Enhance authentication and UserProfile component for AsgardeoV2

.changeset/cute-houses-beam.md

@@ -0,0 +1,7 @@
+---
+'@asgardeo/javascript': minor
+'@asgardeo/nuxt': minor
+'@asgardeo/vue': minor
+---
+
+Add AsgardeoV2 platform support with Basic Auth token requests, platform-aware sign-out/profile handling in Nuxt, and updated component exports in Vue

packages/javascript/src/__legacy__/client.ts

@@ -32,8 +32,10 @@ import {Platform} from '../models/platforms';
 import {SessionData, UserSession} from '../models/session';
 import {Storage, TemporaryStore} from '../models/store';
 import {TokenResponse, IdToken, TokenExchangeRequestConfig} from '../models/token';
+import {TokenEndpointAuthMethod} from '../models/token-endpoint-auth';
 import {User} from '../models/user';
 import StorageManager from '../StorageManager';
+import base64Encode from '../utils/base64Encode';
 import deepMerge from '../utils/deepMerge';
 import extractPkceStorageKeyFromState from '../utils/extractPkceStorageKeyFromState';
 import generatePkceStorageKey from '../utils/generatePkceStorageKey';
@@ -377,7 +379,12 @@ export class AsgardeoAuthClient<T> {
 
     body.set('client_id', configData.clientId);
 
-    if (configData.clientSecret && configData.clientSecret.trim().length > 0) {
+    const hasSecret: boolean = Boolean(configData.clientSecret && configData.clientSecret.trim().length > 0);
+    const tokenEndpointAuthMethod: TokenEndpointAuthMethod =
+      configData.tokenRequest?.authMethod ??
+      ((configData as any).platform === Platform.AsgardeoV2 ? 'client_secret_basic' : 'client_secret_post');
+
+    if (hasSecret && tokenEndpointAuthMethod === 'client_secret_post') {
       body.set('client_secret', configData.clientSecret);
     }
 
@@ -403,16 +410,25 @@ export class AsgardeoAuthClient<T> {
       await this.storageManager.removeTemporaryDataParameter(extractPkceStorageKeyFromState(state), userId);
     }
 
+    const tokenRequestHeaders: Record<string, string> = {
+      Accept: 'application/json',
+      'Content-Type': 'application/x-www-form-urlencoded',
+    };
+
+    if (hasSecret && tokenEndpointAuthMethod === 'client_secret_basic') {
+      const credential: string = `${encodeURIComponent(configData.clientId)}:${encodeURIComponent(
+        configData.clientSecret,
+      )}`;
+      tokenRequestHeaders['Authorization'] = `Basic ${base64Encode(credential)}`;
+    }
+
     let tokenResponse: Response;
 
     try {
       tokenResponse = await fetch(tokenEndpoint, {
         body,
         credentials: configData.sendCookiesInRequests ? 'include' : 'same-origin',
-        headers: {
-          Accept: 'application/json',
-          'Content-Type': 'application/x-www-form-urlencoded',
-        },
+        headers: tokenRequestHeaders,
         method: 'POST',
       });
     } catch (error: any) {

packages/javascript/src/__legacy__/models/client-config.ts

@@ -19,6 +19,7 @@
 import {OAuthResponseMode} from '../../models/oauth-response';
 import {OIDCEndpoints} from '../../models/oidc-endpoints';
 import {Platform} from '../../models/platforms';
+import {TokenEndpointAuthMethod} from '../../models/token-endpoint-auth';
 
 export interface DefaultAuthClientConfig {
   afterSignInUrl: string;
@@ -59,6 +60,14 @@ export interface DefaultAuthClientConfig {
    */
   sendCookiesInRequests?: boolean;
   sendIdTokenInLogoutRequest?: boolean;
+  tokenRequest?: {
+    /**
+     * OAuth 2.0 client authentication method used at the token endpoint.
+     * When omitted, defaults to `client_secret_basic` for AsgardeoV2 and
+     * `client_secret_post` for all other platforms.
+     */
+    authMethod?: TokenEndpointAuthMethod;
+  };
   tokenValidation?: {
     /**
      * ID token validation config.

packages/javascript/src/index.ts

@@ -171,6 +171,7 @@ export {
   SignOutOptions,
   SignUpOptions,
 } from './models/config';
+export {TokenEndpointAuthMethod} from './models/token-endpoint-auth';
 export type {ComponentRenderContext, ComponentRenderer, ComponentsExtensions} from './models/v2/extensions/components';
 export {TokenResponse, IdToken, TokenExchangeRequestConfig} from './models/token';
 export {AgentConfig} from './models/agent';

packages/javascript/src/models/config.ts

@@ -18,6 +18,7 @@
 
 import {I18nBundle} from '@asgardeo/i18n';
 import {Platform} from './platforms';
+import {TokenEndpointAuthMethod} from './token-endpoint-auth';
 import {RecursivePartial} from './utility-types';
 import {ComponentsExtensions} from './v2/extensions/components';
 import {ThemeConfig, ThemeMode} from '../theme/types';
@@ -323,6 +324,24 @@ export interface BaseConfig<T = unknown> extends WithPreferences, WithExtensions
     };
   };
 
+  /**
+   * Configuration for the token endpoint request.
+   */
+  tokenRequest?: {
+    /**
+     * OAuth 2.0 client authentication method used at the token endpoint.
+     * Maps to `token_endpoint_auth_method` in OIDC Discovery.
+     *
+     * - `client_secret_basic` — Credentials in the `Authorization: Basic` header.
+     * - `client_secret_post` — Credentials in the POST body.
+     * - `none` — No client authentication (public clients).
+     *
+     * When omitted the SDK applies its platform-based default:
+     * AsgardeoV2 → `client_secret_basic`; all others → `client_secret_post`.
+     */
+    authMethod?: TokenEndpointAuthMethod;
+  };
+
   /**
    * Token validation configuration.
    * This allows you to configure how the SDK validates tokens received from the authorization server.

packages/javascript/src/models/token-endpoint-auth.ts

@@ -0,0 +1,30 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * OAuth 2.0 client authentication method used at the token endpoint.
+ * Corresponds to the `token_endpoint_auth_method` parameter in OIDC Discovery.
+ *
+ * - `client_secret_basic` — HTTP Basic authentication: credentials are sent in the
+ *   `Authorization: Basic base64(client_id:client_secret)` header (RFC 6749 §2.3.1).
+ *   Required for AsgardeoV2 (Thunder) by default.
+ * - `client_secret_post` — Credentials are sent as `client_id` / `client_secret`
+ *   parameters in the POST body (RFC 6749 §2.3.1). Default for all other platforms.
+ * - `none` — No client authentication (public clients that have no client secret).
+ */
+export type TokenEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'none';

packages/javascript/src/utils/base64Encode.ts

@@ -0,0 +1,45 @@
+/**
+ * Copyright (c) 2026, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import * as jose from 'jose';
+
+/**
+ * Encodes a string to standard base64 using `jose` (already a package dependency).
+ *
+ * `jose.base64url.encode` is environment-agnostic (browser, Node.js, Deno, Bun,
+ * edge/service-worker runtimes). It produces base64url output, which is then
+ * converted to standard base64 by restoring the `+`/`/` characters and adding
+ * `=` padding.
+ *
+ * @param value - The UTF-8 string to encode.
+ * @returns The standard base64-encoded string (with `+`, `/`, and `=` padding).
+ *
+ * @example
+ * ```typescript
+ * base64Encode('clientId:clientSecret'); // "Y2xpZW50SWQ6Y2xpZW50U2VjcmV0"
+ * ```
+ */
+const base64Encode = (value: string): string => {
+  const b64url: string = jose.base64url.encode(new TextEncoder().encode(value));
+  const rem: number = b64url.length % 4;
+  const padded: string = rem === 0 ? b64url : b64url + '='.repeat(4 - rem);
+
+  return padded.replace(/-/g, '+').replace(/_/g, '/');
+};
+
+export default base64Encode;

packages/nuxt/src/module.ts

@@ -100,21 +100,25 @@ export default defineNuxtModule<AsgardeoNuxtConfig>({
         applicationId: publicConfig.applicationId,
         baseUrl: publicConfig.baseUrl,
         clientId: publicConfig.clientId,
+        platform: publicConfig.platform,
         preferences: publicConfig.preferences,
         scopes: publicConfig.scopes,
         signInUrl: publicConfig.signInUrl,
         signUpUrl: publicConfig.signUpUrl,
+        tokenRequest: publicConfig.tokenRequest,
       },
     ) as {
       afterSignInUrl: string;
       afterSignOutUrl: string;
       applicationId?: string;
       baseUrl: string;
       clientId: string;
+      platform?: AsgardeoNuxtConfig['platform'];
       preferences: AsgardeoNuxtConfig['preferences'];
       scopes: string[];
       signInUrl?: string;
       signUpUrl?: string;
+      tokenRequest?: AsgardeoNuxtConfig['tokenRequest'];
     };
 
     // Ensure clientSecret never leaks to public config
@@ -342,6 +346,7 @@ declare module '@nuxt/schema' {
       applicationId?: string;
       baseUrl: string;
       clientId: string;
+      platform?: AsgardeoNuxtConfig['platform'];
       preferences?: AsgardeoNuxtConfig['preferences'];
       scopes: string[];
       signInUrl?: string;

packages/nuxt/src/runtime/server/AsgardeoNuxtClient.ts

@@ -19,6 +19,7 @@
 import {
   AsgardeoNodeClient,
   LegacyAsgardeoNodeClient,
+  Platform,
   type AuthClientConfig,
   type IdToken,
   type Organization,
@@ -117,7 +118,9 @@ class AsgardeoNuxtClient extends AsgardeoNodeClient<AsgardeoNuxtConfig> {
       clientId: config.clientId as string,
       clientSecret: config.clientSecret || undefined,
       enablePKCE: true,
+      platform: config.platform,
       scopes: config.scopes || ['openid', 'profile'],
+      tokenRequest: config.tokenRequest,
     } as AuthClientConfig<AsgardeoNuxtConfig>;
 
     const result: boolean = await this.legacy.initialize(authConfig, storage);
@@ -300,9 +303,22 @@ class AsgardeoNuxtClient extends AsgardeoNodeClient<AsgardeoNuxtConfig> {
   /**
    * Clears the session and returns the RP-Initiated Logout URL.
    * Accepts either `(sessionId: string)` or `(options?, sessionId?, callback?)`.
+   *
+   * For AsgardeoV2 (Thunder), RP-Initiated Logout is not yet supported by the platform.
+   * Skip the /oidc/logout call and return afterSignOutUrl directly — the caller
+   * (signout.post.ts) is responsible for clearing session cookies.
    */
   override async signOut(...args: any[]): Promise<string> {
     const sessionId: string = typeof args[0] === 'string' ? args[0] : (args[1] as string);
+
+    const configData: AuthClientConfig<AsgardeoNuxtConfig> | undefined = (await this.legacy.getConfigData?.()) as
+      | AuthClientConfig<AsgardeoNuxtConfig>
+      | undefined;
+
+    if ((configData as any)?.platform === Platform.AsgardeoV2) {
+      return (configData?.afterSignOutUrl as string) || (configData?.afterSignInUrl as string) || '/';
+    }
+
     return this.legacy.signOut(sessionId);
   }
 
@@ -344,6 +360,12 @@ class AsgardeoNuxtClient extends AsgardeoNodeClient<AsgardeoNuxtConfig> {
       | undefined;
     const baseUrl: string = (configData?.baseUrl ?? '') as string;
 
+    // AsgardeoV2 (Thunder) does not support SCIM2 — return ID token claims directly.
+    if ((configData as any)?.platform === Platform.AsgardeoV2) {
+      const user: User = await this.getUser(sessionId);
+      return {flattenedProfile: user, profile: user, schemas: []};
+    }
+
     try {
       const authHeaders: Record<string, string> = {Authorization: `Bearer ${accessToken}`};
 
@@ -423,6 +445,11 @@ class AsgardeoNuxtClient extends AsgardeoNodeClient<AsgardeoNuxtConfig> {
       | undefined;
     const baseUrl: string = (configData?.baseUrl ?? '') as string;
 
+    // AsgardeoV2 (Thunder) does not support SCIM2 profile updates.
+    if ((configData as any)?.platform === Platform.AsgardeoV2) {
+      throw new Error('Profile updates are not supported for the AsgardeoV2 (Thunder) platform.');
+    }
+
     return updateMeProfile({
       ...config, // pass-through, includes payload
       baseUrl,

packages/nuxt/src/runtime/server/plugins/asgardeo-ssr.ts

@@ -100,7 +100,9 @@ export default defineNitroPlugin((nitro: {hooks: {hook: Function}}) => {
           baseUrl: publicConfig.baseUrl,
           clientId: publicConfig.clientId,
           clientSecret: privateConfig?.clientSecret || undefined,
+          platform: publicConfig.platform,
           scopes: publicConfig.scopes || ['openid', 'profile'],
+          tokenRequest: publicConfig.tokenRequest,
         });
       } catch (err) {
         log.error('Failed to initialize Asgardeo client:', err);

packages/nuxt/src/runtime/server/routes/auth/user/profile.patch.ts

@@ -16,9 +16,11 @@
  * under the License.
  */
 
+import {Platform} from '@asgardeo/node';
 import type {UpdateMeProfileConfig, User} from '@asgardeo/node';
 import {defineEventHandler, readBody, createError} from 'h3';
 import type {H3Event} from 'h3';
+import type {AsgardeoNuxtConfig} from '../../../../types';
 import AsgardeoNuxtClient from '../../../AsgardeoNuxtClient';
 import {verifyAndRehydrateSession} from '../../../utils/serverSession';
 import {useRuntimeConfig} from '#imports';
@@ -36,6 +38,14 @@ export default defineEventHandler(
   async (event: H3Event): Promise<{data: {user: User}; error: string; success: boolean}> => {
     const config: ReturnType<typeof useRuntimeConfig> = useRuntimeConfig();
     const sessionSecret: string | undefined = config.asgardeo?.sessionSecret;
+    const publicConfig: AsgardeoNuxtConfig = config.public.asgardeo as AsgardeoNuxtConfig;
+
+    if ((publicConfig?.platform as any) === Platform.AsgardeoV2) {
+      throw createError({
+        statusCode: 501,
+        statusMessage: 'Profile updates are not supported for the AsgardeoV2 (Thunder) platform.',
+      });
+    }
 
     const session: Awaited<ReturnType<typeof verifyAndRehydrateSession>> = await verifyAndRehydrateSession(
       event,

packages/nuxt/src/runtime/types.ts

@@ -16,7 +16,15 @@
  * under the License.
  */
 
-import type {BrandingPreference, I18nPreferences, Organization, User, UserProfile} from '@asgardeo/node';
+import type {
+  BrandingPreference,
+  I18nPreferences,
+  Organization,
+  Platform,
+  TokenEndpointAuthMethod,
+  User,
+  UserProfile,
+} from '@asgardeo/node';
 import type {JWTPayload} from 'jose';
 
 /**
@@ -38,6 +46,12 @@ export interface AsgardeoNuxtConfig {
   clientId?: string;
   /** OAuth2 Client Secret (server-only, use ASGARDEO_CLIENT_SECRET env var) */
   clientSecret?: string;
+  /**
+   * Identity platform variant. Set to `Platform.AsgardeoV2` when connecting to
+   * a Thunder (AsgardeoV2) instance. Forwarded to the underlying Node client so
+   * platform-specific behaviours (e.g. issuer resolution) apply correctly.
+   */
+  platform?: keyof typeof Platform;
   /**
    * Feature-gating preferences that control which server-side data fetches
    * the Nitro plugin performs on every SSR request.
@@ -83,6 +97,17 @@ export interface AsgardeoNuxtConfig {
    * here instead of deriving the URL from `baseUrl`/`clientId`.
    */
   signUpUrl?: string;
+  /**
+   * Configuration for the token endpoint request.
+   */
+  tokenRequest?: {
+    /**
+     * OAuth 2.0 client authentication method used at the token endpoint.
+     * Defaults to `client_secret_basic` for AsgardeoV2 and `client_secret_post`
+     * for all other platforms when not specified.
+     */
+    authMethod?: TokenEndpointAuthMethod;
+  };
 }
 
 /**