@azure/msal-browser 4.25.1 → 4.26.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/IPublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientNext.mjs +1 -1
- package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
- package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
- package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
- package/dist/cache/AccountManager.mjs +1 -1
- package/dist/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/cache/BrowserCacheManager.d.ts +64 -7
- package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
- package/dist/cache/BrowserCacheManager.mjs +400 -141
- package/dist/cache/BrowserCacheManager.mjs.map +1 -1
- package/dist/cache/CacheHelpers.mjs +1 -1
- package/dist/cache/CacheKeys.d.ts +3 -3
- package/dist/cache/CacheKeys.mjs +4 -4
- package/dist/cache/CookieStorage.mjs +1 -1
- package/dist/cache/DatabaseStorage.mjs +1 -1
- package/dist/cache/EncryptedData.mjs +1 -1
- package/dist/cache/IWindowStorage.d.ts +1 -1
- package/dist/cache/IWindowStorage.d.ts.map +1 -1
- package/dist/cache/LocalStorage.d.ts +1 -1
- package/dist/cache/LocalStorage.d.ts.map +1 -1
- package/dist/cache/LocalStorage.mjs +21 -12
- package/dist/cache/LocalStorage.mjs.map +1 -1
- package/dist/cache/MemoryStorage.mjs +1 -1
- package/dist/cache/SessionStorage.mjs +1 -1
- package/dist/cache/TokenCache.d.ts.map +1 -1
- package/dist/cache/TokenCache.mjs +14 -13
- package/dist/cache/TokenCache.mjs.map +1 -1
- package/dist/config/Configuration.mjs +1 -1
- package/dist/controllers/ControllerFactory.mjs +1 -1
- package/dist/controllers/NestedAppAuthController.d.ts.map +1 -1
- package/dist/controllers/NestedAppAuthController.mjs +3 -3
- package/dist/controllers/NestedAppAuthController.mjs.map +1 -1
- package/dist/controllers/StandardController.d.ts.map +1 -1
- package/dist/controllers/StandardController.mjs +3 -3
- package/dist/controllers/StandardController.mjs.map +1 -1
- package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
- package/dist/crypto/BrowserCrypto.mjs +1 -1
- package/dist/crypto/CryptoOps.mjs +1 -1
- package/dist/crypto/PkceGenerator.mjs +1 -1
- package/dist/crypto/SignedHttpRequest.mjs +1 -1
- package/dist/custom-auth-path/app/PublicClientApplication.mjs +1 -1
- package/dist/custom-auth-path/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthDOMHandler.mjs +1 -1
- package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +1 -1
- package/dist/custom-auth-path/broker/nativeBroker/PlatformAuthProvider.mjs +1 -1
- package/dist/custom-auth-path/cache/AccountManager.mjs +1 -1
- package/dist/custom-auth-path/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts +64 -7
- package/dist/custom-auth-path/cache/BrowserCacheManager.d.ts.map +1 -1
- package/dist/custom-auth-path/cache/BrowserCacheManager.mjs +400 -141
- package/dist/custom-auth-path/cache/BrowserCacheManager.mjs.map +1 -1
- package/dist/custom-auth-path/cache/CacheHelpers.mjs +1 -1
- package/dist/custom-auth-path/cache/CacheKeys.d.ts +3 -3
- package/dist/custom-auth-path/cache/CacheKeys.mjs +4 -4
- package/dist/custom-auth-path/cache/CookieStorage.mjs +1 -1
- package/dist/custom-auth-path/cache/DatabaseStorage.mjs +1 -1
- package/dist/custom-auth-path/cache/EncryptedData.mjs +1 -1
- package/dist/custom-auth-path/cache/IWindowStorage.d.ts +1 -1
- package/dist/custom-auth-path/cache/IWindowStorage.d.ts.map +1 -1
- package/dist/custom-auth-path/cache/LocalStorage.d.ts +1 -1
- package/dist/custom-auth-path/cache/LocalStorage.d.ts.map +1 -1
- package/dist/custom-auth-path/cache/LocalStorage.mjs +21 -12
- package/dist/custom-auth-path/cache/LocalStorage.mjs.map +1 -1
- package/dist/custom-auth-path/cache/MemoryStorage.mjs +1 -1
- package/dist/custom-auth-path/cache/SessionStorage.mjs +1 -1
- package/dist/custom-auth-path/cache/TokenCache.d.ts.map +1 -1
- package/dist/custom-auth-path/cache/TokenCache.mjs +14 -13
- package/dist/custom-auth-path/cache/TokenCache.mjs.map +1 -1
- package/dist/custom-auth-path/config/Configuration.mjs +1 -1
- package/dist/custom-auth-path/controllers/ControllerFactory.mjs +1 -1
- package/dist/custom-auth-path/controllers/NestedAppAuthController.d.ts.map +1 -1
- package/dist/custom-auth-path/controllers/StandardController.d.ts.map +1 -1
- package/dist/custom-auth-path/controllers/StandardController.mjs +3 -3
- package/dist/custom-auth-path/controllers/StandardController.mjs.map +1 -1
- package/dist/custom-auth-path/crypto/BrowserCrypto.mjs +1 -1
- package/dist/custom-auth-path/crypto/CryptoOps.mjs +1 -1
- package/dist/custom-auth-path/crypto/PkceGenerator.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/CustomAuthConstants.d.ts +1 -1
- package/dist/custom-auth-path/custom_auth/CustomAuthConstants.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/controller/CustomAuthStandardController.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/CustomAuthAuthority.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/CustomAuthError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/HttpError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/UnexpectedError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/MfaClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/core/utils/UrlUtils.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/index.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/SignInClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/SignUpClient.mjs +1 -1
- package/dist/custom-auth-path/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
- package/dist/custom-auth-path/encode/Base64Decode.mjs +1 -1
- package/dist/custom-auth-path/encode/Base64Encode.mjs +1 -1
- package/dist/custom-auth-path/error/BrowserAuthError.mjs +1 -1
- package/dist/custom-auth-path/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/error/BrowserConfigurationAuthError.mjs +1 -1
- package/dist/custom-auth-path/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/error/NativeAuthError.mjs +1 -1
- package/dist/custom-auth-path/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/custom-auth-path/event/EventHandler.mjs +1 -1
- package/dist/custom-auth-path/event/EventType.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/BaseInteractionClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
- package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
- package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
- package/dist/custom-auth-path/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
- package/dist/custom-auth-path/interaction_client/PopupClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/RedirectClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/SilentAuthCodeClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/SilentIframeClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/SilentRefreshClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_client/StandardInteractionClient.mjs +1 -1
- package/dist/custom-auth-path/interaction_handler/InteractionHandler.mjs +1 -1
- package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs +2 -1
- package/dist/custom-auth-path/interaction_handler/SilentHandler.mjs.map +1 -1
- package/dist/custom-auth-path/navigation/NavigationClient.mjs +1 -1
- package/dist/custom-auth-path/network/FetchClient.mjs +1 -1
- package/dist/custom-auth-path/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/custom-auth-path/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/custom-auth-path/packageMetadata.d.ts +1 -1
- package/dist/custom-auth-path/packageMetadata.mjs +2 -2
- package/dist/custom-auth-path/protocol/Authorize.mjs +1 -1
- package/dist/custom-auth-path/request/RequestHelpers.mjs +1 -1
- package/dist/custom-auth-path/response/ResponseHandler.mjs +1 -1
- package/dist/custom-auth-path/utils/BrowserConstants.mjs +1 -1
- package/dist/custom-auth-path/utils/BrowserProtocolUtils.mjs +1 -1
- package/dist/custom-auth-path/utils/BrowserUtils.mjs +1 -1
- package/dist/custom-auth-path/utils/Helpers.mjs +1 -1
- package/dist/custom-auth-path/utils/MsalFrameStatsUtils.mjs +1 -1
- package/dist/custom_auth/CustomAuthConstants.d.ts +1 -1
- package/dist/encode/Base64Decode.mjs +1 -1
- package/dist/encode/Base64Encode.mjs +1 -1
- package/dist/error/BrowserAuthError.mjs +1 -1
- package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/error/NativeAuthError.mjs +1 -1
- package/dist/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/error/NestedAppAuthError.mjs +1 -1
- package/dist/event/EventHandler.mjs +1 -1
- package/dist/event/EventMessage.mjs +1 -1
- package/dist/event/EventType.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
- package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
- package/dist/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/PlatformAuthInteractionClient.mjs +7 -7
- package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/PopupClient.mjs +1 -1
- package/dist/interaction_client/RedirectClient.mjs +1 -1
- package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
- package/dist/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/interaction_client/SilentIframeClient.mjs +1 -1
- package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
- package/dist/interaction_client/StandardInteractionClient.mjs +1 -1
- package/dist/interaction_handler/InteractionHandler.mjs +1 -1
- package/dist/interaction_handler/SilentHandler.mjs +2 -1
- package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
- package/dist/naa/BridgeError.mjs +1 -1
- package/dist/naa/BridgeProxy.mjs +1 -1
- package/dist/naa/BridgeStatusCode.mjs +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs +1 -1
- package/dist/navigation/NavigationClient.mjs +1 -1
- package/dist/network/FetchClient.mjs +1 -1
- package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
- package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +1 -1
- package/dist/request/RequestHelpers.mjs +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
- package/dist/utils/BrowserConstants.mjs +1 -1
- package/dist/utils/BrowserProtocolUtils.mjs +1 -1
- package/dist/utils/BrowserUtils.mjs +1 -1
- package/dist/utils/Helpers.mjs +1 -1
- package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
- package/lib/custom-auth-path/msal-custom-auth.cjs +1238 -947
- package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
- package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts +64 -7
- package/lib/custom-auth-path/types/cache/BrowserCacheManager.d.ts.map +1 -1
- package/lib/custom-auth-path/types/cache/CacheKeys.d.ts +3 -3
- package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts +1 -1
- package/lib/custom-auth-path/types/cache/IWindowStorage.d.ts.map +1 -1
- package/lib/custom-auth-path/types/cache/LocalStorage.d.ts +1 -1
- package/lib/custom-auth-path/types/cache/LocalStorage.d.ts.map +1 -1
- package/lib/custom-auth-path/types/cache/TokenCache.d.ts.map +1 -1
- package/lib/custom-auth-path/types/controllers/NestedAppAuthController.d.ts.map +1 -1
- package/lib/custom-auth-path/types/controllers/StandardController.d.ts.map +1 -1
- package/lib/custom-auth-path/types/custom_auth/CustomAuthConstants.d.ts +1 -1
- package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
- package/lib/custom-auth-path/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
- package/lib/custom-auth-path/types/packageMetadata.d.ts +1 -1
- package/lib/msal-browser.cjs +947 -656
- package/lib/msal-browser.cjs.map +1 -1
- package/lib/msal-browser.js +947 -656
- package/lib/msal-browser.js.map +1 -1
- package/lib/msal-browser.min.js +67 -67
- package/lib/types/cache/BrowserCacheManager.d.ts +64 -7
- package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
- package/lib/types/cache/CacheKeys.d.ts +3 -3
- package/lib/types/cache/IWindowStorage.d.ts +1 -1
- package/lib/types/cache/IWindowStorage.d.ts.map +1 -1
- package/lib/types/cache/LocalStorage.d.ts +1 -1
- package/lib/types/cache/LocalStorage.d.ts.map +1 -1
- package/lib/types/cache/TokenCache.d.ts.map +1 -1
- package/lib/types/controllers/NestedAppAuthController.d.ts.map +1 -1
- package/lib/types/controllers/StandardController.d.ts.map +1 -1
- package/lib/types/custom_auth/CustomAuthConstants.d.ts +1 -1
- package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts +1 -1
- package/lib/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/package.json +2 -2
- package/src/cache/BrowserCacheManager.ts +738 -225
- package/src/cache/CacheKeys.ts +3 -3
- package/src/cache/IWindowStorage.ts +2 -1
- package/src/cache/LocalStorage.ts +30 -17
- package/src/cache/TokenCache.ts +33 -12
- package/src/controllers/NestedAppAuthController.ts +3 -1
- package/src/controllers/StandardController.ts +3 -1
- package/src/interaction_client/PlatformAuthInteractionClient.ts +15 -5
- package/src/interaction_handler/SilentHandler.ts +1 -0
- package/src/packageMetadata.ts +1 -1
package/lib/msal-browser.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-browser v4.
|
|
1
|
+
/*! @azure/msal-browser v4.26.1 2025-11-06 */
|
|
2
2
|
'use strict';
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
|
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
(global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
|
|
7
7
|
})(this, (function (exports) { 'use strict';
|
|
8
8
|
|
|
9
|
-
/*! @azure/msal-common v15.13.
|
|
9
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
10
10
|
/*
|
|
11
11
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
12
12
|
* Licensed under the MIT License.
|
|
@@ -283,7 +283,7 @@
|
|
|
283
283
|
// Token renewal offset default in seconds
|
|
284
284
|
const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
|
|
285
285
|
|
|
286
|
-
/*! @azure/msal-common v15.13.
|
|
286
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
287
287
|
/*
|
|
288
288
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
289
289
|
* Licensed under the MIT License.
|
|
@@ -300,7 +300,7 @@
|
|
|
300
300
|
unexpectedError: unexpectedError
|
|
301
301
|
});
|
|
302
302
|
|
|
303
|
-
/*! @azure/msal-common v15.13.
|
|
303
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
304
304
|
|
|
305
305
|
/*
|
|
306
306
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -349,7 +349,7 @@
|
|
|
349
349
|
: AuthErrorMessages[code]);
|
|
350
350
|
}
|
|
351
351
|
|
|
352
|
-
/*! @azure/msal-common v15.13.
|
|
352
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
353
353
|
/*
|
|
354
354
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
355
355
|
* Licensed under the MIT License.
|
|
@@ -447,7 +447,7 @@
|
|
|
447
447
|
userTimeoutReached: userTimeoutReached
|
|
448
448
|
});
|
|
449
449
|
|
|
450
|
-
/*! @azure/msal-common v15.13.
|
|
450
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
451
451
|
|
|
452
452
|
/*
|
|
453
453
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -699,7 +699,7 @@
|
|
|
699
699
|
return new ClientAuthError(errorCode, additionalMessage);
|
|
700
700
|
}
|
|
701
701
|
|
|
702
|
-
/*! @azure/msal-common v15.13.
|
|
702
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
703
703
|
|
|
704
704
|
/*
|
|
705
705
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -738,7 +738,7 @@
|
|
|
738
738
|
},
|
|
739
739
|
};
|
|
740
740
|
|
|
741
|
-
/*! @azure/msal-common v15.13.
|
|
741
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
742
742
|
|
|
743
743
|
/*
|
|
744
744
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -929,12 +929,12 @@
|
|
|
929
929
|
}
|
|
930
930
|
}
|
|
931
931
|
|
|
932
|
-
/*! @azure/msal-common v15.13.
|
|
932
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
933
933
|
/* eslint-disable header/header */
|
|
934
934
|
const name$1 = "@azure/msal-common";
|
|
935
|
-
const version$1 = "15.13.
|
|
935
|
+
const version$1 = "15.13.1";
|
|
936
936
|
|
|
937
|
-
/*! @azure/msal-common v15.13.
|
|
937
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
938
938
|
/*
|
|
939
939
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
940
940
|
* Licensed under the MIT License.
|
|
@@ -954,7 +954,7 @@
|
|
|
954
954
|
AzureUsGovernment: "https://login.microsoftonline.us",
|
|
955
955
|
};
|
|
956
956
|
|
|
957
|
-
/*! @azure/msal-common v15.13.
|
|
957
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
958
958
|
/*
|
|
959
959
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
960
960
|
* Licensed under the MIT License.
|
|
@@ -1010,7 +1010,7 @@
|
|
|
1010
1010
|
urlParseError: urlParseError
|
|
1011
1011
|
});
|
|
1012
1012
|
|
|
1013
|
-
/*! @azure/msal-common v15.13.
|
|
1013
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1014
1014
|
|
|
1015
1015
|
/*
|
|
1016
1016
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1153,7 +1153,7 @@
|
|
|
1153
1153
|
return new ClientConfigurationError(errorCode);
|
|
1154
1154
|
}
|
|
1155
1155
|
|
|
1156
|
-
/*! @azure/msal-common v15.13.
|
|
1156
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1157
1157
|
/*
|
|
1158
1158
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1159
1159
|
* Licensed under the MIT License.
|
|
@@ -1250,7 +1250,7 @@
|
|
|
1250
1250
|
}
|
|
1251
1251
|
}
|
|
1252
1252
|
|
|
1253
|
-
/*! @azure/msal-common v15.13.
|
|
1253
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1254
1254
|
|
|
1255
1255
|
/*
|
|
1256
1256
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1445,7 +1445,47 @@
|
|
|
1445
1445
|
}
|
|
1446
1446
|
}
|
|
1447
1447
|
|
|
1448
|
-
/*! @azure/msal-common v15.13.
|
|
1448
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1449
|
+
|
|
1450
|
+
/*
|
|
1451
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1452
|
+
* Licensed under the MIT License.
|
|
1453
|
+
*/
|
|
1454
|
+
/**
|
|
1455
|
+
* Function to build a client info object from server clientInfo string
|
|
1456
|
+
* @param rawClientInfo
|
|
1457
|
+
* @param crypto
|
|
1458
|
+
*/
|
|
1459
|
+
function buildClientInfo(rawClientInfo, base64Decode) {
|
|
1460
|
+
if (!rawClientInfo) {
|
|
1461
|
+
throw createClientAuthError(clientInfoEmptyError);
|
|
1462
|
+
}
|
|
1463
|
+
try {
|
|
1464
|
+
const decodedClientInfo = base64Decode(rawClientInfo);
|
|
1465
|
+
return JSON.parse(decodedClientInfo);
|
|
1466
|
+
}
|
|
1467
|
+
catch (e) {
|
|
1468
|
+
throw createClientAuthError(clientInfoDecodingError);
|
|
1469
|
+
}
|
|
1470
|
+
}
|
|
1471
|
+
/**
|
|
1472
|
+
* Function to build a client info object from cached homeAccountId string
|
|
1473
|
+
* @param homeAccountId
|
|
1474
|
+
*/
|
|
1475
|
+
function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
1476
|
+
if (!homeAccountId) {
|
|
1477
|
+
throw createClientAuthError(clientInfoDecodingError);
|
|
1478
|
+
}
|
|
1479
|
+
const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
|
|
1480
|
+
return {
|
|
1481
|
+
uid: clientInfoParts[0],
|
|
1482
|
+
utid: clientInfoParts.length < 2
|
|
1483
|
+
? Constants.EMPTY_STRING
|
|
1484
|
+
: clientInfoParts[1],
|
|
1485
|
+
};
|
|
1486
|
+
}
|
|
1487
|
+
|
|
1488
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1449
1489
|
/*
|
|
1450
1490
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1451
1491
|
* Licensed under the MIT License.
|
|
@@ -1527,7 +1567,289 @@
|
|
|
1527
1567
|
return updatedAccountInfo;
|
|
1528
1568
|
}
|
|
1529
1569
|
|
|
1530
|
-
/*! @azure/msal-common v15.13.
|
|
1570
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1571
|
+
/*
|
|
1572
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1573
|
+
* Licensed under the MIT License.
|
|
1574
|
+
*/
|
|
1575
|
+
/**
|
|
1576
|
+
* Authority types supported by MSAL.
|
|
1577
|
+
*/
|
|
1578
|
+
const AuthorityType = {
|
|
1579
|
+
Default: 0,
|
|
1580
|
+
Adfs: 1,
|
|
1581
|
+
Dsts: 2,
|
|
1582
|
+
Ciam: 3,
|
|
1583
|
+
};
|
|
1584
|
+
|
|
1585
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1586
|
+
/*
|
|
1587
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1588
|
+
* Licensed under the MIT License.
|
|
1589
|
+
*/
|
|
1590
|
+
/**
|
|
1591
|
+
* Gets tenantId from available ID token claims to set as credential realm with the following precedence:
|
|
1592
|
+
* 1. tid - if the token is acquired from an Azure AD tenant tid will be present
|
|
1593
|
+
* 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
|
|
1594
|
+
* 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
|
|
1595
|
+
* Downcased to match the realm case-insensitive comparison requirements
|
|
1596
|
+
* @param idTokenClaims
|
|
1597
|
+
* @returns
|
|
1598
|
+
*/
|
|
1599
|
+
function getTenantIdFromIdTokenClaims(idTokenClaims) {
|
|
1600
|
+
if (idTokenClaims) {
|
|
1601
|
+
const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
|
|
1602
|
+
return tenantId || null;
|
|
1603
|
+
}
|
|
1604
|
+
return null;
|
|
1605
|
+
}
|
|
1606
|
+
|
|
1607
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1608
|
+
/*
|
|
1609
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1610
|
+
* Licensed under the MIT License.
|
|
1611
|
+
*/
|
|
1612
|
+
/**
|
|
1613
|
+
* Protocol modes supported by MSAL.
|
|
1614
|
+
*/
|
|
1615
|
+
const ProtocolMode = {
|
|
1616
|
+
/**
|
|
1617
|
+
* Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
|
|
1618
|
+
*/
|
|
1619
|
+
AAD: "AAD",
|
|
1620
|
+
/**
|
|
1621
|
+
* Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
|
|
1622
|
+
* Support is limited for this mode.
|
|
1623
|
+
*/
|
|
1624
|
+
OIDC: "OIDC",
|
|
1625
|
+
/**
|
|
1626
|
+
* Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
|
|
1627
|
+
*/
|
|
1628
|
+
EAR: "EAR",
|
|
1629
|
+
};
|
|
1630
|
+
|
|
1631
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1632
|
+
|
|
1633
|
+
/*
|
|
1634
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1635
|
+
* Licensed under the MIT License.
|
|
1636
|
+
*/
|
|
1637
|
+
/**
|
|
1638
|
+
* Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
|
|
1639
|
+
*
|
|
1640
|
+
* Key : Value Schema
|
|
1641
|
+
*
|
|
1642
|
+
* Key: <home_account_id>-<environment>-<realm*>
|
|
1643
|
+
*
|
|
1644
|
+
* Value Schema:
|
|
1645
|
+
* {
|
|
1646
|
+
* homeAccountId: home account identifier for the auth scheme,
|
|
1647
|
+
* environment: entity that issued the token, represented as a full host
|
|
1648
|
+
* realm: Full tenant or organizational identifier that the account belongs to
|
|
1649
|
+
* localAccountId: Original tenant-specific accountID, usually used for legacy cases
|
|
1650
|
+
* username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
|
|
1651
|
+
* authorityType: Accounts authority type as a string
|
|
1652
|
+
* name: Full name for the account, including given name and family name,
|
|
1653
|
+
* lastModificationTime: last time this entity was modified in the cache
|
|
1654
|
+
* lastModificationApp:
|
|
1655
|
+
* nativeAccountId: Account identifier on the native device
|
|
1656
|
+
* tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
|
|
1657
|
+
* }
|
|
1658
|
+
* @internal
|
|
1659
|
+
*/
|
|
1660
|
+
class AccountEntity {
|
|
1661
|
+
/**
|
|
1662
|
+
* Returns the AccountInfo interface for this account.
|
|
1663
|
+
*/
|
|
1664
|
+
static getAccountInfo(accountEntity) {
|
|
1665
|
+
return {
|
|
1666
|
+
homeAccountId: accountEntity.homeAccountId,
|
|
1667
|
+
environment: accountEntity.environment,
|
|
1668
|
+
tenantId: accountEntity.realm,
|
|
1669
|
+
username: accountEntity.username,
|
|
1670
|
+
localAccountId: accountEntity.localAccountId,
|
|
1671
|
+
loginHint: accountEntity.loginHint,
|
|
1672
|
+
name: accountEntity.name,
|
|
1673
|
+
nativeAccountId: accountEntity.nativeAccountId,
|
|
1674
|
+
authorityType: accountEntity.authorityType,
|
|
1675
|
+
// Deserialize tenant profiles array into a Map
|
|
1676
|
+
tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
|
|
1677
|
+
return [tenantProfile.tenantId, tenantProfile];
|
|
1678
|
+
})),
|
|
1679
|
+
dataBoundary: accountEntity.dataBoundary,
|
|
1680
|
+
};
|
|
1681
|
+
}
|
|
1682
|
+
/**
|
|
1683
|
+
* Returns true if the account entity is in single tenant format (outdated), false otherwise
|
|
1684
|
+
*/
|
|
1685
|
+
isSingleTenant() {
|
|
1686
|
+
return !this.tenantProfiles;
|
|
1687
|
+
}
|
|
1688
|
+
/**
|
|
1689
|
+
* Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
|
|
1690
|
+
* @param accountDetails
|
|
1691
|
+
*/
|
|
1692
|
+
static createAccount(accountDetails, authority, base64Decode) {
|
|
1693
|
+
const account = new AccountEntity();
|
|
1694
|
+
if (authority.authorityType === AuthorityType.Adfs) {
|
|
1695
|
+
account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
|
|
1696
|
+
}
|
|
1697
|
+
else if (authority.protocolMode === ProtocolMode.OIDC) {
|
|
1698
|
+
account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
|
|
1699
|
+
}
|
|
1700
|
+
else {
|
|
1701
|
+
account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
|
|
1702
|
+
}
|
|
1703
|
+
let clientInfo;
|
|
1704
|
+
if (accountDetails.clientInfo && base64Decode) {
|
|
1705
|
+
clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
|
|
1706
|
+
if (clientInfo.xms_tdbr) {
|
|
1707
|
+
account.dataBoundary =
|
|
1708
|
+
clientInfo.xms_tdbr === "EU" ? "EU" : "None";
|
|
1709
|
+
}
|
|
1710
|
+
}
|
|
1711
|
+
account.clientInfo = accountDetails.clientInfo;
|
|
1712
|
+
account.homeAccountId = accountDetails.homeAccountId;
|
|
1713
|
+
account.nativeAccountId = accountDetails.nativeAccountId;
|
|
1714
|
+
const env = accountDetails.environment ||
|
|
1715
|
+
(authority && authority.getPreferredCache());
|
|
1716
|
+
if (!env) {
|
|
1717
|
+
throw createClientAuthError(invalidCacheEnvironment);
|
|
1718
|
+
}
|
|
1719
|
+
account.environment = env;
|
|
1720
|
+
// non AAD scenarios can have empty realm
|
|
1721
|
+
account.realm =
|
|
1722
|
+
clientInfo?.utid ||
|
|
1723
|
+
getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
|
|
1724
|
+
"";
|
|
1725
|
+
// How do you account for MSA CID here?
|
|
1726
|
+
account.localAccountId =
|
|
1727
|
+
clientInfo?.uid ||
|
|
1728
|
+
accountDetails.idTokenClaims?.oid ||
|
|
1729
|
+
accountDetails.idTokenClaims?.sub ||
|
|
1730
|
+
"";
|
|
1731
|
+
/*
|
|
1732
|
+
* In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
|
|
1733
|
+
* In most cases it will contain a single email. This field should not be relied upon if a custom
|
|
1734
|
+
* policy is configured to return more than 1 email.
|
|
1735
|
+
*/
|
|
1736
|
+
const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
|
|
1737
|
+
accountDetails.idTokenClaims?.upn;
|
|
1738
|
+
const email = accountDetails.idTokenClaims?.emails
|
|
1739
|
+
? accountDetails.idTokenClaims.emails[0]
|
|
1740
|
+
: null;
|
|
1741
|
+
account.username = preferredUsername || email || "";
|
|
1742
|
+
account.loginHint = accountDetails.idTokenClaims?.login_hint;
|
|
1743
|
+
account.name = accountDetails.idTokenClaims?.name || "";
|
|
1744
|
+
account.cloudGraphHostName = accountDetails.cloudGraphHostName;
|
|
1745
|
+
account.msGraphHost = accountDetails.msGraphHost;
|
|
1746
|
+
if (accountDetails.tenantProfiles) {
|
|
1747
|
+
account.tenantProfiles = accountDetails.tenantProfiles;
|
|
1748
|
+
}
|
|
1749
|
+
else {
|
|
1750
|
+
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
|
|
1751
|
+
account.tenantProfiles = [tenantProfile];
|
|
1752
|
+
}
|
|
1753
|
+
return account;
|
|
1754
|
+
}
|
|
1755
|
+
/**
|
|
1756
|
+
* Creates an AccountEntity object from AccountInfo
|
|
1757
|
+
* @param accountInfo
|
|
1758
|
+
* @param cloudGraphHostName
|
|
1759
|
+
* @param msGraphHost
|
|
1760
|
+
* @returns
|
|
1761
|
+
*/
|
|
1762
|
+
static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
|
|
1763
|
+
const account = new AccountEntity();
|
|
1764
|
+
account.authorityType =
|
|
1765
|
+
accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
|
|
1766
|
+
account.homeAccountId = accountInfo.homeAccountId;
|
|
1767
|
+
account.localAccountId = accountInfo.localAccountId;
|
|
1768
|
+
account.nativeAccountId = accountInfo.nativeAccountId;
|
|
1769
|
+
account.realm = accountInfo.tenantId;
|
|
1770
|
+
account.environment = accountInfo.environment;
|
|
1771
|
+
account.username = accountInfo.username;
|
|
1772
|
+
account.name = accountInfo.name;
|
|
1773
|
+
account.loginHint = accountInfo.loginHint;
|
|
1774
|
+
account.cloudGraphHostName = cloudGraphHostName;
|
|
1775
|
+
account.msGraphHost = msGraphHost;
|
|
1776
|
+
// Serialize tenant profiles map into an array
|
|
1777
|
+
account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
|
|
1778
|
+
account.dataBoundary = accountInfo.dataBoundary;
|
|
1779
|
+
return account;
|
|
1780
|
+
}
|
|
1781
|
+
/**
|
|
1782
|
+
* Generate HomeAccountId from server response
|
|
1783
|
+
* @param serverClientInfo
|
|
1784
|
+
* @param authType
|
|
1785
|
+
*/
|
|
1786
|
+
static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
|
|
1787
|
+
// since ADFS/DSTS do not have tid and does not set client_info
|
|
1788
|
+
if (!(authType === AuthorityType.Adfs ||
|
|
1789
|
+
authType === AuthorityType.Dsts)) {
|
|
1790
|
+
// for cases where there is clientInfo
|
|
1791
|
+
if (serverClientInfo) {
|
|
1792
|
+
try {
|
|
1793
|
+
const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
|
|
1794
|
+
if (clientInfo.uid && clientInfo.utid) {
|
|
1795
|
+
return `${clientInfo.uid}.${clientInfo.utid}`;
|
|
1796
|
+
}
|
|
1797
|
+
}
|
|
1798
|
+
catch (e) { }
|
|
1799
|
+
}
|
|
1800
|
+
logger.warning("No client info in response");
|
|
1801
|
+
}
|
|
1802
|
+
// default to "sub" claim
|
|
1803
|
+
return idTokenClaims?.sub || "";
|
|
1804
|
+
}
|
|
1805
|
+
/**
|
|
1806
|
+
* Validates an entity: checks for all expected params
|
|
1807
|
+
* @param entity
|
|
1808
|
+
*/
|
|
1809
|
+
static isAccountEntity(entity) {
|
|
1810
|
+
if (!entity) {
|
|
1811
|
+
return false;
|
|
1812
|
+
}
|
|
1813
|
+
return (entity.hasOwnProperty("homeAccountId") &&
|
|
1814
|
+
entity.hasOwnProperty("environment") &&
|
|
1815
|
+
entity.hasOwnProperty("realm") &&
|
|
1816
|
+
entity.hasOwnProperty("localAccountId") &&
|
|
1817
|
+
entity.hasOwnProperty("username") &&
|
|
1818
|
+
entity.hasOwnProperty("authorityType"));
|
|
1819
|
+
}
|
|
1820
|
+
/**
|
|
1821
|
+
* Helper function to determine whether 2 accountInfo objects represent the same account
|
|
1822
|
+
* @param accountA
|
|
1823
|
+
* @param accountB
|
|
1824
|
+
* @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
|
|
1825
|
+
*/
|
|
1826
|
+
static accountInfoIsEqual(accountA, accountB, compareClaims) {
|
|
1827
|
+
if (!accountA || !accountB) {
|
|
1828
|
+
return false;
|
|
1829
|
+
}
|
|
1830
|
+
let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
|
|
1831
|
+
if (compareClaims) {
|
|
1832
|
+
const accountAClaims = (accountA.idTokenClaims ||
|
|
1833
|
+
{});
|
|
1834
|
+
const accountBClaims = (accountB.idTokenClaims ||
|
|
1835
|
+
{});
|
|
1836
|
+
// issued at timestamp and nonce are expected to change each time a new id token is acquired
|
|
1837
|
+
claimsMatch =
|
|
1838
|
+
accountAClaims.iat === accountBClaims.iat &&
|
|
1839
|
+
accountAClaims.nonce === accountBClaims.nonce;
|
|
1840
|
+
}
|
|
1841
|
+
return (accountA.homeAccountId === accountB.homeAccountId &&
|
|
1842
|
+
accountA.localAccountId === accountB.localAccountId &&
|
|
1843
|
+
accountA.username === accountB.username &&
|
|
1844
|
+
accountA.tenantId === accountB.tenantId &&
|
|
1845
|
+
accountA.loginHint === accountB.loginHint &&
|
|
1846
|
+
accountA.environment === accountB.environment &&
|
|
1847
|
+
accountA.nativeAccountId === accountB.nativeAccountId &&
|
|
1848
|
+
claimsMatch);
|
|
1849
|
+
}
|
|
1850
|
+
}
|
|
1851
|
+
|
|
1852
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1531
1853
|
|
|
1532
1854
|
/*
|
|
1533
1855
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1550,6 +1872,26 @@
|
|
|
1550
1872
|
throw createClientAuthError(tokenParsingError);
|
|
1551
1873
|
}
|
|
1552
1874
|
}
|
|
1875
|
+
/**
|
|
1876
|
+
* Check if the signin_state claim contains "kmsi"
|
|
1877
|
+
* @param idTokenClaims
|
|
1878
|
+
* @returns
|
|
1879
|
+
*/
|
|
1880
|
+
function isKmsi(idTokenClaims) {
|
|
1881
|
+
if (!idTokenClaims.signin_state) {
|
|
1882
|
+
return false;
|
|
1883
|
+
}
|
|
1884
|
+
/**
|
|
1885
|
+
* Signin_state claim known values:
|
|
1886
|
+
* dvc_mngd - device is managed
|
|
1887
|
+
* dvc_dmjd - device is domain joined
|
|
1888
|
+
* kmsi - user opted to "keep me signed in"
|
|
1889
|
+
* inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
|
|
1890
|
+
*/
|
|
1891
|
+
const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
|
|
1892
|
+
const kmsi = idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
|
|
1893
|
+
return kmsi;
|
|
1894
|
+
}
|
|
1553
1895
|
/**
|
|
1554
1896
|
* decode a JWT
|
|
1555
1897
|
*
|
|
@@ -1588,7 +1930,7 @@
|
|
|
1588
1930
|
}
|
|
1589
1931
|
}
|
|
1590
1932
|
|
|
1591
|
-
/*! @azure/msal-common v15.13.
|
|
1933
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1592
1934
|
|
|
1593
1935
|
/*
|
|
1594
1936
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1704,7 +2046,7 @@
|
|
|
1704
2046
|
}
|
|
1705
2047
|
}
|
|
1706
2048
|
|
|
1707
|
-
/*! @azure/msal-common v15.13.
|
|
2049
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1708
2050
|
|
|
1709
2051
|
/*
|
|
1710
2052
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1868,7 +2210,7 @@
|
|
|
1868
2210
|
}
|
|
1869
2211
|
}
|
|
1870
2212
|
|
|
1871
|
-
/*! @azure/msal-common v15.13.
|
|
2213
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
1872
2214
|
|
|
1873
2215
|
/*
|
|
1874
2216
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2007,7 +2349,7 @@
|
|
|
2007
2349
|
return null;
|
|
2008
2350
|
}
|
|
2009
2351
|
|
|
2010
|
-
/*! @azure/msal-common v15.13.
|
|
2352
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
2011
2353
|
/*
|
|
2012
2354
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2013
2355
|
* Licensed under the MIT License.
|
|
@@ -2015,7 +2357,7 @@
|
|
|
2015
2357
|
const cacheQuotaExceeded = "cache_quota_exceeded";
|
|
2016
2358
|
const cacheErrorUnknown = "cache_error_unknown";
|
|
2017
2359
|
|
|
2018
|
-
/*! @azure/msal-common v15.13.
|
|
2360
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
2019
2361
|
|
|
2020
2362
|
/*
|
|
2021
2363
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2060,7 +2402,7 @@
|
|
|
2060
2402
|
}
|
|
2061
2403
|
}
|
|
2062
2404
|
|
|
2063
|
-
/*! @azure/msal-common v15.13.
|
|
2405
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
2064
2406
|
|
|
2065
2407
|
/*
|
|
2066
2408
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2119,7 +2461,7 @@
|
|
|
2119
2461
|
getBaseAccountInfo(accountFilter, correlationId) {
|
|
2120
2462
|
const accountEntities = this.getAccountsFilteredBy(accountFilter, correlationId);
|
|
2121
2463
|
if (accountEntities.length > 0) {
|
|
2122
|
-
return accountEntities[0]
|
|
2464
|
+
return AccountEntity.getAccountInfo(accountEntities[0]);
|
|
2123
2465
|
}
|
|
2124
2466
|
else {
|
|
2125
2467
|
return null;
|
|
@@ -2158,7 +2500,7 @@
|
|
|
2158
2500
|
return tenantedAccountInfo;
|
|
2159
2501
|
}
|
|
2160
2502
|
getTenantProfilesFromAccountEntity(accountEntity, correlationId, targetTenantId, tenantProfileFilter) {
|
|
2161
|
-
const accountInfo =
|
|
2503
|
+
const accountInfo = AccountEntity.getAccountInfo(accountEntity);
|
|
2162
2504
|
let searchTenantProfiles = accountInfo.tenantProfiles || new Map();
|
|
2163
2505
|
const tokenKeys = this.getTokenKeys();
|
|
2164
2506
|
// If a tenant ID was provided, only return the tenant profile for that tenant ID if it exists
|
|
@@ -2228,27 +2570,28 @@
|
|
|
2228
2570
|
/**
|
|
2229
2571
|
* saves a cache record
|
|
2230
2572
|
* @param cacheRecord {CacheRecord}
|
|
2231
|
-
* @param storeInCache {?StoreInCache}
|
|
2232
2573
|
* @param correlationId {?string} correlation id
|
|
2574
|
+
* @param kmsi - Keep Me Signed In
|
|
2575
|
+
* @param storeInCache {?StoreInCache}
|
|
2233
2576
|
*/
|
|
2234
|
-
async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
|
|
2577
|
+
async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
|
|
2235
2578
|
if (!cacheRecord) {
|
|
2236
2579
|
throw createClientAuthError(invalidCacheRecord);
|
|
2237
2580
|
}
|
|
2238
2581
|
try {
|
|
2239
2582
|
if (!!cacheRecord.account) {
|
|
2240
|
-
await this.setAccount(cacheRecord.account, correlationId);
|
|
2583
|
+
await this.setAccount(cacheRecord.account, correlationId, kmsi);
|
|
2241
2584
|
}
|
|
2242
2585
|
if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
|
|
2243
|
-
await this.setIdTokenCredential(cacheRecord.idToken, correlationId);
|
|
2586
|
+
await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
|
|
2244
2587
|
}
|
|
2245
2588
|
if (!!cacheRecord.accessToken &&
|
|
2246
2589
|
storeInCache?.accessToken !== false) {
|
|
2247
|
-
await this.saveAccessToken(cacheRecord.accessToken, correlationId);
|
|
2590
|
+
await this.saveAccessToken(cacheRecord.accessToken, correlationId, kmsi);
|
|
2248
2591
|
}
|
|
2249
2592
|
if (!!cacheRecord.refreshToken &&
|
|
2250
2593
|
storeInCache?.refreshToken !== false) {
|
|
2251
|
-
await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId);
|
|
2594
|
+
await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId, kmsi);
|
|
2252
2595
|
}
|
|
2253
2596
|
if (!!cacheRecord.appMetadata) {
|
|
2254
2597
|
this.setAppMetadata(cacheRecord.appMetadata, correlationId);
|
|
@@ -2268,7 +2611,7 @@
|
|
|
2268
2611
|
* saves access token credential
|
|
2269
2612
|
* @param credential
|
|
2270
2613
|
*/
|
|
2271
|
-
async saveAccessToken(credential, correlationId) {
|
|
2614
|
+
async saveAccessToken(credential, correlationId, kmsi) {
|
|
2272
2615
|
const accessTokenFilter = {
|
|
2273
2616
|
clientId: credential.clientId,
|
|
2274
2617
|
credentialType: credential.credentialType,
|
|
@@ -2293,7 +2636,7 @@
|
|
|
2293
2636
|
}
|
|
2294
2637
|
}
|
|
2295
2638
|
});
|
|
2296
|
-
await this.setAccessTokenCredential(credential, correlationId);
|
|
2639
|
+
await this.setAccessTokenCredential(credential, correlationId, kmsi);
|
|
2297
2640
|
}
|
|
2298
2641
|
/**
|
|
2299
2642
|
* Retrieve account entities matching all provided tenant-agnostic filters; if no filter is set, get all account entities in the cache
|
|
@@ -3169,31 +3512,7 @@
|
|
|
3169
3512
|
}
|
|
3170
3513
|
}
|
|
3171
3514
|
|
|
3172
|
-
/*! @azure/msal-common v15.13.
|
|
3173
|
-
/*
|
|
3174
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3175
|
-
* Licensed under the MIT License.
|
|
3176
|
-
*/
|
|
3177
|
-
/**
|
|
3178
|
-
* Protocol modes supported by MSAL.
|
|
3179
|
-
*/
|
|
3180
|
-
const ProtocolMode = {
|
|
3181
|
-
/**
|
|
3182
|
-
* Auth Code + PKCE with Entra ID (formerly AAD) specific optimizations and features
|
|
3183
|
-
*/
|
|
3184
|
-
AAD: "AAD",
|
|
3185
|
-
/**
|
|
3186
|
-
* Auth Code + PKCE without Entra ID specific optimizations and features. For use only with non-Microsoft owned authorities.
|
|
3187
|
-
* Support is limited for this mode.
|
|
3188
|
-
*/
|
|
3189
|
-
OIDC: "OIDC",
|
|
3190
|
-
/**
|
|
3191
|
-
* Encrypted Authorize Response (EAR) with Entra ID specific optimizations and features
|
|
3192
|
-
*/
|
|
3193
|
-
EAR: "EAR",
|
|
3194
|
-
};
|
|
3195
|
-
|
|
3196
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
3515
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
3197
3516
|
/*
|
|
3198
3517
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3199
3518
|
* Licensed under the MIT License.
|
|
@@ -3715,7 +4034,7 @@
|
|
|
3715
4034
|
"upgradedCacheCount",
|
|
3716
4035
|
]);
|
|
3717
4036
|
|
|
3718
|
-
/*! @azure/msal-common v15.13.
|
|
4037
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
3719
4038
|
|
|
3720
4039
|
/*
|
|
3721
4040
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3794,7 +4113,7 @@
|
|
|
3794
4113
|
}
|
|
3795
4114
|
}
|
|
3796
4115
|
|
|
3797
|
-
/*! @azure/msal-common v15.13.
|
|
4116
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
3798
4117
|
|
|
3799
4118
|
/*
|
|
3800
4119
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3872,79 +4191,39 @@
|
|
|
3872
4191
|
serializableCache: serializableCache || null,
|
|
3873
4192
|
};
|
|
3874
4193
|
}
|
|
3875
|
-
/**
|
|
3876
|
-
* Construct authoptions from the client and platform passed values
|
|
3877
|
-
* @param authOptions
|
|
3878
|
-
*/
|
|
3879
|
-
function buildAuthOptions(authOptions) {
|
|
3880
|
-
return {
|
|
3881
|
-
clientCapabilities: [],
|
|
3882
|
-
azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
|
|
3883
|
-
skipAuthorityMetadataCache: false,
|
|
3884
|
-
instanceAware: false,
|
|
3885
|
-
encodeExtraQueryParams: false,
|
|
3886
|
-
...authOptions,
|
|
3887
|
-
};
|
|
3888
|
-
}
|
|
3889
|
-
/**
|
|
3890
|
-
* Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
|
|
3891
|
-
* @param ClientConfiguration
|
|
3892
|
-
*/
|
|
3893
|
-
function isOidcProtocolMode(config) {
|
|
3894
|
-
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3895
|
-
}
|
|
3896
|
-
|
|
3897
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
3898
|
-
/*
|
|
3899
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3900
|
-
* Licensed under the MIT License.
|
|
3901
|
-
*/
|
|
3902
|
-
const CcsCredentialType = {
|
|
3903
|
-
HOME_ACCOUNT_ID: "home_account_id",
|
|
3904
|
-
UPN: "UPN",
|
|
3905
|
-
};
|
|
3906
|
-
|
|
3907
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
3908
|
-
|
|
3909
|
-
/*
|
|
3910
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3911
|
-
* Licensed under the MIT License.
|
|
3912
|
-
*/
|
|
3913
|
-
/**
|
|
3914
|
-
* Function to build a client info object from server clientInfo string
|
|
3915
|
-
* @param rawClientInfo
|
|
3916
|
-
* @param crypto
|
|
3917
|
-
*/
|
|
3918
|
-
function buildClientInfo(rawClientInfo, base64Decode) {
|
|
3919
|
-
if (!rawClientInfo) {
|
|
3920
|
-
throw createClientAuthError(clientInfoEmptyError);
|
|
3921
|
-
}
|
|
3922
|
-
try {
|
|
3923
|
-
const decodedClientInfo = base64Decode(rawClientInfo);
|
|
3924
|
-
return JSON.parse(decodedClientInfo);
|
|
3925
|
-
}
|
|
3926
|
-
catch (e) {
|
|
3927
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3928
|
-
}
|
|
3929
|
-
}
|
|
3930
|
-
/**
|
|
3931
|
-
* Function to build a client info object from cached homeAccountId string
|
|
3932
|
-
* @param homeAccountId
|
|
4194
|
+
/**
|
|
4195
|
+
* Construct authoptions from the client and platform passed values
|
|
4196
|
+
* @param authOptions
|
|
3933
4197
|
*/
|
|
3934
|
-
function
|
|
3935
|
-
if (!homeAccountId) {
|
|
3936
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
3937
|
-
}
|
|
3938
|
-
const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
|
|
4198
|
+
function buildAuthOptions(authOptions) {
|
|
3939
4199
|
return {
|
|
3940
|
-
|
|
3941
|
-
|
|
3942
|
-
|
|
3943
|
-
|
|
4200
|
+
clientCapabilities: [],
|
|
4201
|
+
azureCloudOptions: DEFAULT_AZURE_CLOUD_OPTIONS,
|
|
4202
|
+
skipAuthorityMetadataCache: false,
|
|
4203
|
+
instanceAware: false,
|
|
4204
|
+
encodeExtraQueryParams: false,
|
|
4205
|
+
...authOptions,
|
|
3944
4206
|
};
|
|
4207
|
+
}
|
|
4208
|
+
/**
|
|
4209
|
+
* Returns true if config has protocolMode set to ProtocolMode.OIDC, false otherwise
|
|
4210
|
+
* @param ClientConfiguration
|
|
4211
|
+
*/
|
|
4212
|
+
function isOidcProtocolMode(config) {
|
|
4213
|
+
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3945
4214
|
}
|
|
3946
4215
|
|
|
3947
|
-
/*! @azure/msal-common v15.13.
|
|
4216
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4217
|
+
/*
|
|
4218
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4219
|
+
* Licensed under the MIT License.
|
|
4220
|
+
*/
|
|
4221
|
+
const CcsCredentialType = {
|
|
4222
|
+
HOME_ACCOUNT_ID: "home_account_id",
|
|
4223
|
+
UPN: "UPN",
|
|
4224
|
+
};
|
|
4225
|
+
|
|
4226
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
3948
4227
|
/*
|
|
3949
4228
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3950
4229
|
* Licensed under the MIT License.
|
|
@@ -3994,7 +4273,7 @@
|
|
|
3994
4273
|
const EAR_JWK = "ear_jwk";
|
|
3995
4274
|
const EAR_JWE_CRYPTO = "ear_jwe_crypto";
|
|
3996
4275
|
|
|
3997
|
-
/*! @azure/msal-common v15.13.
|
|
4276
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
3998
4277
|
|
|
3999
4278
|
/*
|
|
4000
4279
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4374,22 +4653,7 @@
|
|
|
4374
4653
|
});
|
|
4375
4654
|
}
|
|
4376
4655
|
|
|
4377
|
-
/*! @azure/msal-common v15.13.
|
|
4378
|
-
/*
|
|
4379
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4380
|
-
* Licensed under the MIT License.
|
|
4381
|
-
*/
|
|
4382
|
-
/**
|
|
4383
|
-
* Authority types supported by MSAL.
|
|
4384
|
-
*/
|
|
4385
|
-
const AuthorityType = {
|
|
4386
|
-
Default: 0,
|
|
4387
|
-
Adfs: 1,
|
|
4388
|
-
Dsts: 2,
|
|
4389
|
-
Ciam: 3,
|
|
4390
|
-
};
|
|
4391
|
-
|
|
4392
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
4656
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4393
4657
|
/*
|
|
4394
4658
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4395
4659
|
* Licensed under the MIT License.
|
|
@@ -4401,7 +4665,7 @@
|
|
|
4401
4665
|
response.hasOwnProperty("jwks_uri"));
|
|
4402
4666
|
}
|
|
4403
4667
|
|
|
4404
|
-
/*! @azure/msal-common v15.13.
|
|
4668
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4405
4669
|
/*
|
|
4406
4670
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4407
4671
|
* Licensed under the MIT License.
|
|
@@ -4411,7 +4675,7 @@
|
|
|
4411
4675
|
response.hasOwnProperty("metadata"));
|
|
4412
4676
|
}
|
|
4413
4677
|
|
|
4414
|
-
/*! @azure/msal-common v15.13.
|
|
4678
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4415
4679
|
/*
|
|
4416
4680
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4417
4681
|
* Licensed under the MIT License.
|
|
@@ -4421,7 +4685,7 @@
|
|
|
4421
4685
|
response.hasOwnProperty("error_description"));
|
|
4422
4686
|
}
|
|
4423
4687
|
|
|
4424
|
-
/*! @azure/msal-common v15.13.
|
|
4688
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4425
4689
|
/*
|
|
4426
4690
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4427
4691
|
* Licensed under the MIT License.
|
|
@@ -4517,7 +4781,7 @@
|
|
|
4517
4781
|
};
|
|
4518
4782
|
};
|
|
4519
4783
|
|
|
4520
|
-
/*! @azure/msal-common v15.13.
|
|
4784
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4521
4785
|
|
|
4522
4786
|
/*
|
|
4523
4787
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4623,7 +4887,7 @@
|
|
|
4623
4887
|
},
|
|
4624
4888
|
};
|
|
4625
4889
|
|
|
4626
|
-
/*! @azure/msal-common v15.13.
|
|
4890
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4627
4891
|
/*
|
|
4628
4892
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4629
4893
|
* Licensed under the MIT License.
|
|
@@ -4688,7 +4952,7 @@
|
|
|
4688
4952
|
return cachedAtSec > nowSeconds();
|
|
4689
4953
|
}
|
|
4690
4954
|
|
|
4691
|
-
/*! @azure/msal-common v15.13.
|
|
4955
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4692
4956
|
|
|
4693
4957
|
/*
|
|
4694
4958
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4950,7 +5214,7 @@
|
|
|
4950
5214
|
return metadata.expiresAt <= nowSeconds();
|
|
4951
5215
|
}
|
|
4952
5216
|
|
|
4953
|
-
/*! @azure/msal-common v15.13.
|
|
5217
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
4954
5218
|
|
|
4955
5219
|
/*
|
|
4956
5220
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5789,7 +6053,7 @@
|
|
|
5789
6053
|
};
|
|
5790
6054
|
}
|
|
5791
6055
|
|
|
5792
|
-
/*! @azure/msal-common v15.13.
|
|
6056
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5793
6057
|
|
|
5794
6058
|
/*
|
|
5795
6059
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5820,7 +6084,7 @@
|
|
|
5820
6084
|
}
|
|
5821
6085
|
}
|
|
5822
6086
|
|
|
5823
|
-
/*! @azure/msal-common v15.13.
|
|
6087
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5824
6088
|
|
|
5825
6089
|
/*
|
|
5826
6090
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5839,7 +6103,7 @@
|
|
|
5839
6103
|
}
|
|
5840
6104
|
}
|
|
5841
6105
|
|
|
5842
|
-
/*! @azure/msal-common v15.13.
|
|
6106
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5843
6107
|
/*
|
|
5844
6108
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5845
6109
|
* Licensed under the MIT License.
|
|
@@ -5860,7 +6124,7 @@
|
|
|
5860
6124
|
};
|
|
5861
6125
|
}
|
|
5862
6126
|
|
|
5863
|
-
/*! @azure/msal-common v15.13.
|
|
6127
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5864
6128
|
|
|
5865
6129
|
/*
|
|
5866
6130
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5947,7 +6211,7 @@
|
|
|
5947
6211
|
}
|
|
5948
6212
|
}
|
|
5949
6213
|
|
|
5950
|
-
/*! @azure/msal-common v15.13.
|
|
6214
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5951
6215
|
|
|
5952
6216
|
/*
|
|
5953
6217
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5978,7 +6242,7 @@
|
|
|
5978
6242
|
return new NetworkError(error, httpStatus, responseHeaders);
|
|
5979
6243
|
}
|
|
5980
6244
|
|
|
5981
|
-
/*! @azure/msal-common v15.13.
|
|
6245
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
5982
6246
|
|
|
5983
6247
|
/*
|
|
5984
6248
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6048,328 +6312,85 @@
|
|
|
6048
6312
|
response.status < 500 &&
|
|
6049
6313
|
response.status !== 429) {
|
|
6050
6314
|
// Telemetry data successfully logged by server, clear Telemetry cache
|
|
6051
|
-
this.config.serverTelemetryManager.clearTelemetryCache();
|
|
6052
|
-
}
|
|
6053
|
-
return response;
|
|
6054
|
-
}
|
|
6055
|
-
/**
|
|
6056
|
-
* Wraps sendPostRequestAsync with necessary preflight and postflight logic
|
|
6057
|
-
* @param thumbprint - Request thumbprint for throttling
|
|
6058
|
-
* @param tokenEndpoint - Endpoint to make the POST to
|
|
6059
|
-
* @param options - Body and Headers to include on the POST request
|
|
6060
|
-
* @param correlationId - CorrelationId for telemetry
|
|
6061
|
-
*/
|
|
6062
|
-
async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
|
|
6063
|
-
ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
|
|
6064
|
-
let response;
|
|
6065
|
-
try {
|
|
6066
|
-
response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
|
|
6067
|
-
const responseHeaders = response.headers || {};
|
|
6068
|
-
this.performanceClient?.addFields({
|
|
6069
|
-
refreshTokenSize: response.body.refresh_token?.length || 0,
|
|
6070
|
-
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
|
|
6071
|
-
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
|
|
6072
|
-
}, correlationId);
|
|
6073
|
-
}
|
|
6074
|
-
catch (e) {
|
|
6075
|
-
if (e instanceof NetworkError) {
|
|
6076
|
-
const responseHeaders = e.responseHeaders;
|
|
6077
|
-
if (responseHeaders) {
|
|
6078
|
-
this.performanceClient?.addFields({
|
|
6079
|
-
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
|
|
6080
|
-
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
|
|
6081
|
-
"",
|
|
6082
|
-
contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
|
|
6083
|
-
undefined,
|
|
6084
|
-
contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
|
|
6085
|
-
undefined,
|
|
6086
|
-
httpStatus: e.httpStatus,
|
|
6087
|
-
}, correlationId);
|
|
6088
|
-
}
|
|
6089
|
-
throw e.error;
|
|
6090
|
-
}
|
|
6091
|
-
if (e instanceof AuthError) {
|
|
6092
|
-
throw e;
|
|
6093
|
-
}
|
|
6094
|
-
else {
|
|
6095
|
-
throw createClientAuthError(networkError);
|
|
6096
|
-
}
|
|
6097
|
-
}
|
|
6098
|
-
ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
|
|
6099
|
-
return response;
|
|
6100
|
-
}
|
|
6101
|
-
/**
|
|
6102
|
-
* Updates the authority object of the client. Endpoint discovery must be completed.
|
|
6103
|
-
* @param updatedAuthority
|
|
6104
|
-
*/
|
|
6105
|
-
async updateAuthority(cloudInstanceHostname, correlationId) {
|
|
6106
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
|
|
6107
|
-
const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
|
|
6108
|
-
const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
|
|
6109
|
-
this.authority = cloudInstanceAuthority;
|
|
6110
|
-
}
|
|
6111
|
-
/**
|
|
6112
|
-
* Creates query string for the /token request
|
|
6113
|
-
* @param request
|
|
6114
|
-
*/
|
|
6115
|
-
createTokenQueryParameters(request) {
|
|
6116
|
-
const parameters = new Map();
|
|
6117
|
-
if (request.embeddedClientId) {
|
|
6118
|
-
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6119
|
-
}
|
|
6120
|
-
if (request.tokenQueryParameters) {
|
|
6121
|
-
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6122
|
-
}
|
|
6123
|
-
addCorrelationId(parameters, request.correlationId);
|
|
6124
|
-
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6125
|
-
return mapToQueryString(parameters);
|
|
6126
|
-
}
|
|
6127
|
-
}
|
|
6128
|
-
|
|
6129
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
6130
|
-
/*
|
|
6131
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6132
|
-
* Licensed under the MIT License.
|
|
6133
|
-
*/
|
|
6134
|
-
/**
|
|
6135
|
-
* Gets tenantId from available ID token claims to set as credential realm with the following precedence:
|
|
6136
|
-
* 1. tid - if the token is acquired from an Azure AD tenant tid will be present
|
|
6137
|
-
* 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
|
|
6138
|
-
* 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
|
|
6139
|
-
* Downcased to match the realm case-insensitive comparison requirements
|
|
6140
|
-
* @param idTokenClaims
|
|
6141
|
-
* @returns
|
|
6142
|
-
*/
|
|
6143
|
-
function getTenantIdFromIdTokenClaims(idTokenClaims) {
|
|
6144
|
-
if (idTokenClaims) {
|
|
6145
|
-
const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
|
|
6146
|
-
return tenantId || null;
|
|
6147
|
-
}
|
|
6148
|
-
return null;
|
|
6149
|
-
}
|
|
6150
|
-
|
|
6151
|
-
/*! @azure/msal-common v15.13.0 2025-10-17 */
|
|
6152
|
-
|
|
6153
|
-
/*
|
|
6154
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6155
|
-
* Licensed under the MIT License.
|
|
6156
|
-
*/
|
|
6157
|
-
/**
|
|
6158
|
-
* Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
|
|
6159
|
-
*
|
|
6160
|
-
* Key : Value Schema
|
|
6161
|
-
*
|
|
6162
|
-
* Key: <home_account_id>-<environment>-<realm*>
|
|
6163
|
-
*
|
|
6164
|
-
* Value Schema:
|
|
6165
|
-
* {
|
|
6166
|
-
* homeAccountId: home account identifier for the auth scheme,
|
|
6167
|
-
* environment: entity that issued the token, represented as a full host
|
|
6168
|
-
* realm: Full tenant or organizational identifier that the account belongs to
|
|
6169
|
-
* localAccountId: Original tenant-specific accountID, usually used for legacy cases
|
|
6170
|
-
* username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
|
|
6171
|
-
* authorityType: Accounts authority type as a string
|
|
6172
|
-
* name: Full name for the account, including given name and family name,
|
|
6173
|
-
* lastModificationTime: last time this entity was modified in the cache
|
|
6174
|
-
* lastModificationApp:
|
|
6175
|
-
* nativeAccountId: Account identifier on the native device
|
|
6176
|
-
* tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
|
|
6177
|
-
* }
|
|
6178
|
-
* @internal
|
|
6179
|
-
*/
|
|
6180
|
-
class AccountEntity {
|
|
6181
|
-
/**
|
|
6182
|
-
* Returns the AccountInfo interface for this account.
|
|
6183
|
-
*/
|
|
6184
|
-
getAccountInfo() {
|
|
6185
|
-
return {
|
|
6186
|
-
homeAccountId: this.homeAccountId,
|
|
6187
|
-
environment: this.environment,
|
|
6188
|
-
tenantId: this.realm,
|
|
6189
|
-
username: this.username,
|
|
6190
|
-
localAccountId: this.localAccountId,
|
|
6191
|
-
loginHint: this.loginHint,
|
|
6192
|
-
name: this.name,
|
|
6193
|
-
nativeAccountId: this.nativeAccountId,
|
|
6194
|
-
authorityType: this.authorityType,
|
|
6195
|
-
// Deserialize tenant profiles array into a Map
|
|
6196
|
-
tenantProfiles: new Map((this.tenantProfiles || []).map((tenantProfile) => {
|
|
6197
|
-
return [tenantProfile.tenantId, tenantProfile];
|
|
6198
|
-
})),
|
|
6199
|
-
dataBoundary: this.dataBoundary,
|
|
6200
|
-
};
|
|
6201
|
-
}
|
|
6202
|
-
/**
|
|
6203
|
-
* Returns true if the account entity is in single tenant format (outdated), false otherwise
|
|
6204
|
-
*/
|
|
6205
|
-
isSingleTenant() {
|
|
6206
|
-
return !this.tenantProfiles;
|
|
6207
|
-
}
|
|
6208
|
-
/**
|
|
6209
|
-
* Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
|
|
6210
|
-
* @param accountDetails
|
|
6211
|
-
*/
|
|
6212
|
-
static createAccount(accountDetails, authority, base64Decode) {
|
|
6213
|
-
const account = new AccountEntity();
|
|
6214
|
-
if (authority.authorityType === AuthorityType.Adfs) {
|
|
6215
|
-
account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
|
|
6216
|
-
}
|
|
6217
|
-
else if (authority.protocolMode === ProtocolMode.OIDC) {
|
|
6218
|
-
account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
|
|
6219
|
-
}
|
|
6220
|
-
else {
|
|
6221
|
-
account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
|
|
6222
|
-
}
|
|
6223
|
-
let clientInfo;
|
|
6224
|
-
if (accountDetails.clientInfo && base64Decode) {
|
|
6225
|
-
clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
|
|
6226
|
-
if (clientInfo.xms_tdbr) {
|
|
6227
|
-
account.dataBoundary =
|
|
6228
|
-
clientInfo.xms_tdbr === "EU" ? "EU" : "None";
|
|
6229
|
-
}
|
|
6230
|
-
}
|
|
6231
|
-
account.clientInfo = accountDetails.clientInfo;
|
|
6232
|
-
account.homeAccountId = accountDetails.homeAccountId;
|
|
6233
|
-
account.nativeAccountId = accountDetails.nativeAccountId;
|
|
6234
|
-
const env = accountDetails.environment ||
|
|
6235
|
-
(authority && authority.getPreferredCache());
|
|
6236
|
-
if (!env) {
|
|
6237
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
6238
|
-
}
|
|
6239
|
-
account.environment = env;
|
|
6240
|
-
// non AAD scenarios can have empty realm
|
|
6241
|
-
account.realm =
|
|
6242
|
-
clientInfo?.utid ||
|
|
6243
|
-
getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
|
|
6244
|
-
"";
|
|
6245
|
-
// How do you account for MSA CID here?
|
|
6246
|
-
account.localAccountId =
|
|
6247
|
-
clientInfo?.uid ||
|
|
6248
|
-
accountDetails.idTokenClaims?.oid ||
|
|
6249
|
-
accountDetails.idTokenClaims?.sub ||
|
|
6250
|
-
"";
|
|
6251
|
-
/*
|
|
6252
|
-
* In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
|
|
6253
|
-
* In most cases it will contain a single email. This field should not be relied upon if a custom
|
|
6254
|
-
* policy is configured to return more than 1 email.
|
|
6255
|
-
*/
|
|
6256
|
-
const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
|
|
6257
|
-
accountDetails.idTokenClaims?.upn;
|
|
6258
|
-
const email = accountDetails.idTokenClaims?.emails
|
|
6259
|
-
? accountDetails.idTokenClaims.emails[0]
|
|
6260
|
-
: null;
|
|
6261
|
-
account.username = preferredUsername || email || "";
|
|
6262
|
-
account.loginHint = accountDetails.idTokenClaims?.login_hint;
|
|
6263
|
-
account.name = accountDetails.idTokenClaims?.name || "";
|
|
6264
|
-
account.cloudGraphHostName = accountDetails.cloudGraphHostName;
|
|
6265
|
-
account.msGraphHost = accountDetails.msGraphHost;
|
|
6266
|
-
if (accountDetails.tenantProfiles) {
|
|
6267
|
-
account.tenantProfiles = accountDetails.tenantProfiles;
|
|
6268
|
-
}
|
|
6269
|
-
else {
|
|
6270
|
-
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
|
|
6271
|
-
account.tenantProfiles = [tenantProfile];
|
|
6315
|
+
this.config.serverTelemetryManager.clearTelemetryCache();
|
|
6272
6316
|
}
|
|
6273
|
-
return
|
|
6274
|
-
}
|
|
6275
|
-
/**
|
|
6276
|
-
* Creates an AccountEntity object from AccountInfo
|
|
6277
|
-
* @param accountInfo
|
|
6278
|
-
* @param cloudGraphHostName
|
|
6279
|
-
* @param msGraphHost
|
|
6280
|
-
* @returns
|
|
6281
|
-
*/
|
|
6282
|
-
static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
|
|
6283
|
-
const account = new AccountEntity();
|
|
6284
|
-
account.authorityType =
|
|
6285
|
-
accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
|
|
6286
|
-
account.homeAccountId = accountInfo.homeAccountId;
|
|
6287
|
-
account.localAccountId = accountInfo.localAccountId;
|
|
6288
|
-
account.nativeAccountId = accountInfo.nativeAccountId;
|
|
6289
|
-
account.realm = accountInfo.tenantId;
|
|
6290
|
-
account.environment = accountInfo.environment;
|
|
6291
|
-
account.username = accountInfo.username;
|
|
6292
|
-
account.name = accountInfo.name;
|
|
6293
|
-
account.loginHint = accountInfo.loginHint;
|
|
6294
|
-
account.cloudGraphHostName = cloudGraphHostName;
|
|
6295
|
-
account.msGraphHost = msGraphHost;
|
|
6296
|
-
// Serialize tenant profiles map into an array
|
|
6297
|
-
account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
|
|
6298
|
-
account.dataBoundary = accountInfo.dataBoundary;
|
|
6299
|
-
return account;
|
|
6317
|
+
return response;
|
|
6300
6318
|
}
|
|
6301
6319
|
/**
|
|
6302
|
-
*
|
|
6303
|
-
* @param
|
|
6304
|
-
* @param
|
|
6320
|
+
* Wraps sendPostRequestAsync with necessary preflight and postflight logic
|
|
6321
|
+
* @param thumbprint - Request thumbprint for throttling
|
|
6322
|
+
* @param tokenEndpoint - Endpoint to make the POST to
|
|
6323
|
+
* @param options - Body and Headers to include on the POST request
|
|
6324
|
+
* @param correlationId - CorrelationId for telemetry
|
|
6305
6325
|
*/
|
|
6306
|
-
|
|
6307
|
-
|
|
6308
|
-
|
|
6309
|
-
|
|
6310
|
-
|
|
6311
|
-
|
|
6312
|
-
|
|
6313
|
-
|
|
6314
|
-
|
|
6315
|
-
|
|
6316
|
-
|
|
6326
|
+
async sendPostRequest(thumbprint, tokenEndpoint, options, correlationId) {
|
|
6327
|
+
ThrottlingUtils.preProcess(this.cacheManager, thumbprint, correlationId);
|
|
6328
|
+
let response;
|
|
6329
|
+
try {
|
|
6330
|
+
response = await invokeAsync((this.networkClient.sendPostRequestAsync.bind(this.networkClient)), PerformanceEvents.NetworkClientSendPostRequestAsync, this.logger, this.performanceClient, correlationId)(tokenEndpoint, options);
|
|
6331
|
+
const responseHeaders = response.headers || {};
|
|
6332
|
+
this.performanceClient?.addFields({
|
|
6333
|
+
refreshTokenSize: response.body.refresh_token?.length || 0,
|
|
6334
|
+
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
|
|
6335
|
+
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] || "",
|
|
6336
|
+
}, correlationId);
|
|
6337
|
+
}
|
|
6338
|
+
catch (e) {
|
|
6339
|
+
if (e instanceof NetworkError) {
|
|
6340
|
+
const responseHeaders = e.responseHeaders;
|
|
6341
|
+
if (responseHeaders) {
|
|
6342
|
+
this.performanceClient?.addFields({
|
|
6343
|
+
httpVerToken: responseHeaders[HeaderNames.X_MS_HTTP_VERSION] || "",
|
|
6344
|
+
requestId: responseHeaders[HeaderNames.X_MS_REQUEST_ID] ||
|
|
6345
|
+
"",
|
|
6346
|
+
contentTypeHeader: responseHeaders[HeaderNames.CONTENT_TYPE] ||
|
|
6347
|
+
undefined,
|
|
6348
|
+
contentLengthHeader: responseHeaders[HeaderNames.CONTENT_LENGTH] ||
|
|
6349
|
+
undefined,
|
|
6350
|
+
httpStatus: e.httpStatus,
|
|
6351
|
+
}, correlationId);
|
|
6317
6352
|
}
|
|
6318
|
-
|
|
6353
|
+
throw e.error;
|
|
6354
|
+
}
|
|
6355
|
+
if (e instanceof AuthError) {
|
|
6356
|
+
throw e;
|
|
6357
|
+
}
|
|
6358
|
+
else {
|
|
6359
|
+
throw createClientAuthError(networkError);
|
|
6319
6360
|
}
|
|
6320
|
-
logger.warning("No client info in response");
|
|
6321
6361
|
}
|
|
6322
|
-
|
|
6323
|
-
return
|
|
6362
|
+
ThrottlingUtils.postProcess(this.cacheManager, thumbprint, response, correlationId);
|
|
6363
|
+
return response;
|
|
6324
6364
|
}
|
|
6325
6365
|
/**
|
|
6326
|
-
*
|
|
6327
|
-
* @param
|
|
6366
|
+
* Updates the authority object of the client. Endpoint discovery must be completed.
|
|
6367
|
+
* @param updatedAuthority
|
|
6328
6368
|
*/
|
|
6329
|
-
|
|
6330
|
-
|
|
6331
|
-
|
|
6332
|
-
|
|
6333
|
-
|
|
6334
|
-
entity.hasOwnProperty("environment") &&
|
|
6335
|
-
entity.hasOwnProperty("realm") &&
|
|
6336
|
-
entity.hasOwnProperty("localAccountId") &&
|
|
6337
|
-
entity.hasOwnProperty("username") &&
|
|
6338
|
-
entity.hasOwnProperty("authorityType"));
|
|
6369
|
+
async updateAuthority(cloudInstanceHostname, correlationId) {
|
|
6370
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.UpdateTokenEndpointAuthority, correlationId);
|
|
6371
|
+
const cloudInstanceAuthorityUri = `https://${cloudInstanceHostname}/${this.authority.tenant}/`;
|
|
6372
|
+
const cloudInstanceAuthority = await createDiscoveredInstance(cloudInstanceAuthorityUri, this.networkClient, this.cacheManager, this.authority.options, this.logger, correlationId, this.performanceClient);
|
|
6373
|
+
this.authority = cloudInstanceAuthority;
|
|
6339
6374
|
}
|
|
6340
6375
|
/**
|
|
6341
|
-
*
|
|
6342
|
-
* @param
|
|
6343
|
-
* @param accountB
|
|
6344
|
-
* @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
|
|
6376
|
+
* Creates query string for the /token request
|
|
6377
|
+
* @param request
|
|
6345
6378
|
*/
|
|
6346
|
-
|
|
6347
|
-
|
|
6348
|
-
|
|
6379
|
+
createTokenQueryParameters(request) {
|
|
6380
|
+
const parameters = new Map();
|
|
6381
|
+
if (request.embeddedClientId) {
|
|
6382
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6349
6383
|
}
|
|
6350
|
-
|
|
6351
|
-
|
|
6352
|
-
const accountAClaims = (accountA.idTokenClaims ||
|
|
6353
|
-
{});
|
|
6354
|
-
const accountBClaims = (accountB.idTokenClaims ||
|
|
6355
|
-
{});
|
|
6356
|
-
// issued at timestamp and nonce are expected to change each time a new id token is acquired
|
|
6357
|
-
claimsMatch =
|
|
6358
|
-
accountAClaims.iat === accountBClaims.iat &&
|
|
6359
|
-
accountAClaims.nonce === accountBClaims.nonce;
|
|
6384
|
+
if (request.tokenQueryParameters) {
|
|
6385
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6360
6386
|
}
|
|
6361
|
-
|
|
6362
|
-
|
|
6363
|
-
|
|
6364
|
-
accountA.tenantId === accountB.tenantId &&
|
|
6365
|
-
accountA.loginHint === accountB.loginHint &&
|
|
6366
|
-
accountA.environment === accountB.environment &&
|
|
6367
|
-
accountA.nativeAccountId === accountB.nativeAccountId &&
|
|
6368
|
-
claimsMatch);
|
|
6387
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6388
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6389
|
+
return mapToQueryString(parameters);
|
|
6369
6390
|
}
|
|
6370
6391
|
}
|
|
6371
6392
|
|
|
6372
|
-
/*! @azure/msal-common v15.13.
|
|
6393
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6373
6394
|
/*
|
|
6374
6395
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6375
6396
|
* Licensed under the MIT License.
|
|
@@ -6397,7 +6418,7 @@
|
|
|
6397
6418
|
uxNotAllowed: uxNotAllowed
|
|
6398
6419
|
});
|
|
6399
6420
|
|
|
6400
|
-
/*! @azure/msal-common v15.13.
|
|
6421
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6401
6422
|
|
|
6402
6423
|
/*
|
|
6403
6424
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6487,7 +6508,7 @@
|
|
|
6487
6508
|
return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
|
|
6488
6509
|
}
|
|
6489
6510
|
|
|
6490
|
-
/*! @azure/msal-common v15.13.
|
|
6511
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6491
6512
|
|
|
6492
6513
|
/*
|
|
6493
6514
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6559,7 +6580,7 @@
|
|
|
6559
6580
|
}
|
|
6560
6581
|
}
|
|
6561
6582
|
|
|
6562
|
-
/*! @azure/msal-common v15.13.
|
|
6583
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6563
6584
|
|
|
6564
6585
|
/*
|
|
6565
6586
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6641,7 +6662,7 @@
|
|
|
6641
6662
|
}
|
|
6642
6663
|
}
|
|
6643
6664
|
|
|
6644
|
-
/*! @azure/msal-common v15.13.
|
|
6665
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6645
6666
|
/*
|
|
6646
6667
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6647
6668
|
* Licensed under the MIT License.
|
|
@@ -6668,7 +6689,7 @@
|
|
|
6668
6689
|
}
|
|
6669
6690
|
}
|
|
6670
6691
|
|
|
6671
|
-
/*! @azure/msal-common v15.13.
|
|
6692
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
6672
6693
|
|
|
6673
6694
|
/*
|
|
6674
6695
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6780,14 +6801,14 @@
|
|
|
6780
6801
|
if (handlingRefreshTokenResponse &&
|
|
6781
6802
|
!forceCacheRefreshTokenResponse &&
|
|
6782
6803
|
cacheRecord.account) {
|
|
6783
|
-
const key = this.cacheStorage.generateAccountKey(cacheRecord.account
|
|
6804
|
+
const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
|
|
6784
6805
|
const account = this.cacheStorage.getAccount(key, request.correlationId);
|
|
6785
6806
|
if (!account) {
|
|
6786
6807
|
this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
|
|
6787
6808
|
return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
|
|
6788
6809
|
}
|
|
6789
6810
|
}
|
|
6790
|
-
await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, request.storeInCache);
|
|
6811
|
+
await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
|
|
6791
6812
|
}
|
|
6792
6813
|
finally {
|
|
6793
6814
|
if (this.persistencePlugin &&
|
|
@@ -6934,7 +6955,7 @@
|
|
|
6934
6955
|
serverTokenResponse?.spa_accountid;
|
|
6935
6956
|
}
|
|
6936
6957
|
const accountInfo = cacheRecord.account
|
|
6937
|
-
? updateAccountTenantProfileData(cacheRecord.account
|
|
6958
|
+
? updateAccountTenantProfileData(AccountEntity.getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
|
|
6938
6959
|
idTokenClaims, cacheRecord.idToken?.secret)
|
|
6939
6960
|
: null;
|
|
6940
6961
|
return {
|
|
@@ -6999,7 +7020,7 @@
|
|
|
6999
7020
|
return baseAccount;
|
|
7000
7021
|
}
|
|
7001
7022
|
|
|
7002
|
-
/*! @azure/msal-common v15.13.
|
|
7023
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7003
7024
|
/*
|
|
7004
7025
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7005
7026
|
* Licensed under the MIT License.
|
|
@@ -7017,7 +7038,7 @@
|
|
|
7017
7038
|
}
|
|
7018
7039
|
}
|
|
7019
7040
|
|
|
7020
|
-
/*! @azure/msal-common v15.13.
|
|
7041
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7021
7042
|
|
|
7022
7043
|
/*
|
|
7023
7044
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7252,7 +7273,7 @@
|
|
|
7252
7273
|
}
|
|
7253
7274
|
}
|
|
7254
7275
|
|
|
7255
|
-
/*! @azure/msal-common v15.13.
|
|
7276
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7256
7277
|
|
|
7257
7278
|
/*
|
|
7258
7279
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7461,7 +7482,7 @@
|
|
|
7461
7482
|
}
|
|
7462
7483
|
}
|
|
7463
7484
|
|
|
7464
|
-
/*! @azure/msal-common v15.13.
|
|
7485
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7465
7486
|
|
|
7466
7487
|
/*
|
|
7467
7488
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7559,7 +7580,7 @@
|
|
|
7559
7580
|
}
|
|
7560
7581
|
}
|
|
7561
7582
|
|
|
7562
|
-
/*! @azure/msal-common v15.13.
|
|
7583
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7563
7584
|
|
|
7564
7585
|
/*
|
|
7565
7586
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7574,7 +7595,7 @@
|
|
|
7574
7595
|
},
|
|
7575
7596
|
};
|
|
7576
7597
|
|
|
7577
|
-
/*! @azure/msal-common v15.13.
|
|
7598
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7578
7599
|
|
|
7579
7600
|
/*
|
|
7580
7601
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7798,7 +7819,7 @@
|
|
|
7798
7819
|
return account.loginHint || account.idTokenClaims?.login_hint || null;
|
|
7799
7820
|
}
|
|
7800
7821
|
|
|
7801
|
-
/*! @azure/msal-common v15.13.
|
|
7822
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7802
7823
|
|
|
7803
7824
|
/*
|
|
7804
7825
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7856,7 +7877,7 @@
|
|
|
7856
7877
|
}
|
|
7857
7878
|
}
|
|
7858
7879
|
|
|
7859
|
-
/*! @azure/msal-common v15.13.
|
|
7880
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
7860
7881
|
|
|
7861
7882
|
/*
|
|
7862
7883
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8119,7 +8140,7 @@
|
|
|
8119
8140
|
}
|
|
8120
8141
|
}
|
|
8121
8142
|
|
|
8122
|
-
/*! @azure/msal-common v15.13.
|
|
8143
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
8123
8144
|
/*
|
|
8124
8145
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8125
8146
|
* Licensed under the MIT License.
|
|
@@ -8127,7 +8148,7 @@
|
|
|
8127
8148
|
const missingKidError = "missing_kid_error";
|
|
8128
8149
|
const missingAlgError = "missing_alg_error";
|
|
8129
8150
|
|
|
8130
|
-
/*! @azure/msal-common v15.13.
|
|
8151
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
8131
8152
|
|
|
8132
8153
|
/*
|
|
8133
8154
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8152,7 +8173,7 @@
|
|
|
8152
8173
|
return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
|
|
8153
8174
|
}
|
|
8154
8175
|
|
|
8155
|
-
/*! @azure/msal-common v15.13.
|
|
8176
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
8156
8177
|
|
|
8157
8178
|
/*
|
|
8158
8179
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8192,7 +8213,7 @@
|
|
|
8192
8213
|
}
|
|
8193
8214
|
}
|
|
8194
8215
|
|
|
8195
|
-
/*! @azure/msal-common v15.13.
|
|
8216
|
+
/*! @azure/msal-common v15.13.1 2025-11-06 */
|
|
8196
8217
|
|
|
8197
8218
|
/*
|
|
8198
8219
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -10308,7 +10329,7 @@
|
|
|
10308
10329
|
|
|
10309
10330
|
/* eslint-disable header/header */
|
|
10310
10331
|
const name = "@azure/msal-browser";
|
|
10311
|
-
const version = "4.
|
|
10332
|
+
const version = "4.26.1";
|
|
10312
10333
|
|
|
10313
10334
|
/*
|
|
10314
10335
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -10316,9 +10337,9 @@
|
|
|
10316
10337
|
*/
|
|
10317
10338
|
const PREFIX = "msal";
|
|
10318
10339
|
const BROWSER_PREFIX = "browser";
|
|
10319
|
-
const CACHE_KEY_SEPARATOR = "
|
|
10320
|
-
const CREDENTIAL_SCHEMA_VERSION =
|
|
10321
|
-
const ACCOUNT_SCHEMA_VERSION =
|
|
10340
|
+
const CACHE_KEY_SEPARATOR = "|";
|
|
10341
|
+
const CREDENTIAL_SCHEMA_VERSION = 2;
|
|
10342
|
+
const ACCOUNT_SCHEMA_VERSION = 2;
|
|
10322
10343
|
const LOG_LEVEL_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.level`;
|
|
10323
10344
|
const LOG_PII_CACHE_KEY = `${PREFIX}.${BROWSER_PREFIX}.log.pii`;
|
|
10324
10345
|
const BROWSER_PERF_ENABLED_KEY = `${PREFIX}.${BROWSER_PREFIX}.performance.enabled`;
|
|
@@ -11478,7 +11499,10 @@
|
|
|
11478
11499
|
return null;
|
|
11479
11500
|
}
|
|
11480
11501
|
try {
|
|
11481
|
-
return
|
|
11502
|
+
return {
|
|
11503
|
+
...JSON.parse(decryptedData),
|
|
11504
|
+
lastUpdatedAt: data.lastUpdatedAt,
|
|
11505
|
+
};
|
|
11482
11506
|
}
|
|
11483
11507
|
catch (e) {
|
|
11484
11508
|
this.performanceClient.incrementFields({ encryptedCacheCorruptionCount: 1 }, correlationId);
|
|
@@ -11488,19 +11512,24 @@
|
|
|
11488
11512
|
setItem(key, value) {
|
|
11489
11513
|
window.localStorage.setItem(key, value);
|
|
11490
11514
|
}
|
|
11491
|
-
async setUserData(key, value, correlationId, timestamp) {
|
|
11515
|
+
async setUserData(key, value, correlationId, timestamp, kmsi) {
|
|
11492
11516
|
if (!this.initialized || !this.encryptionCookie) {
|
|
11493
11517
|
throw createBrowserAuthError(uninitializedPublicClientApplication);
|
|
11494
11518
|
}
|
|
11495
|
-
|
|
11496
|
-
|
|
11497
|
-
|
|
11498
|
-
|
|
11499
|
-
|
|
11500
|
-
|
|
11501
|
-
|
|
11519
|
+
if (kmsi) {
|
|
11520
|
+
this.setItem(key, value);
|
|
11521
|
+
}
|
|
11522
|
+
else {
|
|
11523
|
+
const { data, nonce } = await invokeAsync(encrypt, PerformanceEvents.Encrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, value, this.getContext(key));
|
|
11524
|
+
const encryptedData = {
|
|
11525
|
+
id: this.encryptionCookie.id,
|
|
11526
|
+
nonce: nonce,
|
|
11527
|
+
data: data,
|
|
11528
|
+
lastUpdatedAt: timestamp,
|
|
11529
|
+
};
|
|
11530
|
+
this.setItem(key, JSON.stringify(encryptedData));
|
|
11531
|
+
}
|
|
11502
11532
|
this.memoryStorage.setItem(key, value);
|
|
11503
|
-
this.setItem(key, JSON.stringify(encryptedData));
|
|
11504
11533
|
// Notify other frames to update their in-memory cache
|
|
11505
11534
|
this.broadcast.postMessage({
|
|
11506
11535
|
key: key,
|
|
@@ -11600,13 +11629,14 @@
|
|
|
11600
11629
|
if (!isEncrypted(encObj)) {
|
|
11601
11630
|
// Data is not encrypted
|
|
11602
11631
|
this.performanceClient.incrementFields({ unencryptedCacheCount: 1 }, correlationId);
|
|
11603
|
-
return
|
|
11632
|
+
return rawCache;
|
|
11604
11633
|
}
|
|
11605
11634
|
if (encObj.id !== this.encryptionCookie.id) {
|
|
11606
11635
|
// Data was encrypted with a different key. It must be removed because it is from a previous session.
|
|
11607
11636
|
this.performanceClient.incrementFields({ encryptedCacheExpiredCount: 1 }, correlationId);
|
|
11608
11637
|
return null;
|
|
11609
11638
|
}
|
|
11639
|
+
this.performanceClient.incrementFields({ encryptedCacheCount: 1 }, correlationId);
|
|
11610
11640
|
return invokeAsync(decrypt, PerformanceEvents.Decrypt, this.logger, this.performanceClient, correlationId)(this.encryptionCookie.key, encObj.nonce, this.getContext(key), encObj.data);
|
|
11611
11641
|
}
|
|
11612
11642
|
/**
|
|
@@ -11798,108 +11828,338 @@
|
|
|
11798
11828
|
* Migrates any existing cache data from previous versions of MSAL.js into the current cache structure.
|
|
11799
11829
|
*/
|
|
11800
11830
|
async migrateExistingCache(correlationId) {
|
|
11801
|
-
|
|
11802
|
-
|
|
11831
|
+
let accountKeys = getAccountKeys(this.browserStorage);
|
|
11832
|
+
let tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
|
|
11803
11833
|
this.performanceClient.addFields({
|
|
11804
|
-
|
|
11805
|
-
|
|
11806
|
-
|
|
11807
|
-
|
|
11834
|
+
preMigrateAcntCount: accountKeys.length,
|
|
11835
|
+
preMigrateATCount: tokenKeys.accessToken.length,
|
|
11836
|
+
preMigrateITCount: tokenKeys.idToken.length,
|
|
11837
|
+
preMigrateRTCount: tokenKeys.refreshToken.length,
|
|
11808
11838
|
}, correlationId);
|
|
11809
|
-
|
|
11810
|
-
|
|
11839
|
+
for (let i = 0; i < ACCOUNT_SCHEMA_VERSION; i++) {
|
|
11840
|
+
const credentialSchema = i; // For now account and credential schemas are the same, but may diverge in future
|
|
11841
|
+
await this.removeStaleAccounts(i, credentialSchema, correlationId);
|
|
11842
|
+
}
|
|
11843
|
+
// Must migrate idTokens first to ensure we have KMSI info for the rest
|
|
11844
|
+
for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
|
|
11845
|
+
const accountSchema = i; // For now account and credential schemas are the same, but may diverge in future
|
|
11846
|
+
await this.migrateIdTokens(i, accountSchema, correlationId);
|
|
11847
|
+
}
|
|
11848
|
+
const kmsiMap = this.getKMSIValues();
|
|
11849
|
+
for (let i = 0; i < CREDENTIAL_SCHEMA_VERSION; i++) {
|
|
11850
|
+
await this.migrateAccessTokens(i, kmsiMap, correlationId);
|
|
11851
|
+
await this.migrateRefreshTokens(i, kmsiMap, correlationId);
|
|
11852
|
+
}
|
|
11853
|
+
accountKeys = getAccountKeys(this.browserStorage);
|
|
11854
|
+
tokenKeys = getTokenKeys(this.clientId, this.browserStorage);
|
|
11811
11855
|
this.performanceClient.addFields({
|
|
11812
|
-
|
|
11813
|
-
|
|
11814
|
-
|
|
11815
|
-
|
|
11856
|
+
postMigrateAcntCount: accountKeys.length,
|
|
11857
|
+
postMigrateATCount: tokenKeys.accessToken.length,
|
|
11858
|
+
postMigrateITCount: tokenKeys.idToken.length,
|
|
11859
|
+
postMigrateRTCount: tokenKeys.refreshToken.length,
|
|
11816
11860
|
}, correlationId);
|
|
11817
|
-
|
|
11818
|
-
|
|
11819
|
-
|
|
11820
|
-
|
|
11821
|
-
|
|
11822
|
-
|
|
11823
|
-
|
|
11824
|
-
|
|
11861
|
+
}
|
|
11862
|
+
/**
|
|
11863
|
+
* Parses entry, adds lastUpdatedAt if it doesn't exist, removes entry if expired or invalid
|
|
11864
|
+
* @param key
|
|
11865
|
+
* @param correlationId
|
|
11866
|
+
* @returns
|
|
11867
|
+
*/
|
|
11868
|
+
async updateOldEntry(key, correlationId) {
|
|
11869
|
+
const rawValue = this.browserStorage.getItem(key);
|
|
11870
|
+
const parsedValue = this.validateAndParseJson(rawValue || "");
|
|
11871
|
+
if (!parsedValue) {
|
|
11872
|
+
this.browserStorage.removeItem(key);
|
|
11873
|
+
return null;
|
|
11825
11874
|
}
|
|
11826
|
-
|
|
11827
|
-
|
|
11875
|
+
if (!parsedValue.lastUpdatedAt) {
|
|
11876
|
+
// Add lastUpdatedAt to the existing v0 entry if it doesnt exist so we know when it's safe to remove it
|
|
11877
|
+
parsedValue.lastUpdatedAt = Date.now().toString();
|
|
11878
|
+
this.setItem(key, JSON.stringify(parsedValue), correlationId);
|
|
11828
11879
|
}
|
|
11829
|
-
if (
|
|
11830
|
-
this.browserStorage.
|
|
11880
|
+
else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
|
|
11881
|
+
this.browserStorage.removeItem(key);
|
|
11882
|
+
this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
|
|
11883
|
+
return null;
|
|
11831
11884
|
}
|
|
11832
|
-
|
|
11833
|
-
this.browserStorage.
|
|
11834
|
-
|
|
11835
|
-
|
|
11836
|
-
|
|
11837
|
-
|
|
11838
|
-
|
|
11839
|
-
|
|
11840
|
-
|
|
11841
|
-
|
|
11842
|
-
|
|
11843
|
-
|
|
11844
|
-
|
|
11885
|
+
const decryptedData = isEncrypted(parsedValue)
|
|
11886
|
+
? await this.browserStorage.decryptData(key, parsedValue, correlationId)
|
|
11887
|
+
: parsedValue;
|
|
11888
|
+
if (!decryptedData || !isCredentialEntity(decryptedData)) {
|
|
11889
|
+
this.performanceClient.incrementFields({ invalidCacheCount: 1 }, correlationId);
|
|
11890
|
+
return null;
|
|
11891
|
+
}
|
|
11892
|
+
if ((isAccessTokenEntity(decryptedData) ||
|
|
11893
|
+
isRefreshTokenEntity(decryptedData)) &&
|
|
11894
|
+
decryptedData.expiresOn &&
|
|
11895
|
+
isTokenExpired(decryptedData.expiresOn, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC)) {
|
|
11896
|
+
this.browserStorage.removeItem(key);
|
|
11897
|
+
this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
|
|
11898
|
+
return null;
|
|
11899
|
+
}
|
|
11900
|
+
return decryptedData;
|
|
11901
|
+
}
|
|
11902
|
+
/**
|
|
11903
|
+
* Remove accounts from the cache for older schema versions if they have not been updated in the last cacheRetentionDays
|
|
11904
|
+
* @param accountSchema
|
|
11905
|
+
* @param credentialSchema
|
|
11906
|
+
* @param correlationId
|
|
11907
|
+
* @returns
|
|
11908
|
+
*/
|
|
11909
|
+
async removeStaleAccounts(accountSchema, credentialSchema, correlationId) {
|
|
11910
|
+
const accountKeysToCheck = getAccountKeys(this.browserStorage, accountSchema);
|
|
11911
|
+
if (accountKeysToCheck.length === 0) {
|
|
11912
|
+
return;
|
|
11913
|
+
}
|
|
11914
|
+
for (const accountKey of [...accountKeysToCheck]) {
|
|
11915
|
+
this.performanceClient.incrementFields({ oldAcntCount: 1 }, correlationId);
|
|
11916
|
+
const rawValue = this.browserStorage.getItem(accountKey);
|
|
11917
|
+
const parsedValue = this.validateAndParseJson(rawValue || "");
|
|
11918
|
+
if (!parsedValue) {
|
|
11919
|
+
removeElementFromArray(accountKeysToCheck, accountKey);
|
|
11920
|
+
continue;
|
|
11921
|
+
}
|
|
11922
|
+
if (!parsedValue.lastUpdatedAt) {
|
|
11923
|
+
// Add lastUpdatedAt to the existing entry if it doesnt exist so we know when it's safe to remove it
|
|
11924
|
+
parsedValue.lastUpdatedAt = Date.now().toString();
|
|
11925
|
+
this.setItem(accountKey, JSON.stringify(parsedValue), correlationId);
|
|
11926
|
+
continue;
|
|
11927
|
+
}
|
|
11928
|
+
else if (isCacheExpired(parsedValue.lastUpdatedAt, this.cacheConfig.cacheRetentionDays)) {
|
|
11929
|
+
// Cache expired remove account and associated tokens
|
|
11930
|
+
await this.removeAccountOldSchema(accountKey, parsedValue, credentialSchema, correlationId);
|
|
11931
|
+
removeElementFromArray(accountKeysToCheck, accountKey);
|
|
11932
|
+
}
|
|
11933
|
+
}
|
|
11934
|
+
this.setAccountKeys(accountKeysToCheck, correlationId, accountSchema);
|
|
11935
|
+
}
|
|
11936
|
+
/**
|
|
11937
|
+
* Remove the given account and all associated tokens from the cache
|
|
11938
|
+
* @param accountKey
|
|
11939
|
+
* @param rawObject
|
|
11940
|
+
* @param credentialSchema
|
|
11941
|
+
* @param correlationId
|
|
11942
|
+
*/
|
|
11943
|
+
async removeAccountOldSchema(accountKey, rawObject, credentialSchema, correlationId) {
|
|
11944
|
+
const decryptedData = isEncrypted(rawObject)
|
|
11945
|
+
? (await this.browserStorage.decryptData(accountKey, rawObject, correlationId))
|
|
11946
|
+
: rawObject;
|
|
11947
|
+
const homeAccountId = decryptedData?.homeAccountId;
|
|
11948
|
+
if (homeAccountId) {
|
|
11949
|
+
const tokenKeys = this.getTokenKeys(credentialSchema);
|
|
11950
|
+
[...tokenKeys.idToken]
|
|
11951
|
+
.filter((key) => key.includes(homeAccountId))
|
|
11952
|
+
.forEach((key) => {
|
|
11953
|
+
this.browserStorage.removeItem(key);
|
|
11954
|
+
removeElementFromArray(tokenKeys.idToken, key);
|
|
11955
|
+
});
|
|
11956
|
+
[...tokenKeys.accessToken]
|
|
11957
|
+
.filter((key) => key.includes(homeAccountId))
|
|
11958
|
+
.forEach((key) => {
|
|
11959
|
+
this.browserStorage.removeItem(key);
|
|
11960
|
+
removeElementFromArray(tokenKeys.accessToken, key);
|
|
11961
|
+
});
|
|
11962
|
+
[...tokenKeys.refreshToken]
|
|
11963
|
+
.filter((key) => key.includes(homeAccountId))
|
|
11964
|
+
.forEach((key) => {
|
|
11965
|
+
this.browserStorage.removeItem(key);
|
|
11966
|
+
removeElementFromArray(tokenKeys.refreshToken, key);
|
|
11967
|
+
});
|
|
11968
|
+
this.setTokenKeys(tokenKeys, correlationId, credentialSchema);
|
|
11969
|
+
}
|
|
11970
|
+
this.performanceClient.incrementFields({ expiredAcntRemovedCount: 1 }, correlationId);
|
|
11971
|
+
this.browserStorage.removeItem(accountKey);
|
|
11972
|
+
}
|
|
11973
|
+
/**
|
|
11974
|
+
* Gets key value pair mapping homeAccountId to KMSI value
|
|
11975
|
+
* @returns
|
|
11976
|
+
*/
|
|
11977
|
+
getKMSIValues() {
|
|
11978
|
+
const kmsiMap = {};
|
|
11979
|
+
const tokenKeys = this.getTokenKeys().idToken;
|
|
11980
|
+
for (const key of tokenKeys) {
|
|
11981
|
+
const rawValue = this.browserStorage.getUserData(key);
|
|
11982
|
+
if (rawValue) {
|
|
11983
|
+
const idToken = JSON.parse(rawValue);
|
|
11984
|
+
const claims = extractTokenClaims(idToken.secret, base64Decode);
|
|
11985
|
+
if (claims) {
|
|
11986
|
+
kmsiMap[idToken.homeAccountId] = isKmsi(claims);
|
|
11987
|
+
}
|
|
11988
|
+
}
|
|
11989
|
+
}
|
|
11990
|
+
return kmsiMap;
|
|
11991
|
+
}
|
|
11992
|
+
/**
|
|
11993
|
+
* Migrates id tokens from the old schema to the new schema, also migrates associated account object if it doesn't already exist in the new schema
|
|
11994
|
+
* @param credentialSchema
|
|
11995
|
+
* @param accountSchema
|
|
11996
|
+
* @param correlationId
|
|
11997
|
+
* @returns
|
|
11998
|
+
*/
|
|
11999
|
+
async migrateIdTokens(credentialSchema, accountSchema, correlationId) {
|
|
12000
|
+
const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
|
|
12001
|
+
if (credentialKeysToMigrate.idToken.length === 0) {
|
|
12002
|
+
return;
|
|
12003
|
+
}
|
|
12004
|
+
const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
|
|
12005
|
+
const currentAccountKeys = getAccountKeys(this.browserStorage);
|
|
12006
|
+
const previousAccountKeys = getAccountKeys(this.browserStorage, accountSchema);
|
|
12007
|
+
for (const idTokenKey of [...credentialKeysToMigrate.idToken]) {
|
|
12008
|
+
this.performanceClient.incrementFields({ oldITCount: 1 }, correlationId);
|
|
12009
|
+
const oldSchemaData = (await this.updateOldEntry(idTokenKey, correlationId));
|
|
12010
|
+
if (!oldSchemaData) {
|
|
12011
|
+
removeElementFromArray(credentialKeysToMigrate.idToken, idTokenKey);
|
|
12012
|
+
continue;
|
|
12013
|
+
}
|
|
12014
|
+
const currentAccountKey = currentAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
|
|
12015
|
+
const previousAccountKey = previousAccountKeys.find((key) => key.includes(oldSchemaData.homeAccountId));
|
|
12016
|
+
let account = null;
|
|
12017
|
+
if (currentAccountKey) {
|
|
12018
|
+
account = this.getAccount(currentAccountKey, correlationId);
|
|
12019
|
+
}
|
|
12020
|
+
else if (previousAccountKey) {
|
|
12021
|
+
const rawValue = this.browserStorage.getItem(previousAccountKey);
|
|
12022
|
+
const parsedValue = this.validateAndParseJson(rawValue || "");
|
|
12023
|
+
account =
|
|
12024
|
+
parsedValue && isEncrypted(parsedValue)
|
|
12025
|
+
? (await this.browserStorage.decryptData(previousAccountKey, parsedValue, correlationId))
|
|
12026
|
+
: parsedValue;
|
|
12027
|
+
}
|
|
12028
|
+
if (!account) {
|
|
12029
|
+
// Don't migrate idToken if we don't have an account for it
|
|
12030
|
+
this.performanceClient.incrementFields({ skipITMigrateCount: 1 }, correlationId);
|
|
11845
12031
|
continue;
|
|
11846
12032
|
}
|
|
11847
|
-
|
|
11848
|
-
|
|
11849
|
-
|
|
11850
|
-
|
|
11851
|
-
|
|
11852
|
-
|
|
11853
|
-
|
|
11854
|
-
|
|
11855
|
-
|
|
11856
|
-
|
|
11857
|
-
|
|
11858
|
-
|
|
12033
|
+
const claims = extractTokenClaims(oldSchemaData.secret, base64Decode);
|
|
12034
|
+
const newIdTokenKey = this.generateCredentialKey(oldSchemaData);
|
|
12035
|
+
const currentIdToken = this.getIdTokenCredential(newIdTokenKey, correlationId);
|
|
12036
|
+
const oldTokenHasSignInState = Object.keys(claims).includes("signin_state");
|
|
12037
|
+
const currentTokenHasSignInState = currentIdToken &&
|
|
12038
|
+
Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode) || {}).includes("signin_state");
|
|
12039
|
+
/**
|
|
12040
|
+
* Only migrate if:
|
|
12041
|
+
* 1. Token doesn't yet exist in current schema
|
|
12042
|
+
* 2. Old schema token has been updated more recently than the current one AND migrating it won't result in loss of KMSI state
|
|
12043
|
+
*/
|
|
12044
|
+
if (!currentIdToken ||
|
|
12045
|
+
(oldSchemaData.lastUpdatedAt > currentIdToken.lastUpdatedAt &&
|
|
12046
|
+
(oldTokenHasSignInState || !currentTokenHasSignInState))) {
|
|
12047
|
+
const tenantProfiles = account.tenantProfiles || [];
|
|
12048
|
+
const tenantId = getTenantIdFromIdTokenClaims(claims) || account.realm;
|
|
12049
|
+
if (tenantId &&
|
|
12050
|
+
!tenantProfiles.find((tenantProfile) => {
|
|
12051
|
+
return tenantProfile.tenantId === tenantId;
|
|
12052
|
+
})) {
|
|
12053
|
+
const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, claims);
|
|
12054
|
+
tenantProfiles.push(newTenantProfile);
|
|
11859
12055
|
}
|
|
11860
|
-
|
|
11861
|
-
|
|
12056
|
+
account.tenantProfiles = tenantProfiles;
|
|
12057
|
+
const newAccountKey = this.generateAccountKey(AccountEntity.getAccountInfo(account));
|
|
12058
|
+
const kmsi = isKmsi(claims);
|
|
12059
|
+
await this.setUserData(newAccountKey, JSON.stringify(account), correlationId, account.lastUpdatedAt, kmsi);
|
|
12060
|
+
if (!currentAccountKeys.includes(newAccountKey)) {
|
|
12061
|
+
currentAccountKeys.push(newAccountKey);
|
|
11862
12062
|
}
|
|
12063
|
+
await this.setUserData(newIdTokenKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
|
|
12064
|
+
this.performanceClient.incrementFields({ migratedITCount: 1 }, correlationId);
|
|
12065
|
+
currentCredentialKeys.idToken.push(newIdTokenKey);
|
|
12066
|
+
}
|
|
12067
|
+
}
|
|
12068
|
+
this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
|
|
12069
|
+
this.setTokenKeys(currentCredentialKeys, correlationId);
|
|
12070
|
+
this.setAccountKeys(currentAccountKeys, correlationId);
|
|
12071
|
+
}
|
|
12072
|
+
/**
|
|
12073
|
+
* Migrates access tokens from old cache schema to current schema
|
|
12074
|
+
* @param credentialSchema
|
|
12075
|
+
* @param kmsiMap
|
|
12076
|
+
* @param correlationId
|
|
12077
|
+
* @returns
|
|
12078
|
+
*/
|
|
12079
|
+
async migrateAccessTokens(credentialSchema, kmsiMap, correlationId) {
|
|
12080
|
+
const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
|
|
12081
|
+
if (credentialKeysToMigrate.accessToken.length === 0) {
|
|
12082
|
+
return;
|
|
12083
|
+
}
|
|
12084
|
+
const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
|
|
12085
|
+
for (const accessTokenKey of [...credentialKeysToMigrate.accessToken]) {
|
|
12086
|
+
this.performanceClient.incrementFields({ oldATCount: 1 }, correlationId);
|
|
12087
|
+
const oldSchemaData = (await this.updateOldEntry(accessTokenKey, correlationId));
|
|
12088
|
+
if (!oldSchemaData) {
|
|
12089
|
+
removeElementFromArray(credentialKeysToMigrate.accessToken, accessTokenKey);
|
|
12090
|
+
continue;
|
|
11863
12091
|
}
|
|
11864
|
-
if (!
|
|
11865
|
-
|
|
11866
|
-
(
|
|
11867
|
-
isTokenExpired(expirationTime, DEFAULT_TOKEN_RENEWAL_OFFSET_SEC))) {
|
|
11868
|
-
this.browserStorage.removeItem(v0Key);
|
|
11869
|
-
removeElementFromArray(v0Keys, v0Key);
|
|
11870
|
-
this.performanceClient.incrementFields({ expiredCacheRemovedCount: 1 }, correlationId);
|
|
12092
|
+
if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
|
|
12093
|
+
// Don't migrate tokens if we don't have an idToken for them
|
|
12094
|
+
this.performanceClient.incrementFields({ skipATMigrateCount: 1 }, correlationId);
|
|
11871
12095
|
continue;
|
|
11872
12096
|
}
|
|
11873
|
-
|
|
11874
|
-
|
|
11875
|
-
|
|
11876
|
-
|
|
11877
|
-
|
|
11878
|
-
|
|
11879
|
-
|
|
11880
|
-
|
|
11881
|
-
|
|
11882
|
-
|
|
11883
|
-
|
|
12097
|
+
const newKey = this.generateCredentialKey(oldSchemaData);
|
|
12098
|
+
const kmsi = kmsiMap[oldSchemaData.homeAccountId];
|
|
12099
|
+
if (!currentCredentialKeys.accessToken.includes(newKey)) {
|
|
12100
|
+
await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
|
|
12101
|
+
this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
|
|
12102
|
+
currentCredentialKeys.accessToken.push(newKey);
|
|
12103
|
+
}
|
|
12104
|
+
else {
|
|
12105
|
+
const currentToken = this.getAccessTokenCredential(newKey, correlationId);
|
|
12106
|
+
if (!currentToken ||
|
|
12107
|
+
oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
|
|
12108
|
+
// If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
|
|
12109
|
+
await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
|
|
12110
|
+
this.performanceClient.incrementFields({ migratedATCount: 1 }, correlationId);
|
|
11884
12111
|
}
|
|
11885
|
-
|
|
11886
|
-
|
|
11887
|
-
|
|
11888
|
-
|
|
11889
|
-
|
|
11890
|
-
|
|
11891
|
-
|
|
11892
|
-
|
|
11893
|
-
|
|
11894
|
-
|
|
12112
|
+
}
|
|
12113
|
+
}
|
|
12114
|
+
this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
|
|
12115
|
+
this.setTokenKeys(currentCredentialKeys, correlationId);
|
|
12116
|
+
}
|
|
12117
|
+
/**
|
|
12118
|
+
* Migrates refresh tokens from old cache schema to current schema
|
|
12119
|
+
* @param credentialSchema
|
|
12120
|
+
* @param kmsiMap
|
|
12121
|
+
* @param correlationId
|
|
12122
|
+
* @returns
|
|
12123
|
+
*/
|
|
12124
|
+
async migrateRefreshTokens(credentialSchema, kmsiMap, correlationId) {
|
|
12125
|
+
const credentialKeysToMigrate = getTokenKeys(this.clientId, this.browserStorage, credentialSchema);
|
|
12126
|
+
if (credentialKeysToMigrate.refreshToken.length === 0) {
|
|
12127
|
+
return;
|
|
12128
|
+
}
|
|
12129
|
+
const currentCredentialKeys = getTokenKeys(this.clientId, this.browserStorage, CREDENTIAL_SCHEMA_VERSION);
|
|
12130
|
+
for (const refreshTokenKey of [
|
|
12131
|
+
...credentialKeysToMigrate.refreshToken,
|
|
12132
|
+
]) {
|
|
12133
|
+
this.performanceClient.incrementFields({ oldRTCount: 1 }, correlationId);
|
|
12134
|
+
const oldSchemaData = (await this.updateOldEntry(refreshTokenKey, correlationId));
|
|
12135
|
+
if (!oldSchemaData) {
|
|
12136
|
+
removeElementFromArray(credentialKeysToMigrate.refreshToken, refreshTokenKey);
|
|
12137
|
+
continue;
|
|
12138
|
+
}
|
|
12139
|
+
if (!Object.keys(kmsiMap).includes(oldSchemaData.homeAccountId)) {
|
|
12140
|
+
// Don't migrate tokens if we don't have an idToken for them
|
|
12141
|
+
this.performanceClient.incrementFields({ skipRTMigrateCount: 1 }, correlationId);
|
|
12142
|
+
continue;
|
|
12143
|
+
}
|
|
12144
|
+
const newKey = this.generateCredentialKey(oldSchemaData);
|
|
12145
|
+
const kmsi = kmsiMap[oldSchemaData.homeAccountId];
|
|
12146
|
+
if (!currentCredentialKeys.refreshToken.includes(newKey)) {
|
|
12147
|
+
await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
|
|
12148
|
+
this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
|
|
12149
|
+
currentCredentialKeys.refreshToken.push(newKey);
|
|
12150
|
+
}
|
|
12151
|
+
else {
|
|
12152
|
+
const currentToken = this.getRefreshTokenCredential(newKey, correlationId);
|
|
12153
|
+
if (!currentToken ||
|
|
12154
|
+
oldSchemaData.lastUpdatedAt > currentToken.lastUpdatedAt) {
|
|
12155
|
+
// If the token already exists, only overwrite it if the old token has a more recent lastUpdatedAt
|
|
12156
|
+
await this.setUserData(newKey, JSON.stringify(oldSchemaData), correlationId, oldSchemaData.lastUpdatedAt, kmsi);
|
|
12157
|
+
this.performanceClient.incrementFields({ migratedRTCount: 1 }, correlationId);
|
|
11895
12158
|
}
|
|
11896
12159
|
}
|
|
11897
|
-
/*
|
|
11898
|
-
* Note: If we reach here for unencrypted localStorage data, we continue without migrating
|
|
11899
|
-
* as we can't migrate unencrypted localStorage data right now since we can't guarantee KMSI=no
|
|
11900
|
-
*/
|
|
11901
12160
|
}
|
|
11902
|
-
|
|
12161
|
+
this.setTokenKeys(credentialKeysToMigrate, correlationId, credentialSchema);
|
|
12162
|
+
this.setTokenKeys(currentCredentialKeys, correlationId);
|
|
11903
12163
|
}
|
|
11904
12164
|
/**
|
|
11905
12165
|
* Tracks upgrades and downgrades for telemetry and debugging purposes
|
|
@@ -11944,20 +12204,31 @@
|
|
|
11944
12204
|
* @param value
|
|
11945
12205
|
*/
|
|
11946
12206
|
setItem(key, value, correlationId) {
|
|
11947
|
-
|
|
11948
|
-
|
|
12207
|
+
const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
|
|
12208
|
+
const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
|
|
11949
12209
|
const maxRetries = 20;
|
|
11950
12210
|
for (let i = 0; i <= maxRetries; i++) {
|
|
12211
|
+
// Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
|
|
11951
12212
|
try {
|
|
11952
12213
|
this.browserStorage.setItem(key, value);
|
|
11953
12214
|
if (i > 0) {
|
|
11954
|
-
//
|
|
11955
|
-
|
|
11956
|
-
this
|
|
11957
|
-
|
|
11958
|
-
|
|
11959
|
-
|
|
11960
|
-
|
|
12215
|
+
// If any tokens were removed in order to store this item update the token keys array with the tokens removed
|
|
12216
|
+
for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
|
|
12217
|
+
// Get the sum of all previous token counts to use as start index for this schema version
|
|
12218
|
+
const startIndex = tokenKeysCount
|
|
12219
|
+
.slice(0, schemaVersion)
|
|
12220
|
+
.reduce((sum, count) => sum + count, 0);
|
|
12221
|
+
if (startIndex >= i) {
|
|
12222
|
+
// Done removing tokens
|
|
12223
|
+
break;
|
|
12224
|
+
}
|
|
12225
|
+
const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
|
|
12226
|
+
? startIndex + tokenKeysCount[schemaVersion]
|
|
12227
|
+
: i;
|
|
12228
|
+
if (i > startIndex &&
|
|
12229
|
+
tokenKeysCount[schemaVersion] > 0) {
|
|
12230
|
+
this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
|
|
12231
|
+
}
|
|
11961
12232
|
}
|
|
11962
12233
|
}
|
|
11963
12234
|
break; // If setItem succeeds, exit the loop
|
|
@@ -11969,16 +12240,19 @@
|
|
|
11969
12240
|
i < maxRetries) {
|
|
11970
12241
|
if (!accessTokenKeys.length) {
|
|
11971
12242
|
// If we are currently trying to set the token keys, use the value we're trying to set
|
|
11972
|
-
|
|
11973
|
-
|
|
11974
|
-
|
|
11975
|
-
|
|
11976
|
-
|
|
11977
|
-
|
|
11978
|
-
|
|
11979
|
-
|
|
11980
|
-
|
|
11981
|
-
|
|
12243
|
+
for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
|
|
12244
|
+
if (key ===
|
|
12245
|
+
getTokenKeysCacheKey(this.clientId, i)) {
|
|
12246
|
+
const tokenKeys = JSON.parse(value).accessToken;
|
|
12247
|
+
accessTokenKeys.push(...tokenKeys);
|
|
12248
|
+
tokenKeysCount[i] = tokenKeys.length;
|
|
12249
|
+
}
|
|
12250
|
+
else {
|
|
12251
|
+
const tokenKeys = this.getTokenKeys(i).accessToken;
|
|
12252
|
+
accessTokenKeys.push(...tokenKeys);
|
|
12253
|
+
tokenKeysCount[i] = tokenKeys.length;
|
|
12254
|
+
}
|
|
12255
|
+
}
|
|
11982
12256
|
}
|
|
11983
12257
|
if (accessTokenKeys.length <= i) {
|
|
11984
12258
|
// Nothing to remove, rethrow the error
|
|
@@ -12001,21 +12275,32 @@
|
|
|
12001
12275
|
* @param value
|
|
12002
12276
|
* @param correlationId
|
|
12003
12277
|
*/
|
|
12004
|
-
async setUserData(key, value, correlationId, timestamp) {
|
|
12005
|
-
|
|
12006
|
-
|
|
12278
|
+
async setUserData(key, value, correlationId, timestamp, kmsi) {
|
|
12279
|
+
const tokenKeysCount = new Array(CREDENTIAL_SCHEMA_VERSION + 1).fill(0); // Array mapping schema version to number of token keys stored for that version
|
|
12280
|
+
const accessTokenKeys = []; // Flat map of all access token keys stored, ordered by schema version
|
|
12007
12281
|
const maxRetries = 20;
|
|
12008
12282
|
for (let i = 0; i <= maxRetries; i++) {
|
|
12009
12283
|
try {
|
|
12010
|
-
|
|
12284
|
+
// Attempt to store item in cache, if cache is full this call will throw and we'll attempt to clear space by removing access tokens from the cache one by one, starting with tokens stored by previous versions of MSAL.js
|
|
12285
|
+
await invokeAsync(this.browserStorage.setUserData.bind(this.browserStorage), PerformanceEvents.SetUserData, this.logger, this.performanceClient)(key, value, correlationId, timestamp, kmsi);
|
|
12011
12286
|
if (i > 0) {
|
|
12012
|
-
//
|
|
12013
|
-
|
|
12014
|
-
this
|
|
12015
|
-
|
|
12016
|
-
|
|
12017
|
-
|
|
12018
|
-
|
|
12287
|
+
// If any tokens were removed in order to store this item update the token keys array with the tokens removed
|
|
12288
|
+
for (let schemaVersion = 0; schemaVersion <= CREDENTIAL_SCHEMA_VERSION; schemaVersion++) {
|
|
12289
|
+
// Get the sum of all previous token counts to use as start index for this schema version
|
|
12290
|
+
const startIndex = tokenKeysCount
|
|
12291
|
+
.slice(0, schemaVersion)
|
|
12292
|
+
.reduce((sum, count) => sum + count, 0);
|
|
12293
|
+
if (startIndex >= i) {
|
|
12294
|
+
// Done removing tokens
|
|
12295
|
+
break;
|
|
12296
|
+
}
|
|
12297
|
+
const endIndex = i > startIndex + tokenKeysCount[schemaVersion]
|
|
12298
|
+
? startIndex + tokenKeysCount[schemaVersion]
|
|
12299
|
+
: i;
|
|
12300
|
+
if (i > startIndex &&
|
|
12301
|
+
tokenKeysCount[schemaVersion] > 0) {
|
|
12302
|
+
this.removeAccessTokenKeys(accessTokenKeys.slice(startIndex, endIndex), correlationId, schemaVersion);
|
|
12303
|
+
}
|
|
12019
12304
|
}
|
|
12020
12305
|
}
|
|
12021
12306
|
break; // If setItem succeeds, exit the loop
|
|
@@ -12026,10 +12311,12 @@
|
|
|
12026
12311
|
cacheQuotaExceeded &&
|
|
12027
12312
|
i < maxRetries) {
|
|
12028
12313
|
if (!accessTokenKeys.length) {
|
|
12029
|
-
|
|
12030
|
-
|
|
12031
|
-
|
|
12032
|
-
|
|
12314
|
+
// If we are currently trying to set the token keys, use the value we're trying to set
|
|
12315
|
+
for (let i = 0; i <= CREDENTIAL_SCHEMA_VERSION; i++) {
|
|
12316
|
+
const tokenKeys = this.getTokenKeys(i).accessToken;
|
|
12317
|
+
accessTokenKeys.push(...tokenKeys);
|
|
12318
|
+
tokenKeysCount[i] = tokenKeys.length;
|
|
12319
|
+
}
|
|
12033
12320
|
}
|
|
12034
12321
|
if (accessTokenKeys.length <= i) {
|
|
12035
12322
|
// Nothing left to remove, rethrow the error
|
|
@@ -12069,20 +12356,21 @@
|
|
|
12069
12356
|
* set account entity in the platform cache
|
|
12070
12357
|
* @param account
|
|
12071
12358
|
*/
|
|
12072
|
-
async setAccount(account, correlationId) {
|
|
12359
|
+
async setAccount(account, correlationId, kmsi) {
|
|
12073
12360
|
this.logger.trace("BrowserCacheManager.setAccount called");
|
|
12074
|
-
const key = this.generateAccountKey(
|
|
12361
|
+
const key = this.generateAccountKey(AccountEntity.getAccountInfo(account));
|
|
12075
12362
|
const timestamp = Date.now().toString();
|
|
12076
12363
|
account.lastUpdatedAt = timestamp;
|
|
12077
|
-
await this.setUserData(key, JSON.stringify(account), correlationId, timestamp);
|
|
12364
|
+
await this.setUserData(key, JSON.stringify(account), correlationId, timestamp, kmsi);
|
|
12078
12365
|
const wasAdded = this.addAccountKeyToMap(key, correlationId);
|
|
12366
|
+
this.performanceClient.addFields({ kmsi: kmsi }, correlationId);
|
|
12079
12367
|
/**
|
|
12080
12368
|
* @deprecated - Remove this in next major version in favor of more consistent LOGIN event
|
|
12081
12369
|
*/
|
|
12082
12370
|
if (this.cacheConfig.cacheLocation ===
|
|
12083
12371
|
BrowserCacheLocation.LocalStorage &&
|
|
12084
12372
|
wasAdded) {
|
|
12085
|
-
this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined,
|
|
12373
|
+
this.eventHandler.emitEvent(EventType.ACCOUNT_ADDED, undefined, AccountEntity.getAccountInfo(account));
|
|
12086
12374
|
}
|
|
12087
12375
|
}
|
|
12088
12376
|
/**
|
|
@@ -12092,6 +12380,14 @@
|
|
|
12092
12380
|
getAccountKeys() {
|
|
12093
12381
|
return getAccountKeys(this.browserStorage);
|
|
12094
12382
|
}
|
|
12383
|
+
setAccountKeys(accountKeys, correlationId, schemaVersion = ACCOUNT_SCHEMA_VERSION) {
|
|
12384
|
+
if (accountKeys.length === 0) {
|
|
12385
|
+
this.removeItem(getAccountKeysCacheKey(schemaVersion));
|
|
12386
|
+
}
|
|
12387
|
+
else {
|
|
12388
|
+
this.setItem(getAccountKeysCacheKey(schemaVersion), JSON.stringify(accountKeys), correlationId);
|
|
12389
|
+
}
|
|
12390
|
+
}
|
|
12095
12391
|
/**
|
|
12096
12392
|
* Add a new account to the key map
|
|
12097
12393
|
* @param key
|
|
@@ -12123,14 +12419,7 @@
|
|
|
12123
12419
|
const removalIndex = accountKeys.indexOf(key);
|
|
12124
12420
|
if (removalIndex > -1) {
|
|
12125
12421
|
accountKeys.splice(removalIndex, 1);
|
|
12126
|
-
|
|
12127
|
-
// If no keys left, remove the map
|
|
12128
|
-
this.removeItem(getAccountKeysCacheKey());
|
|
12129
|
-
return;
|
|
12130
|
-
}
|
|
12131
|
-
else {
|
|
12132
|
-
this.setItem(getAccountKeysCacheKey(), JSON.stringify(accountKeys), correlationId);
|
|
12133
|
-
}
|
|
12422
|
+
this.setAccountKeys(accountKeys, correlationId);
|
|
12134
12423
|
this.logger.trace("BrowserCacheManager.removeAccountKeyFromMap account key removed");
|
|
12135
12424
|
}
|
|
12136
12425
|
else {
|
|
@@ -12270,12 +12559,12 @@
|
|
|
12270
12559
|
* set IdToken credential to the platform cache
|
|
12271
12560
|
* @param idToken
|
|
12272
12561
|
*/
|
|
12273
|
-
async setIdTokenCredential(idToken, correlationId) {
|
|
12562
|
+
async setIdTokenCredential(idToken, correlationId, kmsi) {
|
|
12274
12563
|
this.logger.trace("BrowserCacheManager.setIdTokenCredential called");
|
|
12275
12564
|
const idTokenKey = this.generateCredentialKey(idToken);
|
|
12276
12565
|
const timestamp = Date.now().toString();
|
|
12277
12566
|
idToken.lastUpdatedAt = timestamp;
|
|
12278
|
-
await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp);
|
|
12567
|
+
await this.setUserData(idTokenKey, JSON.stringify(idToken), correlationId, timestamp, kmsi);
|
|
12279
12568
|
const tokenKeys = this.getTokenKeys();
|
|
12280
12569
|
if (tokenKeys.idToken.indexOf(idTokenKey) === -1) {
|
|
12281
12570
|
this.logger.info("BrowserCacheManager: addTokenKey - idToken added to map");
|
|
@@ -12307,12 +12596,12 @@
|
|
|
12307
12596
|
* set accessToken credential to the platform cache
|
|
12308
12597
|
* @param accessToken
|
|
12309
12598
|
*/
|
|
12310
|
-
async setAccessTokenCredential(accessToken, correlationId) {
|
|
12599
|
+
async setAccessTokenCredential(accessToken, correlationId, kmsi) {
|
|
12311
12600
|
this.logger.trace("BrowserCacheManager.setAccessTokenCredential called");
|
|
12312
12601
|
const accessTokenKey = this.generateCredentialKey(accessToken);
|
|
12313
12602
|
const timestamp = Date.now().toString();
|
|
12314
12603
|
accessToken.lastUpdatedAt = timestamp;
|
|
12315
|
-
await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp);
|
|
12604
|
+
await this.setUserData(accessTokenKey, JSON.stringify(accessToken), correlationId, timestamp, kmsi);
|
|
12316
12605
|
const tokenKeys = this.getTokenKeys();
|
|
12317
12606
|
const index = tokenKeys.accessToken.indexOf(accessTokenKey);
|
|
12318
12607
|
if (index !== -1) {
|
|
@@ -12346,12 +12635,12 @@
|
|
|
12346
12635
|
* set refreshToken credential to the platform cache
|
|
12347
12636
|
* @param refreshToken
|
|
12348
12637
|
*/
|
|
12349
|
-
async setRefreshTokenCredential(refreshToken, correlationId) {
|
|
12638
|
+
async setRefreshTokenCredential(refreshToken, correlationId, kmsi) {
|
|
12350
12639
|
this.logger.trace("BrowserCacheManager.setRefreshTokenCredential called");
|
|
12351
12640
|
const refreshTokenKey = this.generateCredentialKey(refreshToken);
|
|
12352
12641
|
const timestamp = Date.now().toString();
|
|
12353
12642
|
refreshToken.lastUpdatedAt = timestamp;
|
|
12354
|
-
await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp);
|
|
12643
|
+
await this.setUserData(refreshTokenKey, JSON.stringify(refreshToken), correlationId, timestamp, kmsi);
|
|
12355
12644
|
const tokenKeys = this.getTokenKeys();
|
|
12356
12645
|
if (tokenKeys.refreshToken.indexOf(refreshTokenKey) === -1) {
|
|
12357
12646
|
this.logger.info("BrowserCacheManager: addTokenKey - refreshToken added to map");
|
|
@@ -12851,7 +13140,7 @@
|
|
|
12851
13140
|
idToken: idTokenEntity,
|
|
12852
13141
|
accessToken: accessTokenEntity,
|
|
12853
13142
|
};
|
|
12854
|
-
return this.saveCacheRecord(cacheRecord, result.correlationId);
|
|
13143
|
+
return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)));
|
|
12855
13144
|
}
|
|
12856
13145
|
/**
|
|
12857
13146
|
* saves a cache record
|
|
@@ -12859,9 +13148,9 @@
|
|
|
12859
13148
|
* @param storeInCache {?StoreInCache}
|
|
12860
13149
|
* @param correlationId {?string} correlation id
|
|
12861
13150
|
*/
|
|
12862
|
-
async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
|
|
13151
|
+
async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
|
|
12863
13152
|
try {
|
|
12864
|
-
await super.saveCacheRecord(cacheRecord, correlationId, storeInCache);
|
|
13153
|
+
await super.saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache);
|
|
12865
13154
|
}
|
|
12866
13155
|
catch (e) {
|
|
12867
13156
|
if (e instanceof CacheError &&
|
|
@@ -14093,7 +14382,7 @@
|
|
|
14093
14382
|
// generate authenticationResult
|
|
14094
14383
|
const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
|
|
14095
14384
|
// cache accounts and tokens in the appropriate storage
|
|
14096
|
-
await this.cacheAccount(baseAccount, this.correlationId);
|
|
14385
|
+
await this.cacheAccount(baseAccount, this.correlationId, isKmsi(idTokenClaims));
|
|
14097
14386
|
await this.cacheNativeTokens(response, request, homeAccountIdentifier, idTokenClaims, response.access_token, result.tenantId, reqTimestamp);
|
|
14098
14387
|
return result;
|
|
14099
14388
|
}
|
|
@@ -14180,7 +14469,7 @@
|
|
|
14180
14469
|
const tid = accountProperties["TenantId"] ||
|
|
14181
14470
|
idTokenClaims.tid ||
|
|
14182
14471
|
Constants.EMPTY_STRING;
|
|
14183
|
-
const accountInfo = updateAccountTenantProfileData(
|
|
14472
|
+
const accountInfo = updateAccountTenantProfileData(AccountEntity.getAccountInfo(accountEntity), undefined, // tenantProfile optional
|
|
14184
14473
|
idTokenClaims, response.id_token);
|
|
14185
14474
|
/**
|
|
14186
14475
|
* In pairwise broker flows, this check prevents the broker's native account id
|
|
@@ -14217,11 +14506,11 @@
|
|
|
14217
14506
|
* cache the account entity in browser storage
|
|
14218
14507
|
* @param accountEntity
|
|
14219
14508
|
*/
|
|
14220
|
-
async cacheAccount(accountEntity, correlationId) {
|
|
14509
|
+
async cacheAccount(accountEntity, correlationId, kmsi) {
|
|
14221
14510
|
// Store the account info and hence `nativeAccountId` in browser cache
|
|
14222
|
-
await this.browserStorage.setAccount(accountEntity, this.correlationId);
|
|
14511
|
+
await this.browserStorage.setAccount(accountEntity, this.correlationId, kmsi);
|
|
14223
14512
|
// Remove any existing cached tokens for this account in browser storage
|
|
14224
|
-
this.browserStorage.removeAccountContext(
|
|
14513
|
+
this.browserStorage.removeAccountContext(AccountEntity.getAccountInfo(accountEntity), correlationId);
|
|
14225
14514
|
}
|
|
14226
14515
|
/**
|
|
14227
14516
|
* Stores the access_token and id_token in inmemory storage
|
|
@@ -14248,7 +14537,7 @@
|
|
|
14248
14537
|
idToken: cachedIdToken,
|
|
14249
14538
|
accessToken: cachedAccessToken,
|
|
14250
14539
|
};
|
|
14251
|
-
return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, request.storeInCache);
|
|
14540
|
+
return this.nativeStorageManager.saveCacheRecord(nativeCacheRecord, this.correlationId, isKmsi(idTokenClaims), request.storeInCache);
|
|
14252
14541
|
}
|
|
14253
14542
|
getExpiresInValue(tokenType, expiresIn) {
|
|
14254
14543
|
return tokenType === AuthenticationScheme.POP
|
|
@@ -16274,6 +16563,7 @@
|
|
|
16274
16563
|
authFrame.style.width = authFrame.style.height = "0";
|
|
16275
16564
|
authFrame.style.border = "0";
|
|
16276
16565
|
authFrame.setAttribute("sandbox", "allow-scripts allow-same-origin allow-forms");
|
|
16566
|
+
authFrame.setAttribute("allow", "local-network-access *");
|
|
16277
16567
|
document.body.appendChild(authFrame);
|
|
16278
16568
|
return authFrame;
|
|
16279
16569
|
}
|
|
@@ -16526,6 +16816,7 @@
|
|
|
16526
16816
|
const idTokenClaims = response.id_token
|
|
16527
16817
|
? extractTokenClaims(response.id_token, base64Decode)
|
|
16528
16818
|
: undefined;
|
|
16819
|
+
const kmsi = isKmsi(idTokenClaims || {});
|
|
16529
16820
|
const authorityOptions = {
|
|
16530
16821
|
protocolMode: this.config.auth.protocolMode,
|
|
16531
16822
|
knownAuthorities: this.config.auth.knownAuthorities,
|
|
@@ -16537,9 +16828,9 @@
|
|
|
16537
16828
|
? new Authority(Authority.generateAuthority(request.authority, request.azureCloudOptions), this.config.system.networkClient, this.storage, authorityOptions, this.logger, request.correlationId || createNewGuid())
|
|
16538
16829
|
: undefined;
|
|
16539
16830
|
const cacheRecordAccount = await this.loadAccount(request, options.clientInfo || response.client_info || "", correlationId, idTokenClaims, authority);
|
|
16540
|
-
const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId);
|
|
16541
|
-
const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId);
|
|
16542
|
-
const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId);
|
|
16831
|
+
const idToken = await this.loadIdToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, correlationId, kmsi);
|
|
16832
|
+
const accessToken = await this.loadAccessToken(request, response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, cacheRecordAccount.realm, options, correlationId, kmsi);
|
|
16833
|
+
const refreshToken = await this.loadRefreshToken(response, cacheRecordAccount.homeAccountId, cacheRecordAccount.environment, correlationId, kmsi);
|
|
16543
16834
|
return this.generateAuthenticationResult(request, {
|
|
16544
16835
|
account: cacheRecordAccount,
|
|
16545
16836
|
idToken,
|
|
@@ -16560,7 +16851,7 @@
|
|
|
16560
16851
|
this.logger.verbose("TokenCache - loading account");
|
|
16561
16852
|
if (request.account) {
|
|
16562
16853
|
const accountEntity = AccountEntity.createFromAccountInfo(request.account);
|
|
16563
|
-
await this.storage.setAccount(accountEntity, correlationId);
|
|
16854
|
+
await this.storage.setAccount(accountEntity, correlationId, isKmsi(idTokenClaims || {}));
|
|
16564
16855
|
return accountEntity;
|
|
16565
16856
|
}
|
|
16566
16857
|
else if (!authority || (!clientInfo && !idTokenClaims)) {
|
|
@@ -16572,7 +16863,7 @@
|
|
|
16572
16863
|
const cachedAccount = buildAccountToCache(this.storage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, authority.hostnameAndPort, claimsTenantId, undefined, // authCodePayload
|
|
16573
16864
|
undefined, // nativeAccountId
|
|
16574
16865
|
this.logger);
|
|
16575
|
-
await this.storage.setAccount(cachedAccount, correlationId);
|
|
16866
|
+
await this.storage.setAccount(cachedAccount, correlationId, isKmsi(idTokenClaims || {}));
|
|
16576
16867
|
return cachedAccount;
|
|
16577
16868
|
}
|
|
16578
16869
|
/**
|
|
@@ -16583,14 +16874,14 @@
|
|
|
16583
16874
|
* @param tenantId
|
|
16584
16875
|
* @returns `IdTokenEntity`
|
|
16585
16876
|
*/
|
|
16586
|
-
async loadIdToken(response, homeAccountId, environment, tenantId, correlationId) {
|
|
16877
|
+
async loadIdToken(response, homeAccountId, environment, tenantId, correlationId, kmsi) {
|
|
16587
16878
|
if (!response.id_token) {
|
|
16588
16879
|
this.logger.verbose("TokenCache - no id token found in response");
|
|
16589
16880
|
return null;
|
|
16590
16881
|
}
|
|
16591
16882
|
this.logger.verbose("TokenCache - loading id token");
|
|
16592
16883
|
const idTokenEntity = createIdTokenEntity(homeAccountId, environment, response.id_token, this.config.auth.clientId, tenantId);
|
|
16593
|
-
await this.storage.setIdTokenCredential(idTokenEntity, correlationId);
|
|
16884
|
+
await this.storage.setIdTokenCredential(idTokenEntity, correlationId, kmsi);
|
|
16594
16885
|
return idTokenEntity;
|
|
16595
16886
|
}
|
|
16596
16887
|
/**
|
|
@@ -16602,7 +16893,7 @@
|
|
|
16602
16893
|
* @param tenantId
|
|
16603
16894
|
* @returns `AccessTokenEntity`
|
|
16604
16895
|
*/
|
|
16605
|
-
async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId) {
|
|
16896
|
+
async loadAccessToken(request, response, homeAccountId, environment, tenantId, options, correlationId, kmsi) {
|
|
16606
16897
|
if (!response.access_token) {
|
|
16607
16898
|
this.logger.verbose("TokenCache - no access token found in response");
|
|
16608
16899
|
return null;
|
|
@@ -16625,7 +16916,7 @@
|
|
|
16625
16916
|
(response.ext_expires_in || response.expires_in) +
|
|
16626
16917
|
nowSeconds();
|
|
16627
16918
|
const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
|
|
16628
|
-
await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
|
|
16919
|
+
await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId, kmsi);
|
|
16629
16920
|
return accessTokenEntity;
|
|
16630
16921
|
}
|
|
16631
16922
|
/**
|
|
@@ -16636,7 +16927,7 @@
|
|
|
16636
16927
|
* @param environment
|
|
16637
16928
|
* @returns `RefreshTokenEntity`
|
|
16638
16929
|
*/
|
|
16639
|
-
async loadRefreshToken(response, homeAccountId, environment, correlationId) {
|
|
16930
|
+
async loadRefreshToken(response, homeAccountId, environment, correlationId, kmsi) {
|
|
16640
16931
|
if (!response.refresh_token) {
|
|
16641
16932
|
this.logger.verbose("TokenCache - no refresh token found in response");
|
|
16642
16933
|
return null;
|
|
@@ -16644,7 +16935,7 @@
|
|
|
16644
16935
|
this.logger.verbose("TokenCache - loading refresh token");
|
|
16645
16936
|
const refreshTokenEntity = createRefreshTokenEntity(homeAccountId, environment, response.refresh_token, this.config.auth.clientId, response.foci, undefined, // userAssertionHash
|
|
16646
16937
|
response.refresh_token_expires_in);
|
|
16647
|
-
await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId);
|
|
16938
|
+
await this.storage.setRefreshTokenCredential(refreshTokenEntity, correlationId, kmsi);
|
|
16648
16939
|
return refreshTokenEntity;
|
|
16649
16940
|
}
|
|
16650
16941
|
/**
|
|
@@ -16673,7 +16964,7 @@
|
|
|
16673
16964
|
uniqueId: cacheRecord.account.localAccountId,
|
|
16674
16965
|
tenantId: cacheRecord.account.realm,
|
|
16675
16966
|
scopes: responseScopes,
|
|
16676
|
-
account:
|
|
16967
|
+
account: AccountEntity.getAccountInfo(accountEntity),
|
|
16677
16968
|
idToken: cacheRecord.idToken?.secret || "",
|
|
16678
16969
|
idTokenClaims: idTokenClaims || {},
|
|
16679
16970
|
accessToken: accessToken,
|
|
@@ -17691,7 +17982,7 @@
|
|
|
17691
17982
|
this.logger.verbose("hydrateCache called");
|
|
17692
17983
|
// Account gets saved to browser storage regardless of native or not
|
|
17693
17984
|
const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
|
|
17694
|
-
await this.browserStorage.setAccount(accountEntity, result.correlationId);
|
|
17985
|
+
await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
|
|
17695
17986
|
if (result.fromNativeBroker) {
|
|
17696
17987
|
this.logger.verbose("Response was from native broker, storing in-memory");
|
|
17697
17988
|
// Tokens from native broker are stored in-memory
|
|
@@ -18969,7 +19260,7 @@
|
|
|
18969
19260
|
async hydrateCache(result, request) {
|
|
18970
19261
|
this.logger.verbose("hydrateCache called");
|
|
18971
19262
|
const accountEntity = AccountEntity.createFromAccountInfo(result.account, result.cloudGraphHostName, result.msGraphHost);
|
|
18972
|
-
await this.browserStorage.setAccount(accountEntity, result.correlationId);
|
|
19263
|
+
await this.browserStorage.setAccount(accountEntity, result.correlationId, isKmsi(result.idTokenClaims));
|
|
18973
19264
|
return this.browserStorage.hydrateCache(result, request);
|
|
18974
19265
|
}
|
|
18975
19266
|
}
|