From 3f279a4e01fff711ef4e4bc966e5efce0c433b00 Mon Sep 17 00:00:00 2001
From: Steve Hobbs
Date: Tue, 19 May 2020 15:21:20 +0100
Subject: [PATCH] [SDK-1634] Pass custom options to the token endpoint (#465)
* Passed custom options to refresh token call
* Added custom params support for token endpoint (iframe)
* Added timeoutInSeconds to exclusion list when getting tokens
* Added generic dictionary type to TokenEndpointOptions
* Readded scope concatenation to _getTokenUsingRefreshToken
* Added timeoutInSeconds to exclusion list in _getTokenUsingRefreshToken
---
__tests__/Auth0Client.test.ts | 64 +++++++++++++++++++++++++++++++++++
src/Auth0Client.ts | 23 ++++++++++++-
src/global.ts | 1 +
static/index.html | 5 ++-
4 files changed, 91 insertions(+), 2 deletions(-)
diff --git a/__tests__/Auth0Client.test.ts b/__tests__/Auth0Client.test.ts
index bec9bfdb1..1145ae2f3 100644
--- a/__tests__/Auth0Client.test.ts
+++ b/__tests__/Auth0Client.test.ts
@@ -542,4 +542,68 @@ describe('Auth0Client', () => {
 expect(access_token).toEqual('my_access_token');
 expect(utils.runIframe).not.toHaveBeenCalled();
 });
+
+ it('sends custom options through to the token endpoint when using an iframe', async () => {
+ const auth0 = setup();
+
+ await login(auth0, true);
+
+ jest.spyOn(utils, 'runIframe').mockResolvedValue({
+ access_token: 'my_access_token',
+ state: 'MTIz'
+ });
+
+ await auth0.getTokenSilently({
+ ignoreCache: true,
+ customParam: 'hello world'
+ });
+
+ expect(
+ (utils.runIframe).mock.calls[0][0].includes(
+ 'customParam=hello%20world'
+ )
+ ).toBe(true);
+
+ expect(JSON.parse(mockFetch.mock.calls[1][1].body)).toEqual({
+ redirect_uri: 'my_callback_url',
+ client_id: 'auth0_client_id',
+ grant_type: 'authorization_code',
+ customParam: 'hello world',
+ code_verifier: '123'
+ });
+ });
+
+ it('sends custom options through to the token endpoint when using refresh tokens', async () => {
+ const auth0 = setup({
+ useRefreshTokens: true
+ });
+
+ await login(auth0, true, { refresh_token: 'a_refresh_token' });
+
+ mockFetch.mockResolvedValueOnce(
+ fetchResponse(true, {
+ id_token: 'my_id_token',
+ refresh_token: 'my_refresh_token',
+ access_token: 'my_access_token',
+ expires_in: 86400
+ })
+ );
+
+ expect(utils.runIframe).not.toHaveBeenCalled();
+
+ const access_token = await auth0.getTokenSilently({
+ ignoreCache: true,
+ customParam: 'hello world'
+ });
+
+ expect(JSON.parse(mockFetch.mock.calls[1][1].body)).toEqual({
+ redirect_uri: 'my_callback_url',
+ client_id: 'auth0_client_id',
+ grant_type: 'refresh_token',
+ refresh_token: 'a_refresh_token',
+ customParam: 'hello world'
+ });
+
+ expect(access_token).toEqual('my_access_token');
+ });
 });
diff --git a/src/Auth0Client.ts b/src/Auth0Client.ts
index c54958fda..9d8da5f6b 100644
--- a/src/Auth0Client.ts
+++ b/src/Auth0Client.ts
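Review bot: In the refresh-token test, `expect(utils.runIframe).not.toHaveBeenCalled();` runs before `getTokenSilently` is called, so it cannot show that the call under test stayed off the iframe path; it should move to after the `await` (assuming mocks are reset between tests). Neither new test covers the security-relevant side of the feature. A case that passes `client_id` or `grant_type` as a custom option and asserts that the request body still carries `'auth0_client_id'` and the expected grant would pin that custom options cannot replace the SDK-controlled fields.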
@@ -668,8 +668,18 @@ export default class Auth0Client { throw new Error('Invalid state'); } + const { + scope, + audience, + redirect_uri, + ignoreCache, + timeoutInSeconds, + ...customOptions + } = options; + const tokenResult = await oauthToken( { + ...customOptions, baseUrl: this.domainUrl, client_id: this.options.client_id, code_verifier, @@ -695,7 +705,7 @@ export default class Auth0Client { ): Promise { options.scope = getUniqueScopes( this.defaultScope, - this.scope, + this.options.scope, options.scope ); @@ -718,9 +728,19 @@ export default class Auth0Client { window.location.origin; let tokenResult; + + const { + scope, + audience, + ignoreCache, + timeoutInSeconds, + ...customOptions + } = options; + try { tokenResult = await oauthToken( { + ...customOptions, baseUrl: this.domainUrl, client_id: this.options.client_id, grant_type: 'refresh_token', @@ -737,6 +757,7 @@ export default class Auth0Client { } throw e; } + const decodedToken = this._verifyIdToken(tokenResult.id_token); return { diff --git a/src/global.ts b/src/global.ts index 6efb93a11..d48e8a766 100644 --- a/src/global.ts +++ b/src/global.ts @@ -313,6 +313,7 @@ export interface TokenEndpointOptions { client_id: string; grant_type: string; timeout?: number; + [key: string]: any; } /** diff --git a/static/index.html b/static/index.html index c4ad229b8..eb96a6103 100644 --- a/static/index.html +++ b/static/index.html @@ -414,7 +414,10 @@
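Review bot: In both `oauthToken` calls the only thing that stops a caller-supplied key from replacing `baseUrl`, `client_id`, `code_verifier` or `grant_type` is that `...customOptions` is spread before them, and nothing in the code records that. A comment above the spread, such as `// Keep customOptions first: the SDK-controlled fields below must always win`, would guard against a later reorder that lets options passed to `getTokenSilently` change where the token request goes or which grant it uses. The two exclusion lists also differ: the iframe path (first hunk) drops `redirect_uri`, while the refresh-token path (third hunk) leaves it in `customOptions`. Whether it is overwritten there depends on lines after the spread that the hunk does not show, so this is worth confirming. Both enclosing methods start and end outside the hunks.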
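Review bot: The added index signature `[key: string]: any` in `TokenEndpointOptions` removes excess-property checking for every object typed with this interface, so a misspelled optional field such as `timeout` or a non-serialisable custom value now compiles silently. If custom parameters are meant to be plain values sent in the request body, a narrower signature such as `[key: string]: unknown` keeps the pass-through while forcing consumers to narrow before use. This assumes the interface's other members, which start outside the hunk, are compatible. A doc comment on the new member, for example `/** Additional custom parameters forwarded as-is to the token endpoint */`, would also make clear that whatever lands here leaves the client.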

Last error

var _self = this; _self.auth0 - .getTokenSilently({ ignoreCache: !_self.useCache }) + .getTokenSilently({ + ignoreCache: !_self.useCache, + aCustomOption: 'hello world' + }) .then(function (token) { _self.access_tokens.push(token); _self.error = null;