npm - @azure/identity - Versions diffs - 1.0.0-preview.1 → 1.0.0-preview.2 - Mend

@azure/identity 1.0.0-preview.1 → 1.0.0-preview.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @azure/identity might be problematic. Click here for more details.

Files changed (88) hide show

package/src/client/identityClient.ts CHANGED Viewed

@@ -2,44 +2,58 @@
 // Licensed under the MIT License.
 import qs from "qs";
-import jws from "jws";
-import uuid from "uuid";
 import {
   AccessToken,
   ServiceClient,
   ServiceClientOptions,
-  GetTokenOptions,
   WebResource,
   RequestPrepareOptions,
-  RestError
+  GetTokenOptions
 } from "@azure/core-http";
 import { AuthenticationError } from "./errors";
-const SelfSignedJwtLifetimeMins = 10;
 const DefaultAuthorityHost = "https://login.microsoftonline.com";
-const DefaultScopeSuffix = "/.default";
-export const ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
-export const ImdsApiVersion = "2018-02-01";
-export const AppServiceMsiApiVersion = "2017-09-01";
+/**
+ * An internal type used to communicate details of a token request's
+ * response that should not be sent back as part of the AccessToken.
+ */
+export interface TokenResponse {
+  /**
+   * The AccessToken to be returned from getToken.
+   */
+  accessToken: AccessToken,
+  /**
+   * The refresh token if the 'offline_access' scope was used.
+   */
+  refreshToken?: string
+}
 export class IdentityClient extends ServiceClient {
+  public authorityHost: string;
   constructor(options?: IdentityClientOptions) {
     options = options || IdentityClient.getDefaultOptions();
     super(undefined, options);
-    this.baseUri = options.authorityHost;
+    this.baseUri = this.authorityHost = options.authorityHost || DefaultAuthorityHost;
+    if (!this.baseUri.startsWith("https:")) {
+      throw new Error("The authorityHost address must use the 'https' protocol.");
+    }
   }
-  private createWebResource(requestOptions: RequestPrepareOptions): WebResource {
+  createWebResource(requestOptions: RequestPrepareOptions): WebResource {
     const webResource = new WebResource();
     webResource.prepare(requestOptions);
     return webResource;
   }
-  private async sendTokenRequest(
+  async sendTokenRequest(
     webResource: WebResource,
     expiresOnParser?: (responseBody: any) => number,
-  ): Promise<AccessToken | null> {
+  ): Promise<TokenResponse | null> {
     const response = await this.sendRequest(webResource);
     expiresOnParser = expiresOnParser || ((responseBody: any) => {
@@ -48,262 +62,66 @@ export class IdentityClient extends ServiceClient {
     if (response.status === 200 || response.status === 201) {
       return {
-        token: response.parsedBody.access_token,
-        expiresOnTimestamp: expiresOnParser(response.parsedBody)
+        accessToken: {
+          token: response.parsedBody.access_token,
+          expiresOnTimestamp: expiresOnParser(response.parsedBody)
+        },
+        refreshToken: response.parsedBody.refresh_token,
       };
     } else {
-      throw new AuthenticationError(response.status, response.bodyAsText);
+      throw new AuthenticationError(response.status, response.parsedBody || response.bodyAsText);
     }
   }
-  private mapScopesToResource(scopes: string | string[]): string {
-    let scope = "";
-    if (Array.isArray(scopes)) {
-      if (scopes.length !== 1) {
-        throw "To convert to a resource string the specified array must be exactly length 1";
-      }
-      scope = scopes[0];
-    } else if (typeof scopes === "string") {
-      scope = scopes;
-    }
-    if (!scope.endsWith(DefaultScopeSuffix)) {
-      return scope;
-    }
-    return scope.substr(0, scope.lastIndexOf(DefaultScopeSuffix));
-  }
-  private dateInSeconds(date: Date): number {
-    return Math.floor(date.getTime() / 1000);
-  }
-  private addMinutes(date: Date, minutes: number): Date {
-    date.setMinutes(date.getMinutes() + minutes);
-    return date;
-  }
-  private createImdsAuthRequest(resource: string, clientId?: string): RequestPrepareOptions {
-    const queryParameters: any = {
-      resource,
-      "api-version": ImdsApiVersion
-    };
-    if (clientId) {
-      queryParameters.client_id = clientId;
-    }
-    return {
-      url: ImdsEndpoint,
-      method: "GET",
-      queryParameters,
-      headers: {
-        Accept: "application/json",
-        Metadata: true
-      }
-    };
-  }
-  private createAppServiceMsiAuthRequest(resource: string, clientId?: string): RequestPrepareOptions {
-    const queryParameters: any = {
-      resource,
-      "api-version": AppServiceMsiApiVersion,
-    };
-    if (clientId) {
-      queryParameters.client_id = clientId;
-    }
-    return {
-      url: process.env.MSI_ENDPOINT,
-      method: "GET",
-      queryParameters,
-      headers: {
-        Accept: "application/json",
-        secret: process.env.MSI_SECRET
-      }
-    };
-  }
-  private createCloudShellMsiAuthRequest(resource: string, clientId?: string): RequestPrepareOptions {
-    const body: any = {
-      resource
-    };
-    if (clientId) {
-      body.client_id = clientId;
+  async refreshAccessToken(
+    tenantId: string,
+    clientId: string,
+    scopes: string,
+    refreshToken: string | undefined,
+    clientSecret: string | undefined,
+    expiresOnParser?: (responseBody: any) => number,
+    options?: GetTokenOptions
+  ): Promise<TokenResponse | null> {
+    if (refreshToken === undefined) {
+      return null;
     }
-    return {
-      url: process.env.MSI_ENDPOINT,
-      method: "POST",
-      body: qs.stringify(body),
-      headers: {
-        Accept: "application/json",
-        Metadata: true,
-        "Content-Type": "application/x-www-form-urlencoded"
-      }
+    const refreshParams = {
+      grant_type: "refresh_token",
+      client_id: clientId,
+      refresh_token: refreshToken,
+      scope: scopes
     };
-  }
-  private async pingImdsEndpoint(resource: string, clientId?: string): Promise<boolean> {
-    const request = this.createImdsAuthRequest(resource, clientId);
-    // This will always be populated, but let's make TypeScript happy
-    if (request.headers) {
-      // Remove the Metadata header to invoke a request error from
-      // IMDS endpoint
-      delete request.headers.Metadata;
+    if (clientSecret !== undefined) {
+      (refreshParams as any).client_secret = clientSecret;
     }
-    // Create a request with a 500 msec timeout since we expect that
-    // not having a "Metadata" header should cause an error to be
-    // returned quickly from the endpoint, proving its availability.
-    const webResource = this.createWebResource(request);
-    webResource.timeout = 500;
-    try {
-      await this.sendRequest(webResource);
-    } catch (err) {
-      if (err instanceof RestError && err.code === RestError.REQUEST_SEND_ERROR) {
-        // Either request failed or IMDS endpoint isn't available
-        return false;
-      }
-    }
-    // If we received any response, the endpoint is available
-    return true;
-  }
-  authenticateClientSecret(
-    tenantId: string,
-    clientId: string,
-    clientSecret: string,
-    scopes: string | string[],
-    getTokenOptions?: GetTokenOptions
-  ): Promise<AccessToken | null> {
     const webResource = this.createWebResource({
-      url: `${this.baseUri}/${tenantId}/oauth2/v2.0/token`,
+      url: `${this.authorityHost}/${tenantId}/oauth2/v2.0/token`,
       method: "POST",
       disableJsonStringifyOnBody: true,
       deserializationMapper: undefined,
-      body: qs.stringify({
-        response_type: "token",
-        grant_type: "client_credentials",
-        client_id: clientId,
-        client_secret: clientSecret,
-        scope: typeof scopes === "string" ? scopes : scopes.join(" ")
-      }),
+      body: qs.stringify(refreshParams),
       headers: {
         Accept: "application/json",
         "Content-Type": "application/x-www-form-urlencoded"
       },
-      abortSignal: getTokenOptions && getTokenOptions.abortSignal
+      abortSignal: options && options.abortSignal
     });
-    return this.sendTokenRequest(webResource);
-  }
-  async authenticateManagedIdentity(
-    scopes: string | string[],
-    checkIfImdsEndpointAvailable: boolean,
-    clientId?: string,
-    getTokenOptions?: GetTokenOptions
-  ): Promise<AccessToken | null> {
-    let authRequestOptions: RequestPrepareOptions;
-    const resource = this.mapScopesToResource(scopes);
-    let expiresInParser: ((requestBody: any) => number) | undefined;
-    // Detect which type of environment we are running in
-    if (process.env.MSI_ENDPOINT) {
-      if (process.env.MSI_SECRET) {
-        // Running in App Service
-        authRequestOptions = this.createAppServiceMsiAuthRequest(resource, clientId);
-        expiresInParser = (requestBody: any) => {
-          // Parse a date format like "06/20/2019 02:57:58 +00:00" and
-          // convert it into a JavaScript-formatted date
-          const m = requestBody.expires_on.match(/(\d\d)\/(\d\d)\/(\d\d\d\d) (\d\d):(\d\d):(\d\d) (\+|-)(\d\d):(\d\d)/)
-          return Date.parse(`${m[3]}-${m[1]}-${m[2]}T${m[4]}:${m[5]}:${m[6]}${m[7]}${m[8]}:${m[9]}`)
-        };
-      } else {
-        // Running in Cloud Shell
-        authRequestOptions = this.createCloudShellMsiAuthRequest(resource, clientId);
-      }
-    } else {
-      // Ping the IMDS endpoint to see if it's available
-      if (!checkIfImdsEndpointAvailable || await this.pingImdsEndpoint(resource, clientId)) {
-        // Running in an Azure VM
-        authRequestOptions = this.createImdsAuthRequest(resource, clientId);
-      } else {
-        // Returning null tells the ManagedIdentityCredential that
-        // no MSI authentication endpoints are available
+    try {
+      return await this.sendTokenRequest(webResource, expiresOnParser);
+    } catch (err) {
+      if (err instanceof AuthenticationError && err.errorResponse.error === "interaction_required") {
+        // It's likely that the refresh token has expired, so
+        // return null so that the credential implementation will
+        // initiate the authentication flow again.
         return null;
+      } else {
+        throw err;
       }
     }
-    const webResource = this.createWebResource({
-      disableJsonStringifyOnBody: true,
-      deserializationMapper: undefined,
-      abortSignal: getTokenOptions && getTokenOptions.abortSignal,
-      ...authRequestOptions
-    });
-    return this.sendTokenRequest(webResource, expiresInParser);
-  }
-  authenticateClientCertificate(
-    tenantId: string,
-    clientId: string,
-    certificateString: string,
-    certificateX5t: string,
-    scopes: string | string[],
-    getTokenOptions?: GetTokenOptions
-  ): Promise<AccessToken | null> {
-    const tokenId = uuid.v4();
-    const audienceUrl = `${this.baseUri}/${tenantId}/oauth2/v2.0/token`;
-    const header: jws.Header = {
-      typ: "JWT",
-      alg: "RS256",
-      x5t: certificateX5t
-    };
-    const payload = {
-      iss: clientId,
-      sub: clientId,
-      aud: audienceUrl,
-      jti: tokenId,
-      nbf: this.dateInSeconds(new Date()),
-      exp: this.dateInSeconds(this.addMinutes(new Date(), SelfSignedJwtLifetimeMins))
-    };
-    const clientAssertion = jws.sign({
-      header,
-      payload,
-      secret: certificateString
-    });
-    const webResource = this.createWebResource({
-      url: audienceUrl,
-      method: "POST",
-      disableJsonStringifyOnBody: true,
-      deserializationMapper: undefined,
-      body: qs.stringify({
-        response_type: "token",
-        grant_type: "client_credentials",
-        client_id: clientId,
-        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
-        client_assertion: clientAssertion,
-        scope: typeof scopes === "string" ? scopes : scopes.join(" ")
-      }),
-      headers: {
-        Accept: "application/json",
-        "Content-Type": "application/x-www-form-urlencoded"
-      },
-      abortSignal: getTokenOptions && getTokenOptions.abortSignal
-    });
-    return this.sendTokenRequest(webResource);
   }
   static getDefaultOptions(): IdentityClientOptions {
@@ -314,5 +132,5 @@ export class IdentityClient extends ServiceClient {
 }
 export interface IdentityClientOptions extends ServiceClientOptions {
-  authorityHost: string;
+  authorityHost?: string;
 }

package/src/credentials/clientCertificateCredential.browser.ts ADDED Viewed

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/* eslint-disable @typescript-eslint/no-unused-vars */
+import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
+import { IdentityClientOptions } from "../client/identityClient";
+const BrowserNotSupportedError = new Error("ClientCertificateCredential is not supported in the browser.");
+export class ClientCertificateCredential implements TokenCredential {
+  constructor(
+    tenantId: string,
+    clientId: string,
+    certificatePath: string,
+    options?: IdentityClientOptions
+  ) {
+    throw BrowserNotSupportedError;
+  }
+  public getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}

package/src/credentials/clientCertificateCredential.ts CHANGED Viewed

@@ -1,32 +1,45 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
+import qs from "qs";
+import jws from "jws";
+import uuid from "uuid";
 import { readFileSync } from "fs";
 import { createHash } from "crypto";
 import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
 import { IdentityClientOptions, IdentityClient } from "../client/identityClient";
+const SelfSignedJwtLifetimeMins = 10;
+function timestampInSeconds(date: Date): number {
+  return Math.floor(date.getTime() / 1000);
+}
+function addMinutes(date: Date, minutes: number): Date {
+  date.setMinutes(date.getMinutes() + minutes);
+  return date;
+}
 /**
  * Enables authentication to Azure Active Directory using a PEM-encoded
  * certificate that is assigned to an App Registration.  More information
  * on how to configure certificate authentication can be found here:
- *
+ *
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad
  *
  */
 export class ClientCertificateCredential implements TokenCredential {
   private identityClient: IdentityClient;
-  private _tenantId: string;
-  private _clientId: string;
-  private _certificateString: string;
-  public certificateThumbprint: string;
-  public certificateX5t: string;
+  private tenantId: string;
+  private clientId: string;
+  private certificateString: string;
+  private certificateThumbprint: string;
+  private certificateX5t: string;
   /**
    * Creates an instance of the ClientCertificateCredential with the details
    * needed to authenticate against Azure Active Directory with a certificate.
-   *
+   *
    * @param tenantId The Azure Active Directory tenant (directory) ID.
    * @param clientId The client (application) ID of an App Registration in the tenant.
    * @param certificatePath The path to a PEM-encoded public/private key certificate on the filesystem.
@@ -39,13 +52,13 @@ export class ClientCertificateCredential implements TokenCredential {
     options?: IdentityClientOptions
   ) {
     this.identityClient = new IdentityClient(options);
-    this._tenantId = tenantId;
-    this._clientId = clientId;
+    this.tenantId = tenantId;
+    this.clientId = clientId;
-    this._certificateString = readFileSync(certificatePath, "utf8");
+    this.certificateString = readFileSync(certificatePath, "utf8");
     const certificatePattern = /(-+BEGIN CERTIFICATE-+)(\n\r?|\r\n?)([A-Za-z0-9+/\n\r]+=*)(\n\r?|\r\n?)(-+END CERTIFICATE-+)/;
-    const matchCert = this._certificateString.match(certificatePattern);
+    const matchCert = this.certificateString.match(certificatePattern);
     const publicKey = matchCert ? matchCert[3] : "";
     if (!publicKey) {
       throw new Error(
@@ -66,22 +79,59 @@ export class ClientCertificateCredential implements TokenCredential {
    * successful.  If authentication cannot be performed at this time, this method may
    * return null.  If an error occurs during authentication, an {@link AuthenticationError}
    * containing failure details will be thrown.
-   *
+   *
    * @param scopes The list of scopes for which the token will have access.
    * @param options The options used to configure any requests this
    *                TokenCredential implementation might make.
    */
-  public getToken(
+  public async getToken(
     scopes: string | string[],
     options?: GetTokenOptions
   ): Promise<AccessToken | null> {
-    return this.identityClient.authenticateClientCertificate(
-      this._tenantId,
-      this._clientId,
-      this._certificateString,
-      this.certificateX5t,
-      scopes,
-      options
-    );
+    const tokenId = uuid.v4();
+    const audienceUrl = `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`;
+    const header: jws.Header = {
+      typ: "JWT",
+      alg: "RS256",
+      x5t: this.certificateX5t
+    };
+    const payload = {
+      iss: this.clientId,
+      sub: this.clientId,
+      aud: audienceUrl,
+      jti: tokenId,
+      nbf: timestampInSeconds(new Date()),
+      exp: timestampInSeconds(addMinutes(new Date(), SelfSignedJwtLifetimeMins))
+    };
+    const clientAssertion = jws.sign({
+      header,
+      payload,
+      secret: this.certificateString
+    });
+    const webResource = this.identityClient.createWebResource({
+      url: audienceUrl,
+      method: "POST",
+      disableJsonStringifyOnBody: true,
+      deserializationMapper: undefined,
+      body: qs.stringify({
+        response_type: "token",
+        grant_type: "client_credentials",
+        client_id: this.clientId,
+        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+        client_assertion: clientAssertion,
+        scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+      }),
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      abortSignal: options && options.abortSignal
+    });
+    const tokenResponse = await this.identityClient.sendTokenRequest(webResource);
+    return (tokenResponse && tokenResponse.accessToken) || null;
   }
 }

package/src/credentials/clientSecretCredential.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
+import qs from "qs";
 import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
 import { IdentityClientOptions, IdentityClient } from "../client/identityClient";
@@ -8,21 +9,21 @@ import { IdentityClientOptions, IdentityClient } from "../client/identityClient"
  * Enables authentication to Azure Active Directory using a client secret
  * that was generated for an App Registration.  More information on how
  * to configure a client secret can be found here:
- *
+ *
  * https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application
  *
  */
 export class ClientSecretCredential implements TokenCredential {
   private identityClient: IdentityClient;
-  private _tenantId: string;
-  private _clientId: string;
-  private _clientSecret: string;
+  private tenantId: string;
+  private clientId: string;
+  private clientSecret: string;
   /**
    * Creates an instance of the ClientSecretCredential with the details
    * needed to authenticate against Azure Active Directory with a client
    * secret.
-   *
+   *
    * @param tenantId The Azure Active Directory tenant (directory) ID.
    * @param clientId The client (application) ID of an App Registration in the tenant.
    * @param clientSecret A client secret that was generated for the App Registration.
@@ -35,9 +36,9 @@ export class ClientSecretCredential implements TokenCredential {
     options?: IdentityClientOptions
   ) {
     this.identityClient = new IdentityClient(options);
-    this._tenantId = tenantId;
-    this._clientId = clientId;
-    this._clientSecret = clientSecret;
+    this.tenantId = tenantId;
+    this.clientId = clientId;
+    this.clientSecret = clientSecret;
   }
   /**
@@ -45,21 +46,35 @@ export class ClientSecretCredential implements TokenCredential {
    * successful.  If authentication cannot be performed at this time, this method may
    * return null.  If an error occurs during authentication, an {@link AuthenticationError}
    * containing failure details will be thrown.
-   *
+   *
    * @param scopes The list of scopes for which the token will have access.
    * @param options The options used to configure any requests this
    *                TokenCredential implementation might make.
    */
-  public getToken(
+  public async getToken(
     scopes: string | string[],
     options?: GetTokenOptions
   ): Promise<AccessToken | null> {
-    return this.identityClient.authenticateClientSecret(
-      this._tenantId,
-      this._clientId,
-      this._clientSecret,
-      scopes,
-      options
-    );
+    const webResource = this.identityClient.createWebResource({
+      url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
+      method: "POST",
+      disableJsonStringifyOnBody: true,
+      deserializationMapper: undefined,
+      body: qs.stringify({
+        response_type: "token",
+        grant_type: "client_credentials",
+        client_id: this.clientId,
+        client_secret: this.clientSecret,
+        scope: typeof scopes === "string" ? scopes : scopes.join(" ")
+      }),
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      abortSignal: options && options.abortSignal
+    });
+    const tokenResponse = await this.identityClient.sendTokenRequest(webResource);
+    return (tokenResponse && tokenResponse.accessToken) || null;
   }
 }

package/src/credentials/deviceCodeCredential.browser.ts ADDED Viewed

@@ -0,0 +1,27 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+/* eslint-disable @typescript-eslint/no-unused-vars */
+import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
+import { IdentityClientOptions } from "../client/identityClient";
+const BrowserNotSupportedError = new Error("DeviceCodeCredential is not supported in the browser.");
+export class DeviceCodeCredential implements TokenCredential {
+  constructor(
+    tenantId: string,
+    clientId: string,
+    userPromptCallback: (details: any) => void,
+    options?: IdentityClientOptions
+  ) {
+    throw BrowserNotSupportedError;
+  }
+  public getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}