Class AuthorizationManager

Provides management of Globus authorization context for your application.

  • Handles the OAuth protcol flow (via PKCE)
  • Token lifecycle management
  • Common errors (e.g., ConsentRequired, authorization_requirements)

Once you configure your instance, you can determine the authenticated state using manager.authenticated.

To prompt a user to authenticate, call manager.login() on user interaction – this will initiate the OAuth protocol flow with your configured client and scopes, resulting in an initial redirect to Globus Auth.

Once the user authenticates with Globus Auth, they will be redirected to your application using the configured redirect URL. On this URL, you will need to call manager.handleCodeRedirect (using a manager instance configured in the same manner that initiated the manager.login() call) to complete the PKCE flow, exchanging the provided code for a valid token, or tokens.

All tokens managed by the AuthorizationManager instance can be found on manager.token.

Registering your Globus Application

The AuthorizationManager expects your Globus Application to be registered as an OAuth public client. In this Globus Web Application, this option is referenced as "Register a thick client or script that will be installed and run by users on their devices".

Example: Creating an AuthorizationManager instance.

import { authorization } from "globus/sdk";

const manager = authorization.create({
 // Your registered Globus Application client ID.
 client: '...',
 // The redirect URL for your application; Where you will call `manager.handleCodeRedirect()`
 redirect: 'https://example.com/callback',
 // Known scopes required by your application.
 scopes: 'urn:globus:auth:scope:transfer.api.globus.org:all',
});

Constructors

constructor

Properties

configuration events storage tokens

Accessors

authenticated storageKeyPrefix user

Methods

addTokenResponse getGlobusAuthToken handleAuthorizationRequirementsError handleCodeRedirect handleConsentRequiredError handleErrorResponse hasGlobusAuthToken login prompt refreshToken refreshTokens reset revoke

Constructors

constructor

Properties

configuration

configuration: AuthorizationManagerConfiguration

events

events: {
    authenticated: Event<"authenticated", {
        isAuthenticated: boolean;
        token?: TokenResponse;
    }>;
    revoke: Event<"revoke", unknown>;
} = ...

Type declaration

  • authenticated: Event<"authenticated", {
        isAuthenticated: boolean;
        token?: TokenResponse;
    }>

    Emitted when the authenticated state changes. AuthorizationManager.events#authenticated

  • revoke: Event<"revoke", unknown>

    Emitted when the user revokes their authentication. AuthorizationManager.events#revoke

storage

storage: Storage

The storage system used by the AuthorizationManager.

Implements

Storage

tokens

tokens: TokenManager

Accessors

authenticated

storageKeyPrefix

user

  • get user(): null | JwtUserInfo

  • The user information decoded from the id_token (JWT) of the current Globus Auth token. This method can be used instead of auth.oauth2.userinfo to get the user information without an additional request.

    IMPORTANT: The id_token can only be processed if the openid scope is requested during the authorization process.

    Additionally, the profile and email scopes are required to get the full user information.

    Returns null | JwtUserInfo

    See

    https://docs.globus.org/api/auth/reference/#oidc_userinfo_endpoint

Methods

addTokenResponse

  • addTokenResponse(token): void

  • Add a Globus Auth token response to storage, if other_tokens are present they are also added. This method is mostly used internally by the AuthorizationManager, but can be used by downstream consumers to add tokens to storage if necessary.

    Parameters

    • token: Token | TokenResponse

    Returns void

getGlobusAuthToken

handleAuthorizationRequirementsError

  • handleAuthorizationRequirementsError(response, options?): Promise<void>

  • Process a well-formed Authorization Requirements error response from a Globus service and redirect the user to the Globus Auth login page with the necessary parameters.

    Parameters

    • response: AuthorizationRequirementsError
    • Optionaloptions: {
          additionalParams?: {
              [key: string]: string;
          };
      }
      • OptionaladditionalParams?: {
            [key: string]: string;
        }
        • [key: string]: string

    Returns Promise<void>

handleCodeRedirect

  • handleCodeRedirect(options?): Promise<any>

  • This method will attempt to complete the PKCE protocol flow.

    Parameters

    • options: {
          additionalParams?: {
              [key: string]: string;
          };
          shouldReplace: undefined | boolean;
      } = ...
      • OptionaladditionalParams?: {
            [key: string]: string;
        }
        • [key: string]: string
      • shouldReplace: undefined | boolean

    Returns Promise<any>

handleConsentRequiredError

  • handleConsentRequiredError(response, options?): Promise<void>

  • Process a well-formed ConsentRequired error response from a Globus service and redirect the user to the Globus Auth login page with the necessary parameters.

    Parameters

    • response: ConsentRequiredError
    • Optionaloptions: {
          additionalParams?: {
              [key: string]: string;
          };
      }
      • OptionaladditionalParams?: {
            [key: string]: string;
        }
        • [key: string]: string

    Returns Promise<void>

handleErrorResponse

  • handleErrorResponse(response, options?): Promise<void>

  • Handle an error response from a Globus service in the context of this AuthorizationManager. This method will introspect the response and attempt to handle any errors that should result in some additional Globus Auth interaction.

    Parameters

    • response: Record<string, unknown>

      The error response from a Globus service.

    • Optionaloptions: true | {
          additionalParams?: {
              [key: string]: string;
          };
          execute?: true;
      }

      Options for handling the error response. If a boolean is provided, this will be treated as the options.execute value.

    Returns Promise<void>

  • handleErrorResponse(response, options?): Promise<(() => Promise<void>)>

  • Parameters

    • response: Record<string, unknown>
    • Optionaloptions: false | {
          additionalParams?: {
              [key: string]: string;
          };
          execute?: false;
      }

    Returns Promise<(() => Promise<void>)>

hasGlobusAuthToken

login

  • login(options?): Promise<void>

  • Initiate the login process by redirecting to the Globus Auth login page.

    IMPORTANT: This method will reset the instance state before initiating the login process, including clearing all tokens from storage. If you need to maintain the current state, use the AuthorizationManager.prompt method.

    Parameters

    • options: {
          additionalParams: {};
      } = ...
      • additionalParams: {}

      Returns Promise<void>

    prompt

    refreshToken

    • refreshToken(token): Promise<null | TokenResponse>

    • Use the refresh_token attribute of a token to obtain a new access token.

      Parameters

      • token: TokenWithRefresh

        The well-formed token with a refresh_token attribute.

      Returns Promise<null | TokenResponse>

    refreshTokens

    • refreshTokens(): Promise<PromiseSettledResult<null | TokenResponse>[]>

    • Attempt to refresh all of the tokens managed by the instance. This method will only attempt to refresh tokens that have a refresh_token attribute.

      Returns Promise<PromiseSettledResult<null | TokenResponse>[]>

    reset

    • reset(): void

    • Reset the authenticated state and clear all tokens from storage. This method does not emit the revoke event. If you need to emit the revoke event, use the AuthorizationManager.revoke method.

      Returns void

    revoke

    • revoke(): Promise<void>

    • Call AuthroizationManager.reset, revoke all of the available tokns, and emit the revoke event.

      Returns Promise<void>

      Emits

      AuthorizationManager.events#revoke

      See

      AuthorizationManager.reset

    Settings

    Member Visibility

    On This Page

    Registering your Globus Application
    Constructors
    Properties
    Accessors
    Methods