feat(oidc-client): use Effect within token exchange

Author: cerebrl

.changeset/calm-waves-change.md

@@ -0,0 +1,9 @@
+---
+'@forgerock/iframe-manager': minor
+'@forgerock/storage': minor
+'@forgerock/sdk-oidc': minor
+'@forgerock/davinci-client': minor
+'@forgerock/oidc-client': minor
+---
+
+Implemented token exchange within OIDC Client

e2e/oidc-app/src/main.ts

@@ -1,17 +1,30 @@
 import { oidc } from '@forgerock/oidc-client';
 
-async function app() {
-  const oidcClient = await oidc({
-    config: {
-      clientId: 'WebOAuthClient',
-      redirectUri: 'http://localhost:8443/',
-      scope: 'openid',
-      serverConfig: {
-        wellknown:
-          'https://openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration',
-      },
+// const pingAmConfig = {
+//   config: {
+//     clientId: 'WebOAuthClient',
+//     redirectUri: 'http://localhost:8443/',
+//     scope: 'openid',
+//     serverConfig: {
+//       wellknown:
+//         'https://openam-sdks.forgeblocks.com/am/oauth2/alpha/.well-known/openid-configuration',
+//     },
+//   },
+// };
+const pingOneConfig = {
+  config: {
+    clientId: '654b14e2-7cc5-4977-8104-c4113e43c537',
+    redirectUri: 'http://localhost:8443/',
+    scope: 'openid',
+    serverConfig: {
+      wellknown:
+        'https://auth.pingone.ca/02fb4743-189a-4bc7-9d6c-a919edfe6447/as/.well-known/openid-configuration',
     },
-  });
+  },
+};
+
+async function app() {
+  const oidcClient = await oidc(pingOneConfig);
 
   // create object from URL query parameters
   const urlParams = new URLSearchParams(window.location.search);
@@ -21,16 +34,32 @@ async function app() {
   const error = urlParams.get('error');
   // const errorDescription = urlParams.get('error_description');
 
+  // Handle background authorization flow
   if (!code && !error) {
     const response = await oidcClient.authorize.background();
 
     if ('error' in response) {
       console.error('Authorization Error:', response);
-      window.location.assign(response.redirectUrl);
+
+      if (response.redirectUrl) {
+        window.location.assign(response.redirectUrl);
+      } else {
+        console.log('Authorization failed with no ability to redirect:', response);
+      }
       return;
+
+      // Handle success response from background authorization
     } else if ('code' in response) {
       console.log('Authorization Code:', response.code);
+      const tokenResponse = await oidcClient.token.exchange(response.code, response.state);
+      if ('error' in response) {
+        console.error('Token Exchange Error:', tokenResponse);
+      } else {
+        console.log('Token Exchange Response:', tokenResponse);
+      }
     }
+
+    // Handle the user redirecting after authentication
   } else if (code && state) {
     const response = await oidcClient.token.exchange(code, state);
 

packages/davinci-client/src/lib/client.store.ts

@@ -66,10 +66,10 @@ export async function davinci<ActionType extends ActionTypes = ActionTypes>({
 }) {
   const log = loggerFn({ level: logger?.level || 'error', custom: logger?.custom });
   const store = createClientStore({ requestMiddleware, logger: log });
-  const serverInfo = createStorage<ContinueNode['server']>(
-    { storeType: 'localStorage' },
-    'serverInfo',
-  );
+  const serverInfo = createStorage<ContinueNode['server']>({
+    type: 'localStorage',
+    name: 'serverInfo',
+  });
   if (!config.serverConfig.wellknown) {
     const error = new Error(
       '`wellknown` property is a required as part of the `config.serverConfig`',

packages/oidc-client/README.md

@@ -4,7 +4,7 @@ A generic OpenID Connect (OIDC) client library for JavaScript and TypeScript, de
 
 ```js
 // Initialize OIDC Client
-const oidcClient = oidc({
+const oidcClient1 = oidc({
   /* config */
 });
 

packages/oidc-client/src/lib/authorize.request.ts

@@ -1,12 +1,9 @@
-<<<<<<< HEAD
 /*
  * Copyright (c) 2025 Ping Identity Corporation. All rights reserved.
  *
  * This software may be modified and distributed under the terms
  * of the MIT license. See the LICENSE file for details.
  */
-=======
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
 import { CustomLogger } from '@forgerock/sdk-logger';
 import { GetAuthorizationUrlOptions } from '@forgerock/sdk-oidc';
 import { Micro } from 'effect';
@@ -22,39 +19,18 @@ import {
 import type { WellKnownResponse } from '@forgerock/sdk-types';
 
 import type { OidcConfig } from './config.types.js';
-<<<<<<< HEAD
 import { AuthorizeErrorResponse, AuthorizeSuccessResponse } from './authorize.request.types.js';
-=======
-import { AuthorizeSuccessResponse } from './authorize.request.types.js';
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
 
 export async function authorizeµ(
   wellknown: WellKnownResponse,
   config: OidcConfig,
   log: CustomLogger,
   options?: GetAuthorizationUrlOptions,
 ) {
-<<<<<<< HEAD
   return buildAuthorizeOptionsµ(wellknown, config, options).pipe(
     Micro.flatMap(([url, config, options]) => createAuthorizeUrlµ(url, config, options)),
     Micro.tap((url) => log.debug('Authorize URL created', url)),
     Micro.tapError((url) => Micro.sync(() => log.error('Error creating authorize URL', url))),
-=======
-  const buildAuthorizeRequestµ = buildAuthorizeOptionsµ(wellknown, config, options).pipe(
-    Micro.flatMap(([url, config, options]) => createAuthorizeUrlµ(url, config, options)),
-    (effect) => {
-      return Micro.matchEffect(effect, {
-        onSuccess: (url) => {
-          log.debug('Created authorization URL', { url });
-          return effect;
-        },
-        onFailure: (error) => {
-          log.error('Error creating authorization URL', { error });
-          return effect;
-        },
-      });
-    },
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
     Micro.flatMap(([url, config, options]) => {
       if (options.responseMode === 'pi.flow') {
         /**
@@ -63,61 +39,39 @@ export async function authorizeµ(
          * set iframe's to DENY.
          */
         return authorizeFetchµ(url).pipe(
-          Micro.flatMap((response) => {
-<<<<<<< HEAD
-            if ('authorizeResponse' in response) {
-              log.debug('Received authorize response', response.authorizeResponse);
-              return Micro.succeed(response.authorizeResponse);
-            }
-            log.error('Error in authorize response', response);
-            return Micro.fail(createAuthorizeErrorµ(response, wellknown, config, options));
-=======
-            return Micro.gen(function* () {
+          Micro.flatMap(
+            (response): Micro.Micro<AuthorizeSuccessResponse, AuthorizeErrorResponse, never> => {
               if ('authorizeResponse' in response) {
                 log.debug('Received authorize response', response.authorizeResponse);
-                return yield* Micro.succeed(response.authorizeResponse as AuthorizeSuccessResponse);
+                return Micro.succeed(response.authorizeResponse);
               }
               log.error('Error in authorize response', response);
-              const errorResponse = response as { error: string; error_description: string };
-              return yield* createAuthorizeErrorµ(errorResponse, wellknown, config, options);
-            });
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
-          }),
+              // For redirection, we need to remore `pi.flow` from the options
+              const redirectOptions = options;
+              delete redirectOptions.responseMode;
+              return createAuthorizeErrorµ(response, wellknown, config, options);
+            },
+          ),
         );
       } else {
         /**
          * If the response mode is not pi.flow, then we are likely using a traditional
          * redirect based server supporting iframes. An example would be PingAM.
          */
         return authorizeIframeµ(url, config).pipe(
-          Micro.flatMap((response) => {
-<<<<<<< HEAD
-            if ('code' in response && 'state' in response) {
-              log.debug('Received authorization code', response);
-              return Micro.succeed(response as unknown as AuthorizeSuccessResponse);
-            }
-            log.error('Error in authorize response', response);
-            const errorResponse = response as unknown as AuthorizeErrorResponse;
-            return Micro.fail(createAuthorizeErrorµ(errorResponse, wellknown, config, options));
-=======
-            return Micro.gen(function* () {
+          Micro.flatMap(
+            (response): Micro.Micro<AuthorizeSuccessResponse, AuthorizeErrorResponse, never> => {
               if ('code' in response && 'state' in response) {
                 log.debug('Received authorization code', response);
-                return yield* Micro.succeed(response as unknown as AuthorizeSuccessResponse);
+                return Micro.succeed(response as unknown as AuthorizeSuccessResponse);
               }
               log.error('Error in authorize response', response);
-              const errorResponse = response as { error: string; error_description: string };
-              return yield* createAuthorizeErrorµ(errorResponse, wellknown, config, options);
-            });
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
-          }),
+              const errorResponse = response as unknown as AuthorizeErrorResponse;
+              return createAuthorizeErrorµ(errorResponse, wellknown, config, options);
+            },
+          ),
         );
       }
     }),
   );
-<<<<<<< HEAD
-=======
-
-  return Micro.runPromiseExit(buildAuthorizeRequestµ);
->>>>>>> f35d74ad (feat(oidc-client): improve Effect usage)
 }

packages/oidc-client/src/lib/authorize.request.types.ts

@@ -14,5 +14,5 @@ export interface AuthorizeErrorResponse {
   error: string;
   error_description: string;
   redirectUrl?: string; // URL to redirect the user to for re-authorization
-  type: 'auth_error' | 'wellknown_error' | 'network_error' | 'unknown_error';
+  type: 'auth_error' | 'argument_error' | 'wellknown_error';
 }

packages/oidc-client/src/lib/authorize.request.utils.ts

@@ -45,8 +45,8 @@ export function authorizeFetchµ(url: string) {
 
 export function authorizeIframeµ(url: string, config: OidcConfig) {
   return Micro.tryPromise({
-    try: () =>
-      iFrameManager().getParamsByRedirect({
+    try: () => {
+      const params = iFrameManager().getParamsByRedirect({
         url,
         /***
          * https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2
@@ -55,15 +55,17 @@ export function authorizeIframeµ(url: string, config: OidcConfig) {
         successParams: ['code', 'state'],
         errorParams: ['error', 'error_description'],
         timeout: config.serverConfig.timeout || 3000,
-      }),
+      });
+      return params;
+    },
     catch: (err) => {
-      let message = 'Error fetching authorization URL';
+      let message = 'Error calling authorization URL';
       if (err instanceof Error) {
         message = err.message;
       }
 
       return {
-        error: 'Authorization Notwork Failure',
+        error: 'Authorization Network Failure',
         error_description: message,
         type: 'auth_error',
       } as AuthorizeErrorResponse;
@@ -102,17 +104,10 @@ export function createAuthorizeErrorµ(
   options: GetAuthorizationUrlOptions,
 ) {
   return Micro.tryPromise({
-    try: async () => {
-      const url = await createAuthorizeUrl(wellknown.authorization_endpoint, {
+    try: () =>
+      createAuthorizeUrl(wellknown.authorization_endpoint, {
         ...options,
-      });
-      return {
-        error: res.error,
-        error_description: res.error_description,
-        type: 'auth_error',
-        redirectUrl: url,
-      } as AuthorizeErrorResponse;
-    },
+      }),
     catch: (error) => {
       let message = 'Error creating authorization URL';
       if (error instanceof Error) {
@@ -124,7 +119,16 @@ export function createAuthorizeErrorµ(
         type: 'auth_error',
       } as AuthorizeErrorResponse;
     },
-  });
+  }).pipe(
+    Micro.flatMap((url) => {
+      return Micro.fail({
+        error: res.error,
+        error_description: res.error_description,
+        type: 'auth_error',
+        redirectUrl: url,
+      } as AuthorizeErrorResponse);
+    }),
+  );
 }
 
 export function createAuthorizeUrlµ(