Feat: Option to send credentials with http requests

index.d.ts

@@ -162,6 +162,8 @@ export interface OidcClientSettings {
   readonly stateStore?: StateStore;
   readonly userInfoJwtIssuer?: 'ANY' | 'OP' | string;
   readonly mergeClaims?: boolean;
+  /** sets XMLHTTPRequest.withCredentials value for requests */
+  readonly sendRequestsWithCredentials?: boolean;
   ResponseValidatorCtor?: ResponseValidatorCtor;
   MetadataServiceCtor?: MetadataServiceCtor;
   /** An object containing additional query string parameters to be including in the authorization request */

src/JsonService.js

@@ -8,8 +8,12 @@ export class JsonService {
     constructor(
         additionalContentTypes = null, 
         XMLHttpRequestCtor = Global.XMLHttpRequest, 
-        jwtHandler = null
+        jwtHandler = null,
+        settings,
     ) {
+
+        this._settings = settings;
+
         if (additionalContentTypes && Array.isArray(additionalContentTypes))
         {
             this._contentTypes = additionalContentTypes.slice();
@@ -40,6 +44,10 @@ export class JsonService {
             var req = new this._XMLHttpRequest();
             req.open('GET', url);
 
+            if(this._settings && this._settings.sendRequestsWithCredentials){
+                req.withCredentials = true;
+            }
+
             var allowedContentTypes = this._contentTypes;
             var jwtHandler = this._jwtHandler;
 
@@ -109,6 +117,10 @@ export class JsonService {
             var req = new this._XMLHttpRequest();
             req.open('POST', url);
 
+            if(this._settings && this._settings.sendRequestsWithCredentials){
+                req.withCredentials = true;
+            }
+
             var allowedContentTypes = this._contentTypes;
 
             req.onload = function() {

src/MetadataService.js

@@ -14,7 +14,7 @@ export class MetadataService {
         }
 
         this._settings = settings;
-        this._jsonService = new JsonServiceCtor(['application/jwk-set+json']);
+        this._jsonService = new JsonServiceCtor(['application/jwk-set+json'], undefined, undefined, this._settings);
     }
 
     get metadataUrl() {

src/OidcClientSettings.js

@@ -32,6 +32,7 @@ export class OidcClientSettings {
         clockService = new ClockService(),
         userInfoJwtIssuer = 'OP',
         mergeClaims = false,
+        sendRequestsWithCredentials = false,
         // other behavior
         stateStore = new WebStorageStateStore(),
         ResponseValidatorCtor = ResponseValidator,
@@ -75,6 +76,8 @@ export class OidcClientSettings {
         this._validator = new ResponseValidatorCtor(this);
         this._metadataService = new MetadataServiceCtor(this);
 
+        this._sendRequestsWithCredentials = sendRequestsWithCredentials;
+
         this._extraQueryParams = typeof extraQueryParams === 'object' ? extraQueryParams : {};
         this._extraTokenParams = typeof extraTokenParams === 'object' ? extraTokenParams : {};
     }
@@ -216,6 +219,9 @@ export class OidcClientSettings {
     get metadataService() {
         return this._metadataService;
     }
+   get sendRequestsWithCredentials() {
+        return this._sendRequestsWithCredentials;
+    }
 
     // extra query params
     get extraQueryParams() {

src/TokenClient.js

@@ -13,7 +13,7 @@ export class TokenClient {
         }
 
         this._settings = settings;
-        this._jsonService = new JsonServiceCtor();
+        this._jsonService = new JsonServiceCtor(undefined, undefined, undefined, this._settings);
         this._metadataService = new MetadataServiceCtor(this._settings);
     }
 

src/UserInfoService.js

@@ -19,7 +19,7 @@ export class UserInfoService {
         }
 
         this._settings = settings;
-        this._jsonService = new JsonServiceCtor(undefined, undefined, this._getClaimsFromJwt.bind(this));
+        this._jsonService = new JsonServiceCtor(undefined, undefined, this._getClaimsFromJwt.bind(this), this._settings);
         this._metadataService = new MetadataServiceCtor(this._settings);
         this._joseUtil = joseUtil;
     }