feat: allow passing device context to interact call

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 - [#1036](https://github.com/okta/okta-auth-js/pull/1036) Adds `webauthn` authenticator support in idx module
 - [#1075](https://github.com/okta/okta-auth-js/pull/1075) Adds top level `invokeApiMethod` method as an escape hatch to make arbitrary OKTA API request
+- [#1093](https://github.com/okta/okta-auth-js/pull/1093) Allows passing device context headers (`X-Forwarded-For`, `User-Agent`, `X-Okta-User-Agent-Extended` and `X-Device-Token`) to `idx.interact`. Follow [setHeaders](README.md#setheaders) section to add headers to http requests.
 
 ### Fixes
 

lib/idx/interact.ts

@@ -26,6 +26,7 @@ export interface InteractOptions {
   codeChallengeMethod?: string;
   activationToken?: string;
   recoveryToken?: string;
+  clientSecret?: string;
 }
 
 export interface InteractResponse {
@@ -65,8 +66,9 @@ export async function interact (authClient: OktaAuth, options: InteractOptions =
     codeChallenge,
     codeChallengeMethod,
     activationToken,
-    recoveryToken
+    recoveryToken,
   } = meta as IdxTransactionMeta;
+  const clientSecret = options.clientSecret || authClient.options.clientSecret;
 
   const interactionHandle = await idx.interact({
     withCredentials,
@@ -86,7 +88,12 @@ export async function interact (authClient: OktaAuth, options: InteractOptions =
     activationToken,
 
     // Recovery
-    recoveryToken
+    recoveryToken,
+
+    // X-Device-Token header need to pair with `client_secret`
+    // eslint-disable-next-line max-len
+    // https://oktawiki.atlassian.net/wiki/spaces/eng/pages/2445902453/Support+Device+Binding+in+interact#Scenario-1%3A-Non-User-Agent-with-Confidential-Client-(top-priority)
+    clientSecret
   });
   const newMeta = {
     ...meta,

package.json

@@ -70,7 +70,7 @@
   },
   "dependencies": {
     "@babel/runtime": "^7.12.5",
-    "@okta/okta-idx-js": "0.24.0",
+    "@okta/okta-idx-js": "0.25.0",
     "@peculiar/webcrypto": "1.1.6",
     "Base64": "1.1.0",
     "atob": "^2.1.2",

samples/templates/express-embedded-auth-with-sdk/package.json

@@ -17,6 +17,7 @@
     "cors": "^2.8.5",
     "js-yaml": "^4.1.0",
     "dotenv": "^10.0.0",
+    "express-async-errors": "^3.1.1",
     "@okta/okta-auth-js": "*"
   },
   "devDependencies": {

samples/templates/express-embedded-auth-with-sdk/web-server/server.js

@@ -18,6 +18,7 @@ const express = require('express');
 const session = require('express-session');
 const mustacheExpress = require('mustache-express');
 const path = require('path');
+require('express-async-errors');
 const { 
   userContext, 
   authTransaction,

test/spec/idx/interact.ts

@@ -22,8 +22,9 @@ jest.mock('@okta/okta-idx-js', () => {
 });
 
 jest.mock('../../../lib/idx/transactionMeta', () => {
+  const actual = jest.requireActual('../../../lib/idx/transactionMeta');
   return {
-    createTransactionMeta: () => {},
+    ...actual,
     getSavedTransactionMeta: () => {},
     saveTransactionMeta: () => {}
   };
@@ -391,6 +392,79 @@ describe('idx/interact', () => {
           });
         });
       });
+
+      describe('clientSecret', () => {
+        beforeEach(() => {
+          // use original createTransactionMeta implementation
+          jest.spyOn(mocked.transactionMeta, 'createTransactionMeta').mockRestore();
+          jest.spyOn(mocked.transactionMeta, 'saveTransactionMeta');
+        });
+
+        it('uses clientSecret from sdk options', async () => {
+          const { authClient } = testContext;
+          authClient.options.clientSecret = 'sdk-clientSecret';
+          await interact(authClient, {});
+          expect(mocked.idx.interact).toHaveBeenCalled();
+          const interactArg = mocked.idx.interact.mock.calls[0][0];
+          expect(interactArg).toMatchObject({
+            'clientId': 'authClient-clientId',
+            'baseUrl': 'authClient-issuer/oauth2',
+            'codeChallenge': 'tp-codeChallenge',
+            'codeChallengeMethod': 'tp-codeChallengeMethod',
+            'redirectUri': 'authClient-redirectUri',
+            'scopes': ['tp-scopes'],
+            'state': 'tp-state',
+            'clientSecret': 'sdk-clientSecret'
+          });
+          expect(mocked.transactionMeta.saveTransactionMeta).toHaveBeenCalledWith(authClient, {
+            'clientId': 'authClient-clientId',
+            'codeChallenge': 'tp-codeChallenge',
+            'codeChallengeMethod': 'tp-codeChallengeMethod',
+            'codeVerifier': 'tp-codeVerifier',
+            'flow': 'default',
+            'interactionHandle': 'idx-interactionHandle',
+            'issuer': 'authClient-issuer',
+            'redirectUri': 'authClient-redirectUri',
+            'responseType': 'tp-responseType',
+            'scopes': ['tp-scopes'],
+            'state': 'tp-state',
+            'urls': expect.any(Object),
+            'withCredentials': true,
+          });
+        });
+        it('uses clientSecret from function options (overrides sdk option)', async () => {
+          const { authClient } = testContext;
+          authClient.options.clientSecret = 'sdk-clientSecret';
+          await interact(authClient, { clientSecret: 'fn-clientSecret' });
+          expect(mocked.idx.interact).toHaveBeenCalled();
+          const functionArg = mocked.idx.interact.mock.calls[0][0];
+          expect(functionArg).toMatchObject({
+            'clientId': 'authClient-clientId',
+            'baseUrl': 'authClient-issuer/oauth2',
+            'codeChallenge': 'tp-codeChallenge',
+            'codeChallengeMethod': 'tp-codeChallengeMethod',
+            'redirectUri': 'authClient-redirectUri',
+            'scopes': ['tp-scopes'],
+            'state': 'tp-state',
+            'clientSecret': 'fn-clientSecret'
+          });
+          expect(mocked.transactionMeta.saveTransactionMeta).toHaveBeenCalledWith(authClient, {
+            'clientId': 'authClient-clientId',
+            'codeChallenge': 'tp-codeChallenge',
+            'codeChallengeMethod': 'tp-codeChallengeMethod',
+            'codeVerifier': 'tp-codeVerifier',
+            'flow': 'default',
+            'interactionHandle': 'idx-interactionHandle',
+            'issuer': 'authClient-issuer',
+            'redirectUri': 'authClient-redirectUri',
+            'responseType': 'tp-responseType',
+            'scopes': ['tp-scopes'],
+            'state': 'tp-state',
+            'urls': expect.any(Object),
+            'withCredentials': true,
+          });
+        });
+      });
 
       it('saves returned interactionHandle', async () => {
         const { authClient } = testContext;

yarn.lock

@@ -2364,10 +2364,10 @@
     mkdirp "^1.0.4"
     rimraf "^3.0.2"
 
-"@okta/okta-idx-js@0.24.0":
-  version "0.24.0"
-  resolved "https://registry.yarnpkg.com/@okta/okta-idx-js/-/okta-idx-js-0.24.0.tgz#f7c048a866add49f40fde0e25734fe61998be7c3"
-  integrity sha512-ut4LPYvsXKKQm+PVgsGuoeU1RzVteNHrZPYvhz7REJEaNkY7pKUPBmYxsq9zyjRyzEEkAH7YrWeyhMcW8Lpt9w==
+"@okta/okta-idx-js@0.25.0":
+  version "0.25.0"
+  resolved "https://registry.yarnpkg.com/@okta/okta-idx-js/-/okta-idx-js-0.25.0.tgz#4ca1d1a9b5617cbdc5374965caea9949b5b22cbc"
+  integrity sha512-cNOYSHCzLR5NKqiBsvPYYuWYPerLIVva6SNF7+/vb4zH1/hBjznlj/W6guVl0m5Tycz/ZUuVSQzHtEQoock/uQ==
   dependencies:
     "@babel/runtime" "^7.12.5"
     "@babel/runtime-corejs3" "^7.12.5"
@@ -9052,6 +9052,11 @@ expect@^27.0.2:
     jest-message-util "^27.0.6"
     jest-regex-util "^27.0.6"
 
+express-async-errors@^3.1.1:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/express-async-errors/-/express-async-errors-3.1.1.tgz#6053236d61d21ddef4892d6bd1d736889fc9da41"
+  integrity sha512-h6aK1da4tpqWSbyCa3FxB/V6Ehd4EEB15zyQq9qe75OZBp0krinNKuH4rAY+S/U/2I36vdLAUFSjQJ+TFmODng==
+
 express-session@^1.17.1:
   version "1.17.2"
   resolved "https://registry.yarnpkg.com/express-session/-/express-session-1.17.2.tgz#397020374f9bf7997f891b85ea338767b30d0efd"