@azure/msal-browser 4.5.1 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (172) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  6. package/dist/cache/AccountManager.mjs +1 -1
  7. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  8. package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
  9. package/dist/cache/BrowserCacheManager.mjs +9 -3
  10. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  11. package/dist/cache/CacheHelpers.mjs +1 -1
  12. package/dist/cache/CookieStorage.mjs +1 -1
  13. package/dist/cache/DatabaseStorage.mjs +1 -1
  14. package/dist/cache/LocalStorage.mjs +1 -1
  15. package/dist/cache/MemoryStorage.mjs +1 -1
  16. package/dist/cache/SessionStorage.mjs +1 -1
  17. package/dist/cache/TokenCache.d.ts.map +1 -1
  18. package/dist/cache/TokenCache.mjs +7 -7
  19. package/dist/cache/TokenCache.mjs.map +1 -1
  20. package/dist/config/Configuration.mjs +1 -1
  21. package/dist/controllers/ControllerFactory.mjs +1 -1
  22. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  23. package/dist/controllers/StandardController.d.ts +8 -0
  24. package/dist/controllers/StandardController.d.ts.map +1 -1
  25. package/dist/controllers/StandardController.mjs +50 -47
  26. package/dist/controllers/StandardController.mjs.map +1 -1
  27. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  28. package/dist/crypto/BrowserCrypto.mjs +1 -1
  29. package/dist/crypto/CryptoOps.mjs +1 -1
  30. package/dist/crypto/PkceGenerator.mjs +1 -1
  31. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  32. package/dist/encode/Base64Decode.mjs +1 -1
  33. package/dist/encode/Base64Encode.mjs +1 -1
  34. package/dist/error/BrowserAuthError.mjs +1 -1
  35. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  36. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  37. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  38. package/dist/error/NativeAuthError.mjs +1 -1
  39. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  40. package/dist/error/NestedAppAuthError.mjs +1 -1
  41. package/dist/event/EventHandler.d.ts +1 -1
  42. package/dist/event/EventHandler.d.ts.map +1 -1
  43. package/dist/event/EventHandler.mjs +7 -5
  44. package/dist/event/EventHandler.mjs.map +1 -1
  45. package/dist/event/EventMessage.mjs +1 -1
  46. package/dist/event/EventType.mjs +1 -1
  47. package/dist/index.mjs +1 -1
  48. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  49. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  50. package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  51. package/dist/interaction_client/NativeInteractionClient.mjs +11 -3
  52. package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
  53. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  54. package/dist/interaction_client/PopupClient.mjs +16 -8
  55. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  56. package/dist/interaction_client/RedirectClient.d.ts +3 -3
  57. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  58. package/dist/interaction_client/RedirectClient.mjs +12 -5
  59. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  60. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  61. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  62. package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
  63. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  64. package/dist/interaction_client/SilentIframeClient.mjs +19 -9
  65. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  66. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  67. package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
  68. package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  69. package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
  70. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  71. package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
  72. package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
  73. package/dist/interaction_handler/InteractionHandler.mjs +3 -3
  74. package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
  75. package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
  76. package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
  77. package/dist/interaction_handler/RedirectHandler.mjs +3 -3
  78. package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
  79. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  80. package/dist/naa/BridgeError.mjs +1 -1
  81. package/dist/naa/BridgeProxy.mjs +1 -1
  82. package/dist/naa/BridgeStatusCode.mjs +1 -1
  83. package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  84. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +7 -7
  85. package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
  86. package/dist/navigation/NavigationClient.mjs +1 -1
  87. package/dist/network/FetchClient.mjs +1 -1
  88. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  89. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  90. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  91. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  92. package/dist/packageMetadata.d.ts +1 -1
  93. package/dist/packageMetadata.mjs +2 -2
  94. package/dist/protocol/Authorize.d.ts +13 -0
  95. package/dist/protocol/Authorize.d.ts.map +1 -0
  96. package/dist/protocol/Authorize.mjs +74 -0
  97. package/dist/protocol/Authorize.mjs.map +1 -0
  98. package/dist/request/PopupRequest.d.ts +1 -2
  99. package/dist/request/PopupRequest.d.ts.map +1 -1
  100. package/dist/request/RedirectRequest.d.ts +1 -2
  101. package/dist/request/RedirectRequest.d.ts.map +1 -1
  102. package/dist/request/RequestHelpers.mjs +1 -1
  103. package/dist/request/SilentRequest.d.ts +0 -1
  104. package/dist/request/SilentRequest.d.ts.map +1 -1
  105. package/dist/request/SsoSilentRequest.d.ts +2 -4
  106. package/dist/request/SsoSilentRequest.d.ts.map +1 -1
  107. package/dist/response/ResponseHandler.d.ts +3 -3
  108. package/dist/response/ResponseHandler.d.ts.map +1 -1
  109. package/dist/response/ResponseHandler.mjs +1 -1
  110. package/dist/response/ResponseHandler.mjs.map +1 -1
  111. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  112. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  113. package/dist/utils/BrowserConstants.mjs +1 -1
  114. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  115. package/dist/utils/BrowserUtils.mjs +1 -1
  116. package/lib/msal-browser.cjs +1049 -1053
  117. package/lib/msal-browser.cjs.map +1 -1
  118. package/lib/msal-browser.js +1049 -1053
  119. package/lib/msal-browser.js.map +1 -1
  120. package/lib/msal-browser.min.js +67 -65
  121. package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
  122. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  123. package/lib/types/controllers/StandardController.d.ts +8 -0
  124. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  125. package/lib/types/event/EventHandler.d.ts +1 -1
  126. package/lib/types/event/EventHandler.d.ts.map +1 -1
  127. package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  128. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  129. package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
  130. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  131. package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
  132. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  133. package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
  134. package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  135. package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
  136. package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
  137. package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
  138. package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
  139. package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  140. package/lib/types/packageMetadata.d.ts +1 -1
  141. package/lib/types/protocol/Authorize.d.ts +13 -0
  142. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  143. package/lib/types/request/PopupRequest.d.ts +1 -2
  144. package/lib/types/request/PopupRequest.d.ts.map +1 -1
  145. package/lib/types/request/RedirectRequest.d.ts +1 -2
  146. package/lib/types/request/RedirectRequest.d.ts.map +1 -1
  147. package/lib/types/request/SilentRequest.d.ts +0 -1
  148. package/lib/types/request/SilentRequest.d.ts.map +1 -1
  149. package/lib/types/request/SsoSilentRequest.d.ts +2 -4
  150. package/lib/types/request/SsoSilentRequest.d.ts.map +1 -1
  151. package/lib/types/response/ResponseHandler.d.ts +3 -3
  152. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  153. package/package.json +2 -2
  154. package/src/cache/BrowserCacheManager.ts +8 -2
  155. package/src/cache/TokenCache.ts +8 -7
  156. package/src/controllers/StandardController.ts +66 -51
  157. package/src/event/EventHandler.ts +9 -5
  158. package/src/interaction_client/NativeInteractionClient.ts +14 -2
  159. package/src/interaction_client/PopupClient.ts +40 -21
  160. package/src/interaction_client/RedirectClient.ts +41 -22
  161. package/src/interaction_client/SilentIframeClient.ts +42 -29
  162. package/src/interaction_client/StandardInteractionClient.ts +0 -40
  163. package/src/interaction_handler/InteractionHandler.ts +4 -3
  164. package/src/interaction_handler/RedirectHandler.ts +4 -3
  165. package/src/naa/mapping/NestedAppAuthAdapter.ts +9 -8
  166. package/src/packageMetadata.ts +1 -1
  167. package/src/protocol/Authorize.ts +136 -0
  168. package/src/request/PopupRequest.ts +1 -5
  169. package/src/request/RedirectRequest.ts +1 -5
  170. package/src/request/SilentRequest.ts +0 -1
  171. package/src/request/SsoSilentRequest.ts +2 -7
  172. package/src/response/ResponseHandler.ts +3 -3
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v4.5.1 2025-03-04 */
1
+ /*! @azure/msal-browser v4.8.0 2025-03-20 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -250,13 +250,6 @@ const Errors = {
250
250
  INVALID_GRANT_ERROR: "invalid_grant",
251
251
  CLIENT_MISMATCH_ERROR: "client_mismatch",
252
252
  };
253
- /**
254
- * Password grant parameters
255
- */
256
- const PasswordGrantConstants = {
257
- username: "username",
258
- password: "password",
259
- };
260
253
  /**
261
254
  * Response codes
262
255
  */
@@ -306,7 +299,7 @@ const JsonWebTokenTypes = {
306
299
  // Token renewal offset default in seconds
307
300
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
308
301
 
309
- /*! @azure/msal-common v15.2.0 2025-03-04 */
302
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
310
303
  /*
311
304
  * Copyright (c) Microsoft Corporation. All rights reserved.
312
305
  * Licensed under the MIT License.
@@ -323,7 +316,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
323
316
  unexpectedError: unexpectedError
324
317
  });
325
318
 
326
- /*! @azure/msal-common v15.2.0 2025-03-04 */
319
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
327
320
 
328
321
  /*
329
322
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -372,7 +365,7 @@ function createAuthError(code, additionalMessage) {
372
365
  : AuthErrorMessages[code]);
373
366
  }
374
367
 
375
- /*! @azure/msal-common v15.2.0 2025-03-04 */
368
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
376
369
  /*
377
370
  * Copyright (c) Microsoft Corporation. All rights reserved.
378
371
  * Licensed under the MIT License.
@@ -470,7 +463,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
470
463
  userTimeoutReached: userTimeoutReached
471
464
  });
472
465
 
473
- /*! @azure/msal-common v15.2.0 2025-03-04 */
466
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
474
467
 
475
468
  /*
476
469
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -722,7 +715,7 @@ function createClientAuthError(errorCode, additionalMessage) {
722
715
  return new ClientAuthError(errorCode, additionalMessage);
723
716
  }
724
717
 
725
- /*! @azure/msal-common v15.2.0 2025-03-04 */
718
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
726
719
 
727
720
  /*
728
721
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -761,7 +754,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
761
754
  },
762
755
  };
763
756
 
764
- /*! @azure/msal-common v15.2.0 2025-03-04 */
757
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
765
758
 
766
759
  /*
767
760
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -952,12 +945,12 @@ class Logger {
952
945
  }
953
946
  }
954
947
 
955
- /*! @azure/msal-common v15.2.0 2025-03-04 */
948
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
956
949
  /* eslint-disable header/header */
957
950
  const name$1 = "@azure/msal-common";
958
- const version$1 = "15.2.0";
951
+ const version$1 = "15.3.0";
959
952
 
960
- /*! @azure/msal-common v15.2.0 2025-03-04 */
953
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
961
954
  /*
962
955
  * Copyright (c) Microsoft Corporation. All rights reserved.
963
956
  * Licensed under the MIT License.
@@ -977,7 +970,7 @@ const AzureCloudInstance = {
977
970
  AzureUsGovernment: "https://login.microsoftonline.us",
978
971
  };
979
972
 
980
- /*! @azure/msal-common v15.2.0 2025-03-04 */
973
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
981
974
 
982
975
  /*
983
976
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1038,7 +1031,7 @@ function checkMaxAge(authTime, maxAge) {
1038
1031
  }
1039
1032
  }
1040
1033
 
1041
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1034
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1042
1035
  /*
1043
1036
  * Copyright (c) Microsoft Corporation. All rights reserved.
1044
1037
  * Licensed under the MIT License.
@@ -1053,6 +1046,24 @@ function nowSeconds() {
1053
1046
  // Date.getTime() returns in milliseconds.
1054
1047
  return Math.round(new Date().getTime() / 1000.0);
1055
1048
  }
1049
+ /**
1050
+ * Converts JS Date object to seconds
1051
+ * @param date Date
1052
+ */
1053
+ function toSecondsFromDate(date) {
1054
+ // Convert date to seconds
1055
+ return date.getTime() / 1000;
1056
+ }
1057
+ /**
1058
+ * Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
1059
+ * @param seconds
1060
+ */
1061
+ function toDateFromSeconds(seconds) {
1062
+ if (seconds) {
1063
+ return new Date(Number(seconds) * 1000);
1064
+ }
1065
+ return new Date();
1066
+ }
1056
1067
  /**
1057
1068
  * check if a token is expired based on given UTC time in seconds.
1058
1069
  * @param expiresOn
@@ -1075,7 +1086,7 @@ function wasClockTurnedBack(cachedAt) {
1075
1086
  return cachedAtSec > nowSeconds();
1076
1087
  }
1077
1088
 
1078
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1089
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1079
1090
 
1080
1091
  /*
1081
1092
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1402,7 +1413,7 @@ function isAuthorityMetadataExpired(metadata) {
1402
1413
  return metadata.expiresAt <= nowSeconds();
1403
1414
  }
1404
1415
 
1405
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1416
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1406
1417
  /*
1407
1418
  * Copyright (c) Microsoft Corporation. All rights reserved.
1408
1419
  * Licensed under the MIT License.
@@ -1456,7 +1467,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
1456
1467
  urlParseError: urlParseError
1457
1468
  });
1458
1469
 
1459
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1470
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1460
1471
 
1461
1472
  /*
1462
1473
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1594,7 +1605,7 @@ function createClientConfigurationError(errorCode) {
1594
1605
  return new ClientConfigurationError(errorCode);
1595
1606
  }
1596
1607
 
1597
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1608
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1598
1609
  /*
1599
1610
  * Copyright (c) Microsoft Corporation. All rights reserved.
1600
1611
  * Licensed under the MIT License.
@@ -1691,7 +1702,7 @@ class StringUtils {
1691
1702
  }
1692
1703
  }
1693
1704
 
1694
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1705
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1695
1706
 
1696
1707
  /*
1697
1708
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1882,7 +1893,7 @@ class ScopeSet {
1882
1893
  }
1883
1894
  }
1884
1895
 
1885
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1896
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1886
1897
 
1887
1898
  /*
1888
1899
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1922,7 +1933,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
1922
1933
  };
1923
1934
  }
1924
1935
 
1925
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1936
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1926
1937
  /*
1927
1938
  * Copyright (c) Microsoft Corporation. All rights reserved.
1928
1939
  * Licensed under the MIT License.
@@ -2001,7 +2012,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
2001
2012
  return updatedAccountInfo;
2002
2013
  }
2003
2014
 
2004
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2015
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2005
2016
  /*
2006
2017
  * Copyright (c) Microsoft Corporation. All rights reserved.
2007
2018
  * Licensed under the MIT License.
@@ -2016,7 +2027,7 @@ const AuthorityType = {
2016
2027
  Ciam: 3,
2017
2028
  };
2018
2029
 
2019
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2030
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2020
2031
  /*
2021
2032
  * Copyright (c) Microsoft Corporation. All rights reserved.
2022
2033
  * Licensed under the MIT License.
@@ -2038,7 +2049,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2038
2049
  return null;
2039
2050
  }
2040
2051
 
2041
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2052
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2042
2053
  /*
2043
2054
  * Copyright (c) Microsoft Corporation. All rights reserved.
2044
2055
  * Licensed under the MIT License.
@@ -2051,7 +2062,7 @@ const ProtocolMode = {
2051
2062
  OIDC: "OIDC",
2052
2063
  };
2053
2064
 
2054
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2065
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2055
2066
 
2056
2067
  /*
2057
2068
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2294,7 +2305,7 @@ class AccountEntity {
2294
2305
  }
2295
2306
  }
2296
2307
 
2297
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2308
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2298
2309
 
2299
2310
  /*
2300
2311
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2339,9 +2350,19 @@ function getDeserializedResponse(responseString) {
2339
2350
  throw createClientAuthError(hashNotDeserialized);
2340
2351
  }
2341
2352
  return null;
2353
+ }
2354
+ /**
2355
+ * Utility to create a URL from the params map
2356
+ */
2357
+ function mapToQueryString(parameters) {
2358
+ const queryParameterArray = new Array();
2359
+ parameters.forEach((value, key) => {
2360
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
2361
+ });
2362
+ return queryParameterArray.join("&");
2342
2363
  }
2343
2364
 
2344
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2365
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2345
2366
 
2346
2367
  /*
2347
2368
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2505,7 +2526,7 @@ class UrlString {
2505
2526
  }
2506
2527
  }
2507
2528
 
2508
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2529
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2509
2530
 
2510
2531
  /*
2511
2532
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2645,7 +2666,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2645
2666
  return null;
2646
2667
  }
2647
2668
 
2648
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2669
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2649
2670
  /*
2650
2671
  * Copyright (c) Microsoft Corporation. All rights reserved.
2651
2672
  * Licensed under the MIT License.
@@ -2653,7 +2674,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2653
2674
  const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
2654
2675
  const cacheUnknownErrorCode = "cache_error_unknown";
2655
2676
 
2656
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2677
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2657
2678
 
2658
2679
  /*
2659
2680
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2680,7 +2701,7 @@ class CacheError extends Error {
2680
2701
  }
2681
2702
  }
2682
2703
 
2683
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2704
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2684
2705
 
2685
2706
  /*
2686
2707
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3865,7 +3886,7 @@ class DefaultStorageClass extends CacheManager {
3865
3886
  }
3866
3887
  }
3867
3888
 
3868
- /*! @azure/msal-common v15.2.0 2025-03-04 */
3889
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3869
3890
 
3870
3891
  /*
3871
3892
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3964,7 +3985,7 @@ function isOidcProtocolMode(config) {
3964
3985
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3965
3986
  }
3966
3987
 
3967
- /*! @azure/msal-common v15.2.0 2025-03-04 */
3988
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3968
3989
  /*
3969
3990
  * Copyright (c) Microsoft Corporation. All rights reserved.
3970
3991
  * Licensed under the MIT License.
@@ -3974,7 +3995,7 @@ const CcsCredentialType = {
3974
3995
  UPN: "UPN",
3975
3996
  };
3976
3997
 
3977
- /*! @azure/msal-common v15.2.0 2025-03-04 */
3998
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3978
3999
  /*
3979
4000
  * Copyright (c) Microsoft Corporation. All rights reserved.
3980
4001
  * Licensed under the MIT License.
@@ -4006,14 +4027,11 @@ const X_APP_NAME = "x-app-name";
4006
4027
  const X_APP_VER = "x-app-ver";
4007
4028
  const POST_LOGOUT_URI = "post_logout_redirect_uri";
4008
4029
  const ID_TOKEN_HINT = "id_token_hint";
4009
- const DEVICE_CODE = "device_code";
4010
4030
  const CLIENT_SECRET = "client_secret";
4011
4031
  const CLIENT_ASSERTION = "client_assertion";
4012
4032
  const CLIENT_ASSERTION_TYPE = "client_assertion_type";
4013
4033
  const TOKEN_TYPE = "token_type";
4014
4034
  const REQ_CNF = "req_cnf";
4015
- const OBO_ASSERTION = "assertion";
4016
- const REQUESTED_TOKEN_USE = "requested_token_use";
4017
4035
  const RETURN_SPA_CODE = "return_spa_code";
4018
4036
  const NATIVE_BROKER = "nativebroker";
4019
4037
  const LOGOUT_HINT = "logout_hint";
@@ -4022,76 +4040,10 @@ const LOGIN_HINT = "login_hint";
4022
4040
  const DOMAIN_HINT = "domain_hint";
4023
4041
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
4024
4042
  const BROKER_CLIENT_ID = "brk_client_id";
4025
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
4026
-
4027
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4028
-
4029
- /*
4030
- * Copyright (c) Microsoft Corporation. All rights reserved.
4031
- * Licensed under the MIT License.
4032
- */
4033
- /**
4034
- * Validates server consumable params from the "request" objects
4035
- */
4036
- class RequestValidator {
4037
- /**
4038
- * Utility to check if the `redirectUri` in the request is a non-null value
4039
- * @param redirectUri
4040
- */
4041
- static validateRedirectUri(redirectUri) {
4042
- if (!redirectUri) {
4043
- throw createClientConfigurationError(redirectUriEmpty);
4044
- }
4045
- }
4046
- /**
4047
- * Utility to validate prompt sent by the user in the request
4048
- * @param prompt
4049
- */
4050
- static validatePrompt(prompt) {
4051
- const promptValues = [];
4052
- for (const value in PromptValue) {
4053
- promptValues.push(PromptValue[value]);
4054
- }
4055
- if (promptValues.indexOf(prompt) < 0) {
4056
- throw createClientConfigurationError(invalidPromptValue);
4057
- }
4058
- }
4059
- static validateClaims(claims) {
4060
- try {
4061
- JSON.parse(claims);
4062
- }
4063
- catch (e) {
4064
- throw createClientConfigurationError(invalidClaims);
4065
- }
4066
- }
4067
- /**
4068
- * Utility to validate code_challenge and code_challenge_method
4069
- * @param codeChallenge
4070
- * @param codeChallengeMethod
4071
- */
4072
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4073
- if (!codeChallenge || !codeChallengeMethod) {
4074
- throw createClientConfigurationError(pkceParamsMissing);
4075
- }
4076
- else {
4077
- this.validateCodeChallengeMethod(codeChallengeMethod);
4078
- }
4079
- }
4080
- /**
4081
- * Utility to validate code_challenge_method
4082
- * @param codeChallengeMethod
4083
- */
4084
- static validateCodeChallengeMethod(codeChallengeMethod) {
4085
- if ([
4086
- CodeChallengeMethodValues.PLAIN,
4087
- CodeChallengeMethodValues.S256,
4088
- ].indexOf(codeChallengeMethod) < 0) {
4089
- throw createClientConfigurationError(invalidCodeChallengeMethod);
4090
- }
4091
- }
4092
- }
4043
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
4044
+ const INSTANCE_AWARE = "instance_aware";
4093
4045
 
4094
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4046
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4095
4047
 
4096
4048
  /*
4097
4049
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4109,397 +4061,344 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
4109
4061
  }, correlationId);
4110
4062
  }
4111
4063
  }
4112
- /** @internal */
4113
- class RequestParameterBuilder {
4114
- constructor(correlationId, performanceClient) {
4115
- this.parameters = new Map();
4116
- this.performanceClient = performanceClient;
4117
- this.correlationId = correlationId;
4118
- }
4119
- /**
4120
- * add response_type = code
4121
- */
4122
- addResponseTypeCode() {
4123
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
4124
- }
4125
- /**
4126
- * add response_type = token id_token
4127
- */
4128
- addResponseTypeForTokenAndIdToken() {
4129
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
4130
- }
4131
- /**
4132
- * add response_mode. defaults to query.
4133
- * @param responseMode
4134
- */
4135
- addResponseMode(responseMode) {
4136
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
4137
- }
4138
- /**
4139
- * Add flag to indicate STS should attempt to use WAM if available
4140
- */
4141
- addNativeBroker() {
4142
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
4143
- }
4144
- /**
4145
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4146
- * @param scopeSet
4147
- * @param addOidcScopes
4148
- */
4149
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4150
- // Always add openid to the scopes when adding OIDC scopes
4151
- if (addOidcScopes &&
4152
- !defaultScopes.includes("openid") &&
4153
- !scopes.includes("openid")) {
4154
- defaultScopes.push("openid");
4155
- }
4156
- const requestScopes = addOidcScopes
4157
- ? [...(scopes || []), ...defaultScopes]
4158
- : scopes || [];
4159
- const scopeSet = new ScopeSet(requestScopes);
4160
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
4064
+ /**
4065
+ * add response_type = code
4066
+ */
4067
+ function addResponseTypeCode(parameters) {
4068
+ parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
4069
+ }
4070
+ /**
4071
+ * add response_mode. defaults to query.
4072
+ * @param responseMode
4073
+ */
4074
+ function addResponseMode(parameters, responseMode) {
4075
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
4076
+ }
4077
+ /**
4078
+ * Add flag to indicate STS should attempt to use WAM if available
4079
+ */
4080
+ function addNativeBroker(parameters) {
4081
+ parameters.set(NATIVE_BROKER, "1");
4082
+ }
4083
+ /**
4084
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4085
+ * @param scopeSet
4086
+ * @param addOidcScopes
4087
+ */
4088
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4089
+ // Always add openid to the scopes when adding OIDC scopes
4090
+ if (addOidcScopes &&
4091
+ !defaultScopes.includes("openid") &&
4092
+ !scopes.includes("openid")) {
4093
+ defaultScopes.push("openid");
4094
+ }
4095
+ const requestScopes = addOidcScopes
4096
+ ? [...(scopes || []), ...defaultScopes]
4097
+ : scopes || [];
4098
+ const scopeSet = new ScopeSet(requestScopes);
4099
+ parameters.set(SCOPE, scopeSet.printScopes());
4100
+ }
4101
+ /**
4102
+ * add clientId
4103
+ * @param clientId
4104
+ */
4105
+ function addClientId(parameters, clientId) {
4106
+ parameters.set(CLIENT_ID, clientId);
4107
+ }
4108
+ /**
4109
+ * add redirect_uri
4110
+ * @param redirectUri
4111
+ */
4112
+ function addRedirectUri(parameters, redirectUri) {
4113
+ parameters.set(REDIRECT_URI, redirectUri);
4114
+ }
4115
+ /**
4116
+ * add post logout redirectUri
4117
+ * @param redirectUri
4118
+ */
4119
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
4120
+ parameters.set(POST_LOGOUT_URI, redirectUri);
4121
+ }
4122
+ /**
4123
+ * add id_token_hint to logout request
4124
+ * @param idTokenHint
4125
+ */
4126
+ function addIdTokenHint(parameters, idTokenHint) {
4127
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
4128
+ }
4129
+ /**
4130
+ * add domain_hint
4131
+ * @param domainHint
4132
+ */
4133
+ function addDomainHint(parameters, domainHint) {
4134
+ parameters.set(DOMAIN_HINT, domainHint);
4135
+ }
4136
+ /**
4137
+ * add login_hint
4138
+ * @param loginHint
4139
+ */
4140
+ function addLoginHint(parameters, loginHint) {
4141
+ parameters.set(LOGIN_HINT, loginHint);
4142
+ }
4143
+ /**
4144
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
4145
+ * @param loginHint
4146
+ */
4147
+ function addCcsUpn(parameters, loginHint) {
4148
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
4149
+ }
4150
+ /**
4151
+ * Adds the CCS (Cache Credential Service) query parameter for account object
4152
+ * @param loginHint
4153
+ */
4154
+ function addCcsOid(parameters, clientInfo) {
4155
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
4156
+ }
4157
+ /**
4158
+ * add sid
4159
+ * @param sid
4160
+ */
4161
+ function addSid(parameters, sid) {
4162
+ parameters.set(SID, sid);
4163
+ }
4164
+ /**
4165
+ * add claims
4166
+ * @param claims
4167
+ */
4168
+ function addClaims(parameters, claims, clientCapabilities) {
4169
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
4170
+ try {
4171
+ JSON.parse(mergedClaims);
4161
4172
  }
4162
- /**
4163
- * add clientId
4164
- * @param clientId
4165
- */
4166
- addClientId(clientId) {
4167
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
4173
+ catch (e) {
4174
+ throw createClientConfigurationError(invalidClaims);
4168
4175
  }
4169
- /**
4170
- * add redirect_uri
4171
- * @param redirectUri
4172
- */
4173
- addRedirectUri(redirectUri) {
4174
- RequestValidator.validateRedirectUri(redirectUri);
4175
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
4176
+ parameters.set(CLAIMS, mergedClaims);
4177
+ }
4178
+ /**
4179
+ * add correlationId
4180
+ * @param correlationId
4181
+ */
4182
+ function addCorrelationId(parameters, correlationId) {
4183
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
4184
+ }
4185
+ /**
4186
+ * add library info query params
4187
+ * @param libraryInfo
4188
+ */
4189
+ function addLibraryInfo(parameters, libraryInfo) {
4190
+ // Telemetry Info
4191
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4192
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
4193
+ if (libraryInfo.os) {
4194
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
4176
4195
  }
4177
- /**
4178
- * add post logout redirectUri
4179
- * @param redirectUri
4180
- */
4181
- addPostLogoutRedirectUri(redirectUri) {
4182
- RequestValidator.validateRedirectUri(redirectUri);
4183
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
4196
+ if (libraryInfo.cpu) {
4197
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4184
4198
  }
4185
- /**
4186
- * add id_token_hint to logout request
4187
- * @param idTokenHint
4188
- */
4189
- addIdTokenHint(idTokenHint) {
4190
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
4199
+ }
4200
+ /**
4201
+ * Add client telemetry parameters
4202
+ * @param appTelemetry
4203
+ */
4204
+ function addApplicationTelemetry(parameters, appTelemetry) {
4205
+ if (appTelemetry?.appName) {
4206
+ parameters.set(X_APP_NAME, appTelemetry.appName);
4191
4207
  }
4192
- /**
4193
- * add domain_hint
4194
- * @param domainHint
4195
- */
4196
- addDomainHint(domainHint) {
4197
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
4208
+ if (appTelemetry?.appVersion) {
4209
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
4198
4210
  }
4199
- /**
4200
- * add login_hint
4201
- * @param loginHint
4202
- */
4203
- addLoginHint(loginHint) {
4204
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
4211
+ }
4212
+ /**
4213
+ * add prompt
4214
+ * @param prompt
4215
+ */
4216
+ function addPrompt(parameters, prompt) {
4217
+ parameters.set(PROMPT, prompt);
4218
+ }
4219
+ /**
4220
+ * add state
4221
+ * @param state
4222
+ */
4223
+ function addState(parameters, state) {
4224
+ if (state) {
4225
+ parameters.set(STATE, state);
4205
4226
  }
4206
- /**
4207
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
4208
- * @param loginHint
4209
- */
4210
- addCcsUpn(loginHint) {
4211
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
4227
+ }
4228
+ /**
4229
+ * add nonce
4230
+ * @param nonce
4231
+ */
4232
+ function addNonce(parameters, nonce) {
4233
+ parameters.set(NONCE, nonce);
4234
+ }
4235
+ /**
4236
+ * add code_challenge and code_challenge_method
4237
+ * - throw if either of them are not passed
4238
+ * @param codeChallenge
4239
+ * @param codeChallengeMethod
4240
+ */
4241
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
4242
+ if (codeChallenge && codeChallengeMethod) {
4243
+ parameters.set(CODE_CHALLENGE, codeChallenge);
4244
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
4212
4245
  }
4213
- /**
4214
- * Adds the CCS (Cache Credential Service) query parameter for account object
4215
- * @param loginHint
4216
- */
4217
- addCcsOid(clientInfo) {
4218
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
4246
+ else {
4247
+ throw createClientConfigurationError(pkceParamsMissing);
4219
4248
  }
4220
- /**
4221
- * add sid
4222
- * @param sid
4223
- */
4224
- addSid(sid) {
4225
- this.parameters.set(SID, encodeURIComponent(sid));
4249
+ }
4250
+ /**
4251
+ * add the `authorization_code` passed by the user to exchange for a token
4252
+ * @param code
4253
+ */
4254
+ function addAuthorizationCode(parameters, code) {
4255
+ parameters.set(CODE, code);
4256
+ }
4257
+ /**
4258
+ * add the `refreshToken` passed by the user
4259
+ * @param refreshToken
4260
+ */
4261
+ function addRefreshToken(parameters, refreshToken) {
4262
+ parameters.set(REFRESH_TOKEN, refreshToken);
4263
+ }
4264
+ /**
4265
+ * add the `code_verifier` passed by the user to exchange for a token
4266
+ * @param codeVerifier
4267
+ */
4268
+ function addCodeVerifier(parameters, codeVerifier) {
4269
+ parameters.set(CODE_VERIFIER, codeVerifier);
4270
+ }
4271
+ /**
4272
+ * add client_secret
4273
+ * @param clientSecret
4274
+ */
4275
+ function addClientSecret(parameters, clientSecret) {
4276
+ parameters.set(CLIENT_SECRET, clientSecret);
4277
+ }
4278
+ /**
4279
+ * add clientAssertion for confidential client flows
4280
+ * @param clientAssertion
4281
+ */
4282
+ function addClientAssertion(parameters, clientAssertion) {
4283
+ if (clientAssertion) {
4284
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
4226
4285
  }
4227
- /**
4228
- * add claims
4229
- * @param claims
4230
- */
4231
- addClaims(claims, clientCapabilities) {
4232
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
4233
- RequestValidator.validateClaims(mergedClaims);
4234
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
4286
+ }
4287
+ /**
4288
+ * add clientAssertionType for confidential client flows
4289
+ * @param clientAssertionType
4290
+ */
4291
+ function addClientAssertionType(parameters, clientAssertionType) {
4292
+ if (clientAssertionType) {
4293
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
4235
4294
  }
4236
- /**
4237
- * add correlationId
4238
- * @param correlationId
4239
- */
4240
- addCorrelationId(correlationId) {
4241
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
4295
+ }
4296
+ /**
4297
+ * add grant type
4298
+ * @param grantType
4299
+ */
4300
+ function addGrantType(parameters, grantType) {
4301
+ parameters.set(GRANT_TYPE, grantType);
4302
+ }
4303
+ /**
4304
+ * add client info
4305
+ *
4306
+ */
4307
+ function addClientInfo(parameters) {
4308
+ parameters.set(CLIENT_INFO, "1");
4309
+ }
4310
+ function addInstanceAware(parameters) {
4311
+ if (!parameters.has(INSTANCE_AWARE)) {
4312
+ parameters.set(INSTANCE_AWARE, "true");
4242
4313
  }
4243
- /**
4244
- * add library info query params
4245
- * @param libraryInfo
4246
- */
4247
- addLibraryInfo(libraryInfo) {
4248
- // Telemetry Info
4249
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4250
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
4251
- if (libraryInfo.os) {
4252
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
4253
- }
4254
- if (libraryInfo.cpu) {
4255
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4314
+ }
4315
+ /**
4316
+ * add extraQueryParams
4317
+ * @param eQParams
4318
+ */
4319
+ function addExtraQueryParameters(parameters, eQParams) {
4320
+ Object.entries(eQParams).forEach(([key, value]) => {
4321
+ if (!parameters.has(key) && value) {
4322
+ parameters.set(key, value);
4256
4323
  }
4324
+ });
4325
+ }
4326
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
4327
+ let mergedClaims;
4328
+ // Parse provided claims into JSON object or initialize empty object
4329
+ if (!claims) {
4330
+ mergedClaims = {};
4257
4331
  }
4258
- /**
4259
- * Add client telemetry parameters
4260
- * @param appTelemetry
4261
- */
4262
- addApplicationTelemetry(appTelemetry) {
4263
- if (appTelemetry?.appName) {
4264
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
4332
+ else {
4333
+ try {
4334
+ mergedClaims = JSON.parse(claims);
4265
4335
  }
4266
- if (appTelemetry?.appVersion) {
4267
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
4336
+ catch (e) {
4337
+ throw createClientConfigurationError(invalidClaims);
4268
4338
  }
4269
4339
  }
4270
- /**
4271
- * add prompt
4272
- * @param prompt
4273
- */
4274
- addPrompt(prompt) {
4275
- RequestValidator.validatePrompt(prompt);
4276
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
4277
- }
4278
- /**
4279
- * add state
4280
- * @param state
4281
- */
4282
- addState(state) {
4283
- if (state) {
4284
- this.parameters.set(STATE, encodeURIComponent(state));
4340
+ if (clientCapabilities && clientCapabilities.length > 0) {
4341
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4342
+ // Add access_token key to claims object
4343
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4285
4344
  }
4345
+ // Add xms_cc claim with provided clientCapabilities to access_token key
4346
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
4347
+ {
4348
+ values: clientCapabilities,
4349
+ };
4286
4350
  }
4287
- /**
4288
- * add nonce
4289
- * @param nonce
4290
- */
4291
- addNonce(nonce) {
4292
- this.parameters.set(NONCE, encodeURIComponent(nonce));
4351
+ return JSON.stringify(mergedClaims);
4352
+ }
4353
+ /**
4354
+ * add pop_jwk to query params
4355
+ * @param cnfString
4356
+ */
4357
+ function addPopToken(parameters, cnfString) {
4358
+ if (cnfString) {
4359
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4360
+ parameters.set(REQ_CNF, cnfString);
4293
4361
  }
4294
- /**
4295
- * add code_challenge and code_challenge_method
4296
- * - throw if either of them are not passed
4297
- * @param codeChallenge
4298
- * @param codeChallengeMethod
4299
- */
4300
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4301
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
4302
- if (codeChallenge && codeChallengeMethod) {
4303
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
4304
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
4305
- }
4306
- else {
4307
- throw createClientConfigurationError(pkceParamsMissing);
4308
- }
4309
- }
4310
- /**
4311
- * add the `authorization_code` passed by the user to exchange for a token
4312
- * @param code
4313
- */
4314
- addAuthorizationCode(code) {
4315
- this.parameters.set(CODE, encodeURIComponent(code));
4316
- }
4317
- /**
4318
- * add the `authorization_code` passed by the user to exchange for a token
4319
- * @param code
4320
- */
4321
- addDeviceCode(code) {
4322
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
4323
- }
4324
- /**
4325
- * add the `refreshToken` passed by the user
4326
- * @param refreshToken
4327
- */
4328
- addRefreshToken(refreshToken) {
4329
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
4330
- }
4331
- /**
4332
- * add the `code_verifier` passed by the user to exchange for a token
4333
- * @param codeVerifier
4334
- */
4335
- addCodeVerifier(codeVerifier) {
4336
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
4337
- }
4338
- /**
4339
- * add client_secret
4340
- * @param clientSecret
4341
- */
4342
- addClientSecret(clientSecret) {
4343
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
4344
- }
4345
- /**
4346
- * add clientAssertion for confidential client flows
4347
- * @param clientAssertion
4348
- */
4349
- addClientAssertion(clientAssertion) {
4350
- if (clientAssertion) {
4351
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
4352
- }
4353
- }
4354
- /**
4355
- * add clientAssertionType for confidential client flows
4356
- * @param clientAssertionType
4357
- */
4358
- addClientAssertionType(clientAssertionType) {
4359
- if (clientAssertionType) {
4360
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
4361
- }
4362
- }
4363
- /**
4364
- * add OBO assertion for confidential client flows
4365
- * @param clientAssertion
4366
- */
4367
- addOboAssertion(oboAssertion) {
4368
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
4369
- }
4370
- /**
4371
- * add grant type
4372
- * @param grantType
4373
- */
4374
- addRequestTokenUse(tokenUse) {
4375
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
4376
- }
4377
- /**
4378
- * add grant type
4379
- * @param grantType
4380
- */
4381
- addGrantType(grantType) {
4382
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
4383
- }
4384
- /**
4385
- * add client info
4386
- *
4387
- */
4388
- addClientInfo() {
4389
- this.parameters.set(CLIENT_INFO, "1");
4390
- }
4391
- /**
4392
- * add extraQueryParams
4393
- * @param eQParams
4394
- */
4395
- addExtraQueryParameters(eQParams) {
4396
- Object.entries(eQParams).forEach(([key, value]) => {
4397
- if (!this.parameters.has(key) && value) {
4398
- this.parameters.set(key, value);
4399
- }
4400
- });
4401
- }
4402
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
4403
- let mergedClaims;
4404
- // Parse provided claims into JSON object or initialize empty object
4405
- if (!claims) {
4406
- mergedClaims = {};
4407
- }
4408
- else {
4409
- try {
4410
- mergedClaims = JSON.parse(claims);
4411
- }
4412
- catch (e) {
4413
- throw createClientConfigurationError(invalidClaims);
4414
- }
4415
- }
4416
- if (clientCapabilities && clientCapabilities.length > 0) {
4417
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4418
- // Add access_token key to claims object
4419
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4420
- }
4421
- // Add xms_cc claim with provided clientCapabilities to access_token key
4422
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
4423
- values: clientCapabilities,
4424
- };
4425
- }
4426
- return JSON.stringify(mergedClaims);
4427
- }
4428
- /**
4429
- * adds `username` for Password Grant flow
4430
- * @param username
4431
- */
4432
- addUsername(username) {
4433
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
4434
- }
4435
- /**
4436
- * adds `password` for Password Grant flow
4437
- * @param password
4438
- */
4439
- addPassword(password) {
4440
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
4441
- }
4442
- /**
4443
- * add pop_jwk to query params
4444
- * @param cnfString
4445
- */
4446
- addPopToken(cnfString) {
4447
- if (cnfString) {
4448
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4449
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
4450
- }
4451
- }
4452
- /**
4453
- * add SSH JWK and key ID to query params
4454
- */
4455
- addSshJwk(sshJwkString) {
4456
- if (sshJwkString) {
4457
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4458
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
4459
- }
4460
- }
4461
- /**
4462
- * add server telemetry fields
4463
- * @param serverTelemetryManager
4464
- */
4465
- addServerTelemetry(serverTelemetryManager) {
4466
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4467
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4468
- }
4469
- /**
4470
- * Adds parameter that indicates to the server that throttling is supported
4471
- */
4472
- addThrottling() {
4473
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4474
- }
4475
- /**
4476
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
4477
- */
4478
- addLogoutHint(logoutHint) {
4479
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
4362
+ }
4363
+ /**
4364
+ * add SSH JWK and key ID to query params
4365
+ */
4366
+ function addSshJwk(parameters, sshJwkString) {
4367
+ if (sshJwkString) {
4368
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4369
+ parameters.set(REQ_CNF, sshJwkString);
4480
4370
  }
4481
- addBrokerParameters(params) {
4482
- const brokerParams = {};
4483
- brokerParams[BROKER_CLIENT_ID] =
4484
- params.brokerClientId;
4485
- brokerParams[BROKER_REDIRECT_URI] =
4486
- params.brokerRedirectUri;
4487
- this.addExtraQueryParameters(brokerParams);
4371
+ }
4372
+ /**
4373
+ * add server telemetry fields
4374
+ * @param serverTelemetryManager
4375
+ */
4376
+ function addServerTelemetry(parameters, serverTelemetryManager) {
4377
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4378
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4379
+ }
4380
+ /**
4381
+ * Adds parameter that indicates to the server that throttling is supported
4382
+ */
4383
+ function addThrottling(parameters) {
4384
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4385
+ }
4386
+ /**
4387
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
4388
+ */
4389
+ function addLogoutHint(parameters, logoutHint) {
4390
+ parameters.set(LOGOUT_HINT, logoutHint);
4391
+ }
4392
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
4393
+ if (!parameters.has(BROKER_CLIENT_ID)) {
4394
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
4488
4395
  }
4489
- /**
4490
- * Utility to create a URL from the params map
4491
- */
4492
- createQueryString() {
4493
- const queryParameterArray = new Array();
4494
- this.parameters.forEach((value, key) => {
4495
- queryParameterArray.push(`${key}=${value}`);
4496
- });
4497
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
4498
- return queryParameterArray.join("&");
4396
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
4397
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
4499
4398
  }
4500
4399
  }
4501
4400
 
4502
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4401
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4503
4402
  /*
4504
4403
  * Copyright (c) Microsoft Corporation. All rights reserved.
4505
4404
  * Licensed under the MIT License.
@@ -4511,7 +4410,7 @@ function isOpenIdConfigResponse(response) {
4511
4410
  response.hasOwnProperty("jwks_uri"));
4512
4411
  }
4513
4412
 
4514
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4413
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4515
4414
  /*
4516
4415
  * Copyright (c) Microsoft Corporation. All rights reserved.
4517
4416
  * Licensed under the MIT License.
@@ -4521,7 +4420,7 @@ function isCloudInstanceDiscoveryResponse(response) {
4521
4420
  response.hasOwnProperty("metadata"));
4522
4421
  }
4523
4422
 
4524
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4423
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4525
4424
  /*
4526
4425
  * Copyright (c) Microsoft Corporation. All rights reserved.
4527
4426
  * Licensed under the MIT License.
@@ -4531,7 +4430,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
4531
4430
  response.hasOwnProperty("error_description"));
4532
4431
  }
4533
4432
 
4534
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4433
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4535
4434
  /*
4536
4435
  * Copyright (c) Microsoft Corporation. All rights reserved.
4537
4436
  * Licensed under the MIT License.
@@ -4707,11 +4606,11 @@ const PerformanceEvents = {
4707
4606
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
4708
4607
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
4709
4608
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
4710
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
4711
4609
  /**
4712
4610
  * getAuthCodeUrl API (msal-browser and msal-node).
4713
4611
  */
4714
4612
  GetAuthCodeUrl: "getAuthCodeUrl",
4613
+ GetStandardParams: "getStandardParams",
4715
4614
  /**
4716
4615
  * Functions from InteractionHandler (msal-browser)
4717
4616
  */
@@ -4724,7 +4623,6 @@ const PerformanceEvents = {
4724
4623
  AuthClientAcquireToken: "authClientAcquireToken",
4725
4624
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
4726
4625
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
4727
- AuthClientCreateQueryString: "authClientCreateQueryString",
4728
4626
  /**
4729
4627
  * Generate functions in PopTokenGenerator (msal-common)
4730
4628
  */
@@ -4895,10 +4793,6 @@ const PerformanceEventAbbreviations = new Map([
4895
4793
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
4896
4794
  "StdIntClientInitAuthReq",
4897
4795
  ],
4898
- [
4899
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
4900
- "StdIntClientInitAuthCodeReq",
4901
- ],
4902
4796
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
4903
4797
  [
4904
4798
  PerformanceEvents.HandleCodeResponseFromServer,
@@ -4912,10 +4806,6 @@ const PerformanceEventAbbreviations = new Map([
4912
4806
  PerformanceEvents.AuthClientCreateTokenRequestBody,
4913
4807
  "AuthClientCreateTReqBody",
4914
4808
  ],
4915
- [
4916
- PerformanceEvents.AuthClientCreateQueryString,
4917
- "AuthClientCreateQueryStr",
4918
- ],
4919
4809
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
4920
4810
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
4921
4811
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -5040,7 +4930,7 @@ const IntFields = new Set([
5040
4930
  "encryptedCacheExpiredCount",
5041
4931
  ]);
5042
4932
 
5043
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4933
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5044
4934
  /*
5045
4935
  * Copyright (c) Microsoft Corporation. All rights reserved.
5046
4936
  * Licensed under the MIT License.
@@ -5136,7 +5026,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
5136
5026
  };
5137
5027
  };
5138
5028
 
5139
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5029
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5140
5030
 
5141
5031
  /*
5142
5032
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5245,7 +5135,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5245
5135
  },
5246
5136
  };
5247
5137
 
5248
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5138
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5249
5139
 
5250
5140
  /*
5251
5141
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6084,7 +5974,7 @@ function buildStaticAuthorityOptions(authOptions) {
6084
5974
  };
6085
5975
  }
6086
5976
 
6087
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5977
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6088
5978
 
6089
5979
  /*
6090
5980
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6115,7 +6005,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6115
6005
  }
6116
6006
  }
6117
6007
 
6118
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6008
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6119
6009
 
6120
6010
  /*
6121
6011
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6134,7 +6024,28 @@ class ServerError extends AuthError {
6134
6024
  }
6135
6025
  }
6136
6026
 
6137
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6027
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6028
+ /*
6029
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6030
+ * Licensed under the MIT License.
6031
+ */
6032
+ function getRequestThumbprint(clientId, request, homeAccountId) {
6033
+ return {
6034
+ clientId: clientId,
6035
+ authority: request.authority,
6036
+ scopes: request.scopes,
6037
+ homeAccountIdentifier: homeAccountId,
6038
+ claims: request.claims,
6039
+ authenticationScheme: request.authenticationScheme,
6040
+ resourceRequestMethod: request.resourceRequestMethod,
6041
+ resourceRequestUri: request.resourceRequestUri,
6042
+ shrClaims: request.shrClaims,
6043
+ sshKid: request.sshKid,
6044
+ embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
6045
+ };
6046
+ }
6047
+
6048
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6138
6049
 
6139
6050
  /*
6140
6051
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6215,24 +6126,13 @@ class ThrottlingUtils {
6215
6126
  ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
6216
6127
  }
6217
6128
  static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
6218
- const thumbprint = {
6219
- clientId: clientId,
6220
- authority: request.authority,
6221
- scopes: request.scopes,
6222
- homeAccountIdentifier: homeAccountIdentifier,
6223
- claims: request.claims,
6224
- authenticationScheme: request.authenticationScheme,
6225
- resourceRequestMethod: request.resourceRequestMethod,
6226
- resourceRequestUri: request.resourceRequestUri,
6227
- shrClaims: request.shrClaims,
6228
- sshKid: request.sshKid,
6229
- };
6129
+ const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
6230
6130
  const key = this.generateThrottlingStorageKey(thumbprint);
6231
6131
  cacheManager.removeItem(key);
6232
6132
  }
6233
6133
  }
6234
6134
 
6235
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6135
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6236
6136
 
6237
6137
  /*
6238
6138
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6262,7 +6162,7 @@ function createNetworkError(error, httpStatus, responseHeaders) {
6262
6162
  return new NetworkError(error, httpStatus, responseHeaders);
6263
6163
  }
6264
6164
 
6265
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6165
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6266
6166
 
6267
6167
  /*
6268
6168
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6397,22 +6297,20 @@ class BaseClient {
6397
6297
  * @param request
6398
6298
  */
6399
6299
  createTokenQueryParameters(request) {
6400
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6300
+ const parameters = new Map();
6401
6301
  if (request.embeddedClientId) {
6402
- parameterBuilder.addBrokerParameters({
6403
- brokerClientId: this.config.authOptions.clientId,
6404
- brokerRedirectUri: this.config.authOptions.redirectUri,
6405
- });
6302
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6406
6303
  }
6407
6304
  if (request.tokenQueryParameters) {
6408
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6305
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6409
6306
  }
6410
- parameterBuilder.addCorrelationId(request.correlationId);
6411
- return parameterBuilder.createQueryString();
6307
+ addCorrelationId(parameters, request.correlationId);
6308
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6309
+ return mapToQueryString(parameters);
6412
6310
  }
6413
6311
  }
6414
6312
 
6415
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6313
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6416
6314
  /*
6417
6315
  * Copyright (c) Microsoft Corporation. All rights reserved.
6418
6316
  * Licensed under the MIT License.
@@ -6438,7 +6336,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
6438
6336
  refreshTokenExpired: refreshTokenExpired
6439
6337
  });
6440
6338
 
6441
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6339
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6442
6340
 
6443
6341
  /*
6444
6342
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6526,7 +6424,7 @@ function createInteractionRequiredAuthError(errorCode) {
6526
6424
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6527
6425
  }
6528
6426
 
6529
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6427
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6530
6428
 
6531
6429
  /*
6532
6430
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6598,7 +6496,7 @@ class ProtocolUtils {
6598
6496
  }
6599
6497
  }
6600
6498
 
6601
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6499
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6602
6500
 
6603
6501
  /*
6604
6502
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6682,7 +6580,7 @@ class PopTokenGenerator {
6682
6580
  }
6683
6581
  }
6684
6582
 
6685
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6583
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6686
6584
  /*
6687
6585
  * Copyright (c) Microsoft Corporation. All rights reserved.
6688
6586
  * Licensed under the MIT License.
@@ -6709,19 +6607,12 @@ class PopTokenGenerator {
6709
6607
  }
6710
6608
  }
6711
6609
 
6712
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6610
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6713
6611
 
6714
6612
  /*
6715
6613
  * Copyright (c) Microsoft Corporation. All rights reserved.
6716
6614
  * Licensed under the MIT License.
6717
6615
  */
6718
- function parseServerErrorNo(serverResponse) {
6719
- const errorCodePrefix = "code=";
6720
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6721
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6722
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6723
- : undefined;
6724
- }
6725
6616
  /**
6726
6617
  * Class that handles response parsing.
6727
6618
  * @internal
@@ -6736,46 +6627,6 @@ class ResponseHandler {
6736
6627
  this.persistencePlugin = persistencePlugin;
6737
6628
  this.performanceClient = performanceClient;
6738
6629
  }
6739
- /**
6740
- * Function which validates server authorization code response.
6741
- * @param serverResponseHash
6742
- * @param requestState
6743
- * @param cryptoObj
6744
- */
6745
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6746
- if (!serverResponse.state || !requestState) {
6747
- throw serverResponse.state
6748
- ? createClientAuthError(stateNotFound, "Cached State")
6749
- : createClientAuthError(stateNotFound, "Server State");
6750
- }
6751
- let decodedServerResponseState;
6752
- let decodedRequestState;
6753
- try {
6754
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6755
- }
6756
- catch (e) {
6757
- throw createClientAuthError(invalidState, serverResponse.state);
6758
- }
6759
- try {
6760
- decodedRequestState = decodeURIComponent(requestState);
6761
- }
6762
- catch (e) {
6763
- throw createClientAuthError(invalidState, serverResponse.state);
6764
- }
6765
- if (decodedServerResponseState !== decodedRequestState) {
6766
- throw createClientAuthError(stateMismatch);
6767
- }
6768
- // Check for error
6769
- if (serverResponse.error ||
6770
- serverResponse.error_description ||
6771
- serverResponse.suberror) {
6772
- const serverErrorNo = parseServerErrorNo(serverResponse);
6773
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6774
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6775
- }
6776
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6777
- }
6778
- }
6779
6630
  /**
6780
6631
  * Function which validates server authorization token response.
6781
6632
  * @param serverResponse
@@ -7001,10 +6852,11 @@ class ResponseHandler {
7001
6852
  accessToken = cacheRecord.accessToken.secret;
7002
6853
  }
7003
6854
  responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
7004
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
7005
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
6855
+ // Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
6856
+ expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
6857
+ extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
7006
6858
  if (cacheRecord.accessToken.refreshOn) {
7007
- refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
6859
+ refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
7008
6860
  }
7009
6861
  }
7010
6862
  if (cacheRecord.appMetadata) {
@@ -7086,7 +6938,74 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
7086
6938
  return baseAccount;
7087
6939
  }
7088
6940
 
7089
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6941
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6942
+
6943
+ /*
6944
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6945
+ * Licensed under the MIT License.
6946
+ */
6947
+ /**
6948
+ * Validates server consumable params from the "request" objects
6949
+ */
6950
+ class RequestValidator {
6951
+ /**
6952
+ * Utility to check if the `redirectUri` in the request is a non-null value
6953
+ * @param redirectUri
6954
+ */
6955
+ static validateRedirectUri(redirectUri) {
6956
+ if (!redirectUri) {
6957
+ throw createClientConfigurationError(redirectUriEmpty);
6958
+ }
6959
+ }
6960
+ /**
6961
+ * Utility to validate prompt sent by the user in the request
6962
+ * @param prompt
6963
+ */
6964
+ static validatePrompt(prompt) {
6965
+ const promptValues = [];
6966
+ for (const value in PromptValue) {
6967
+ promptValues.push(PromptValue[value]);
6968
+ }
6969
+ if (promptValues.indexOf(prompt) < 0) {
6970
+ throw createClientConfigurationError(invalidPromptValue);
6971
+ }
6972
+ }
6973
+ static validateClaims(claims) {
6974
+ try {
6975
+ JSON.parse(claims);
6976
+ }
6977
+ catch (e) {
6978
+ throw createClientConfigurationError(invalidClaims);
6979
+ }
6980
+ }
6981
+ /**
6982
+ * Utility to validate code_challenge and code_challenge_method
6983
+ * @param codeChallenge
6984
+ * @param codeChallengeMethod
6985
+ */
6986
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6987
+ if (!codeChallenge || !codeChallengeMethod) {
6988
+ throw createClientConfigurationError(pkceParamsMissing);
6989
+ }
6990
+ else {
6991
+ this.validateCodeChallengeMethod(codeChallengeMethod);
6992
+ }
6993
+ }
6994
+ /**
6995
+ * Utility to validate code_challenge_method
6996
+ * @param codeChallengeMethod
6997
+ */
6998
+ static validateCodeChallengeMethod(codeChallengeMethod) {
6999
+ if ([
7000
+ CodeChallengeMethodValues.PLAIN,
7001
+ CodeChallengeMethodValues.S256,
7002
+ ].indexOf(codeChallengeMethod) < 0) {
7003
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7004
+ }
7005
+ }
7006
+ }
7007
+
7008
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7090
7009
  /*
7091
7010
  * Copyright (c) Microsoft Corporation. All rights reserved.
7092
7011
  * Licensed under the MIT License.
@@ -7104,7 +7023,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
7104
7023
  }
7105
7024
  }
7106
7025
 
7107
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7026
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7108
7027
 
7109
7028
  /*
7110
7029
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7122,21 +7041,6 @@ class AuthorizationCodeClient extends BaseClient {
7122
7041
  this.oidcDefaultScopes =
7123
7042
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7124
7043
  }
7125
- /**
7126
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7127
- * application. The URL target the /authorize endpoint of the authority configured in the
7128
- * application object.
7129
- *
7130
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7131
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7132
- * acquireToken(AuthorizationCodeRequest)
7133
- * @param request
7134
- */
7135
- async getAuthCodeUrl(request) {
7136
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7137
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7138
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7139
- }
7140
7044
  /**
7141
7045
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7142
7046
  * authorization_code_grant
@@ -7156,22 +7060,6 @@ class AuthorizationCodeClient extends BaseClient {
7156
7060
  responseHandler.validateTokenResponse(response.body);
7157
7061
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7158
7062
  }
7159
- /**
7160
- * Handles the hash fragment response from public client code request. Returns a code response used by
7161
- * the client to exchange for a token in acquireToken.
7162
- * @param hashFragment
7163
- */
7164
- handleFragmentResponse(serverParams, cachedState) {
7165
- // Handle responses.
7166
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7167
- // Get code response
7168
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7169
- // throw when there is no auth code in the response
7170
- if (!serverParams.code) {
7171
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7172
- }
7173
- return serverParams;
7174
- }
7175
7063
  /**
7176
7064
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7177
7065
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7210,18 +7098,7 @@ class AuthorizationCodeClient extends BaseClient {
7210
7098
  }
7211
7099
  }
7212
7100
  const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
7213
- const thumbprint = {
7214
- clientId: request.tokenBodyParameters?.clientId ||
7215
- this.config.authOptions.clientId,
7216
- authority: authority.canonicalAuthority,
7217
- scopes: request.scopes,
7218
- claims: request.claims,
7219
- authenticationScheme: request.authenticationScheme,
7220
- resourceRequestMethod: request.resourceRequestMethod,
7221
- resourceRequestUri: request.resourceRequestUri,
7222
- shrClaims: request.shrClaims,
7223
- sshKid: request.sshKid,
7224
- };
7101
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7225
7102
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
7226
7103
  }
7227
7104
  /**
@@ -7230,8 +7107,8 @@ class AuthorizationCodeClient extends BaseClient {
7230
7107
  */
7231
7108
  async createTokenRequestBody(request) {
7232
7109
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7233
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7234
- parameterBuilder.addClientId(request.embeddedClientId ||
7110
+ const parameters = new Map();
7111
+ addClientId(parameters, request.embeddedClientId ||
7235
7112
  request.tokenBodyParameters?.[CLIENT_ID] ||
7236
7113
  this.config.authOptions.clientId);
7237
7114
  /*
@@ -7244,33 +7121,33 @@ class AuthorizationCodeClient extends BaseClient {
7244
7121
  }
7245
7122
  else {
7246
7123
  // Validate and include redirect uri
7247
- parameterBuilder.addRedirectUri(request.redirectUri);
7124
+ addRedirectUri(parameters, request.redirectUri);
7248
7125
  }
7249
7126
  // Add scope array, parameter builder will add default scopes and dedupe
7250
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7127
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7251
7128
  // add code: user set, not validated
7252
- parameterBuilder.addAuthorizationCode(request.code);
7129
+ addAuthorizationCode(parameters, request.code);
7253
7130
  // Add library metadata
7254
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7255
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7256
- parameterBuilder.addThrottling();
7131
+ addLibraryInfo(parameters, this.config.libraryInfo);
7132
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7133
+ addThrottling(parameters);
7257
7134
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7258
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7135
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7259
7136
  }
7260
7137
  // add code_verifier if passed
7261
7138
  if (request.codeVerifier) {
7262
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7139
+ addCodeVerifier(parameters, request.codeVerifier);
7263
7140
  }
7264
7141
  if (this.config.clientCredentials.clientSecret) {
7265
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7142
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7266
7143
  }
7267
7144
  if (this.config.clientCredentials.clientAssertion) {
7268
7145
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7269
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7270
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7146
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7147
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7271
7148
  }
7272
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7273
- parameterBuilder.addClientInfo();
7149
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7150
+ addClientInfo(parameters);
7274
7151
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7275
7152
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7276
7153
  let reqCnfData;
@@ -7282,11 +7159,11 @@ class AuthorizationCodeClient extends BaseClient {
7282
7159
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7283
7160
  }
7284
7161
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7285
- parameterBuilder.addPopToken(reqCnfData);
7162
+ addPopToken(parameters, reqCnfData);
7286
7163
  }
7287
7164
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7288
7165
  if (request.sshJwk) {
7289
- parameterBuilder.addSshJwk(request.sshJwk);
7166
+ addSshJwk(parameters, request.sshJwk);
7290
7167
  }
7291
7168
  else {
7292
7169
  throw createClientConfigurationError(missingSshJwk);
@@ -7295,7 +7172,7 @@ class AuthorizationCodeClient extends BaseClient {
7295
7172
  if (!StringUtils.isEmptyObj(request.claims) ||
7296
7173
  (this.config.authOptions.clientCapabilities &&
7297
7174
  this.config.authOptions.clientCapabilities.length > 0)) {
7298
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7175
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7299
7176
  }
7300
7177
  let ccsCred = undefined;
7301
7178
  if (request.clientInfo) {
@@ -7319,7 +7196,7 @@ class AuthorizationCodeClient extends BaseClient {
7319
7196
  case CcsCredentialType.HOME_ACCOUNT_ID:
7320
7197
  try {
7321
7198
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7322
- parameterBuilder.addCcsOid(clientInfo);
7199
+ addCcsOid(parameters, clientInfo);
7323
7200
  }
7324
7201
  catch (e) {
7325
7202
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7327,234 +7204,59 @@ class AuthorizationCodeClient extends BaseClient {
7327
7204
  }
7328
7205
  break;
7329
7206
  case CcsCredentialType.UPN:
7330
- parameterBuilder.addCcsUpn(ccsCred.credential);
7207
+ addCcsUpn(parameters, ccsCred.credential);
7331
7208
  break;
7332
7209
  }
7333
7210
  }
7334
7211
  if (request.embeddedClientId) {
7335
- parameterBuilder.addBrokerParameters({
7336
- brokerClientId: this.config.authOptions.clientId,
7337
- brokerRedirectUri: this.config.authOptions.redirectUri,
7338
- });
7212
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7339
7213
  }
7340
7214
  if (request.tokenBodyParameters) {
7341
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7215
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7342
7216
  }
7343
7217
  // Add hybrid spa parameters if not already provided
7344
7218
  if (request.enableSpaAuthorizationCode &&
7345
7219
  (!request.tokenBodyParameters ||
7346
7220
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7347
- parameterBuilder.addExtraQueryParameters({
7221
+ addExtraQueryParameters(parameters, {
7348
7222
  [RETURN_SPA_CODE]: "1",
7349
7223
  });
7350
7224
  }
7351
- return parameterBuilder.createQueryString();
7352
- }
7353
- /**
7354
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7355
- * @param request
7356
- */
7357
- async createAuthCodeUrlQueryString(request) {
7358
- // generate the correlationId if not set by the user and add
7359
- const correlationId = request.correlationId ||
7360
- this.config.cryptoInterface.createNewGuid();
7361
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7362
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7363
- parameterBuilder.addClientId(request.embeddedClientId ||
7364
- request.extraQueryParameters?.[CLIENT_ID] ||
7365
- this.config.authOptions.clientId);
7366
- const requestScopes = [
7367
- ...(request.scopes || []),
7368
- ...(request.extraScopesToConsent || []),
7369
- ];
7370
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7371
- // validate the redirectUri (to be a non null value)
7372
- parameterBuilder.addRedirectUri(request.redirectUri);
7373
- parameterBuilder.addCorrelationId(correlationId);
7374
- // add response_mode. If not passed in it defaults to query.
7375
- parameterBuilder.addResponseMode(request.responseMode);
7376
- // add response_type = code
7377
- parameterBuilder.addResponseTypeCode();
7378
- // add library info parameters
7379
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7380
- if (!isOidcProtocolMode(this.config)) {
7381
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7382
- }
7383
- // add client_info=1
7384
- parameterBuilder.addClientInfo();
7385
- if (request.codeChallenge && request.codeChallengeMethod) {
7386
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7387
- }
7388
- if (request.prompt) {
7389
- parameterBuilder.addPrompt(request.prompt);
7390
- }
7391
- if (request.domainHint) {
7392
- parameterBuilder.addDomainHint(request.domainHint);
7393
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7394
- }
7395
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7396
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7397
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7398
- // AAD will throw if prompt=select_account is passed with an account hint
7399
- if (request.sid && request.prompt === PromptValue.NONE) {
7400
- // SessionID is only used in silent calls
7401
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7402
- parameterBuilder.addSid(request.sid);
7403
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7404
- }
7405
- else if (request.account) {
7406
- const accountSid = this.extractAccountSid(request.account);
7407
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7408
- if (accountLoginHintClaim && request.domainHint) {
7409
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7410
- accountLoginHintClaim = null;
7411
- }
7412
- // If login_hint claim is present, use it over sid/username
7413
- if (accountLoginHintClaim) {
7414
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7415
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7416
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7417
- try {
7418
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7419
- parameterBuilder.addCcsOid(clientInfo);
7420
- }
7421
- catch (e) {
7422
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7423
- }
7424
- }
7425
- else if (accountSid && request.prompt === PromptValue.NONE) {
7426
- /*
7427
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7428
- * SessionId is only used in silent calls
7429
- */
7430
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7431
- parameterBuilder.addSid(accountSid);
7432
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7433
- try {
7434
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7435
- parameterBuilder.addCcsOid(clientInfo);
7436
- }
7437
- catch (e) {
7438
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7439
- }
7440
- }
7441
- else if (request.loginHint) {
7442
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7443
- parameterBuilder.addLoginHint(request.loginHint);
7444
- parameterBuilder.addCcsUpn(request.loginHint);
7445
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7446
- }
7447
- else if (request.account.username) {
7448
- // Fallback to account username if provided
7449
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7450
- parameterBuilder.addLoginHint(request.account.username);
7451
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7452
- try {
7453
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7454
- parameterBuilder.addCcsOid(clientInfo);
7455
- }
7456
- catch (e) {
7457
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7458
- }
7459
- }
7460
- }
7461
- else if (request.loginHint) {
7462
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7463
- parameterBuilder.addLoginHint(request.loginHint);
7464
- parameterBuilder.addCcsUpn(request.loginHint);
7465
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7466
- }
7467
- }
7468
- else {
7469
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7470
- }
7471
- if (request.nonce) {
7472
- parameterBuilder.addNonce(request.nonce);
7473
- }
7474
- if (request.state) {
7475
- parameterBuilder.addState(request.state);
7476
- }
7477
- if (request.claims ||
7478
- (this.config.authOptions.clientCapabilities &&
7479
- this.config.authOptions.clientCapabilities.length > 0)) {
7480
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7481
- }
7482
- if (request.embeddedClientId) {
7483
- parameterBuilder.addBrokerParameters({
7484
- brokerClientId: this.config.authOptions.clientId,
7485
- brokerRedirectUri: this.config.authOptions.redirectUri,
7486
- });
7487
- }
7488
- this.addExtraQueryParams(request, parameterBuilder);
7489
- if (request.platformBroker) {
7490
- // signal ests that this is a WAM call
7491
- parameterBuilder.addNativeBroker();
7492
- // pass the req_cnf for POP
7493
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7494
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7495
- // req_cnf is always sent as a string for SPAs
7496
- let reqCnfData;
7497
- if (!request.popKid) {
7498
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7499
- reqCnfData = generatedReqCnfData.reqCnfString;
7500
- }
7501
- else {
7502
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7503
- }
7504
- parameterBuilder.addPopToken(reqCnfData);
7505
- }
7506
- }
7507
- return parameterBuilder.createQueryString();
7225
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7226
+ return mapToQueryString(parameters);
7508
7227
  }
7509
7228
  /**
7510
7229
  * This API validates the `EndSessionRequest` and creates a URL
7511
7230
  * @param request
7512
7231
  */
7513
7232
  createLogoutUrlQueryString(request) {
7514
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7233
+ const parameters = new Map();
7515
7234
  if (request.postLogoutRedirectUri) {
7516
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7235
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7517
7236
  }
7518
7237
  if (request.correlationId) {
7519
- parameterBuilder.addCorrelationId(request.correlationId);
7238
+ addCorrelationId(parameters, request.correlationId);
7520
7239
  }
7521
7240
  if (request.idTokenHint) {
7522
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7241
+ addIdTokenHint(parameters, request.idTokenHint);
7523
7242
  }
7524
7243
  if (request.state) {
7525
- parameterBuilder.addState(request.state);
7244
+ addState(parameters, request.state);
7526
7245
  }
7527
7246
  if (request.logoutHint) {
7528
- parameterBuilder.addLogoutHint(request.logoutHint);
7529
- }
7530
- this.addExtraQueryParams(request, parameterBuilder);
7531
- return parameterBuilder.createQueryString();
7532
- }
7533
- addExtraQueryParams(request, parameterBuilder) {
7534
- const hasRequestInstanceAware = request.extraQueryParameters &&
7535
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7536
- // Set instance_aware flag if config auth param is set
7537
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7538
- request.extraQueryParameters = request.extraQueryParameters || {};
7539
- request.extraQueryParameters["instance_aware"] = "true";
7247
+ addLogoutHint(parameters, request.logoutHint);
7540
7248
  }
7541
7249
  if (request.extraQueryParameters) {
7542
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7250
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7543
7251
  }
7544
- }
7545
- /**
7546
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7547
- * @param account
7548
- */
7549
- extractAccountSid(account) {
7550
- return account.idTokenClaims?.sid || null;
7551
- }
7552
- extractLoginHint(account) {
7553
- return account.idTokenClaims?.login_hint || null;
7252
+ if (this.config.authOptions.instanceAware) {
7253
+ addInstanceAware(parameters);
7254
+ }
7255
+ return mapToQueryString(parameters);
7554
7256
  }
7555
7257
  }
7556
7258
 
7557
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7259
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7558
7260
 
7559
7261
  /*
7560
7262
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7674,18 +7376,7 @@ class RefreshTokenClient extends BaseClient {
7674
7376
  const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
7675
7377
  const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
7676
7378
  const headers = this.createTokenRequestHeaders(request.ccsCredential);
7677
- const thumbprint = {
7678
- clientId: request.tokenBodyParameters?.clientId ||
7679
- this.config.authOptions.clientId,
7680
- authority: authority.canonicalAuthority,
7681
- scopes: request.scopes,
7682
- claims: request.claims,
7683
- authenticationScheme: request.authenticationScheme,
7684
- resourceRequestMethod: request.resourceRequestMethod,
7685
- resourceRequestUri: request.resourceRequestUri,
7686
- shrClaims: request.shrClaims,
7687
- sshKid: request.sshKid,
7688
- };
7379
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7689
7380
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
7690
7381
  }
7691
7382
  /**
@@ -7694,31 +7385,30 @@ class RefreshTokenClient extends BaseClient {
7694
7385
  */
7695
7386
  async createTokenRequestBody(request) {
7696
7387
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7697
- const correlationId = request.correlationId;
7698
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7699
- parameterBuilder.addClientId(request.embeddedClientId ||
7388
+ const parameters = new Map();
7389
+ addClientId(parameters, request.embeddedClientId ||
7700
7390
  request.tokenBodyParameters?.[CLIENT_ID] ||
7701
7391
  this.config.authOptions.clientId);
7702
7392
  if (request.redirectUri) {
7703
- parameterBuilder.addRedirectUri(request.redirectUri);
7704
- }
7705
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7706
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7707
- parameterBuilder.addClientInfo();
7708
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7709
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7710
- parameterBuilder.addThrottling();
7393
+ addRedirectUri(parameters, request.redirectUri);
7394
+ }
7395
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7396
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7397
+ addClientInfo(parameters);
7398
+ addLibraryInfo(parameters, this.config.libraryInfo);
7399
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7400
+ addThrottling(parameters);
7711
7401
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7712
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7402
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7713
7403
  }
7714
- parameterBuilder.addRefreshToken(request.refreshToken);
7404
+ addRefreshToken(parameters, request.refreshToken);
7715
7405
  if (this.config.clientCredentials.clientSecret) {
7716
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7406
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7717
7407
  }
7718
7408
  if (this.config.clientCredentials.clientAssertion) {
7719
7409
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7720
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7721
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7410
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7411
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7722
7412
  }
7723
7413
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7724
7414
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7731,11 +7421,11 @@ class RefreshTokenClient extends BaseClient {
7731
7421
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7732
7422
  }
7733
7423
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7734
- parameterBuilder.addPopToken(reqCnfData);
7424
+ addPopToken(parameters, reqCnfData);
7735
7425
  }
7736
7426
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7737
7427
  if (request.sshJwk) {
7738
- parameterBuilder.addSshJwk(request.sshJwk);
7428
+ addSshJwk(parameters, request.sshJwk);
7739
7429
  }
7740
7430
  else {
7741
7431
  throw createClientConfigurationError(missingSshJwk);
@@ -7744,7 +7434,7 @@ class RefreshTokenClient extends BaseClient {
7744
7434
  if (!StringUtils.isEmptyObj(request.claims) ||
7745
7435
  (this.config.authOptions.clientCapabilities &&
7746
7436
  this.config.authOptions.clientCapabilities.length > 0)) {
7747
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7437
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7748
7438
  }
7749
7439
  if (this.config.systemOptions.preventCorsPreflight &&
7750
7440
  request.ccsCredential) {
@@ -7752,7 +7442,7 @@ class RefreshTokenClient extends BaseClient {
7752
7442
  case CcsCredentialType.HOME_ACCOUNT_ID:
7753
7443
  try {
7754
7444
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7755
- parameterBuilder.addCcsOid(clientInfo);
7445
+ addCcsOid(parameters, clientInfo);
7756
7446
  }
7757
7447
  catch (e) {
7758
7448
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7760,24 +7450,22 @@ class RefreshTokenClient extends BaseClient {
7760
7450
  }
7761
7451
  break;
7762
7452
  case CcsCredentialType.UPN:
7763
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7453
+ addCcsUpn(parameters, request.ccsCredential.credential);
7764
7454
  break;
7765
7455
  }
7766
7456
  }
7767
7457
  if (request.embeddedClientId) {
7768
- parameterBuilder.addBrokerParameters({
7769
- brokerClientId: this.config.authOptions.clientId,
7770
- brokerRedirectUri: this.config.authOptions.redirectUri,
7771
- });
7458
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7772
7459
  }
7773
7460
  if (request.tokenBodyParameters) {
7774
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7461
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7775
7462
  }
7776
- return parameterBuilder.createQueryString();
7463
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7464
+ return mapToQueryString(parameters);
7777
7465
  }
7778
7466
  }
7779
7467
 
7780
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7468
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7781
7469
 
7782
7470
  /*
7783
7471
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7871,26 +7559,250 @@ class SilentFlowClient extends BaseClient {
7871
7559
  }
7872
7560
  checkMaxAge(authTime, request.maxAge);
7873
7561
  }
7874
- return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7562
+ return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7563
+ }
7564
+ }
7565
+
7566
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7567
+
7568
+ /*
7569
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7570
+ * Licensed under the MIT License.
7571
+ */
7572
+ const StubbedNetworkModule = {
7573
+ sendGetRequestAsync: () => {
7574
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7575
+ },
7576
+ sendPostRequestAsync: () => {
7577
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7578
+ },
7579
+ };
7580
+
7581
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7582
+
7583
+ /*
7584
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7585
+ * Licensed under the MIT License.
7586
+ */
7587
+ /**
7588
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7589
+ * @param config
7590
+ * @param request
7591
+ * @param logger
7592
+ * @param performanceClient
7593
+ * @returns
7594
+ */
7595
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7596
+ // generate the correlationId if not set by the user and add
7597
+ const correlationId = request.correlationId;
7598
+ const parameters = new Map();
7599
+ addClientId(parameters, request.embeddedClientId ||
7600
+ request.extraQueryParameters?.[CLIENT_ID] ||
7601
+ authOptions.clientId);
7602
+ const requestScopes = [
7603
+ ...(request.scopes || []),
7604
+ ...(request.extraScopesToConsent || []),
7605
+ ];
7606
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7607
+ addRedirectUri(parameters, request.redirectUri);
7608
+ addCorrelationId(parameters, correlationId);
7609
+ // add response_mode. If not passed in it defaults to query.
7610
+ addResponseMode(parameters, request.responseMode);
7611
+ // add client_info=1
7612
+ addClientInfo(parameters);
7613
+ if (request.prompt) {
7614
+ addPrompt(parameters, request.prompt);
7615
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7616
+ }
7617
+ if (request.domainHint) {
7618
+ addDomainHint(parameters, request.domainHint);
7619
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7620
+ }
7621
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7622
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7623
+ // AAD will throw if prompt=select_account is passed with an account hint
7624
+ if (request.sid && request.prompt === PromptValue.NONE) {
7625
+ // SessionID is only used in silent calls
7626
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7627
+ addSid(parameters, request.sid);
7628
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7629
+ }
7630
+ else if (request.account) {
7631
+ const accountSid = extractAccountSid(request.account);
7632
+ let accountLoginHintClaim = extractLoginHint(request.account);
7633
+ if (accountLoginHintClaim && request.domainHint) {
7634
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7635
+ accountLoginHintClaim = null;
7636
+ }
7637
+ // If login_hint claim is present, use it over sid/username
7638
+ if (accountLoginHintClaim) {
7639
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7640
+ addLoginHint(parameters, accountLoginHintClaim);
7641
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7642
+ try {
7643
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7644
+ addCcsOid(parameters, clientInfo);
7645
+ }
7646
+ catch (e) {
7647
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7648
+ }
7649
+ }
7650
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7651
+ /*
7652
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7653
+ * SessionId is only used in silent calls
7654
+ */
7655
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7656
+ addSid(parameters, accountSid);
7657
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7658
+ try {
7659
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7660
+ addCcsOid(parameters, clientInfo);
7661
+ }
7662
+ catch (e) {
7663
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7664
+ }
7665
+ }
7666
+ else if (request.loginHint) {
7667
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7668
+ addLoginHint(parameters, request.loginHint);
7669
+ addCcsUpn(parameters, request.loginHint);
7670
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7671
+ }
7672
+ else if (request.account.username) {
7673
+ // Fallback to account username if provided
7674
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7675
+ addLoginHint(parameters, request.account.username);
7676
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7677
+ try {
7678
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7679
+ addCcsOid(parameters, clientInfo);
7680
+ }
7681
+ catch (e) {
7682
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7683
+ }
7684
+ }
7685
+ }
7686
+ else if (request.loginHint) {
7687
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7688
+ addLoginHint(parameters, request.loginHint);
7689
+ addCcsUpn(parameters, request.loginHint);
7690
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7691
+ }
7692
+ }
7693
+ else {
7694
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7695
+ }
7696
+ if (request.nonce) {
7697
+ addNonce(parameters, request.nonce);
7698
+ }
7699
+ if (request.state) {
7700
+ addState(parameters, request.state);
7701
+ }
7702
+ if (request.claims ||
7703
+ (authOptions.clientCapabilities &&
7704
+ authOptions.clientCapabilities.length > 0)) {
7705
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7706
+ }
7707
+ if (request.embeddedClientId) {
7708
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7709
+ }
7710
+ if (request.extraQueryParameters) {
7711
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7712
+ }
7713
+ if (authOptions.instanceAware) {
7714
+ addInstanceAware(parameters);
7715
+ }
7716
+ return parameters;
7717
+ }
7718
+ /**
7719
+ * Returns authorize endpoint with given request parameters in the query string
7720
+ * @param authority
7721
+ * @param requestParameters
7722
+ * @returns
7723
+ */
7724
+ function getAuthorizeUrl(authority, requestParameters) {
7725
+ const queryString = mapToQueryString(requestParameters);
7726
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7727
+ }
7728
+ /**
7729
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7730
+ * the client to exchange for a token in acquireToken.
7731
+ * @param serverParams
7732
+ * @param cachedState
7733
+ */
7734
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7735
+ // Get code response
7736
+ validateAuthorizationResponse(serverParams, cachedState);
7737
+ // throw when there is no auth code in the response
7738
+ if (!serverParams.code) {
7739
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7740
+ }
7741
+ return serverParams;
7742
+ }
7743
+ /**
7744
+ * Function which validates server authorization code response.
7745
+ * @param serverResponseHash
7746
+ * @param requestState
7747
+ */
7748
+ function validateAuthorizationResponse(serverResponse, requestState) {
7749
+ if (!serverResponse.state || !requestState) {
7750
+ throw serverResponse.state
7751
+ ? createClientAuthError(stateNotFound, "Cached State")
7752
+ : createClientAuthError(stateNotFound, "Server State");
7753
+ }
7754
+ let decodedServerResponseState;
7755
+ let decodedRequestState;
7756
+ try {
7757
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7758
+ }
7759
+ catch (e) {
7760
+ throw createClientAuthError(invalidState, serverResponse.state);
7761
+ }
7762
+ try {
7763
+ decodedRequestState = decodeURIComponent(requestState);
7764
+ }
7765
+ catch (e) {
7766
+ throw createClientAuthError(invalidState, serverResponse.state);
7767
+ }
7768
+ if (decodedServerResponseState !== decodedRequestState) {
7769
+ throw createClientAuthError(stateMismatch);
7770
+ }
7771
+ // Check for error
7772
+ if (serverResponse.error ||
7773
+ serverResponse.error_description ||
7774
+ serverResponse.suberror) {
7775
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7776
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7777
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7778
+ }
7779
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7875
7780
  }
7876
- }
7877
-
7878
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7879
-
7880
- /*
7881
- * Copyright (c) Microsoft Corporation. All rights reserved.
7882
- * Licensed under the MIT License.
7781
+ }
7782
+ /**
7783
+ * Get server error No from the error_uri
7784
+ * @param serverResponse
7785
+ * @returns
7883
7786
  */
7884
- const StubbedNetworkModule = {
7885
- sendGetRequestAsync: () => {
7886
- return Promise.reject(createClientAuthError(methodNotImplemented));
7887
- },
7888
- sendPostRequestAsync: () => {
7889
- return Promise.reject(createClientAuthError(methodNotImplemented));
7890
- },
7891
- };
7787
+ function parseServerErrorNo(serverResponse) {
7788
+ const errorCodePrefix = "code=";
7789
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7790
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7791
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7792
+ : undefined;
7793
+ }
7794
+ /**
7795
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7796
+ * @param account
7797
+ */
7798
+ function extractAccountSid(account) {
7799
+ return account.idTokenClaims?.sid || null;
7800
+ }
7801
+ function extractLoginHint(account) {
7802
+ return account.idTokenClaims?.login_hint || null;
7803
+ }
7892
7804
 
7893
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7805
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7894
7806
 
7895
7807
  /*
7896
7808
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7948,7 +7860,7 @@ class AuthenticationHeaderParser {
7948
7860
  }
7949
7861
  }
7950
7862
 
7951
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7863
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7952
7864
 
7953
7865
  /*
7954
7866
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8211,7 +8123,7 @@ class ServerTelemetryManager {
8211
8123
  }
8212
8124
  }
8213
8125
 
8214
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8126
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8215
8127
  /*
8216
8128
  * Copyright (c) Microsoft Corporation. All rights reserved.
8217
8129
  * Licensed under the MIT License.
@@ -8219,7 +8131,7 @@ class ServerTelemetryManager {
8219
8131
  const missingKidError = "missing_kid_error";
8220
8132
  const missingAlgError = "missing_alg_error";
8221
8133
 
8222
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8134
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8223
8135
 
8224
8136
  /*
8225
8137
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8244,7 +8156,7 @@ function createJoseHeaderError(code) {
8244
8156
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8245
8157
  }
8246
8158
 
8247
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8159
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8248
8160
 
8249
8161
  /*
8250
8162
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8284,7 +8196,7 @@ class JoseHeader {
8284
8196
  }
8285
8197
  }
8286
8198
 
8287
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8199
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8288
8200
 
8289
8201
  /*
8290
8202
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8363,7 +8275,7 @@ class StubPerformanceClient {
8363
8275
  }
8364
8276
  }
8365
8277
 
8366
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8278
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8367
8279
 
8368
8280
  /*
8369
8281
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10400,7 +10312,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
10400
10312
 
10401
10313
  /* eslint-disable header/header */
10402
10314
  const name = "@azure/msal-browser";
10403
- const version = "4.5.1";
10315
+ const version = "4.8.0";
10404
10316
 
10405
10317
  /*
10406
10318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -12679,7 +12591,13 @@ class BrowserCacheManager extends CacheManager {
12679
12591
  *
12680
12592
  * The next MSAL VFuture should map these both to same value if possible
12681
12593
  */
12682
- const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), result.expiresOn ? result.expiresOn.getTime() / 1000 : 0, result.extExpiresOn ? result.extExpiresOn.getTime() / 1000 : 0, base64Decode, undefined, // refreshOn
12594
+ const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
12595
+ // Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
12596
+ result.expiresOn
12597
+ ? toSecondsFromDate(result.expiresOn)
12598
+ : 0, result.extExpiresOn
12599
+ ? toSecondsFromDate(result.extExpiresOn)
12600
+ : 0, base64Decode, undefined, // refreshOn
12683
12601
  result.tokenType, undefined, // userAssertionHash
12684
12602
  request.sshKid, request.claims, claimsHash);
12685
12603
  const cacheRecord = {
@@ -12885,7 +12803,9 @@ class EventHandler {
12885
12803
  constructor(logger) {
12886
12804
  this.eventCallbacks = new Map();
12887
12805
  this.logger = logger || new Logger({});
12888
- this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
12806
+ if (typeof BroadcastChannel !== "undefined") {
12807
+ this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
12808
+ }
12889
12809
  this.invokeCrossTabCallbacks = this.invokeCrossTabCallbacks.bind(this);
12890
12810
  }
12891
12811
  /**
@@ -12935,7 +12855,7 @@ class EventHandler {
12935
12855
  case EventType.ACCOUNT_REMOVED:
12936
12856
  case EventType.ACTIVE_ACCOUNT_CHANGED:
12937
12857
  // Send event to other open tabs / MSAL instances on same domain
12938
- this.broadcastChannel.postMessage(message);
12858
+ this.broadcastChannel?.postMessage(message);
12939
12859
  break;
12940
12860
  default:
12941
12861
  // Emit event to callbacks registered in this instance
@@ -12968,13 +12888,13 @@ class EventHandler {
12968
12888
  * Listen for events broadcasted from other tabs/instances
12969
12889
  */
12970
12890
  subscribeCrossTab() {
12971
- this.broadcastChannel.addEventListener("message", this.invokeCrossTabCallbacks);
12891
+ this.broadcastChannel?.addEventListener("message", this.invokeCrossTabCallbacks);
12972
12892
  }
12973
12893
  /**
12974
12894
  * Unsubscribe from broadcast events
12975
12895
  */
12976
12896
  unsubscribeCrossTab() {
12977
- this.broadcastChannel.removeEventListener("message", this.invokeCrossTabCallbacks);
12897
+ this.broadcastChannel?.removeEventListener("message", this.invokeCrossTabCallbacks);
12978
12898
  }
12979
12899
  }
12980
12900
 
@@ -13096,61 +13016,6 @@ class BaseInteractionClient {
13096
13016
  }
13097
13017
  }
13098
13018
 
13099
- /*
13100
- * Copyright (c) Microsoft Corporation. All rights reserved.
13101
- * Licensed under the MIT License.
13102
- */
13103
- // Constant byte array length
13104
- const RANDOM_BYTE_ARR_LENGTH = 32;
13105
- /**
13106
- * This file defines APIs to generate PKCE codes and code verifiers.
13107
- */
13108
- /**
13109
- * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
13110
- */
13111
- async function generatePkceCodes(performanceClient, logger, correlationId) {
13112
- performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
13113
- const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
13114
- const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
13115
- return {
13116
- verifier: codeVerifier,
13117
- challenge: codeChallenge,
13118
- };
13119
- }
13120
- /**
13121
- * Generates a random 32 byte buffer and returns the base64
13122
- * encoded string to be used as a PKCE Code Verifier
13123
- */
13124
- function generateCodeVerifier(performanceClient, logger, correlationId) {
13125
- try {
13126
- // Generate random values as utf-8
13127
- const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
13128
- invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
13129
- // encode verifier as base64
13130
- const pkceCodeVerifierB64 = urlEncodeArr(buffer);
13131
- return pkceCodeVerifierB64;
13132
- }
13133
- catch (e) {
13134
- throw createBrowserAuthError(pkceNotCreated);
13135
- }
13136
- }
13137
- /**
13138
- * Creates a base64 encoded PKCE Code Challenge string from the
13139
- * hash created from the PKCE Code Verifier supplied
13140
- */
13141
- async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
13142
- performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
13143
- try {
13144
- // hashed verifier
13145
- const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
13146
- // encode hash as base64
13147
- return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
13148
- }
13149
- catch (e) {
13150
- throw createBrowserAuthError(pkceNotCreated);
13151
- }
13152
- }
13153
-
13154
13019
  /*
13155
13020
  * Copyright (c) Microsoft Corporation. All rights reserved.
13156
13021
  * Licensed under the MIT License.
@@ -13213,25 +13078,6 @@ async function initializeSilentRequest(request, account, config, performanceClie
13213
13078
  * Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
13214
13079
  */
13215
13080
  class StandardInteractionClient extends BaseInteractionClient {
13216
- /**
13217
- * Generates an auth code request tied to the url request.
13218
- * @param request
13219
- * @param pkceCodes
13220
- */
13221
- async initializeAuthorizationCodeRequest(request, pkceCodes) {
13222
- this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
13223
- const generatedPkceParams = pkceCodes ||
13224
- (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
13225
- const authCodeRequest = {
13226
- ...request,
13227
- redirectUri: request.redirectUri,
13228
- code: Constants.EMPTY_STRING,
13229
- codeVerifier: generatedPkceParams.verifier,
13230
- };
13231
- request.codeChallenge = generatedPkceParams.challenge;
13232
- request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
13233
- return authCodeRequest;
13234
- }
13235
13081
  /**
13236
13082
  * Initializer for the logout request.
13237
13083
  * @param logoutRequest
@@ -13810,7 +13656,12 @@ class NativeInteractionClient extends BaseInteractionClient {
13810
13656
  const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
13811
13657
  nativeAccountId: request.accountId,
13812
13658
  })?.homeAccountId;
13813
- if (homeAccountIdentifier !== cachedhomeAccountId &&
13659
+ // add exception for double brokering, please note this is temporary and will be fortified in future
13660
+ if (request.extraParameters?.child_client_id &&
13661
+ response.account.id !== request.accountId) {
13662
+ this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
13663
+ }
13664
+ else if (homeAccountIdentifier !== cachedhomeAccountId &&
13814
13665
  response.account.id !== request.accountId) {
13815
13666
  // User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
13816
13667
  throw createNativeAuthError(userSwitch);
@@ -13822,6 +13673,8 @@ class NativeInteractionClient extends BaseInteractionClient {
13822
13673
  const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
13823
13674
  idTokenClaims.tid, undefined, // auth code payload
13824
13675
  response.account.id, this.logger);
13676
+ // Ensure expires_in is in number format
13677
+ response.expires_in = Number(response.expires_in);
13825
13678
  // generate authenticationResult
13826
13679
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
13827
13680
  // cache accounts and tokens in the appropriate storage
@@ -13938,7 +13791,8 @@ class NativeInteractionClient extends BaseInteractionClient {
13938
13791
  idTokenClaims: idTokenClaims,
13939
13792
  accessToken: responseAccessToken,
13940
13793
  fromCache: mats ? this.isResponseFromCache(mats) : false,
13941
- expiresOn: new Date(Number(reqTimestamp + response.expires_in) * 1000),
13794
+ // Request timestamp and NativeResponse expires_in are in seconds, converting to Date for AuthenticationResult
13795
+ expiresOn: toDateFromSeconds(reqTimestamp + response.expires_in),
13942
13796
  tokenType: tokenType,
13943
13797
  correlationId: this.correlationId,
13944
13798
  state: response.state,
@@ -14468,7 +14322,7 @@ class InteractionHandler {
14468
14322
  this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
14469
14323
  let authCodeResponse;
14470
14324
  try {
14471
- authCodeResponse = this.authModule.handleFragmentResponse(response, request.state);
14325
+ authCodeResponse = getAuthorizationCodePayload(response, request.state);
14472
14326
  }
14473
14327
  catch (e) {
14474
14328
  if (e instanceof ServerError &&
@@ -14576,6 +14430,126 @@ function validateInteractionType(response, browserCrypto, interactionType) {
14576
14430
  }
14577
14431
  }
14578
14432
 
14433
+ /*
14434
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14435
+ * Licensed under the MIT License.
14436
+ */
14437
+ /**
14438
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
14439
+ * @param config
14440
+ * @param authority
14441
+ * @param request
14442
+ * @param logger
14443
+ * @param performanceClient
14444
+ * @returns
14445
+ */
14446
+ async function getStandardParameters(config, authority, request, logger, performanceClient) {
14447
+ const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
14448
+ addLibraryInfo(parameters, {
14449
+ sku: BrowserConstants.MSAL_SKU,
14450
+ version: version,
14451
+ os: "",
14452
+ cpu: "",
14453
+ });
14454
+ if (config.auth.protocolMode !== ProtocolMode.OIDC) {
14455
+ addApplicationTelemetry(parameters, config.telemetry.application);
14456
+ }
14457
+ if (request.platformBroker) {
14458
+ // signal ests that this is a WAM call
14459
+ addNativeBroker(parameters);
14460
+ // pass the req_cnf for POP
14461
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
14462
+ const cryptoOps = new CryptoOps(logger, performanceClient);
14463
+ const popTokenGenerator = new PopTokenGenerator(cryptoOps);
14464
+ // req_cnf is always sent as a string for SPAs
14465
+ let reqCnfData;
14466
+ if (!request.popKid) {
14467
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
14468
+ reqCnfData = generatedReqCnfData.reqCnfString;
14469
+ }
14470
+ else {
14471
+ reqCnfData = cryptoOps.encodeKid(request.popKid);
14472
+ }
14473
+ addPopToken(parameters, reqCnfData);
14474
+ }
14475
+ }
14476
+ instrumentBrokerParams(parameters, request.correlationId, performanceClient);
14477
+ return parameters;
14478
+ }
14479
+ /**
14480
+ * Gets the full /authorize URL with request parameters when using Auth Code + PKCE
14481
+ * @param config
14482
+ * @param authority
14483
+ * @param request
14484
+ * @param logger
14485
+ * @param performanceClient
14486
+ * @returns
14487
+ */
14488
+ async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
14489
+ if (!request.codeChallenge) {
14490
+ throw createClientConfigurationError(pkceParamsMissing);
14491
+ }
14492
+ const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
14493
+ addResponseTypeCode(parameters);
14494
+ addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
14495
+ return getAuthorizeUrl(authority, parameters);
14496
+ }
14497
+
14498
+ /*
14499
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14500
+ * Licensed under the MIT License.
14501
+ */
14502
+ // Constant byte array length
14503
+ const RANDOM_BYTE_ARR_LENGTH = 32;
14504
+ /**
14505
+ * This file defines APIs to generate PKCE codes and code verifiers.
14506
+ */
14507
+ /**
14508
+ * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
14509
+ */
14510
+ async function generatePkceCodes(performanceClient, logger, correlationId) {
14511
+ performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
14512
+ const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
14513
+ const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
14514
+ return {
14515
+ verifier: codeVerifier,
14516
+ challenge: codeChallenge,
14517
+ };
14518
+ }
14519
+ /**
14520
+ * Generates a random 32 byte buffer and returns the base64
14521
+ * encoded string to be used as a PKCE Code Verifier
14522
+ */
14523
+ function generateCodeVerifier(performanceClient, logger, correlationId) {
14524
+ try {
14525
+ // Generate random values as utf-8
14526
+ const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
14527
+ invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
14528
+ // encode verifier as base64
14529
+ const pkceCodeVerifierB64 = urlEncodeArr(buffer);
14530
+ return pkceCodeVerifierB64;
14531
+ }
14532
+ catch (e) {
14533
+ throw createBrowserAuthError(pkceNotCreated);
14534
+ }
14535
+ }
14536
+ /**
14537
+ * Creates a base64 encoded PKCE Code Challenge string from the
14538
+ * hash created from the PKCE Code Verifier supplied
14539
+ */
14540
+ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
14541
+ performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
14542
+ try {
14543
+ // hashed verifier
14544
+ const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
14545
+ // encode hash as base64
14546
+ return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
14547
+ }
14548
+ catch (e) {
14549
+ throw createBrowserAuthError(pkceNotCreated);
14550
+ }
14551
+ }
14552
+
14579
14553
  /*
14580
14554
  * Copyright (c) Microsoft Corporation. All rights reserved.
14581
14555
  * Licensed under the MIT License.
@@ -14663,6 +14637,9 @@ class PopupClient extends StandardInteractionClient {
14663
14637
  this.logger.verbose("acquireTokenPopupAsync called");
14664
14638
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
14665
14639
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
14640
+ const pkce = pkceCodes ||
14641
+ (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
14642
+ validRequest.codeChallenge = pkce.challenge;
14666
14643
  /*
14667
14644
  * Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
14668
14645
  * popup from being blocked by browsers with shorter popup timers
@@ -14671,8 +14648,6 @@ class PopupClient extends StandardInteractionClient {
14671
14648
  preconnect(validRequest.authority);
14672
14649
  }
14673
14650
  try {
14674
- // Create auth code request and generate PKCE params
14675
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
14676
14651
  // Initialize the client
14677
14652
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
14678
14653
  serverTelemetryManager,
@@ -14689,12 +14664,10 @@ class PopupClient extends StandardInteractionClient {
14689
14664
  this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
14690
14665
  }
14691
14666
  // Create acquire token url.
14692
- const navigateUrl = await authClient.getAuthCodeUrl({
14667
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
14693
14668
  ...validRequest,
14694
14669
  platformBroker: isPlatformBroker,
14695
- });
14696
- // Create popup interaction handler.
14697
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14670
+ }, this.logger, this.performanceClient);
14698
14671
  // Show the UI once the url has been created. Get the window handle for the popup.
14699
14672
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14700
14673
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
@@ -14702,7 +14675,7 @@ class PopupClient extends StandardInteractionClient {
14702
14675
  const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
14703
14676
  const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
14704
14677
  // Remove throttle if it exists
14705
- ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, authCodeRequest);
14678
+ ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
14706
14679
  if (serverParams.accountId) {
14707
14680
  this.logger.verbose("Account id found in hash, calling WAM for token");
14708
14681
  // end measurement for server call with native brokering enabled
@@ -14723,6 +14696,13 @@ class PopupClient extends StandardInteractionClient {
14723
14696
  prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
14724
14697
  });
14725
14698
  }
14699
+ const authCodeRequest = {
14700
+ ...validRequest,
14701
+ code: serverParams.code || "",
14702
+ codeVerifier: pkce.verifier,
14703
+ };
14704
+ // Create popup interaction handler.
14705
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14726
14706
  // Handle response from hash string.
14727
14707
  const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
14728
14708
  return result;
@@ -15098,7 +15078,7 @@ class RedirectHandler {
15098
15078
  }
15099
15079
  let authCodeResponse;
15100
15080
  try {
15101
- authCodeResponse = this.authModule.handleFragmentResponse(response, requestState);
15081
+ authCodeResponse = getAuthorizationCodePayload(response, requestState);
15102
15082
  }
15103
15083
  catch (e) {
15104
15084
  if (e instanceof ServerError &&
@@ -15182,6 +15162,8 @@ class RedirectClient extends StandardInteractionClient {
15182
15162
  */
15183
15163
  async acquireToken(request) {
15184
15164
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
15165
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15166
+ validRequest.codeChallenge = pkceCodes.challenge;
15185
15167
  this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
15186
15168
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
15187
15169
  const handleBackButton = (event) => {
@@ -15193,8 +15175,6 @@ class RedirectClient extends StandardInteractionClient {
15193
15175
  }
15194
15176
  };
15195
15177
  try {
15196
- // Create auth code request and generate PKCE params
15197
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
15198
15178
  // Initialize the client
15199
15179
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15200
15180
  serverTelemetryManager,
@@ -15203,13 +15183,18 @@ class RedirectClient extends StandardInteractionClient {
15203
15183
  requestExtraQueryParameters: validRequest.extraQueryParameters,
15204
15184
  account: validRequest.account,
15205
15185
  });
15186
+ const authCodeRequest = {
15187
+ ...validRequest,
15188
+ code: "",
15189
+ codeVerifier: pkceCodes.verifier,
15190
+ };
15206
15191
  // Create redirect interaction handler.
15207
15192
  const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15208
15193
  // Create acquire token url.
15209
- const navigateUrl = await authClient.getAuthCodeUrl({
15194
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
15210
15195
  ...validRequest,
15211
15196
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
15212
- });
15197
+ }, this.logger, this.performanceClient);
15213
15198
  const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
15214
15199
  this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
15215
15200
  // Clear temporary cache if the back button is clicked during the redirect flow.
@@ -15714,18 +15699,19 @@ class SilentIframeClient extends StandardInteractionClient {
15714
15699
  * @param navigateUrl
15715
15700
  * @param userRequestScopes
15716
15701
  */
15717
- async silentTokenHelper(authClient, silentRequest) {
15718
- const correlationId = silentRequest.correlationId;
15702
+ async silentTokenHelper(authClient, request) {
15703
+ const correlationId = request.correlationId;
15719
15704
  this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
15720
- // Create auth code request and generate PKCE params
15721
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, correlationId)(silentRequest);
15705
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15706
+ const silentRequest = {
15707
+ ...request,
15708
+ codeChallenge: pkceCodes.challenge,
15709
+ };
15722
15710
  // Create authorize request url
15723
- const navigateUrl = await invokeAsync(authClient.getAuthCodeUrl.bind(authClient), PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)({
15711
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
15724
15712
  ...silentRequest,
15725
15713
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
15726
- });
15727
- // Create silent handler
15728
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15714
+ }, this.logger, this.performanceClient);
15729
15715
  // Get the frame handle for the silent request
15730
15716
  const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
15731
15717
  const responseType = this.config.auth.OIDCOptions.serverResponseType;
@@ -15745,6 +15731,13 @@ class SilentIframeClient extends StandardInteractionClient {
15745
15731
  prompt: silentRequest.prompt || PromptValue.NONE,
15746
15732
  });
15747
15733
  }
15734
+ const authCodeRequest = {
15735
+ ...silentRequest,
15736
+ code: serverParams.code || "",
15737
+ codeVerifier: pkceCodes.verifier,
15738
+ };
15739
+ // Create silent handler
15740
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15748
15741
  // Handle response from hash string
15749
15742
  return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
15750
15743
  }
@@ -15939,11 +15932,10 @@ class TokenCache {
15939
15932
  const scopes = response.scope
15940
15933
  ? ScopeSet.fromString(response.scope)
15941
15934
  : new ScopeSet(request.scopes);
15942
- const expiresOn = options.expiresOn ||
15943
- response.expires_in + new Date().getTime() / 1000;
15935
+ const expiresOn = options.expiresOn || response.expires_in + nowSeconds();
15944
15936
  const extendedExpiresOn = options.extendedExpiresOn ||
15945
15937
  (response.ext_expires_in || response.expires_in) +
15946
- new Date().getTime() / 1000;
15938
+ nowSeconds();
15947
15939
  const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
15948
15940
  await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
15949
15941
  return accessTokenEntity;
@@ -15983,8 +15975,9 @@ class TokenCache {
15983
15975
  if (cacheRecord?.accessToken) {
15984
15976
  accessToken = cacheRecord.accessToken.secret;
15985
15977
  responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
15986
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
15987
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
15978
+ // Access token expiresOn stored in seconds, converting to Date for AuthenticationResult
15979
+ expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
15980
+ extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
15988
15981
  }
15989
15982
  const accountEntity = cacheRecord.account;
15990
15983
  return {
@@ -17231,60 +17224,63 @@ class StandardController {
17231
17224
  throw createBrowserAuthError(noAccountError);
17232
17225
  }
17233
17226
  atsMeasurement.add({ accountType: getAccountType(account) });
17234
- const thumbprint = {
17235
- clientId: this.config.auth.clientId,
17236
- authority: request.authority || Constants.EMPTY_STRING,
17237
- scopes: request.scopes,
17238
- homeAccountIdentifier: account.homeAccountId,
17239
- claims: request.claims,
17240
- authenticationScheme: request.authenticationScheme,
17241
- resourceRequestMethod: request.resourceRequestMethod,
17242
- resourceRequestUri: request.resourceRequestUri,
17243
- shrClaims: request.shrClaims,
17244
- sshKid: request.sshKid,
17245
- shrOptions: request.shrOptions,
17246
- };
17227
+ return this.acquireTokenSilentDeduped(request, account, correlationId)
17228
+ .then((result) => {
17229
+ atsMeasurement.end({
17230
+ success: true,
17231
+ fromCache: result.fromCache,
17232
+ isNativeBroker: result.fromNativeBroker,
17233
+ accessTokenSize: result.accessToken.length,
17234
+ idTokenSize: result.idToken.length,
17235
+ });
17236
+ return {
17237
+ ...result,
17238
+ state: request.state,
17239
+ correlationId: correlationId, // Ensures PWB scenarios can correctly match request to response
17240
+ };
17241
+ })
17242
+ .catch((error) => {
17243
+ if (error instanceof AuthError) {
17244
+ // Ensures PWB scenarios can correctly match request to response
17245
+ error.setCorrelationId(correlationId);
17246
+ }
17247
+ atsMeasurement.end({
17248
+ success: false,
17249
+ }, error);
17250
+ throw error;
17251
+ });
17252
+ }
17253
+ /**
17254
+ * Checks if identical request is already in flight and returns reference to the existing promise or fires off a new one if this is the first
17255
+ * @param request
17256
+ * @param account
17257
+ * @param correlationId
17258
+ * @returns
17259
+ */
17260
+ async acquireTokenSilentDeduped(request, account, correlationId) {
17261
+ const thumbprint = getRequestThumbprint(this.config.auth.clientId, {
17262
+ ...request,
17263
+ authority: request.authority || this.config.auth.authority,
17264
+ correlationId: correlationId,
17265
+ }, account.homeAccountId);
17247
17266
  const silentRequestKey = JSON.stringify(thumbprint);
17248
- const cachedResponse = this.activeSilentTokenRequests.get(silentRequestKey);
17249
- if (typeof cachedResponse === "undefined") {
17267
+ const inProgressRequest = this.activeSilentTokenRequests.get(silentRequestKey);
17268
+ if (typeof inProgressRequest === "undefined") {
17250
17269
  this.logger.verbose("acquireTokenSilent called for the first time, storing active request", correlationId);
17251
- const response = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
17270
+ this.performanceClient.addFields({ deduped: false }, correlationId);
17271
+ const activeRequest = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
17252
17272
  ...request,
17253
17273
  correlationId,
17254
- }, account)
17255
- .then((result) => {
17256
- this.activeSilentTokenRequests.delete(silentRequestKey);
17257
- atsMeasurement.end({
17258
- success: true,
17259
- fromCache: result.fromCache,
17260
- isNativeBroker: result.fromNativeBroker,
17261
- cacheLookupPolicy: request.cacheLookupPolicy,
17262
- accessTokenSize: result.accessToken.length,
17263
- idTokenSize: result.idToken.length,
17264
- });
17265
- return result;
17266
- })
17267
- .catch((error) => {
17274
+ }, account);
17275
+ this.activeSilentTokenRequests.set(silentRequestKey, activeRequest);
17276
+ return activeRequest.finally(() => {
17268
17277
  this.activeSilentTokenRequests.delete(silentRequestKey);
17269
- atsMeasurement.end({
17270
- success: false,
17271
- }, error);
17272
- throw error;
17273
17278
  });
17274
- this.activeSilentTokenRequests.set(silentRequestKey, response);
17275
- return {
17276
- ...(await response),
17277
- state: request.state,
17278
- };
17279
17279
  }
17280
17280
  else {
17281
17281
  this.logger.verbose("acquireTokenSilent has been called previously, returning the result from the first call", correlationId);
17282
- // Discard measurements for memoized calls, as they are usually only a couple of ms and will artificially deflate metrics
17283
- atsMeasurement.discard();
17284
- return {
17285
- ...(await cachedResponse),
17286
- state: request.state,
17287
- };
17282
+ this.performanceClient.addFields({ deduped: true }, correlationId);
17283
+ return inProgressRequest;
17288
17284
  }
17289
17285
  }
17290
17286
  /**
@@ -17495,8 +17491,7 @@ class NestedAppAuthAdapter {
17495
17491
  extraParams = new Map(Object.entries(request.extraQueryParameters));
17496
17492
  }
17497
17493
  const correlationId = request.correlationId || this.crypto.createNewGuid();
17498
- const requestBuilder = new RequestParameterBuilder(correlationId);
17499
- const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17494
+ const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17500
17495
  const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
17501
17496
  const tokenRequest = {
17502
17497
  platformBrokerId: request.account?.homeAccountId,
@@ -17515,7 +17510,8 @@ class NestedAppAuthAdapter {
17515
17510
  if (!response.token.id_token || !response.token.access_token) {
17516
17511
  throw createClientAuthError(nullOrEmptyToken);
17517
17512
  }
17518
- const expiresOn = new Date((reqTimestamp + (response.token.expires_in || 0)) * 1000);
17513
+ // Request timestamp and AuthResult expires_in are in seconds, converting to Date for AuthenticationResult
17514
+ const expiresOn = toDateFromSeconds(reqTimestamp + (response.token.expires_in || 0));
17519
17515
  const idTokenClaims = extractTokenClaims(response.token.id_token, this.crypto.base64Decode);
17520
17516
  const account = this.fromNaaAccountInfo(response.account, response.token.id_token, idTokenClaims);
17521
17517
  const scopes = response.token.scope || request.scope;
@@ -17644,10 +17640,10 @@ class NestedAppAuthAdapter {
17644
17640
  idTokenClaims: idTokenClaims || {},
17645
17641
  accessToken: accessToken.secret,
17646
17642
  fromCache: true,
17647
- expiresOn: new Date(Number(accessToken.expiresOn) * 1000),
17643
+ expiresOn: toDateFromSeconds(accessToken.expiresOn),
17644
+ extExpiresOn: toDateFromSeconds(accessToken.extendedExpiresOn),
17648
17645
  tokenType: request.authenticationScheme || AuthenticationScheme.BEARER,
17649
17646
  correlationId,
17650
- extExpiresOn: new Date(Number(accessToken.extendedExpiresOn) * 1000),
17651
17647
  state: request.state,
17652
17648
  };
17653
17649
  return authenticationResult;