,7 @@ async function syncTokens(oidc: Oidc, forceRefresh: boolean, extras: StringMap)
     0,
     forceRefresh,
     extras,
+    scope,
   );
 
   const serviceWorker = await initWorkerAsync(oidc.configuration, oidc.configurationName);
@@ -36,6 +42,7 @@ export async function renewTokensAndStartTimerAsync(
   oidc,
   forceRefresh = false,
   extras: StringMap = null,
+  scope: string = null,
 ) {
   const configuration = oidc.configuration;
   const lockResourcesName = `${configuration.client_id}_${oidc.configurationName}_${configuration.authority}`;
@@ -44,7 +51,7 @@ export async function renewTokensAndStartTimerAsync(
   const serviceWorker = await initWorkerAsync(oidc.configuration, oidc.configurationName);
 
   if ((configuration?.storage === window?.sessionStorage && !serviceWorker) || !navigator.locks) {
-    tokens = await syncTokens(oidc, forceRefresh, extras);
+    tokens = await syncTokens(oidc, forceRefresh, extras, scope);
   } else {
     let status: any = 'retry';
     while (status === 'retry') {
@@ -58,7 +65,7 @@ export async function renewTokensAndStartTimerAsync(
             });
             return 'retry';
           }
-          return await syncTokens(oidc, forceRefresh, extras);
+          return await syncTokens(oidc, forceRefresh, extras, scope);
         },
       );
     }
@@ -71,13 +78,18 @@ export async function renewTokensAndStartTimerAsync(
 
   if (oidc.timeoutId) {
     // @ts-ignore
-    oidc.timeoutId = autoRenewTokens(oidc, oidc.tokens.expiresAt, extras);
+    oidc.timeoutId = autoRenewTokens(oidc, oidc.tokens.expiresAt, extras, scope);
   }
 
   return oidc.tokens;
 }
 
-export const autoRenewTokens = (oidc: Oidc, expiresAt, extras: StringMap = null) => {
+export const autoRenewTokens = (
+  oidc: Oidc,
+  expiresAt,
+  extras: StringMap = null,
+  scope: string = null,
+) => {
   const refreshTimeBeforeTokensExpirationInSecond =
     oidc.configuration.refresh_time_before_tokens_expiration_in_second;
   if (oidc.timeoutId) {
@@ -87,7 +99,7 @@ export const autoRenewTokens = (oidc: Oidc, expiresAt, extras: StringMap = null)
     const timeLeft = computeTimeLeft(refreshTimeBeforeTokensExpirationInSecond, expiresAt);
     const timeInfo = { timeLeft };
     oidc.publishEvent(Oidc.eventNames.token_timer, timeInfo);
-    await renewTokensAndStartTimerAsync(oidc, false, extras);
+    await renewTokensAndStartTimerAsync(oidc, false, extras, scope);
   }, 1000);
 };
 
@@ -186,7 +198,13 @@ export const syncTokensInfoAsync =
 
 const synchroniseTokensAsync =
   (oidc: Oidc) =>
-  async (updateTokens, index = 0, forceRefresh = false, extras: StringMap = null) => {
+  async (
+    updateTokens,
+    index = 0,
+    forceRefresh = false,
+    extras: StringMap = null,
+    scope: string = null,
+  ) => {
     if (!navigator.onLine && document.hidden) {
       return { tokens: oidc.tokens, status: 'GIVE_UP' };
     }
@@ -211,7 +229,7 @@ const synchroniseTokensAsync =
         oidc.publishEvent.bind(oidc),
       )(extras, state, scope);
     };
-    const localsilentLoginAsync = async () => {
+    const localSilentLoginAsync = async () => {
       try {
         let loginParams;
         const serviceWorker = await initWorkerAsync(configuration, oidc.configurationName);
@@ -225,6 +243,7 @@ const synchroniseTokensAsync =
           ...loginParams.extras,
           ...extras,
           prompt: 'none',
+          scope,
         });
         if (!silent_token_response) {
           updateTokens(null);
@@ -250,7 +269,13 @@ const synchroniseTokensAsync =
           message: 'exceptionSilent',
           exception: exceptionSilent.message,
         });
-        return await synchroniseTokensAsync(oidc)(updateTokens, nextIndex, forceRefresh, extras);
+        return await synchroniseTokensAsync(oidc)(
+          updateTokens,
+          nextIndex,
+          forceRefresh,
+          extras,
+          scope,
+        );
       }
     };
 
@@ -297,7 +322,7 @@ const synchroniseTokensAsync =
           }
 
           oidc.publishEvent(eventNames.refreshTokensAsync_begin, { tryNumber: index });
-          return await localsilentLoginAsync();
+          return await localSilentLoginAsync();
         default: {
           if (
             configuration.token_automatic_renew_mode ==
@@ -314,7 +339,7 @@ const synchroniseTokensAsync =
             tryNumber: index,
           });
           if (!tokens.refreshToken) {
-            return await localsilentLoginAsync();
+            return await localSilentLoginAsync();
           }
 
           const clientId = configuration.client_id;
@@ -412,6 +437,7 @@ const synchroniseTokensAsync =
                 nextIndex,
                 forceRefresh,
                 extras,
+                scope,
               );
             }
           };
@@ -429,7 +455,7 @@ const synchroniseTokensAsync =
       // so we need to brake calls chain and delay next call
       return new Promise((resolve, reject) => {
         setTimeout(() => {
-          synchroniseTokensAsync(oidc)(updateTokens, nextIndex, forceRefresh, extras)
+          synchroniseTokensAsync(oidc)(updateTokens, nextIndex, forceRefresh, extras, scope)
             .then(resolve)
             .catch(reject);
         }, 1000);

diff --git a/packages/oidc-client/src/silentLogin.ts b/packages/oidc-client/src/silentLogin.ts
@@ -37,7 +37,7 @@ export const _silentLoginAsync =
         extras.state = state;
       }
 
-      if (scope) {
+      if (scope != null) {
         if (extras == null) {
           extras = {};
         }
@@ -136,11 +136,11 @@ export const defaultSilentLoginAsync =
   (extras: StringMap = null, scope: string = undefined) => {
     extras = { ...extras };
 
-    const silentLoginAsync = (extras, state, scope) => {
+    const silentLoginAsync = (extras, state, scopeInternal) => {
       return _silentLoginAsync(configurationName, configuration, publishEvent.bind(oidc))(
         extras,
         state,
-        scope,
+        scopeInternal,
       );
     };
 
@@ -170,7 +170,7 @@ export const defaultSilentLoginAsync =
           oidc.tokens = silentResult.tokens;
           publishEvent(eventNames.token_acquired, {});
           // @ts-ignore
-          oidc.timeoutId = autoRenewTokens(oidc, oidc.tokens.expiresAt, extras);
+          oidc.timeoutId = autoRenewTokens(oidc, oidc.tokens.expiresAt, extras, scope);
           return {};
         }
       } catch (e) {
-Original file line number
+Diff line change
@@ Expand Up @@
                         tenantId: '1234',
                       },
                       true,
+                      'openid profile email',
                     )
                   }
                 >
@@ Expand Down @@