@azure/identity 1.0.0-preview.1 → 1.0.0-preview.2

package/src/credentials/deviceCodeCredential.ts

@@ -0,0 +1,203 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import qs from "qs";
+import { TokenCredential, GetTokenOptions, AccessToken, delay } from "@azure/core-http";
+import { IdentityClientOptions, IdentityClient, TokenResponse } from "../client/identityClient";
+import { AuthenticationError } from "../client/errors";
+
+/**
+ * An internal interface that contains the verbatim devicecode response.
+ * This interface does not get exported from the public interface of the
+ * library.
+ */
+export interface DeviceCodeResponse {
+  device_code: string,
+  user_code: string,
+  verification_uri: string,
+  expires_in: number,
+  interval: number,
+  message: string
+}
+
+/**
+ * Provides the user code and verification URI where the code must be
+ * entered.  Also provides a message to display to the user which
+ * contains an instruction with these details.
+ */
+export interface DeviceCodeDetails {
+  userCode: string,
+  verificationUri: string,
+  message: string
+}
+
+/**
+ * Defines the signature of a callback which will be passed to
+ * DeviceCodeCredential for the purpose of displaying authentication
+ * details to the user.
+ */
+export type DeviceCodePromptCallback = (deviceCodeDetails: DeviceCodeDetails) => void;
+
+/**
+ * Enables authentication to Azure Active Directory using a device code
+ * that the user can enter into https://microsoft.com/devicelogin.
+ */
+export class DeviceCodeCredential implements TokenCredential {
+  private identityClient: IdentityClient;
+  private tenantId: string;
+  private clientId: string;
+  private userPromptCallback: DeviceCodePromptCallback;
+  private lastTokenResponse: TokenResponse | null = null;
+
+  /**
+   * Creates an instance of DeviceCodeCredential with the details needed
+   * to initiate the device code authorization flow with Azure Active Directory.
+   *
+   * @param tenantId The Azure Active Directory tenant (directory) ID or name.
+   * @param clientId The client (application) ID of an App Registration in the tenant.
+   * @param userPromptCallback A callback function that will be invoked to show
+                               {@link DeviceCodeDetails} to the user.
+   * @param options Options for configuring the client which makes the authentication request.
+   */
+  constructor(
+    tenantId: string,
+    clientId: string,
+    userPromptCallback: DeviceCodePromptCallback,
+    options?: IdentityClientOptions
+  ) {
+    this.identityClient = new IdentityClient(options);
+    this.tenantId = tenantId;
+    this.clientId = clientId;
+    this.userPromptCallback = userPromptCallback;
+  }
+
+  private async sendDeviceCodeRequest(
+    scope: string,
+    options?: GetTokenOptions
+  ): Promise<DeviceCodeResponse> {
+    const webResource = this.identityClient.createWebResource({
+      url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/devicecode`,
+      method: "POST",
+      disableJsonStringifyOnBody: true,
+      deserializationMapper: undefined,
+      body: qs.stringify({
+        client_id: this.clientId,
+        scope
+      }),
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      abortSignal: options && options.abortSignal
+    });
+
+    const response = await this.identityClient.sendRequest(webResource);
+    if (!(response.status === 200 || response.status === 201)) {
+      throw new AuthenticationError(response.status, response.bodyAsText);
+    }
+
+    return response.parsedBody as DeviceCodeResponse;
+  }
+
+  private async pollForToken(
+    deviceCodeResponse: DeviceCodeResponse,
+    options?: GetTokenOptions
+  ): Promise<TokenResponse | null> {
+    let tokenResponse: TokenResponse | null = null;
+
+    const webResource = this.identityClient.createWebResource({
+      url: `${this.identityClient.authorityHost}/${this.tenantId}/oauth2/v2.0/token`,
+      method: "POST",
+      disableJsonStringifyOnBody: true,
+      deserializationMapper: undefined,
+      body: qs.stringify({
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code",
+        client_id: this.clientId,
+        device_code: deviceCodeResponse.device_code
+      }),
+      headers: {
+        Accept: "application/json",
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      abortSignal: options && options.abortSignal
+    });
+
+    while (tokenResponse === null) {
+      try {
+        await delay(deviceCodeResponse.interval * 1000);
+
+        // Check the abort signal before sending the request
+        if (options && options.abortSignal && options.abortSignal.aborted) {
+          return null;
+        }
+
+        tokenResponse = await this.identityClient.sendTokenRequest(webResource);
+      } catch (err) {
+        if (err instanceof AuthenticationError) {
+          switch (err.errorResponse.error) {
+            case "authorization_pending":
+              break;
+            case "authorization_declined":
+              return null;
+            case "expired_token":
+              throw err;
+            case "bad_verification_code":
+              throw err;
+          }
+        } else {
+          throw err;
+        }
+      }
+    }
+
+    return tokenResponse;
+  }
+
+  /**
+   * Authenticates with Azure Active Directory and returns an {@link AccessToken} if
+   * successful.  If authentication cannot be performed at this time, this method may
+   * return null.  If an error occurs during authentication, an {@link AuthenticationError}
+   * containing failure details will be thrown.
+   *
+   * @param scopes The list of scopes for which the token will have access.
+   * @param options The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  public async getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    let tokenResponse: TokenResponse | null = null;
+    let scopeString = typeof scopes === "string" ? scopes : scopes.join(" ");
+    if (scopeString.indexOf("offline_access") < 0) {
+      scopeString += " offline_access";
+    }
+
+    // Try to use the refresh token first
+    if (this.lastTokenResponse && this.lastTokenResponse.refreshToken) {
+      tokenResponse = await this.identityClient.refreshAccessToken(
+        this.tenantId,
+        this.clientId,
+        scopeString,
+        this.lastTokenResponse.refreshToken,
+        undefined, // clientSecret not needed for device code auth
+        undefined,
+        options);
+    }
+
+    if (tokenResponse === null) {
+      const deviceCodeResponse = await this.sendDeviceCodeRequest(scopeString, options);
+
+      this.userPromptCallback({
+        userCode: deviceCodeResponse.user_code,
+        verificationUri: deviceCodeResponse.verification_uri,
+        message: deviceCodeResponse.message
+      });
+
+      tokenResponse = await this.pollForToken(deviceCodeResponse, options);
+    }
+
+    this.lastTokenResponse = tokenResponse;
+    return (tokenResponse && tokenResponse.accessToken) || null;
+  }
+}

package/src/credentials/environmentCredential.browser.ts

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { AccessToken, TokenCredential, GetTokenOptions } from "@azure/core-http";
+import { IdentityClientOptions } from "../client/identityClient";
+
+const BrowserNotSupportedError = new Error("EnvironmentCredential is not supported in the browser.");
+
+export class EnvironmentCredential implements TokenCredential {
+  constructor(options?: IdentityClientOptions) {
+    throw BrowserNotSupportedError;
+  }
+
+  getToken(scopes: string | string[], options?: GetTokenOptions): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}

package/src/credentials/environmentCredential.ts

@@ -1,18 +1,18 @@
 // Copyright (c) Microsoft Corporation.
 // Licensed under the MIT License.
 
-import { AccessToken, TokenCredential, isNode, GetTokenOptions } from "@azure/core-http";
+import { AccessToken, TokenCredential, GetTokenOptions } from "@azure/core-http";
 import { IdentityClientOptions } from "../client/identityClient";
 import { ClientSecretCredential } from "./clientSecretCredential";
 
 /**
  * Enables authentication to Azure Active Directory using client secret
  * details configured in the following environment variables:
- * 
+ *
  * - AZURE_TENANT_ID: The Azure Active Directory tenant (directory) ID.
  * - AZURE_CLIENT_ID: The client (application) ID of an App Registration in the tenant.
  * - AZURE_CLIENT_SECRET: A client secret that was generated for the App Registration.
- * 
+ *
  * This credential ultimately uses a {@link ClientSecretCredential} to
  * perform the authentication using these details.  Please consult the
  * documentation of that class for more details.
@@ -24,14 +24,10 @@ export class EnvironmentCredential implements TokenCredential {
    * client secret details from environment variables.  If the expected
    * environment variables are not found at this time, the getToken method
    * will return null when invoked.
-   * 
+   *
    * @param options Options for configuring the client which makes the authentication request.
    */
   constructor(options?: IdentityClientOptions) {
-    if (!isNode) {
-      throw "EnvironmentCredential is only supported when running in Node.js.";
-    }
-
     const tenantId = process.env.AZURE_TENANT_ID,
       clientId = process.env.AZURE_CLIENT_ID,
       clientSecret = process.env.AZURE_CLIENT_SECRET;
@@ -46,7 +42,7 @@ export class EnvironmentCredential implements TokenCredential {
    * successful.  If authentication cannot be performed at this time, this method may
    * return null.  If an error occurs during authentication, an {@link AuthenticationError}
    * containing failure details will be thrown.
-   * 
+   *
    * @param scopes The list of scopes for which the token will have access.
    * @param options The options used to configure any requests this
    *                TokenCredential implementation might make.

package/src/credentials/interactiveBrowserCredential.browser.ts

@@ -0,0 +1,134 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import * as msal from "msal";
+import { AccessToken, TokenCredential, GetTokenOptions } from "@azure/core-http";
+import { IdentityClient } from "../client/identityClient";
+import { BrowserLoginStyle, InteractiveBrowserCredentialOptions } from "./interactiveBrowserCredentialOptions";
+
+/**
+ * Enables authentication to Azure Active Directory inside of the web browser
+ * using the interactive login flow, either via browser redirects or a popup
+ * window.
+ */
+export class InteractiveBrowserCredential implements TokenCredential {
+  private loginStyle: BrowserLoginStyle;
+  private msalConfig: msal.Configuration;
+  private msalObject: msal.UserAgentApplication;
+
+  /**
+   * Creates an instance of the InteractiveBrowserCredential with the
+   * details needed to authenticate against Azure Active Directory with
+   * a user identity.
+   *
+   * @param tenantId The Azure Active Directory tenant (directory) ID.
+   * @param clientId The client (application) ID of an App Registration in the tenant.
+   * @param options Options for configuring the client which makes the authentication request.
+   */
+  constructor(
+    tenantId: string,
+    clientId: string,
+    options?: InteractiveBrowserCredentialOptions
+  ) {
+    options = { ...IdentityClient.getDefaultOptions(), ...options };
+
+    this.loginStyle = options.loginStyle || "popup";
+    if (["redirect", "popup"].indexOf(this.loginStyle) === -1) {
+        throw new Error(`Invalid loginStyle: ${options.loginStyle}`);
+    }
+
+    this.msalConfig = {
+      auth: {
+        clientId: clientId,
+        authority: `${options.authorityHost}/${tenantId}`,
+        ...options.redirectUri && { redirectUri: options.redirectUri},
+        ...options.postLogoutRedirectUri && { redirectUri: options.postLogoutRedirectUri }
+      },
+      cache: {
+        cacheLocation: "localStorage",
+        storeAuthStateInCookie: true
+      }
+    };
+
+    this.msalObject = new msal.UserAgentApplication(this.msalConfig);
+  }
+
+  private login(): Promise<msal.AuthResponse> {
+    switch (this.loginStyle) {
+      case "redirect": {
+        const loginPromise = new Promise<msal.AuthResponse>((resolve, reject) => {
+          this.msalObject.handleRedirectCallback(resolve, reject);
+        });
+        this.msalObject.loginRedirect();
+        return loginPromise;
+      }
+      case "popup":
+        return this.msalObject.loginPopup();
+    }
+  }
+
+  private async acquireToken(authParams: msal.AuthenticationParameters): Promise<msal.AuthResponse | undefined> {
+    let authResponse: msal.AuthResponse | undefined;
+    try {
+      authResponse = await this.msalObject.acquireTokenSilent(authParams);
+    } catch (err) {
+      if (err instanceof msal.AuthError) {
+        switch (err.errorCode) {
+          case "consent_required":
+          case "interaction_required":
+          case "login_required":
+            break;
+          default:
+            throw err;
+        }
+      }
+    }
+
+    let authPromise: Promise<msal.AuthResponse> | undefined;
+    if (authResponse === undefined) {
+      switch (this.loginStyle) {
+        case "redirect":
+          authPromise = new Promise((resolve, reject) => {
+            this.msalObject.handleRedirectCallback(resolve, reject);
+          });
+          this.msalObject.acquireTokenRedirect(authParams);
+          break;
+        case "popup":
+          authPromise = this.msalObject.acquireTokenPopup(authParams);
+          break;
+      }
+
+      authResponse = authPromise && await authPromise;
+    }
+
+    return authResponse;
+  }
+
+  /**
+   *
+   * @param scopes The list of scopes for which the token will have access.
+   * @param options The options used to configure any requests this
+   *                TokenCredential implementation might make.
+   */
+  async getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions // eslint-disable-line @typescript-eslint/no-unused-vars
+  ): Promise<AccessToken | null> {
+    if (!this.msalObject.getAccount()) {
+      await this.login();
+    }
+
+    const authResponse = await this.acquireToken({
+      scopes: Array.isArray(scopes) ? scopes : scopes.split(',')
+    });
+
+    if (authResponse) {
+      return {
+        token: authResponse.accessToken,
+        expiresOnTimestamp: authResponse.expiresOn.getTime()
+      };
+    } else {
+      return null;
+    }
+  }
+}

package/src/credentials/interactiveBrowserCredential.ts

@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { TokenCredential, GetTokenOptions, AccessToken } from "@azure/core-http";
+import { InteractiveBrowserCredentialOptions } from "./interactiveBrowserCredentialOptions";
+
+const BrowserNotSupportedError = new Error("InteractiveBrowserCredential is not supported in Node.js.");
+
+/**
+ * Enables authentication to Azure Active Directory inside of the web browser
+ * using the interactive login flow, either via browser redirects or a popup
+ * window.  This credential is not currently supported in Node.js.
+ */
+export class InteractiveBrowserCredential implements TokenCredential {
+  constructor(
+    tenantId: string,
+    clientId: string,
+    options?: InteractiveBrowserCredentialOptions
+  ) {
+    throw BrowserNotSupportedError;
+  }
+
+  public getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}

package/src/credentials/interactiveBrowserCredentialOptions.ts

@@ -0,0 +1,30 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+import { IdentityClientOptions } from "../client/identityClient";
+
+export type BrowserLoginStyle = "redirect" | "popup";
+
+/**
+ * Defines options for the InteractiveBrowserCredential class.
+ */
+export interface InteractiveBrowserCredentialOptions extends IdentityClientOptions {
+  /**
+   * Specifies whether a redirect or a popup window should be used to
+   * initiate the user authentication flow. Possible values are "redirect"
+   * or "popup" (default).
+   */
+  loginStyle?: BrowserLoginStyle;
+
+  /**
+   * Gets the redirect URI of the application. This should be same as the value
+   * in the application registration portal.  Defaults to `window.location.href`.
+   */
+  redirectUri?: string | (() => string);
+
+  /**
+   * Gets the URI to which the user will be redirected when logging out.
+   * Defaults to `window.location.href`.
+   */
+  postLogoutRedirectUri?: string | (() => string);
+}

package/src/credentials/managedIdentityCredential.browser.ts

@@ -0,0 +1,22 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/* eslint-disable @typescript-eslint/no-unused-vars */
+
+import { AccessToken, GetTokenOptions, TokenCredential } from "@azure/core-http";
+import { IdentityClientOptions } from "../client/identityClient";
+
+const BrowserNotSupportedError = new Error("ManagedIdentityCredential is not supported in the browser.");
+
+export class ManagedIdentityCredential implements TokenCredential {
+  constructor(clientId?: string, options?: IdentityClientOptions) {
+    throw BrowserNotSupportedError;
+  }
+
+  public async getToken(
+    scopes: string | string[],
+    options?: GetTokenOptions
+  ): Promise<AccessToken | null> {
+    throw BrowserNotSupportedError;
+  }
+}