diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index f6fd1a69..0c841437 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -1,70 +1,70 @@
name: PUBLISH DOCS
on:
- workflow_dispatch:
- workflow_call:
- # or set up your own custom triggers
+ workflow_dispatch:
+ workflow_call:
+ # or set up your own custom triggers
permissions:
- contents: write # allows the 'Commit' step without tokens
+ contents: write # allows the 'Commit' step without tokens
jobs:
- get_history: # create an artifact from the existing documentation builds
- runs-on: ubuntu-latest
- steps:
- - name: get the gh-pages repo
- uses: actions/checkout@v6
- with:
- ref: gh-pages
+ get_history: # create an artifact from the existing documentation builds
+ runs-on: ubuntu-latest
+ steps:
+ - name: get the gh-pages repo
+ uses: actions/checkout@v6
+ with:
+ ref: gh-pages
- - name: remove all symbolic links from root if present
- run: |
- find . -maxdepth 1 -type l -delete
+ - name: remove all symbolic links from root if present
+ run: |
+ find . -maxdepth 1 -type l -delete
- - name: tar the existing docs from root
- run: |
- tar -cvf documentation.tar ./
+ - name: tar the existing docs from root
+ run: |
+ tar -cvf documentation.tar ./
- - name: create a document artifact
- uses: actions/upload-artifact@v5
- with:
- name: documentation
- path: documentation.tar
- retention-days: 1
+ - name: create a document artifact
+ uses: actions/upload-artifact@v5
+ with:
+ name: documentation
+ path: documentation.tar
+ retention-days: 1
- build_and_deploy: # builds the distribution and then the documentation
- needs: get_history
- runs-on: ubuntu-latest
- permissions:
- contents: write
- steps:
- - name: Checkout src
- uses: actions/checkout@v6
- with:
- token: ${{ github.token }}
+ build_and_deploy: # builds the distribution and then the documentation
+ needs: get_history
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - name: Checkout src
+ uses: actions/checkout@v6
+ with:
+ token: ${{ github.token }}
- - name: Download the existing documents artifact
- uses: actions/download-artifact@v6
- with:
- name: documentation
- - run: rm -rf ./docs # delete previous docs folder present
- - run: mkdir ./docs # create an empty docs folder
- - run: tar -xf documentation.tar -C ./docs
- - run: rm -f documentation.tar
+ - name: Download the existing documents artifact
+ uses: actions/download-artifact@v6
+ with:
+ name: documentation
+ - run: rm -rf ./docs # delete previous docs folder present
+ - run: mkdir ./docs # create an empty docs folder
+ - run: tar -xf documentation.tar -C ./docs
+ - run: rm -f documentation.tar
- - name: Setup
- uses: ./.github/actions/setup
+ - name: Setup
+ uses: ./.github/actions/setup
- - name: Build documents
- run: yarn docs #set up 'docs' build script in your package.json
+ - name: Build documents
+ run: yarn docs #set up 'docs' build script in your package.json
- - name: Remove all the symbolic links from docs folder
- run: find ./docs -type l -delete
+ - name: Remove all the symbolic links from docs folder
+ run: find ./docs -type l -delete
- - name: Run cleanup and manage document versions
- run: node scripts/manage-doc-versions.js
+ - name: Run cleanup and manage document versions
+ run: node scripts/manage-doc-versions.js
- - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
- with:
- github_token: ${{ github.token }}
- publish_dir: ./docs
- keep_files: false
+ - name: Deploy to GitHub Pages
+ uses: peaceiris/actions-gh-pages@v4
+ with:
+ github_token: ${{ github.token }}
+ publish_dir: ./docs
+ keep_files: false
diff --git a/EXAMPLES.md b/EXAMPLES.md
index 93fe387b..03876d0f 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -25,6 +25,12 @@
- [Handling DPoP token migration](#handling-dpop-token-migration)
- [Checking token type](#checking-token-type)
- [Handling nonce errors](#handling-nonce-errors)
+- [Multi-Resource Refresh Tokens (MRRT)](#multi-resource-refresh-tokens-mrrt)
+ - [Overview](#mrrt-overview)
+ - [Prerequisites](#mrrt-prerequisites)
+ - [Using MRRT with Hooks](#using-mrrt-with-hooks)
+ - [Using MRRT with Auth0 Class](#using-mrrt-with-auth0-class)
+ - [Web Platform Configuration](#web-platform-configuration)
- [Bot Protection](#bot-protection)
- [Domain Switching](#domain-switching)
- [Android](#android)
@@ -304,6 +310,128 @@ auth0.webAuth
If the URL doesn't contain the expected values, an error will be raised through the provided callback.
+## Multi-Resource Refresh Tokens (MRRT)
+
+### MRRT Overview
+
+Multi-Resource Refresh Tokens (MRRT) allow your application to obtain access tokens for multiple APIs using a single refresh token. This is useful when your application needs to access multiple backend services, each identified by a different audience.
+
+### MRRT Prerequisites
+
+Before using MRRT, ensure:
+
+1. **MRRT is enabled on your Auth0 tenant** - Contact Auth0 support or enable it through the Auth0 Dashboard
+2. **Request `offline_access` scope during login** - This ensures a refresh token is issued
+3. **Configure your APIs in Auth0 Dashboard** - Each API you want to access should be registered with its own audience identifier
+
+### Using MRRT with Hooks
+
+```tsx
+import { useAuth0 } from 'react-native-auth0';
+
+function MyComponent() {
+ const { authorize, getApiCredentials, clearApiCredentials } = useAuth0();
+
+ const login = async () => {
+ // Login with offline_access to get a refresh token
+ await authorize({
+ scope: 'openid profile email offline_access',
+ audience: 'https://primary-api.example.com',
+ });
+ };
+
+ const getFirstApiToken = async () => {
+ try {
+ // Get credentials for the first API
+ const credentials = await getApiCredentials(
+ 'https://first-api.example.com',
+ 'read:data write:data'
+ );
+ console.log('First API Access Token:', credentials.accessToken);
+ console.log('Expires At:', new Date(credentials.expiresAt * 1000));
+ } catch (error) {
+ console.error('Error:', error);
+ }
+ };
+
+ const getSecondApiToken = async () => {
+ try {
+ // Get credentials for a different API using the same refresh token
+ const credentials = await getApiCredentials(
+ 'https://second-api.example.com',
+ 'read:reports'
+ );
+ console.log('Second API Access Token:', credentials.accessToken);
+ } catch (error) {
+ console.error('Error:', error);
+ }
+ };
+
+ const clearFirstApiCache = async () => {
+ // Clear cached credentials for a specific API
+ await clearApiCredentials('https://first-api.example.com');
+ };
+
+ return (
+ // Your UI components
+ );
+}
+```
+
+### Using MRRT with Auth0 Class
+
+```js
+import Auth0 from 'react-native-auth0';
+
+const auth0 = new Auth0({
+ domain: 'YOUR_AUTH0_DOMAIN',
+ clientId: 'YOUR_AUTH0_CLIENT_ID',
+});
+
+// Login with offline_access scope
+await auth0.webAuth.authorize({
+ scope: 'openid profile email offline_access',
+ audience: 'https://primary-api.example.com',
+});
+
+// Get credentials for a specific API
+const apiCredentials = await auth0.credentialsManager.getApiCredentials(
+ 'https://first-api.example.com',
+ 'read:data write:data'
+);
+
+console.log('Access Token:', apiCredentials.accessToken);
+console.log('Token Type:', apiCredentials.tokenType);
+console.log('Expires At:', apiCredentials.expiresAt);
+console.log('Scope:', apiCredentials.scope);
+
+// Clear cached credentials for a specific API
+await auth0.credentialsManager.clearApiCredentials(
+ 'https://first-api.example.com'
+);
+```
+
+### Web Platform Configuration
+
+On the **web platform**, you must explicitly enable MRRT support in the `Auth0Provider`:
+
+```tsx
+import { Auth0Provider } from 'react-native-auth0';
+
+function App() {
+ return (
+
+
+
+ );
+}
+```
+
## Bot Protection
If you are using the [Bot Protection](https://auth0.com/docs/anomaly-detection/bot-protection) feature and performing database login/signup via the Authentication API, you need to handle the `requires_verification` error. It indicates that the request was flagged as suspicious and an additional verification step is necessary to log the user in. That verification step is web-based, so you need to use Universal Login to complete it.
diff --git a/FAQ.md b/FAQ.md
index 3a465279..9001243f 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -391,7 +391,7 @@ function App() {
const onLogin = async () => {
await authorize({
audience: AUDIENCE,
- scope: 'openid profile email offline_access'
+ scope: 'openid profile email offline_access',
});
};
@@ -400,7 +400,7 @@ function App() {
const credentials = await getCredentials(
'openid profile email offline_access',
0,
- { audience: AUDIENCE } // ← Must include audience here!
+ { audience: AUDIENCE } // ← Must include audience here!
);
console.log('JWT Access Token:', credentials.accessToken);
};
@@ -427,7 +427,7 @@ Define your auth configuration once and reuse it:
```javascript
const AUTH_CONFIG = {
audience: 'https://your-api.example.com',
- scope: 'openid profile email offline_access'
+ scope: 'openid profile email offline_access',
};
// Login
@@ -435,7 +435,7 @@ await authorize(AUTH_CONFIG);
// Get credentials later (include audience in parameters)
await getCredentials(AUTH_CONFIG.scope, 0, {
- audience: AUTH_CONFIG.audience
+ audience: AUTH_CONFIG.audience,
});
```
@@ -444,13 +444,13 @@ await getCredentials(AUTH_CONFIG.scope, 0, {
```javascript
const auth0 = new Auth0({
domain: 'YOUR_DOMAIN',
- clientId: 'YOUR_CLIENT_ID'
+ clientId: 'YOUR_CLIENT_ID',
});
// Login
await auth0.webAuth.authorize({
audience: 'https://your-api.example.com',
- scope: 'openid profile email offline_access'
+ scope: 'openid profile email offline_access',
});
// Get credentials (must include audience)
diff --git a/README.md b/README.md
index 6b48b604..07c0ba14 100644
--- a/README.md
+++ b/README.md
@@ -212,9 +212,9 @@ To use the SDK with Expo, configure the app at build time by providing the `doma
> :info: If you want to switch between multiple domains in your app, refer [here](https://github.com/auth0/react-native-auth0/blob/master/EXAMPLES.md#domain-switching)
-| API | Description |
-| ------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| domain | Mandatory: Provide the Auth0 domain that can be found at the [Application Settings](https://manage.auth0.com/#/applications) |
+| API | Description |
+| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| domain | Mandatory: Provide the Auth0 domain that can be found at the [Application Settings](https://manage.auth0.com/#/applications) |
| customScheme | Optional: Custom scheme to build the callback URL with. The value provided here should be passed to the `customScheme` option parameter of the `authorize` and `clearSession` methods. The custom scheme should be a unique, all lowercase value with no special characters. To use Android App Links, set this value to `"https"`. |
**Note:** When using `customScheme: "https"` for Android App Links, the plugin will automatically add `android:autoVerify="true"` to the intent-filter in your Android manifest to enable automatic verification of App Links.
diff --git a/android/build.gradle b/android/build.gradle
index 42e77318..ffcf375f 100644
--- a/android/build.gradle
+++ b/android/build.gradle
@@ -96,7 +96,7 @@ dependencies {
implementation "com.facebook.react:react-android"
implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
implementation "androidx.browser:browser:1.2.0"
- implementation 'com.auth0.android:auth0:3.10.0'
+ implementation 'com.auth0.android:auth0:3.11.0'
}
if (isNewArchitectureEnabled()) {
diff --git a/android/src/main/java/com/auth0/react/A0Auth0Module.kt b/android/src/main/java/com/auth0/react/A0Auth0Module.kt
index 79f2dde7..eed82a1e 100644
--- a/android/src/main/java/com/auth0/react/A0Auth0Module.kt
+++ b/android/src/main/java/com/auth0/react/A0Auth0Module.kt
@@ -4,6 +4,7 @@ import android.app.Activity
import android.content.Intent
import androidx.fragment.app.FragmentActivity
import com.auth0.android.Auth0
+import com.auth0.android.result.APICredentials
import com.auth0.android.authentication.AuthenticationAPIClient
import com.auth0.android.authentication.AuthenticationException
import com.auth0.android.authentication.storage.CredentialsManagerException
@@ -183,6 +184,7 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
try {
val localAuthOptions = LocalAuthenticationOptionsParser.fromMap(options)
secureCredentialsManager = SecureCredentialsManager(
+ authAPI,
reactContext,
auth0!!,
SharedPreferencesStorage(reactContext),
@@ -192,7 +194,7 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
promise.resolve(true)
return
} catch (e: Exception) {
- secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics()
+ secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics(authAPI)
promise.reject(
BIOMETRICS_AUTHENTICATION_ERROR_CODE,
"Failed to parse the Local Authentication Options, hence proceeding without Biometrics Authentication for handling Credentials"
@@ -200,7 +202,7 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
return
}
} else {
- secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics()
+ secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics(authAPI)
promise.reject(
BIOMETRICS_AUTHENTICATION_ERROR_CODE,
"Biometrics Authentication for Handling Credentials are supported only on FragmentActivity, since a different activity is supplied, proceeding without it"
@@ -209,7 +211,7 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
}
}
- secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics()
+ secureCredentialsManager = getSecureCredentialsManagerWithoutBiometrics(authAPI)
promise.resolve(true)
}
@@ -290,6 +292,47 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
promise.resolve(secureCredentialsManager.hasValidCredentials(minTtl.toLong()))
}
+ @ReactMethod
+ override fun getApiCredentials(
+ audience: String,
+ scope: String?,
+ minTtl: Double,
+ parameters: ReadableMap,
+ promise: Promise
+ ) {
+ val cleanedParameters = mutableMapOf()
+ parameters.toHashMap().forEach { (key, value) ->
+ value?.let { cleanedParameters[key] = it.toString() }
+ }
+
+ UiThreadUtil.runOnUiThread {
+ secureCredentialsManager.getApiCredentials(
+ audience,
+ scope,
+ minTtl.toInt(),
+ cleanedParameters,
+ emptyMap(), // headers not supported from JS yet
+ object : com.auth0.android.callback.Callback {
+ override fun onSuccess(credentials: APICredentials) {
+ val map = ApiCredentialsParser.toMap(credentials)
+ promise.resolve(map)
+ }
+
+ override fun onFailure(e: CredentialsManagerException) {
+ val errorCode = deduceErrorCode(e)
+ promise.reject(errorCode, e.message, e)
+ }
+ }
+ )
+ }
+ }
+
+ @ReactMethod
+ override fun clearApiCredentials(audience: String, promise: Promise) {
+ secureCredentialsManager.clearApiCredentials(audience)
+ promise.resolve(true)
+ }
+
override fun getConstants(): Map {
return mapOf("bundleIdentifier" to reactContext.applicationInfo.packageName)
}
@@ -415,8 +458,9 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
promise.resolve(true)
}
- private fun getSecureCredentialsManagerWithoutBiometrics(): SecureCredentialsManager {
+ private fun getSecureCredentialsManagerWithoutBiometrics(authAPI: AuthenticationAPIClient): SecureCredentialsManager {
return SecureCredentialsManager(
+ authAPI,
reactContext,
auth0!!,
SharedPreferencesStorage(reactContext)
diff --git a/android/src/main/java/com/auth0/react/ApiCredentialsParser.kt b/android/src/main/java/com/auth0/react/ApiCredentialsParser.kt
new file mode 100644
index 00000000..b640d1b1
--- /dev/null
+++ b/android/src/main/java/com/auth0/react/ApiCredentialsParser.kt
@@ -0,0 +1,22 @@
+package com.auth0.react
+
+import com.auth0.android.result.APICredentials
+import com.facebook.react.bridge.Arguments
+import com.facebook.react.bridge.ReadableMap
+
+object ApiCredentialsParser {
+
+ private const val ACCESS_TOKEN_KEY = "accessToken"
+ private const val EXPIRES_AT_KEY = "expiresAt"
+ private const val SCOPE_KEY = "scope"
+ private const val TOKEN_TYPE_KEY = "tokenType"
+
+ fun toMap(credentials: APICredentials): ReadableMap {
+ val map = Arguments.createMap()
+ map.putString(ACCESS_TOKEN_KEY, credentials.accessToken)
+ map.putDouble(EXPIRES_AT_KEY, credentials.expiresAt.time / 1000.0)
+ map.putString(SCOPE_KEY, credentials.scope)
+ map.putString(TOKEN_TYPE_KEY, credentials.type)
+ return map
+ }
+}
diff --git a/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt b/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt
index 58c764ae..9f8ed786 100644
--- a/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt
+++ b/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt
@@ -51,6 +51,20 @@ abstract class A0Auth0Spec(context: ReactApplicationContext) : ReactContextBaseJ
@DoNotStrip
abstract fun clearCredentials(promise: Promise)
+ @ReactMethod
+ @DoNotStrip
+ abstract fun getApiCredentials(
+ audience: String,
+ scope: String?,
+ minTTL: Double,
+ parameters: ReadableMap,
+ promise: Promise
+ )
+
+ @ReactMethod
+ @DoNotStrip
+ abstract fun clearApiCredentials(audience: String, promise: Promise)
+
@ReactMethod
@DoNotStrip
abstract fun webAuth(
diff --git a/eslint.config.mjs b/eslint.config.mjs
index b5bb3924..349b8d96 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -36,7 +36,14 @@ export default defineConfig([
// TypeScript-specific configuration for type-checked rules
{
files: ['**/*.ts', '**/*.tsx'],
- ignores: ['**/__tests__/**', '**/__mocks__/**', '**/*.spec.ts', '**/*.spec.tsx', '**/*.test.ts', '**/*.test.tsx'],
+ ignores: [
+ '**/__tests__/**',
+ '**/__mocks__/**',
+ '**/*.spec.ts',
+ '**/*.spec.tsx',
+ '**/*.test.ts',
+ '**/*.test.tsx',
+ ],
languageOptions: {
parserOptions: {
project: true,
diff --git a/example/src/navigation/MainTabNavigator.tsx b/example/src/navigation/MainTabNavigator.tsx
index fe465ed5..0a9c866f 100644
--- a/example/src/navigation/MainTabNavigator.tsx
+++ b/example/src/navigation/MainTabNavigator.tsx
@@ -5,11 +5,13 @@ import { createBottomTabNavigator } from '@react-navigation/bottom-tabs';
import ProfileScreen from '../screens/hooks/Profile';
import ApiScreen from '../screens/hooks/Api';
import MoreScreen from '../screens/hooks/More';
+import CredentialsScreen from '../screens/hooks/CredentialsScreen';
export type MainTabParamList = {
Profile: undefined;
Api: undefined;
More: undefined;
+ Credentials: undefined;
};
const Tab = createBottomTabNavigator();
@@ -31,6 +33,7 @@ const MainTabNavigator = () => {
component={ProfileScreen}
// You can add icons here if desired
/>
+
diff --git a/example/src/screens/class-based/ClassProfile.tsx b/example/src/screens/class-based/ClassProfile.tsx
index d41b07af..744c6cc8 100644
--- a/example/src/screens/class-based/ClassProfile.tsx
+++ b/example/src/screens/class-based/ClassProfile.tsx
@@ -1,86 +1,195 @@
-import React, { useMemo } from 'react';
-import { SafeAreaView, ScrollView, View, StyleSheet } from 'react-native';
-import { useNavigation, RouteProp } from '@react-navigation/native';
-import type { StackNavigationProp } from '@react-navigation/stack';
+import React, { Component } from 'react';
+import {
+ SafeAreaView,
+ ScrollView,
+ View,
+ StyleSheet,
+ Text,
+ Alert,
+} from 'react-native';
+import { RouteProp, NavigationProp } from '@react-navigation/native';
import { jwtDecode } from 'jwt-decode';
import auth0 from '../../api/auth0';
import Button from '../../components/Button';
import Header from '../../components/Header';
import UserInfo from '../../components/UserInfo';
-import { User } from 'react-native-auth0';
+import { User, Credentials, ApiCredentials } from 'react-native-auth0';
import type { ClassDemoStackParamList } from '../../navigation/ClassDemoNavigator';
+import LabeledInput from '../../components/LabeledInput';
+import config from '../../auth0-configuration';
+import Result from '../../components/Result';
type ProfileRouteProp = RouteProp;
-type NavigationProp = StackNavigationProp<
- ClassDemoStackParamList,
- 'ClassProfile'
->;
type Props = {
route: ProfileRouteProp;
+ navigation: NavigationProp;
};
-const ClassProfileScreen = ({ route }: Props) => {
- const navigation = useNavigation();
- const { credentials } = route.params;
+interface State {
+ user: User | null;
+ result: Credentials | ApiCredentials | object | boolean | null;
+ error: Error | null;
+ audience: string;
+}
- const user = useMemo(() => {
+class ClassProfileScreen extends Component {
+ constructor(props: Props) {
+ super(props);
+ const user = this.decodeIdToken(props.route.params.credentials.idToken);
+ this.state = {
+ user,
+ result: null,
+ error: null,
+ audience: config.audience,
+ };
+ }
+
+ decodeIdToken = (idToken: string): User | null => {
try {
- return jwtDecode(credentials.idToken);
- // eslint-disable-next-line @typescript-eslint/no-unused-vars
- } catch (e) {
+ return jwtDecode(idToken);
+ } catch {
return null;
}
- }, [credentials.idToken]);
+ };
- const onLogout = async () => {
+ runTest = async (testFn: () => Promise, title: string) => {
+ this.setState({ error: null, result: null });
+ try {
+ const res = await testFn();
+ this.setState({ result: res ?? { success: `${title} completed` } });
+ } catch (e) {
+ this.setState({ error: e as Error });
+ }
+ };
+
+ onLogout = async () => {
try {
await auth0.webAuth.clearSession();
await auth0.credentialsManager.clearCredentials();
- navigation.goBack();
+ this.props.navigation.goBack();
} catch (e) {
- console.log('Logout error: ', e);
+ Alert.alert('Error', (e as Error).message);
}
};
- const onNavigateToApiTests = () => {
- navigation.navigate('ClassApiTests', {
- accessToken: credentials.accessToken,
- });
- };
+ render() {
+ const { user, result, error, audience } = this.state;
+ const { accessToken } = this.props.route.params.credentials;
- return (
-
-
-
-
-
-
-
-
-
- );
-};
+ return (
+
+
+
+
+
+
+
+
+
+
+ this.setState({ audience: text })}
+ autoCapitalize="none"
+ />
+
+
+
+
+
+
+ );
+ }
+}
+
+const Section = ({
+ title,
+ children,
+}: {
+ title: string;
+ children: React.ReactNode;
+}) => (
+
+ {title}
+ {children}
+
+);
const styles = StyleSheet.create({
- container: {
- flex: 1,
- backgroundColor: '#FFFFFF',
- },
- content: {
+ container: { flex: 1, backgroundColor: '#FFFFFF' },
+ content: { padding: 16, paddingBottom: 50, alignItems: 'center' },
+ section: {
+ width: '100%',
+ marginBottom: 20,
+ borderWidth: 1,
+ borderColor: '#E0E0E0',
+ borderRadius: 8,
padding: 16,
- alignItems: 'center',
- },
- spacer: {
- height: 16,
- },
- logoutButton: {
- backgroundColor: '#424242',
},
+ sectionTitle: { fontSize: 18, fontWeight: 'bold', marginBottom: 12 },
+ buttonGroup: { gap: 10 },
+ destructiveButton: { backgroundColor: '#424242' },
+ secondaryButton: { backgroundColor: '#FF9800' },
});
export default ClassProfileScreen;
diff --git a/example/src/screens/hooks/CredentialsScreen.tsx b/example/src/screens/hooks/CredentialsScreen.tsx
new file mode 100644
index 00000000..cb8e9cdd
--- /dev/null
+++ b/example/src/screens/hooks/CredentialsScreen.tsx
@@ -0,0 +1,154 @@
+import React, { useState } from 'react';
+import { SafeAreaView, ScrollView, StyleSheet, View, Text } from 'react-native';
+import { useAuth0, Credentials, ApiCredentials } from 'react-native-auth0';
+import Button from '../../components/Button';
+import Header from '../../components/Header';
+import Result from '../../components/Result';
+import LabeledInput from '../../components/LabeledInput';
+import config from '../../auth0-configuration';
+
+const CredentialsScreen = () => {
+ const {
+ getCredentials,
+ hasValidCredentials,
+ clearCredentials,
+ getApiCredentials,
+ clearApiCredentials,
+ revokeRefreshToken,
+ } = useAuth0();
+
+ const [result, setResult] = useState<
+ Credentials | ApiCredentials | object | boolean | null
+ >(null);
+ const [error, setError] = useState(null);
+ const [audience, setAudience] = useState(config.audience);
+ const [scope, setScope] = useState('openid profile email');
+
+ const runTest = async (testFn: () => Promise, title: string) => {
+ setError(null);
+ setResult(null);
+ try {
+ const res = await testFn();
+ setResult(res ?? { success: `${title} completed` });
+ } catch (e) {
+ setError(e as Error);
+ }
+ };
+
+ return (
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ );
+};
+
+const Section = ({
+ title,
+ children,
+}: {
+ title: string;
+ children: React.ReactNode;
+}) => (
+
+ {title}
+ {children}
+
+);
+
+const styles = StyleSheet.create({
+ container: { flex: 1, backgroundColor: '#FFFFFF' },
+ content: { padding: 16, paddingBottom: 50 },
+ section: {
+ marginBottom: 20,
+ borderWidth: 1,
+ borderColor: '#E0E0E0',
+ borderRadius: 8,
+ padding: 16,
+ },
+ sectionTitle: { fontSize: 18, fontWeight: 'bold', marginBottom: 12 },
+ buttonGroup: { gap: 10 },
+ destructiveButton: { backgroundColor: '#424242' },
+ secondaryButton: { backgroundColor: '#FF9800' },
+});
+
+export default CredentialsScreen;
diff --git a/ios/A0Auth0.mm b/ios/A0Auth0.mm
index 8c1ff0b4..6050dc21 100644
--- a/ios/A0Auth0.mm
+++ b/ios/A0Auth0.mm
@@ -77,6 +77,21 @@ - (dispatch_queue_t)methodQueue
[self.nativeBridge hasValidCredentialsWithMinTTL:minTTL resolve:resolve];
}
+RCT_EXPORT_METHOD(getApiCredentials: (NSString *)audience
+ scope:(NSString * _Nullable)scope
+ minTTL:(NSInteger)minTTL
+ parameters:(NSDictionary *)parameters
+ resolve:(RCTPromiseResolveBlock)resolve
+ reject:(RCTPromiseRejectBlock)reject) {
+ [self.nativeBridge getApiCredentialsWithAudience:audience scope:scope minTTL:minTTL parameters:parameters resolve:resolve reject:reject];
+}
+
+RCT_EXPORT_METHOD(clearApiCredentials: (NSString *)audience
+ resolve:(RCTPromiseResolveBlock)resolve
+ reject:(RCTPromiseRejectBlock)reject) {
+ [self.nativeBridge clearApiCredentialsWithAudience:audience resolve:resolve reject:reject];
+}
+
RCT_EXPORT_METHOD(initializeAuth0WithConfiguration:(NSString *)clientId
domain:(NSString *)domain
diff --git a/ios/NativeBridge.swift b/ios/NativeBridge.swift
index 8b142b2e..f5e2f3c1 100644
--- a/ios/NativeBridge.swift
+++ b/ios/NativeBridge.swift
@@ -13,7 +13,6 @@ import LocalAuthentication
@objc
public class NativeBridge: NSObject {
-
static let accessTokenKey = "accessToken";
static let idTokenKey = "idToken";
static let expiresAtKey = "expiresAt";
@@ -325,6 +324,24 @@ public class NativeBridge: NSObject {
}
}
+ @objc public func getApiCredentials(audience: String, scope: String?, minTTL: Int, parameters: [String: Any], resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+ credentialsManager.apiCredentials(forAudience: audience, scope: scope, minTTL: minTTL, parameters: parameters) { result in
+ switch result {
+ case .success(let credentials):
+ resolve(credentials.asDictionary())
+ case .failure(let error):
+ reject(error.reactNativeErrorCode(), error.errorDescription, error)
+ }
+ }
+ }
+
+
+ @objc public func clearApiCredentials(audience: String, resolve: RCTPromiseResolveBlock, reject: RCTPromiseRejectBlock) {
+ // The clear(forAudience:) method returns a boolean indicating success.
+ // We can resolve the promise with this boolean value.
+ resolve(credentialsManager.clear(forAudience: audience))
+ }
+
@objc public func getClientId() -> String {
return clientId
}
@@ -355,6 +372,17 @@ extension Credentials {
}
}
+extension APICredentials {
+ func asDictionary() -> [String: Any] {
+ return [
+ NativeBridge.accessTokenKey: self.accessToken,
+ NativeBridge.tokenTypeKey: self.tokenType,
+ NativeBridge.expiresAtKey: floor(self.expiresIn.timeIntervalSince1970),
+ NativeBridge.scopeKey: self.scope
+ ]
+ }
+}
+
extension WebAuthError {
func reactNativeErrorCode() -> String {
var code: String
diff --git a/src/core/interfaces/ICredentialsManager.ts b/src/core/interfaces/ICredentialsManager.ts
index dcdcdccc..65f4defc 100644
--- a/src/core/interfaces/ICredentialsManager.ts
+++ b/src/core/interfaces/ICredentialsManager.ts
@@ -1,4 +1,5 @@
import type { Credentials } from '../../types';
+import { ApiCredentials } from '../models';
/**
* Defines the contract for securely managing user credentials on the device.
@@ -48,4 +49,64 @@ export interface ICredentialsManager {
* @returns A promise that resolves when the credentials have been cleared.
*/
clearCredentials(): Promise;
+
+ /**
+ * Retrieves API-specific credentials for a given audience using the Multi-Resource Refresh Token (MRRT).
+ *
+ * @remarks
+ * This method obtains an access token for a specific API (audience). If a valid
+ * token is already cached, it's returned. Otherwise, it uses the refresh token
+ * to get a new one.
+ *
+ * @param audience The identifier of the API for which to get credentials (e.g., 'https://api.example.com').
+ * @param scope The scopes to request for the new access token. If omitted, default scopes configured for the API will be used.
+ * @param minTtl The minimum time-to-live (in seconds) required for the access token. If the token expires sooner, a refresh will be attempted.
+ * @param parameters Additional parameters to send during the token refresh request.
+ * @returns A promise that resolves with the API credentials.
+ * @throws {CredentialsManagerError} If the operation fails. Common error types include:
+ * - `NO_CREDENTIALS`: No stored credentials found
+ * - `NO_REFRESH_TOKEN`: Refresh token is not available (ensure 'offline_access' scope was requested during login)
+ * - `API_EXCHANGE_FAILED`: Token exchange for API credentials failed
+ * - `STORE_FAILED`: Failed to store API credentials
+ * - `LARGE_MIN_TTL`: Requested minimum TTL exceeds token lifetime
+ * - `NO_NETWORK`: Network error during token exchange
+ *
+ * @example
+ * ```typescript
+ * try {
+ * const apiCredentials = await credentialsManager.getApiCredentials(
+ * 'https://api.example.com',
+ * 'read:data write:data'
+ * );
+ * console.log('Access Token:', apiCredentials.accessToken);
+ * } catch (error) {
+ * if (error instanceof CredentialsManagerError) {
+ * console.log('Error type:', error.type);
+ * }
+ * }
+ * ```
+ */
+ getApiCredentials(
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: Record
+ ): Promise;
+
+ /**
+ * Removes cached credentials for a specific audience.
+ *
+ * This clears the stored API credentials for the given audience, forcing the next
+ * `getApiCredentials` call for this audience to perform a fresh token exchange.
+ *
+ * @param audience The identifier of the API for which to clear credentials.
+ * @returns A promise that resolves when the credentials are cleared.
+ * @throws {CredentialsManagerError} If the operation fails.
+ *
+ * @example
+ * ```typescript
+ * await credentialsManager.clearApiCredentials('https://api.example.com');
+ * ```
+ */
+ clearApiCredentials(audience: string): Promise;
}
diff --git a/src/core/models/ApiCredentials.ts b/src/core/models/ApiCredentials.ts
new file mode 100644
index 00000000..a6dc8f8a
--- /dev/null
+++ b/src/core/models/ApiCredentials.ts
@@ -0,0 +1,36 @@
+import type { ApiCredentials as IApiCredentials } from '../../types';
+
+/**
+ * A class representation of API-specific user credentials.
+ * It encapsulates the tokens and provides helper methods for convenience.
+ */
+export class ApiCredentials implements IApiCredentials {
+ public accessToken: string;
+ public tokenType: string;
+ public expiresAt: number;
+ public scope?: string;
+
+ /**
+ * Creates an instance of ApiCredentials.
+ *
+ * @param params An object conforming to the ApiCredentials type definition.
+ */
+ constructor(params: IApiCredentials) {
+ this.accessToken = params.accessToken;
+ this.tokenType = params.tokenType;
+ this.expiresAt = params.expiresAt;
+ this.scope = params.scope;
+ }
+
+ /**
+ * Checks if the access token is expired.
+ *
+ * @param [leeway=0] - A buffer in seconds to account for clock skew. The token will be
+ * considered expired if it expires within this buffer.
+ * @returns `true` if the token is expired, `false` otherwise.
+ */
+ isExpired(leeway: number = 0): boolean {
+ const nowInSeconds = Math.floor(Date.now() / 1000);
+ return this.expiresAt <= nowInSeconds + leeway;
+ }
+}
diff --git a/src/core/models/CredentialsManagerError.ts b/src/core/models/CredentialsManagerError.ts
index 230152a9..102577f5 100644
--- a/src/core/models/CredentialsManagerError.ts
+++ b/src/core/models/CredentialsManagerError.ts
@@ -1,6 +1,7 @@
import { AuthError } from './AuthError';
const ERROR_CODE_MAP: Record = {
+ // --- Core CredentialsManager error codes ---
INVALID_CREDENTIALS: 'INVALID_CREDENTIALS',
NO_CREDENTIALS: 'NO_CREDENTIALS',
NO_REFRESH_TOKEN: 'NO_REFRESH_TOKEN',
@@ -13,6 +14,9 @@ const ERROR_CODE_MAP: Record = {
NO_NETWORK: 'NO_NETWORK',
API_ERROR: 'API_ERROR',
+ // --- API Credentials (MRRT) specific codes ---
+ API_EXCHANGE_FAILED: 'API_EXCHANGE_FAILED',
+
// --- Web (@auth0/auth0-spa-js) mappings ---
login_required: 'NO_CREDENTIALS',
consent_required: 'RENEW_FAILED',
@@ -20,6 +24,18 @@ const ERROR_CODE_MAP: Record = {
invalid_grant: 'RENEW_FAILED',
invalid_refresh_token: 'RENEW_FAILED',
missing_refresh_token: 'NO_REFRESH_TOKEN',
+ invalid_request: 'API_ERROR',
+ invalid_scope: 'API_ERROR',
+ server_error: 'API_ERROR',
+ temporarily_unavailable: 'NO_NETWORK',
+
+ // --- iOS-specific mappings ---
+ renewFailed: 'RENEW_FAILED',
+ apiExchangeFailed: 'API_EXCHANGE_FAILED',
+ noCredentials: 'NO_CREDENTIALS',
+ noRefreshToken: 'NO_REFRESH_TOKEN',
+ storeFailed: 'STORE_FAILED',
+ largeMinTTL: 'LARGE_MIN_TTL',
// --- Many-to-one mapping for granular Android Biometric errors ---
INCOMPATIBLE_DEVICE: 'INCOMPATIBLE_DEVICE',
@@ -51,7 +67,159 @@ const ERROR_CODE_MAP: Record = {
BIOMETRIC_AUTHENTICATION_FAILED: 'BIOMETRICS_FAILED',
};
+/**
+ * Represents an error that occurred during Credentials Manager operations.
+ *
+ * This class wraps authentication errors related to credentials management functionality,
+ * including:
+ * - Storing and retrieving credentials
+ * - Refreshing expired credentials
+ * - Multi-Resource Refresh Token (MRRT) / API credentials operations
+ * - Biometric authentication
+ * - Token revocation
+ *
+ * The `type` property provides a normalized, platform-agnostic error code that
+ * applications can use for consistent error handling across iOS, Android, and Web.
+ *
+ * ## Common Error Types:
+ *
+ * ### Credentials Operations:
+ * - `NO_CREDENTIALS`: No stored credentials found
+ * - `NO_REFRESH_TOKEN`: Refresh token not available (ensure 'offline_access' scope was requested)
+ * - `INVALID_CREDENTIALS`: Stored credentials are invalid
+ * - `RENEW_FAILED`: Failed to refresh credentials using refresh token
+ * - `STORE_FAILED`: Failed to store credentials
+ * - `REVOKE_FAILED`: Failed to revoke refresh token
+ * - `LARGE_MIN_TTL`: Requested minimum TTL exceeds token lifetime
+ *
+ * ### API Credentials (MRRT):
+ * - `API_EXCHANGE_FAILED`: Failed to exchange refresh token for API-specific credentials
+ *
+ * ### Network & API:
+ * - `NO_NETWORK`: Network connectivity issue
+ * - `API_ERROR`: Generic API error
+ *
+ * ### Biometric Authentication:
+ * - `BIOMETRICS_FAILED`: Biometric authentication failed
+ * - `INCOMPATIBLE_DEVICE`: Device incompatible with secure storage
+ * - `CRYPTO_EXCEPTION`: Cryptographic operation failed
+ *
+ * @example
+ * ```typescript
+ * // Using with hooks - getCredentials
+ * import { useAuth0, CredentialsManagerError } from 'react-native-auth0';
+ *
+ * function MyComponent() {
+ * const { getCredentials } = useAuth0();
+ *
+ * const fetchCredentials = async () => {
+ * try {
+ * const credentials = await getCredentials();
+ * console.log('Access Token:', credentials.accessToken);
+ * } catch (error) {
+ * if (error instanceof CredentialsManagerError) {
+ * switch (error.type) {
+ * case 'NO_CREDENTIALS':
+ * // User needs to log in
+ * break;
+ * case 'NO_REFRESH_TOKEN':
+ * // Refresh token missing - ensure offline_access scope was requested
+ * break;
+ * case 'RENEW_FAILED':
+ * // Token refresh failed - may need to re-authenticate
+ * break;
+ * case 'BIOMETRICS_FAILED':
+ * // Biometric authentication failed
+ * break;
+ * }
+ * }
+ * }
+ * };
+ * }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Using with hooks - getApiCredentials (MRRT)
+ * import { useAuth0, CredentialsManagerError } from 'react-native-auth0';
+ *
+ * function MyComponent() {
+ * const { getApiCredentials } = useAuth0();
+ *
+ * const fetchApiCredentials = async () => {
+ * try {
+ * const apiCredentials = await getApiCredentials(
+ * 'https://api.example.com',
+ * 'read:data write:data'
+ * );
+ * console.log('API Access Token:', apiCredentials.accessToken);
+ * } catch (error) {
+ * if (error instanceof CredentialsManagerError) {
+ * switch (error.type) {
+ * case 'NO_REFRESH_TOKEN':
+ * // Request offline_access scope on login
+ * break;
+ * case 'API_EXCHANGE_FAILED':
+ * // Check audience and scopes
+ * break;
+ * case 'LARGE_MIN_TTL':
+ * // Reduce minTTL or increase API token expiration
+ * break;
+ * }
+ * }
+ * }
+ * };
+ * }
+ * ```
+ *
+ * @example
+ * ```typescript
+ * // Using with Auth0 class
+ * import Auth0, { CredentialsManagerError } from 'react-native-auth0';
+ *
+ * const auth0 = new Auth0({
+ * domain: 'your-domain.auth0.com',
+ * clientId: 'your-client-id'
+ * });
+ *
+ * async function manageCredentials() {
+ * try {
+ * const credentials = await auth0.credentialsManager.getCredentials();
+ * console.log('Credentials:', credentials);
+ * } catch (error) {
+ * if (error instanceof CredentialsManagerError) {
+ * console.log('Error type:', error.type);
+ * console.log('Error message:', error.message);
+ * }
+ * }
+ * }
+ * ```
+ *
+ * @see {@link https://auth0.com/docs/secure/tokens/refresh-tokens|Auth0 Refresh Tokens Documentation}
+ * @see {@link https://auth0.com/docs/get-started/apis/scopes|Auth0 Scopes Documentation}
+ */
export class CredentialsManagerError extends AuthError {
+ /**
+ * A normalized error type that is consistent across platforms.
+ * This can be used for reliable error handling in application code.
+ *
+ * Possible values:
+ * - `INVALID_CREDENTIALS`: Stored credentials are invalid
+ * - `NO_CREDENTIALS`: No stored credentials found
+ * - `NO_REFRESH_TOKEN`: Refresh token is not available
+ * - `RENEW_FAILED`: Token renewal failed
+ * - `API_EXCHANGE_FAILED`: API credentials exchange failed (MRRT)
+ * - `STORE_FAILED`: Failed to store credentials
+ * - `REVOKE_FAILED`: Failed to revoke refresh token
+ * - `LARGE_MIN_TTL`: Requested minimum TTL exceeds token lifetime
+ * - `BIOMETRICS_FAILED`: Biometric authentication failed
+ * - `INCOMPATIBLE_DEVICE`: Device incompatible with secure storage
+ * - `CRYPTO_EXCEPTION`: Cryptographic operation failed
+ * - `NO_NETWORK`: Network error
+ * - `API_ERROR`: Generic API error
+ * - `CREDENTIAL_MANAGER_ERROR`: Generic credentials manager error
+ * - `UNKNOWN_ERROR`: Unknown error type
+ */
public readonly type: string;
constructor(originalError: AuthError) {
diff --git a/src/core/models/index.ts b/src/core/models/index.ts
index 1332fd48..81e84a8b 100644
--- a/src/core/models/index.ts
+++ b/src/core/models/index.ts
@@ -1,6 +1,7 @@
export { AuthError } from './AuthError';
export { Credentials } from './Credentials';
export { Auth0User } from './Auth0User';
+export { ApiCredentials } from './ApiCredentials';
export { CredentialsManagerError } from './CredentialsManagerError';
export { WebAuthError } from './WebAuthError';
export { DPoPError } from './DPoPError';
diff --git a/src/core/services/AuthenticationOrchestrator.ts b/src/core/services/AuthenticationOrchestrator.ts
index 82acd14f..0f0d0538 100644
--- a/src/core/services/AuthenticationOrchestrator.ts
+++ b/src/core/services/AuthenticationOrchestrator.ts
@@ -175,6 +175,7 @@ export class AuthenticationOrchestrator implements IAuthenticationProvider {
client_id: this.clientId,
refresh_token: payload.refreshToken,
scope: includeRequiredScope(payload.scope),
+ audience: payload.audience,
};
const { json, response } =
await this.client.post(
diff --git a/src/hooks/Auth0Context.ts b/src/hooks/Auth0Context.ts
index 44140373..779f8712 100644
--- a/src/hooks/Auth0Context.ts
+++ b/src/hooks/Auth0Context.ts
@@ -21,6 +21,7 @@ import type {
MfaChallengeResponse,
DPoPHeadersParams,
} from '../types';
+import type { ApiCredentials } from '../core/models';
import type {
NativeAuthorizeOptions,
NativeClearSessionOptions,
@@ -98,6 +99,30 @@ export interface Auth0ContextInterface extends AuthState {
*/
hasValidCredentials: (minTtl?: number) => Promise;
+ /**
+ * Retrieves API-specific credentials.
+ *
+ * @param audience The identifier of the API for which to get credentials.
+ * @param scope The scopes to request for the new access token.
+ * @param minTtl The minimum time-to-live (in seconds) required for the access token. If the token expires sooner, a refresh will be attempted.
+ * @param parameters Additional parameters to send during the token refresh request.
+ * @returns A promise that resolves with the API credentials.
+ * @throws {AuthError} If credentials cannot be retrieved or refreshed.
+ */
+ getApiCredentials(
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: Record
+ ): Promise;
+
+ /**
+ * Removes cached credentials for a specific audience.
+ *
+ * @param audience The identifier of the API for which to clear credentials.
+ * @returns A promise that resolves when the credentials are cleared.
+ */
+ clearApiCredentials(audience: string): Promise;
/**
* Cancels the ongoing web authentication process.
* This works only on iOS. On other platforms, it will resolve without performing an action.
@@ -267,6 +292,8 @@ const initialContext: Auth0ContextInterface = {
getCredentials: stub,
clearCredentials: stub,
hasValidCredentials: stub,
+ getApiCredentials: stub,
+ clearApiCredentials: stub,
loginWithPasswordRealm: stub,
cancelWebAuth: stub,
authorizeWithExchange: stub,
diff --git a/src/hooks/Auth0Provider.tsx b/src/hooks/Auth0Provider.tsx
index 889efa4d..eb436073 100644
--- a/src/hooks/Auth0Provider.tsx
+++ b/src/hooks/Auth0Provider.tsx
@@ -1,5 +1,6 @@
import { useEffect, useReducer, useMemo, useCallback } from 'react';
import type { PropsWithChildren } from 'react';
+import type { ApiCredentials } from '../core/models';
import { Auth0Context, type Auth0ContextInterface } from './Auth0Context';
import { reducer } from './reducer';
import type {
@@ -218,6 +219,38 @@ export const Auth0Provider = ({
[client, voidFlow]
);
+ const getApiCredentials = useCallback(
+ async (
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: Record
+ ): Promise => {
+ try {
+ return await client.credentialsManager.getApiCredentials(
+ audience,
+ scope,
+ minTtl,
+ parameters
+ );
+ } catch (e) {
+ const error = e as AuthError;
+ dispatch({ type: 'ERROR', error });
+ throw error;
+ }
+ },
+ [client]
+ );
+
+ const clearApiCredentials = useCallback(
+ (audience: string): Promise => {
+ // Clearing API credentials doesn't affect the user's login state
+ // so we don't need to dispatch any actions.
+ return voidFlow(client.credentialsManager.clearApiCredentials(audience));
+ },
+ [client, voidFlow]
+ );
+
const loginWithPasswordRealm = useCallback(
(parameters: PasswordRealmParameters) =>
loginFlow(client.auth.passwordRealm(parameters)),
@@ -339,6 +372,8 @@ export const Auth0Provider = ({
getCredentials,
hasValidCredentials,
clearCredentials,
+ getApiCredentials,
+ clearApiCredentials,
cancelWebAuth,
loginWithPasswordRealm,
createUser,
@@ -364,6 +399,8 @@ export const Auth0Provider = ({
getCredentials,
hasValidCredentials,
clearCredentials,
+ getApiCredentials,
+ clearApiCredentials,
cancelWebAuth,
loginWithPasswordRealm,
createUser,
diff --git a/src/hooks/__tests__/Auth0Provider.spec.tsx b/src/hooks/__tests__/Auth0Provider.spec.tsx
index 3e32f43d..68ce4b36 100644
--- a/src/hooks/__tests__/Auth0Provider.spec.tsx
+++ b/src/hooks/__tests__/Auth0Provider.spec.tsx
@@ -553,12 +553,6 @@ describe('Auth0Provider', () => {
await act(async () => {
fireEvent.click(clearCredentialsButton);
});
-
- await waitFor(() =>
- expect(screen.getByTestId('user-status')).toHaveTextContent(
- 'Not logged in'
- )
- );
expect(
mockClientInstance.credentialsManager.clearCredentials
).toHaveBeenCalled();
diff --git a/src/platforms/native/adapters/NativeCredentialsManager.ts b/src/platforms/native/adapters/NativeCredentialsManager.ts
index 5624a3ad..82c4f3bc 100644
--- a/src/platforms/native/adapters/NativeCredentialsManager.ts
+++ b/src/platforms/native/adapters/NativeCredentialsManager.ts
@@ -1,7 +1,10 @@
import type { ICredentialsManager } from '../../../core/interfaces';
-import { AuthError } from '../../../core/models';
+import { ApiCredentials, AuthError } from '../../../core/models';
import { CredentialsManagerError } from '../../../core/models';
-import type { Credentials } from '../../../types';
+import type {
+ ApiCredentials as IApiCredentials,
+ Credentials,
+} from '../../../types';
import type { INativeBridge } from '../bridge';
/**
@@ -43,6 +46,30 @@ export class NativeCredentialsManager implements ICredentialsManager {
async clearCredentials(): Promise {
await this.handleError(this.bridge.clearCredentials());
// Also clear the DPoP key when clearing credentials
- await this.handleError(this.bridge.clearDPoPKey());
+ // Ignore errors from DPoP key clearing - this matches iOS behavior
+ // where we log the error but don't fail the operation
+ try {
+ await this.bridge.clearDPoPKey();
+ } catch {
+ // Silently ignore DPoP key clearing errors
+ // The main credentials are already cleared at this point
+ }
+ }
+
+ async getApiCredentials(
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: Record
+ ): Promise {
+ const nativeCredentials = await this.handleError(
+ this.bridge.getApiCredentials(audience, scope, minTtl ?? 0, parameters)
+ );
+ // Convert plain object from native to class instance
+ return new ApiCredentials(nativeCredentials as IApiCredentials);
+ }
+
+ clearApiCredentials(audience: string): Promise {
+ return this.handleError(this.bridge.clearApiCredentials(audience));
}
}
diff --git a/src/platforms/native/adapters/__tests__/NativeCredentialsManager.spec.ts b/src/platforms/native/adapters/__tests__/NativeCredentialsManager.spec.ts
index 3924a903..d223cfbb 100644
--- a/src/platforms/native/adapters/__tests__/NativeCredentialsManager.spec.ts
+++ b/src/platforms/native/adapters/__tests__/NativeCredentialsManager.spec.ts
@@ -1,5 +1,6 @@
import { NativeCredentialsManager } from '../NativeCredentialsManager';
import { INativeBridge } from '../../bridge';
+import { AuthError, CredentialsManagerError } from '../../../../core/models';
// 1. Create a mock of the INativeBridge dependency.
const mockBridge: jest.Mocked = {
@@ -9,6 +10,8 @@ const mockBridge: jest.Mocked = {
hasValidCredentials: jest.fn(),
clearCredentials: jest.fn(),
clearDPoPKey: jest.fn(),
+ getApiCredentials: jest.fn(),
+ clearApiCredentials: jest.fn(),
// Add stubs for other INativeBridge methods to satisfy the type.
initialize: jest.fn(),
hasValidInstance: jest.fn(),
@@ -131,4 +134,130 @@ describe('NativeCredentialsManager', () => {
expect(mockBridge.clearCredentials).toHaveBeenCalledTimes(1);
});
});
+
+ describe('getApiCredentials', () => {
+ it('should throw CredentialsManagerError on NO_CREDENTIALS error', async () => {
+ const authError = new AuthError('NO_CREDENTIALS', 'No credentials', {
+ code: 'NO_CREDENTIALS',
+ });
+ mockBridge.getApiCredentials.mockRejectedValue(authError);
+
+ await expect(
+ manager.getApiCredentials('https://api.example.com')
+ ).rejects.toThrow(CredentialsManagerError);
+
+ await expect(
+ manager.getApiCredentials('https://api.example.com')
+ ).rejects.toMatchObject({
+ type: 'NO_CREDENTIALS',
+ message: 'No credentials',
+ });
+ });
+
+ it('should throw CredentialsManagerError on NO_REFRESH_TOKEN error', async () => {
+ const authError = new AuthError('NO_REFRESH_TOKEN', 'No refresh token', {
+ code: 'NO_REFRESH_TOKEN',
+ });
+ mockBridge.getApiCredentials.mockRejectedValue(authError);
+
+ await expect(
+ manager.getApiCredentials('https://api.example.com', 'read:data')
+ ).rejects.toThrow(CredentialsManagerError);
+
+ await expect(
+ manager.getApiCredentials('https://api.example.com', 'read:data')
+ ).rejects.toMatchObject({
+ type: 'NO_REFRESH_TOKEN',
+ message: 'No refresh token',
+ });
+ });
+
+ it('should throw CredentialsManagerError on API_EXCHANGE_FAILED error', async () => {
+ const authError = new AuthError(
+ 'invalid_grant',
+ 'Refresh token is invalid',
+ {
+ code: 'invalid_grant',
+ status: 403,
+ }
+ );
+ mockBridge.getApiCredentials.mockRejectedValue(authError);
+
+ await expect(
+ manager.getApiCredentials('https://api.example.com')
+ ).rejects.toThrow(CredentialsManagerError);
+
+ const error = await manager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error).toBeInstanceOf(CredentialsManagerError);
+ expect(error.type).toBe('RENEW_FAILED');
+ expect(error.message).toBe('Refresh token is invalid');
+ expect(error.status).toBe(403);
+ });
+
+ it('should throw CredentialsManagerError with proper error code mapping', async () => {
+ const authError = new AuthError('RENEW_FAILED', 'Renewal failed', {
+ code: 'RENEW_FAILED',
+ });
+ mockBridge.getApiCredentials.mockRejectedValue(authError);
+
+ const error = await manager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error).toBeInstanceOf(CredentialsManagerError);
+ expect(error.type).toBe('RENEW_FAILED');
+ });
+
+ it('should return API credentials on success', async () => {
+ const mockCredentials = {
+ accessToken: 'access_token_123',
+ tokenType: 'Bearer',
+ expiresAt: Date.now() + 3600000,
+ scope: 'read:data',
+ };
+ mockBridge.getApiCredentials.mockResolvedValue(mockCredentials);
+
+ const result = await manager.getApiCredentials(
+ 'https://api.example.com',
+ 'read:data'
+ );
+
+ expect(result.accessToken).toBe('access_token_123');
+ expect(result.tokenType).toBe('Bearer');
+ expect(mockBridge.getApiCredentials).toHaveBeenCalledWith(
+ 'https://api.example.com',
+ 'read:data',
+ 0,
+ undefined
+ );
+ });
+ });
+
+ describe('clearApiCredentials', () => {
+ it('should throw CredentialsManagerError on error', async () => {
+ const authError = new AuthError('CLEAR_FAILED', 'Clear failed', {
+ code: 'CLEAR_FAILED',
+ });
+ mockBridge.clearApiCredentials.mockRejectedValue(authError);
+
+ await expect(
+ manager.clearApiCredentials('https://api.example.com')
+ ).rejects.toThrow(CredentialsManagerError);
+ });
+
+ it('should clear credentials on success', async () => {
+ mockBridge.clearApiCredentials.mockResolvedValue(undefined);
+
+ await expect(
+ manager.clearApiCredentials('https://api.example.com')
+ ).resolves.toBeUndefined();
+
+ expect(mockBridge.clearApiCredentials).toHaveBeenCalledWith(
+ 'https://api.example.com'
+ );
+ });
+ });
});
diff --git a/src/platforms/native/bridge/INativeBridge.ts b/src/platforms/native/bridge/INativeBridge.ts
index 43e5f242..03938500 100644
--- a/src/platforms/native/bridge/INativeBridge.ts
+++ b/src/platforms/native/bridge/INativeBridge.ts
@@ -1,5 +1,6 @@
import type {
Credentials,
+ ApiCredentials,
WebAuthorizeParameters,
ClearSessionParameters,
DPoPHeadersParams,
@@ -105,6 +106,23 @@ export interface INativeBridge {
*/
hasValidCredentials(minTtl?: number): Promise;
+ /**
+ * Retrieves API-specific credentials from secure storage.
+ *
+ * @param audience The audience of the API.
+ * @param scope The scopes to request during a token refresh.
+ * @param minTtl The minimum time-to-live (in seconds) for the access token.
+ * @param parameters Additional parameters for the refresh request.
+ * @returns A promise that resolves with the API credentials.
+ */
+ getApiCredentials(
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: object
+ ): Promise;
+
+ clearApiCredentials(audience: string): Promise;
/**
* Clears credentials from secure storage.
*/
diff --git a/src/platforms/native/bridge/NativeBridgeManager.ts b/src/platforms/native/bridge/NativeBridgeManager.ts
index 150bc337..29b2837d 100644
--- a/src/platforms/native/bridge/NativeBridgeManager.ts
+++ b/src/platforms/native/bridge/NativeBridgeManager.ts
@@ -1,5 +1,6 @@
import type { INativeBridge } from './INativeBridge';
import type {
+ ApiCredentials,
Credentials,
WebAuthorizeParameters,
ClearSessionParameters,
@@ -147,6 +148,29 @@ export class NativeBridgeManager implements INativeBridge {
);
}
+ getApiCredentials(
+ audience: string,
+ scope?: string,
+ minTtl?: number,
+ parameters?: Record
+ ): Promise {
+ const params = parameters ?? {};
+ return this.a0_call(
+ Auth0NativeModule.getApiCredentials.bind(Auth0NativeModule),
+ audience,
+ scope,
+ minTtl ?? 0,
+ params
+ );
+ }
+
+ clearApiCredentials(audience: string): Promise {
+ return this.a0_call(
+ Auth0NativeModule.clearApiCredentials.bind(Auth0NativeModule),
+ audience
+ );
+ }
+
async hasValidCredentials(minTtl?: number): Promise {
return this.a0_call(
Auth0NativeModule.hasValidCredentials.bind(Auth0NativeModule),
diff --git a/src/platforms/web/adapters/WebAuth0Client.ts b/src/platforms/web/adapters/WebAuth0Client.ts
index 46d4f589..ad365df4 100644
--- a/src/platforms/web/adapters/WebAuth0Client.ts
+++ b/src/platforms/web/adapters/WebAuth0Client.ts
@@ -66,8 +66,11 @@ export class WebAuth0Client implements IAuth0Client {
const clientOptions: Auth0ClientOptions = {
domain: options.domain,
clientId: options.clientId,
+ useMrrt: options.useMrrt,
cacheLocation: options.cacheLocation ?? 'memory',
- useRefreshTokens: options.useRefreshTokens ?? false,
+ // MRRT requires refresh tokens to work - automatically enable if useMrrt is true
+ useRefreshTokens: options.useRefreshTokens ?? options.useMrrt ?? false,
+ useRefreshTokensFallback: options.useRefreshTokensFallback ?? true,
useDpop: options.useDPoP ?? true,
authorizationParams: {
redirect_uri:
diff --git a/src/platforms/web/adapters/WebCredentialsManager.ts b/src/platforms/web/adapters/WebCredentialsManager.ts
index e49eef64..126279d9 100644
--- a/src/platforms/web/adapters/WebCredentialsManager.ts
+++ b/src/platforms/web/adapters/WebCredentialsManager.ts
@@ -4,6 +4,7 @@ import {
AuthError,
CredentialsManagerError,
Credentials as CredentialsModel,
+ ApiCredentials,
} from '../../../core/models';
import type { Auth0Client } from '@auth0/auth0-spa-js';
@@ -55,6 +56,43 @@ export class WebCredentialsManager implements ICredentialsManager {
}
}
+ async getApiCredentials(
+ audience: string,
+ scope?: string,
+ _minTtl?: number,
+ parameters?: Record
+ ): Promise {
+ try {
+ const tokenResponse = await this.client.getTokenSilently({
+ authorizationParams: {
+ ...parameters,
+ audience: audience,
+ scope: scope,
+ },
+ detailedResponse: true,
+ });
+
+ // Calculate access token expiration from expires_in (seconds until expiration)
+ // This is more accurate than using ID token claims for API credentials
+ const nowInSeconds = Math.floor(Date.now() / 1000);
+ const expiresAt = nowInSeconds + (tokenResponse.expires_in ?? 3600);
+
+ return new ApiCredentials({
+ accessToken: tokenResponse.access_token,
+ tokenType: tokenResponse.token_type,
+ expiresAt: expiresAt,
+ scope: tokenResponse.scope,
+ });
+ } catch (e: any) {
+ const code = e.error ?? 'GetApiCredentialsFailed';
+ const authError = new AuthError(code, e.error_description ?? e.message, {
+ json: e,
+ code,
+ });
+ throw new CredentialsManagerError(authError);
+ }
+ }
+
async hasValidCredentials(): Promise {
return this.client.isAuthenticated();
}
@@ -71,4 +109,11 @@ export class WebCredentialsManager implements ICredentialsManager {
throw new CredentialsManagerError(authError);
}
}
+
+ async clearApiCredentials(audience: string): Promise {
+ console.warn(
+ `'clearApiCredentials' for audience ${audience} is a no-op on the web. @auth0/auth0-spa-js handles credential storage automatically.`
+ );
+ return Promise.resolve();
+ }
}
diff --git a/src/platforms/web/adapters/__tests__/WebCredentialsManager.spec.ts b/src/platforms/web/adapters/__tests__/WebCredentialsManager.spec.ts
index 5aa0f9a1..a2bef6f2 100644
--- a/src/platforms/web/adapters/__tests__/WebCredentialsManager.spec.ts
+++ b/src/platforms/web/adapters/__tests__/WebCredentialsManager.spec.ts
@@ -218,4 +218,135 @@ describe('WebCredentialsManager', () => {
);
});
});
+
+ describe('getApiCredentials', () => {
+ it('should throw CredentialsManagerError on login_required error', async () => {
+ const spaError = {
+ error: 'login_required',
+ error_description: 'Login is required',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ await expect(
+ credentialsManager.getApiCredentials('https://api.example.com')
+ ).rejects.toThrow();
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ expect(error.name).toBe('login_required');
+ });
+
+ it('should throw CredentialsManagerError on invalid_grant error', async () => {
+ const spaError = {
+ error: 'invalid_grant',
+ error_description: 'Refresh token is invalid',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com', 'read:data')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ expect(error.message).toBe('Refresh token is invalid');
+ });
+
+ it('should throw CredentialsManagerError on missing_refresh_token error', async () => {
+ const spaError = {
+ error: 'missing_refresh_token',
+ error_description: 'No refresh token available',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ });
+
+ it('should throw CredentialsManagerError on consent_required error', async () => {
+ const spaError = {
+ error: 'consent_required',
+ error_description: 'Consent is required',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ });
+
+ it('should throw CredentialsManagerError on network error', async () => {
+ const spaError = {
+ error: 'temporarily_unavailable',
+ error_description: 'Service temporarily unavailable',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ });
+
+ it('should throw CredentialsManagerError on invalid_scope error', async () => {
+ const spaError = {
+ error: 'invalid_scope',
+ error_description: 'The requested scope is invalid',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com', 'invalid:scope')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ });
+
+ it('should throw CredentialsManagerError on unknown error', async () => {
+ const spaError = {
+ error: 'unknown_error',
+ error_description: 'An unknown error occurred',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ });
+
+ it('should handle error without error_description', async () => {
+ const spaError = {
+ error: 'invalid_grant',
+ message: 'The refresh token is invalid',
+ };
+ mockSpaClient.getTokenSilently.mockRejectedValue(spaError);
+
+ const error = await credentialsManager
+ .getApiCredentials('https://api.example.com')
+ .catch((e) => e);
+
+ expect(error.type).toBe('MOCKED_TYPE');
+ expect(error.message).toBe('The refresh token is invalid');
+ });
+ });
+
+ describe('clearApiCredentials', () => {
+ it('should log a warning and resolve without doing anything', async () => {
+ await credentialsManager.clearApiCredentials('https://api.example.com');
+
+ expect(consoleWarnSpy).toHaveBeenCalledWith(
+ "'clearApiCredentials' for audience https://api.example.com is a no-op on the web. @auth0/auth0-spa-js handles credential storage automatically."
+ );
+ });
+ });
});
diff --git a/src/specs/NativeA0Auth0.ts b/src/specs/NativeA0Auth0.ts
index 94be1535..da43d253 100644
--- a/src/specs/NativeA0Auth0.ts
+++ b/src/specs/NativeA0Auth0.ts
@@ -1,6 +1,6 @@
import { TurboModuleRegistry, type TurboModule } from 'react-native';
import type { Int32 } from 'react-native/Libraries/Types/CodegenTypes';
-import type { Credentials } from '../types';
+import type { ApiCredentials, Credentials } from '../types';
export interface Spec extends TurboModule {
/**
* Get the bundle identifier
@@ -54,6 +54,21 @@ export interface Spec extends TurboModule {
*/
clearCredentials(): Promise;
+ /**
+ * Get API credentials for a specific audience
+ */
+ getApiCredentials(
+ audience: string,
+ scope: string | undefined,
+ minTTL: Int32,
+ parameters: Object
+ ): Promise;
+
+ /**
+ * Clear API credentials for a specific audience
+ */
+ clearApiCredentials(audience: string): Promise;
+
/**
* Start web authentication
*/
diff --git a/src/types/common.ts b/src/types/common.ts
index cfc54a12..8196b6b2 100644
--- a/src/types/common.ts
+++ b/src/types/common.ts
@@ -34,6 +34,17 @@ export type Credentials = {
[key: string]: any;
};
+/**
+ * Represents API-specific credentials, primarily containing an access token.
+ * This is returned when requesting tokens for a specific API (audience).
+ */
+export type ApiCredentials = {
+ accessToken: string;
+ tokenType: string;
+ expiresAt: number;
+ scope?: string;
+};
+
/**
* Represents the standard profile information of an authenticated user,
* typically decoded from the ID token.
diff --git a/src/types/parameters.ts b/src/types/parameters.ts
index c2caf5cb..8aef8fc8 100644
--- a/src/types/parameters.ts
+++ b/src/types/parameters.ts
@@ -137,6 +137,10 @@ export interface RefreshTokenParameters extends RequestOptions {
* The scopes requested for the issued tokens. e.g. `openid profile`
*/
scope?: string;
+ /**
+ * The intended API identifier that will be the consumer for the issued access token.
+ */
+ audience?: string;
}
/** Parameters for revoking a refresh token. */
diff --git a/src/types/platform-specific.ts b/src/types/platform-specific.ts
index 14e7c039..1741fff5 100644
--- a/src/types/platform-specific.ts
+++ b/src/types/platform-specific.ts
@@ -149,10 +149,21 @@ export interface WebAuth0Options extends Auth0Options {
cacheLocation?: 'memory' | 'localstorage';
/** Enables the use of refresh tokens for silent authentication. */
useRefreshTokens?: boolean;
+ /**
+ * Fallback to iframe-based token retrieval if refresh token fails.
+ * @default true
+ */
+ useRefreshTokensFallback?: boolean;
/** A custom audience for the `getTokenSilently` call. */
audience?: string;
/** A custom scope for the `getTokenSilently` call. */
scope?: string;
+ /**
+ * **Web only:** Enables the use of Multi-Resource Refresh Tokens (MRRT).
+ * When enabled, `useRefreshTokens` is automatically set to `true`.
+ * @default false
+ */
+ useMrrt?: boolean;
}
/**