Provides management of Globus authorization context for your application.

  • Handles the OAuth protcol flow (via PKCE)
  • Token lifecycle management
  • Common errors (e.g., ConsentRequired, authorization_requirements)

Once you configure your instance, you can determine the authenticated state using manager.authenticated.

To prompt a user to authenticate, call manager.login() on user interaction – this will initiate the OAuth protocol flow with your configured client and scopes, resulting in an initial redirect to Globus Auth.

Once the user authenticates with Globus Auth, they will be redirected to your application using the configured redirect URL. On this URL, you will need to call manager.handleCodeRedirect (using a manager instance configured in the same manner that initiated the manager.login() call) to complete the PKCE flow, exchanging the provided code for a valid token, or tokens.

All tokens managed by the AuthorizationManager instance can be found on manager.token.

The AuthorizationManager expects your Globus Application to be registered as an OAuth public client. In this Globus Web Application, this option is referenced as "Register a thick client or script that will be installed and run by users on their devices".

import { authorization } from "globus/sdk";

const manager = authorization.create({
// Your registered Globus Application client ID.
client: '...',
// The redirect URL for your application; Where you will call `manager.handleCodeRedirect()`
redirect: 'https://example.com/callback',
// Known scopes required by your application.
scopes: 'urn:globus:auth:scope:transfer.api.globus.org:all',
});

Constructors

Properties

events: {
    authenticated: Event<
        "authenticated",
        { isAuthenticated: boolean; token?: TokenResponse },
    >;
    revoke: Event<"revoke", unknown>;
} = ...

Type declaration

  • authenticated: Event<"authenticated", { isAuthenticated: boolean; token?: TokenResponse }>

    Emitted when the authenticated state changes. AuthorizationManager.events#authenticated

  • revoke: Event<"revoke", unknown>

    Emitted when the user revokes their authentication. AuthorizationManager.events#revoke

storage: Storage

The storage system used by the AuthorizationManager.

Storage

tokens: TokenManager

Accessors

  • get user(): null | JwtUserInfo
  • The user information decoded from the id_token (JWT) of the current Globus Auth token. This method can be used instead of auth.oauth2.userinfo to get the user information without an additional request.

    IMPORTANT: The id_token can only be processed if the openid scope is requested during the authorization process.

    Additionally, the profile and email scopes are required to get the full user information.

    Returns null | JwtUserInfo

Methods

  • Add a Globus Auth token response to storage, if other_tokens are present they are also added. This method is mostly used internally by the AuthorizationManager, but can be used by downstream consumers to add tokens to storage if necessary.

    Parameters

    • token: Token | TokenResponse

    Returns void

  • This method will attempt to complete the PKCE protocol flow.

    Parameters

    • options: {
          additionalParams?: { [key: string]: string };
          shouldReplace: undefined | boolean;
      } = ...

    Returns Promise<any>

  • Process a well-formed ConsentRequired error response from a Globus service and redirect the user to the Globus Auth login page with the necessary parameters.

    Parameters

    Returns Promise<void>

  • Handle an error response from a Globus service in the context of this AuthorizationManager. This method will introspect the response and attempt to handle any errors that should result in some additional Globus Auth interaction.

    Parameters

    • response: Record<string, unknown>

      The error response from a Globus service.

    • Optionaloptions: true | { additionalParams?: { [key: string]: string }; execute?: true }

      Options for handling the error response. If a boolean is provided, this will be treated as the options.execute value.

      • true
      • { additionalParams?: { [key: string]: string }; execute?: true }
        • OptionaladditionalParams?: { [key: string]: string }
        • Optionalexecute?: true

          Whether to execute the handler immediately.

    Returns Promise<void>

  • Handle an error response from a Globus service in the context of this AuthorizationManager. This method will introspect the response and attempt to handle any errors that should result in some additional Globus Auth interaction.

    Parameters

    • response: Record<string, unknown>

      The error response from a Globus service.

    • Optionaloptions: false | { additionalParams?: { [key: string]: string }; execute?: false }

      Options for handling the error response. If a boolean is provided, this will be treated as the options.execute value.

      • false
      • { additionalParams?: { [key: string]: string }; execute?: false }
        • OptionaladditionalParams?: { [key: string]: string }
        • Optionalexecute?: false

          Whether to execute the handler immediately.

    Returns Promise<() => Promise<void>>

  • Initiate the login process by redirecting to the Globus Auth login page.

    IMPORTANT: This method will reset the instance state before initiating the login process, including clearing all tokens from storage. If you need to maintain the current state, use the AuthorizationManager.prompt method.

    Parameters

    • options: { additionalParams: {} } = ...

    Returns Promise<void>

  • Prompt the user to authenticate with Globus Auth.

    Parameters

    • Optionaloptions: Partial<RedirectTransportOptions>

    Returns Promise<void>

  • Use the refresh_token attribute of a token to obtain a new access token.

    Parameters

    • token: TokenWithRefresh

      The well-formed token with a refresh_token attribute.

    Returns Promise<null | TokenResponse>

  • Attempt to refresh all of the tokens managed by the instance. This method will only attempt to refresh tokens that have a refresh_token attribute.

    Returns Promise<PromiseSettledResult<null | TokenResponse>[]>

  • Reset the authenticated state and clear all tokens from storage. This method does not emit the revoke event. If you need to emit the revoke event, use the AuthorizationManager.revoke method.

    Returns void

  • Call AuthroizationManager.reset, revoke all of the available tokns, and emit the revoke event.

    Returns Promise<void>

    AuthorizationManager.events#revoke

    AuthorizationManager.reset