Support both auth styles

Author: LarryKlugerDS

package.json

@@ -4,7 +4,7 @@
   "license": "MIT",
   "description": "React code example with OAuth Implicit grant and DocuSign API. It redirects to the OAuth IdP.",
   "homepage_comment": "<homepage> is used by the build process as the build target URL path",
-  "homepage": "react-oauth-redirect-docusign/build",
+  "homepage": "react-oauth-docusign/build",
   "private": true,
   "dependencies": {
     "@testing-library/jest-dom": "^5.11.4",

public/config_example.js

@@ -4,17 +4,34 @@ var config = {};
 //
 // Development: Add to the public directory as config.js.
 // 
-// Production: Add to the build directory after the build is complete as config.js.
+// Production: Add to the build directory after the build is 
+// complete as config.js.
+
+// Your app's URL
+config.DS_APP_URL='http://localhost:3000/react-oauth-new-tab-docusign/build';
+// development url default is 'http://localhost:3000/react-oauth-new-tab-docusign/build';
+
+// If config.DS_REDIRECT_AUTHENTICATION is true, then add a
+// redirect URI to the integration key of DS_APP_URL
+//
+// If config.DS_REDIRECT_AUTHENTICATION is true, then add a
+// redirect URI to the integration key of 
+// DS_APP_URL/oauthResponse.html
 
 config.DS_CLIENT_ID='xxxx-xxxx-xxxx-xxxx-xxxxxxx';
 config.IMPLICIT_SCOPES='signature';
 
-// Your DocuSign eSignature REST API private CORS proxy 
-config.DS_API_CORS_PROXY='https://your_private_proxy.xxx.xxx';
-config.DS_API_CORS_PROXY_FOR='https://demo.docusign.net';
+// DocuSign Identity server
+config.DS_IDP='https://account-d.docusign.com';
 
-// Your app's URL
-config.DS_APP_URL='http://localhost:3000';
+// Your private API CORS proxies
+config.DS_API_CORS_PROXIES= {
+    'https://na2.docusign.net' : 'https://xxxproxy.example.com',
+    'https://demo.docusign.net': 'https://xxxproxy.example.com',
+}
+
+// redirect authentication? 
+// true: the app redirects to the IdP
+// false: the app opens a new tab for authentication, then closes it
+config.DS_REDIRECT_AUTHENTICATION=true;
 config.DS_DEBUG=true;
-config.DS_IDP='https://account-d.docusign.com';
-config.DS_AUTHENTICATION='https://account-d.docusign.com';

public/oauthResponse.html

@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta
+      name="description"
+      content="DocuSign OAuth response page"
+    />
+    <title>OAuth response handler</title>
+  </head>
+  <body>
+    <h2>Please close this tab or window.</h2>
+    <noscript>You need to enable JavaScript to run this app.</noscript>
+    <script>
+      const msg = {source: 'oauthResponse', hash: window.location.hash || ''}
+      if (window.opener) {
+        window.opener.postMessage(msg, '*');
+      } else {
+        window.parent.postMessage(msg, '*');
+      }
+    </script>
+  </body>
+</html>

src/App.js

@@ -47,20 +47,56 @@ class App extends React.Component {
         this.formEmailChange = this.formEmailChange.bind(this);
         this.sendEnvelope = this.sendEnvelope.bind(this);
         this.getEnvelope = this.getEnvelope.bind(this);
+        this.receiveMessage = this.receiveMessage.bind(this);
     }
 
     /**
      * Starting up--if our URL includes a hash, check it to see if 
      * it's the OAuth response
      */
     async componentDidMount() {
-        const hash = window.location.hash;
-        if (!hash) {return}
-        // possible OAuth response
-        this.setState({working: true, workingMessage: 'Loggin in'});
-        await this.oAuthImplicit.completeLogin();
-        this.setState({working: false});        
+        const config = window.config;
+        // if the url has a query parameter of ?error=logout_request (from a logout operation) 
+        // then remove it
+        if (window.location.search && window.location.search === '?error=logout_request') {
+            window.history.replaceState(null, '', config.DS_APP_URL);
+        }
+
+        if (config.DS_REDIRECT_AUTHENTICATION) {
+            const hash = window.location.hash;
+            if (!hash) {return}
+            // possible OAuth response
+            this.setState({working: true, workingMessage: 'Logging in'});
+            await this.oAuthImplicit.receiveHash(hash);
+            this.setState({working: false});
+        } else {
+            // await authentication via the new tab
+            window.addEventListener("message", this.receiveMessage, false);
+        }
     }
+
+    /**
+     * Receive message from a child .
+     * This method is only used if authentication is done
+     * in a new tab. See file public/oauthResponse.html
+     * @param {object} e 
+     */
+    async receiveMessage(e) {
+        const rawSource = e && e.data && e.data.source
+            , ignore = {'react-devtools-inject-backend': true,
+                        'react-devtools-content-script': true,
+                        'react-devtools-detector': true,
+                        'react-devtools-bridge': true}
+            , source = (rawSource && !ignore[rawSource]) ? rawSource : false
+            ;
+        if (!source) {return}; // Ignore if no source field
+        if (source === 'oauthResponse') {
+            this.setState({working: true, workingMessage: 'Logging in'});
+            const hash = e.data && e.data.hash;
+            await this.oAuthImplicit.receiveHash(hash);
+            this.setState ({working: false});
+        }
+    }    
 
     startAuthentication() {
         this.oAuthImplicit.startLogin();

src/DocuSign.js

@@ -82,7 +82,7 @@ class DocuSign {
 
         try {
         const url =
-            `${window.config.DS_API_CORS_PROXY}${urlFrag}` +
+            `${this.app.state.baseUri}${urlFrag}` +
             `/accounts/${this.app.state.accountId}` +
             `/envelopes`;
         const response = await fetch(url, {
@@ -152,7 +152,7 @@ class DocuSign {
      async getEnvelope() {
         try {
         const url =
-            `${window.config.DS_API_CORS_PROXY}${urlFrag}` +
+            `${this.app.state.baseUri}${urlFrag}` +
             `/accounts/${this.app.state.accountId}` +
             `/envelopes/${this.app.state.responseEnvelopeId}`;
         const response = await fetch(url, {

src/OAuthImplicit.js

@@ -4,6 +4,7 @@
  */
 import { toast } from 'react-toastify';
 
+const oauthResponseHtml = 'oauthResponse.html'; // only used for new tab auth
 const expirationBuffer = 10 * 60; // 10 minute buffer
 const sdkString = 'codeEg_react';
 const urlFrag = '/restapi/v2.1'; // DocuSign specific
@@ -34,15 +35,15 @@ class OAuthImplicit {
     //
     constructor(app) {
         this.app = app;
+        this.oauthWindow = null; // only used for new tab auth
     }
 
     /**
      * Handle incoming OAuth Implicit grant response
      */
-    async completeLogin() {
+    async receiveHash(hash) {
         const config = window.config;
-        const hash = window.location.hash
-            , accessTokenFound = hash && hash.substring(0,14) === '#access_token=';
+        const accessTokenFound = hash && hash.substring(0,14) === '#access_token=';
         if (!accessTokenFound) {return} // EARLY RETURN
 
         // Avoiding an injection attack: check that the hash only includes expected characters
@@ -70,10 +71,18 @@ class OAuthImplicit {
             console.error(`OAuth state mismatch!! Expected state: ${oauthStateValue}; received state: ${incomingState}`);
             return // EARLY RETURN
         }
-        // hash was good, so erase it from the browser
-        window.history.replaceState(null, '', config.DS_APP_URL);
         window.localStorage.clear(); // clean up
 
+        if (config.DS_REDIRECT_AUTHENTICATION) {
+            // Using redirect the window authentication:
+            // hash was good, so erase it from the browser
+            window.history.replaceState(null, '', config.DS_APP_URL);
+        } else {
+            // Using new tab authentication:
+            // close the tab that was used for authentication
+            if (this.oauthWindow) {this.oauthWindow.close()}
+        }
+
         // calculate expires
         let expires = new Date()
         expires.setTime(expires.getTime() + (expiresIn - expirationBuffer)* 1000)
@@ -96,10 +105,8 @@ class OAuthImplicit {
         }
         // 
         // Need to select the right proxy for the API call
-        let baseUri;
-        if (defaultAccount.base_uri === config.DS_API_CORS_PROXY_FOR) {
-            baseUri = config.DS_API_CORS_PROXY;
-        }
+        // update the baseUri setting
+        let baseUri = config.DS_API_CORS_PROXIES[defaultAccount.base_uri];
         if (!baseUri) {
             const msg = `Problem: no proxy for ${defaultAccount.base_uri}.`;
             log(msg);
@@ -118,26 +125,44 @@ class OAuthImplicit {
             accountId: defaultAccount.account_id,
             externalAccountId,
             accountName: defaultAccount.account_name,
-            baseUri: defaultAccount.base_uri,
+            baseUri: baseUri,
         })
     }
 
     /**
      * Start the login flow by computing the Implicit grant URL
-     * and redirecting to the URL for the user.
+     * and either redirecting to the URL for the user or
+     * creating a new browser tab for the authentication flow
      */
     startLogin() {
+        const config = window.config;
         const oauthStateValue = OAuthImplicit.generateId();
         window.localStorage.setItem(oauthState, oauthStateValue); // store for when we come back
-        const url =
-        `${window.config.DS_IDP}/oauth/auth?` +
-        `response_type=token&` +
-        `scope=${window.config.IMPLICIT_SCOPES}&` +
-        `client_id=${window.config.DS_CLIENT_ID}&` +
-        `state=${oauthStateValue}&` +
-        `redirect_uri=${encodeURIComponent(window.config.DS_APP_URL)}`;
+        let redirectUrl;
+        if (config.DS_REDIRECT_AUTHENTICATION) {
+            // Using redirect the window authentication:
+            redirectUrl = config.DS_APP_URL;
+        } else {
+            // Using new tab authentication
+            redirectUrl = `${config.DS_APP_URL}/${oauthResponseHtml}`;
+        }    
 
-        window.location = url;
+        const url =
+            `${window.config.DS_IDP}/oauth/auth?` +
+            `response_type=token&` +
+            `scope=${window.config.IMPLICIT_SCOPES}&` +
+            `client_id=${window.config.DS_CLIENT_ID}&` +
+            `state=${oauthStateValue}&` +
+            `redirect_uri=${encodeURIComponent(redirectUrl)}`;
+
+        if (config.DS_REDIRECT_AUTHENTICATION) {
+            // Using redirect the window authentication:
+            window.location = url;
+        } else {
+            // Using new tab authentication:
+            // Create a new tab for authentication
+            this.oauthWindow = window.open(url, "_blank");
+        }    
     }
 
     /**
@@ -146,15 +171,14 @@ class OAuthImplicit {
      * browser back to this app
      */
     logout () {
+        const config = window.config;
         const url =
-        `${window.config.DS_IDP}/logout?` +
-        //`response_type=code&` +
-        `response_type=token&` +
-        `scope=${window.config.IMPLICIT_SCOPES}&` +
-        `client_id=${window.config.DS_CLIENT_ID}&` +
-        `redirect_uri=${encodeURIComponent(window.config.DS_APP_URL)}&` +
-        `response_mode=logout_redirect`;
-
+            `${window.config.DS_IDP}/logout?` +
+            `response_type=token&` +
+            `scope=${config.IMPLICIT_SCOPES}&` +
+            `client_id=${config.DS_CLIENT_ID}&` +
+            `redirect_uri=${encodeURIComponent(config.DS_APP_URL)}&` +
+            `response_mode=logout_redirect`;
         window.location = url;
     }
 
@@ -167,7 +191,7 @@ class OAuthImplicit {
         let userInfoResponse
         try {
             userInfoResponse = await fetch(
-                `${window.config.DS_AUTHENTICATION}/oauth/userinfo`, {
+                `${window.config.DS_IDP}/oauth/userinfo`, {
                 headers: new Headers({
                     Authorization: `Bearer ${this.accessToken}`,
                     Accept: `application/json`,