@azure/msal-browser 4.5.1 → 4.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/IPublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientNext.mjs +1 -1
- package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
- package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/cache/AccountManager.mjs +1 -1
- package/dist/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
- package/dist/cache/BrowserCacheManager.mjs +9 -3
- package/dist/cache/BrowserCacheManager.mjs.map +1 -1
- package/dist/cache/CacheHelpers.mjs +1 -1
- package/dist/cache/CookieStorage.mjs +1 -1
- package/dist/cache/DatabaseStorage.mjs +1 -1
- package/dist/cache/LocalStorage.mjs +1 -1
- package/dist/cache/MemoryStorage.mjs +1 -1
- package/dist/cache/SessionStorage.mjs +1 -1
- package/dist/cache/TokenCache.d.ts.map +1 -1
- package/dist/cache/TokenCache.mjs +7 -7
- package/dist/cache/TokenCache.mjs.map +1 -1
- package/dist/config/Configuration.mjs +1 -1
- package/dist/controllers/ControllerFactory.mjs +1 -1
- package/dist/controllers/NestedAppAuthController.mjs +1 -1
- package/dist/controllers/StandardController.d.ts +8 -0
- package/dist/controllers/StandardController.d.ts.map +1 -1
- package/dist/controllers/StandardController.mjs +50 -47
- package/dist/controllers/StandardController.mjs.map +1 -1
- package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
- package/dist/crypto/BrowserCrypto.mjs +1 -1
- package/dist/crypto/CryptoOps.mjs +1 -1
- package/dist/crypto/PkceGenerator.mjs +1 -1
- package/dist/crypto/SignedHttpRequest.mjs +1 -1
- package/dist/encode/Base64Decode.mjs +1 -1
- package/dist/encode/Base64Encode.mjs +1 -1
- package/dist/error/BrowserAuthError.mjs +1 -1
- package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/error/NativeAuthError.mjs +1 -1
- package/dist/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/error/NestedAppAuthError.mjs +1 -1
- package/dist/event/EventHandler.d.ts +1 -1
- package/dist/event/EventHandler.d.ts.map +1 -1
- package/dist/event/EventHandler.mjs +7 -5
- package/dist/event/EventHandler.mjs.map +1 -1
- package/dist/event/EventMessage.mjs +1 -1
- package/dist/event/EventType.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
- package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/NativeInteractionClient.mjs +11 -3
- package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/PopupClient.d.ts.map +1 -1
- package/dist/interaction_client/PopupClient.mjs +16 -8
- package/dist/interaction_client/PopupClient.mjs.map +1 -1
- package/dist/interaction_client/RedirectClient.d.ts +3 -3
- package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
- package/dist/interaction_client/RedirectClient.mjs +12 -5
- package/dist/interaction_client/RedirectClient.mjs.map +1 -1
- package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
- package/dist/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/dist/interaction_client/SilentIframeClient.mjs +19 -9
- package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
- package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
- package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
- package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
- package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
- package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/dist/interaction_handler/InteractionHandler.mjs +3 -3
- package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
- package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
- package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/dist/interaction_handler/RedirectHandler.mjs +3 -3
- package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
- package/dist/interaction_handler/SilentHandler.mjs +1 -1
- package/dist/naa/BridgeError.mjs +1 -1
- package/dist/naa/BridgeProxy.mjs +1 -1
- package/dist/naa/BridgeStatusCode.mjs +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs +7 -7
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
- package/dist/navigation/NavigationClient.mjs +1 -1
- package/dist/network/FetchClient.mjs +1 -1
- package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
- package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +13 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +74 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/PopupRequest.d.ts +1 -2
- package/dist/request/PopupRequest.d.ts.map +1 -1
- package/dist/request/RedirectRequest.d.ts +1 -2
- package/dist/request/RedirectRequest.d.ts.map +1 -1
- package/dist/request/RequestHelpers.mjs +1 -1
- package/dist/request/SilentRequest.d.ts +0 -1
- package/dist/request/SilentRequest.d.ts.map +1 -1
- package/dist/request/SsoSilentRequest.d.ts +2 -4
- package/dist/request/SsoSilentRequest.d.ts.map +1 -1
- package/dist/response/ResponseHandler.d.ts +3 -3
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
- package/dist/utils/BrowserConstants.mjs +1 -1
- package/dist/utils/BrowserProtocolUtils.mjs +1 -1
- package/dist/utils/BrowserUtils.mjs +1 -1
- package/lib/msal-browser.cjs +1049 -1053
- package/lib/msal-browser.cjs.map +1 -1
- package/lib/msal-browser.js +1049 -1053
- package/lib/msal-browser.js.map +1 -1
- package/lib/msal-browser.min.js +67 -65
- package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
- package/lib/types/cache/TokenCache.d.ts.map +1 -1
- package/lib/types/controllers/StandardController.d.ts +8 -0
- package/lib/types/controllers/StandardController.d.ts.map +1 -1
- package/lib/types/event/EventHandler.d.ts +1 -1
- package/lib/types/event/EventHandler.d.ts.map +1 -1
- package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
- package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
- package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
- package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
- package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +13 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/PopupRequest.d.ts +1 -2
- package/lib/types/request/PopupRequest.d.ts.map +1 -1
- package/lib/types/request/RedirectRequest.d.ts +1 -2
- package/lib/types/request/RedirectRequest.d.ts.map +1 -1
- package/lib/types/request/SilentRequest.d.ts +0 -1
- package/lib/types/request/SilentRequest.d.ts.map +1 -1
- package/lib/types/request/SsoSilentRequest.d.ts +2 -4
- package/lib/types/request/SsoSilentRequest.d.ts.map +1 -1
- package/lib/types/response/ResponseHandler.d.ts +3 -3
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/package.json +2 -2
- package/src/cache/BrowserCacheManager.ts +8 -2
- package/src/cache/TokenCache.ts +8 -7
- package/src/controllers/StandardController.ts +66 -51
- package/src/event/EventHandler.ts +9 -5
- package/src/interaction_client/NativeInteractionClient.ts +14 -2
- package/src/interaction_client/PopupClient.ts +40 -21
- package/src/interaction_client/RedirectClient.ts +41 -22
- package/src/interaction_client/SilentIframeClient.ts +42 -29
- package/src/interaction_client/StandardInteractionClient.ts +0 -40
- package/src/interaction_handler/InteractionHandler.ts +4 -3
- package/src/interaction_handler/RedirectHandler.ts +4 -3
- package/src/naa/mapping/NestedAppAuthAdapter.ts +9 -8
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +136 -0
- package/src/request/PopupRequest.ts +1 -5
- package/src/request/RedirectRequest.ts +1 -5
- package/src/request/SilentRequest.ts +0 -1
- package/src/request/SsoSilentRequest.ts +2 -7
- package/src/response/ResponseHandler.ts +3 -3
package/lib/msal-browser.cjs
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
/*! @azure/msal-browser v4.
|
|
1
|
+
/*! @azure/msal-browser v4.8.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
5
|
-
/*! @azure/msal-common v15.
|
|
5
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6
6
|
/*
|
|
7
7
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8
8
|
* Licensed under the MIT License.
|
|
@@ -250,13 +250,6 @@ const Errors = {
|
|
|
250
250
|
INVALID_GRANT_ERROR: "invalid_grant",
|
|
251
251
|
CLIENT_MISMATCH_ERROR: "client_mismatch",
|
|
252
252
|
};
|
|
253
|
-
/**
|
|
254
|
-
* Password grant parameters
|
|
255
|
-
*/
|
|
256
|
-
const PasswordGrantConstants = {
|
|
257
|
-
username: "username",
|
|
258
|
-
password: "password",
|
|
259
|
-
};
|
|
260
253
|
/**
|
|
261
254
|
* Response codes
|
|
262
255
|
*/
|
|
@@ -306,7 +299,7 @@ const JsonWebTokenTypes = {
|
|
|
306
299
|
// Token renewal offset default in seconds
|
|
307
300
|
const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
|
|
308
301
|
|
|
309
|
-
/*! @azure/msal-common v15.
|
|
302
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
310
303
|
/*
|
|
311
304
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
312
305
|
* Licensed under the MIT License.
|
|
@@ -323,7 +316,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
323
316
|
unexpectedError: unexpectedError
|
|
324
317
|
});
|
|
325
318
|
|
|
326
|
-
/*! @azure/msal-common v15.
|
|
319
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
327
320
|
|
|
328
321
|
/*
|
|
329
322
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -372,7 +365,7 @@ function createAuthError(code, additionalMessage) {
|
|
|
372
365
|
: AuthErrorMessages[code]);
|
|
373
366
|
}
|
|
374
367
|
|
|
375
|
-
/*! @azure/msal-common v15.
|
|
368
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
376
369
|
/*
|
|
377
370
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
378
371
|
* Licensed under the MIT License.
|
|
@@ -470,7 +463,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
470
463
|
userTimeoutReached: userTimeoutReached
|
|
471
464
|
});
|
|
472
465
|
|
|
473
|
-
/*! @azure/msal-common v15.
|
|
466
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
474
467
|
|
|
475
468
|
/*
|
|
476
469
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -722,7 +715,7 @@ function createClientAuthError(errorCode, additionalMessage) {
|
|
|
722
715
|
return new ClientAuthError(errorCode, additionalMessage);
|
|
723
716
|
}
|
|
724
717
|
|
|
725
|
-
/*! @azure/msal-common v15.
|
|
718
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
726
719
|
|
|
727
720
|
/*
|
|
728
721
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -761,7 +754,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
|
|
|
761
754
|
},
|
|
762
755
|
};
|
|
763
756
|
|
|
764
|
-
/*! @azure/msal-common v15.
|
|
757
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
765
758
|
|
|
766
759
|
/*
|
|
767
760
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -952,12 +945,12 @@ class Logger {
|
|
|
952
945
|
}
|
|
953
946
|
}
|
|
954
947
|
|
|
955
|
-
/*! @azure/msal-common v15.
|
|
948
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
956
949
|
/* eslint-disable header/header */
|
|
957
950
|
const name$1 = "@azure/msal-common";
|
|
958
|
-
const version$1 = "15.
|
|
951
|
+
const version$1 = "15.3.0";
|
|
959
952
|
|
|
960
|
-
/*! @azure/msal-common v15.
|
|
953
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
961
954
|
/*
|
|
962
955
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
963
956
|
* Licensed under the MIT License.
|
|
@@ -977,7 +970,7 @@ const AzureCloudInstance = {
|
|
|
977
970
|
AzureUsGovernment: "https://login.microsoftonline.us",
|
|
978
971
|
};
|
|
979
972
|
|
|
980
|
-
/*! @azure/msal-common v15.
|
|
973
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
981
974
|
|
|
982
975
|
/*
|
|
983
976
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1038,7 +1031,7 @@ function checkMaxAge(authTime, maxAge) {
|
|
|
1038
1031
|
}
|
|
1039
1032
|
}
|
|
1040
1033
|
|
|
1041
|
-
/*! @azure/msal-common v15.
|
|
1034
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1042
1035
|
/*
|
|
1043
1036
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1044
1037
|
* Licensed under the MIT License.
|
|
@@ -1053,6 +1046,24 @@ function nowSeconds() {
|
|
|
1053
1046
|
// Date.getTime() returns in milliseconds.
|
|
1054
1047
|
return Math.round(new Date().getTime() / 1000.0);
|
|
1055
1048
|
}
|
|
1049
|
+
/**
|
|
1050
|
+
* Converts JS Date object to seconds
|
|
1051
|
+
* @param date Date
|
|
1052
|
+
*/
|
|
1053
|
+
function toSecondsFromDate(date) {
|
|
1054
|
+
// Convert date to seconds
|
|
1055
|
+
return date.getTime() / 1000;
|
|
1056
|
+
}
|
|
1057
|
+
/**
|
|
1058
|
+
* Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
|
|
1059
|
+
* @param seconds
|
|
1060
|
+
*/
|
|
1061
|
+
function toDateFromSeconds(seconds) {
|
|
1062
|
+
if (seconds) {
|
|
1063
|
+
return new Date(Number(seconds) * 1000);
|
|
1064
|
+
}
|
|
1065
|
+
return new Date();
|
|
1066
|
+
}
|
|
1056
1067
|
/**
|
|
1057
1068
|
* check if a token is expired based on given UTC time in seconds.
|
|
1058
1069
|
* @param expiresOn
|
|
@@ -1075,7 +1086,7 @@ function wasClockTurnedBack(cachedAt) {
|
|
|
1075
1086
|
return cachedAtSec > nowSeconds();
|
|
1076
1087
|
}
|
|
1077
1088
|
|
|
1078
|
-
/*! @azure/msal-common v15.
|
|
1089
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1079
1090
|
|
|
1080
1091
|
/*
|
|
1081
1092
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1402,7 +1413,7 @@ function isAuthorityMetadataExpired(metadata) {
|
|
|
1402
1413
|
return metadata.expiresAt <= nowSeconds();
|
|
1403
1414
|
}
|
|
1404
1415
|
|
|
1405
|
-
/*! @azure/msal-common v15.
|
|
1416
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1406
1417
|
/*
|
|
1407
1418
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1408
1419
|
* Licensed under the MIT License.
|
|
@@ -1456,7 +1467,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
1456
1467
|
urlParseError: urlParseError
|
|
1457
1468
|
});
|
|
1458
1469
|
|
|
1459
|
-
/*! @azure/msal-common v15.
|
|
1470
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1460
1471
|
|
|
1461
1472
|
/*
|
|
1462
1473
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1594,7 +1605,7 @@ function createClientConfigurationError(errorCode) {
|
|
|
1594
1605
|
return new ClientConfigurationError(errorCode);
|
|
1595
1606
|
}
|
|
1596
1607
|
|
|
1597
|
-
/*! @azure/msal-common v15.
|
|
1608
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1598
1609
|
/*
|
|
1599
1610
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1600
1611
|
* Licensed under the MIT License.
|
|
@@ -1691,7 +1702,7 @@ class StringUtils {
|
|
|
1691
1702
|
}
|
|
1692
1703
|
}
|
|
1693
1704
|
|
|
1694
|
-
/*! @azure/msal-common v15.
|
|
1705
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1695
1706
|
|
|
1696
1707
|
/*
|
|
1697
1708
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1882,7 +1893,7 @@ class ScopeSet {
|
|
|
1882
1893
|
}
|
|
1883
1894
|
}
|
|
1884
1895
|
|
|
1885
|
-
/*! @azure/msal-common v15.
|
|
1896
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1886
1897
|
|
|
1887
1898
|
/*
|
|
1888
1899
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1922,7 +1933,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
|
1922
1933
|
};
|
|
1923
1934
|
}
|
|
1924
1935
|
|
|
1925
|
-
/*! @azure/msal-common v15.
|
|
1936
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1926
1937
|
/*
|
|
1927
1938
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1928
1939
|
* Licensed under the MIT License.
|
|
@@ -2001,7 +2012,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
|
|
|
2001
2012
|
return updatedAccountInfo;
|
|
2002
2013
|
}
|
|
2003
2014
|
|
|
2004
|
-
/*! @azure/msal-common v15.
|
|
2015
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2005
2016
|
/*
|
|
2006
2017
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2007
2018
|
* Licensed under the MIT License.
|
|
@@ -2016,7 +2027,7 @@ const AuthorityType = {
|
|
|
2016
2027
|
Ciam: 3,
|
|
2017
2028
|
};
|
|
2018
2029
|
|
|
2019
|
-
/*! @azure/msal-common v15.
|
|
2030
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2020
2031
|
/*
|
|
2021
2032
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2022
2033
|
* Licensed under the MIT License.
|
|
@@ -2038,7 +2049,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
|
|
|
2038
2049
|
return null;
|
|
2039
2050
|
}
|
|
2040
2051
|
|
|
2041
|
-
/*! @azure/msal-common v15.
|
|
2052
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2042
2053
|
/*
|
|
2043
2054
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2044
2055
|
* Licensed under the MIT License.
|
|
@@ -2051,7 +2062,7 @@ const ProtocolMode = {
|
|
|
2051
2062
|
OIDC: "OIDC",
|
|
2052
2063
|
};
|
|
2053
2064
|
|
|
2054
|
-
/*! @azure/msal-common v15.
|
|
2065
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2055
2066
|
|
|
2056
2067
|
/*
|
|
2057
2068
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2294,7 +2305,7 @@ class AccountEntity {
|
|
|
2294
2305
|
}
|
|
2295
2306
|
}
|
|
2296
2307
|
|
|
2297
|
-
/*! @azure/msal-common v15.
|
|
2308
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2298
2309
|
|
|
2299
2310
|
/*
|
|
2300
2311
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2339,9 +2350,19 @@ function getDeserializedResponse(responseString) {
|
|
|
2339
2350
|
throw createClientAuthError(hashNotDeserialized);
|
|
2340
2351
|
}
|
|
2341
2352
|
return null;
|
|
2353
|
+
}
|
|
2354
|
+
/**
|
|
2355
|
+
* Utility to create a URL from the params map
|
|
2356
|
+
*/
|
|
2357
|
+
function mapToQueryString(parameters) {
|
|
2358
|
+
const queryParameterArray = new Array();
|
|
2359
|
+
parameters.forEach((value, key) => {
|
|
2360
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
2361
|
+
});
|
|
2362
|
+
return queryParameterArray.join("&");
|
|
2342
2363
|
}
|
|
2343
2364
|
|
|
2344
|
-
/*! @azure/msal-common v15.
|
|
2365
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2345
2366
|
|
|
2346
2367
|
/*
|
|
2347
2368
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2505,7 +2526,7 @@ class UrlString {
|
|
|
2505
2526
|
}
|
|
2506
2527
|
}
|
|
2507
2528
|
|
|
2508
|
-
/*! @azure/msal-common v15.
|
|
2529
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2509
2530
|
|
|
2510
2531
|
/*
|
|
2511
2532
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2645,7 +2666,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
|
|
|
2645
2666
|
return null;
|
|
2646
2667
|
}
|
|
2647
2668
|
|
|
2648
|
-
/*! @azure/msal-common v15.
|
|
2669
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2649
2670
|
/*
|
|
2650
2671
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2651
2672
|
* Licensed under the MIT License.
|
|
@@ -2653,7 +2674,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
|
|
|
2653
2674
|
const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
|
|
2654
2675
|
const cacheUnknownErrorCode = "cache_error_unknown";
|
|
2655
2676
|
|
|
2656
|
-
/*! @azure/msal-common v15.
|
|
2677
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2657
2678
|
|
|
2658
2679
|
/*
|
|
2659
2680
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2680,7 +2701,7 @@ class CacheError extends Error {
|
|
|
2680
2701
|
}
|
|
2681
2702
|
}
|
|
2682
2703
|
|
|
2683
|
-
/*! @azure/msal-common v15.
|
|
2704
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2684
2705
|
|
|
2685
2706
|
/*
|
|
2686
2707
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3865,7 +3886,7 @@ class DefaultStorageClass extends CacheManager {
|
|
|
3865
3886
|
}
|
|
3866
3887
|
}
|
|
3867
3888
|
|
|
3868
|
-
/*! @azure/msal-common v15.
|
|
3889
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3869
3890
|
|
|
3870
3891
|
/*
|
|
3871
3892
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3964,7 +3985,7 @@ function isOidcProtocolMode(config) {
|
|
|
3964
3985
|
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3965
3986
|
}
|
|
3966
3987
|
|
|
3967
|
-
/*! @azure/msal-common v15.
|
|
3988
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3968
3989
|
/*
|
|
3969
3990
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3970
3991
|
* Licensed under the MIT License.
|
|
@@ -3974,7 +3995,7 @@ const CcsCredentialType = {
|
|
|
3974
3995
|
UPN: "UPN",
|
|
3975
3996
|
};
|
|
3976
3997
|
|
|
3977
|
-
/*! @azure/msal-common v15.
|
|
3998
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3978
3999
|
/*
|
|
3979
4000
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3980
4001
|
* Licensed under the MIT License.
|
|
@@ -4006,14 +4027,11 @@ const X_APP_NAME = "x-app-name";
|
|
|
4006
4027
|
const X_APP_VER = "x-app-ver";
|
|
4007
4028
|
const POST_LOGOUT_URI = "post_logout_redirect_uri";
|
|
4008
4029
|
const ID_TOKEN_HINT = "id_token_hint";
|
|
4009
|
-
const DEVICE_CODE = "device_code";
|
|
4010
4030
|
const CLIENT_SECRET = "client_secret";
|
|
4011
4031
|
const CLIENT_ASSERTION = "client_assertion";
|
|
4012
4032
|
const CLIENT_ASSERTION_TYPE = "client_assertion_type";
|
|
4013
4033
|
const TOKEN_TYPE = "token_type";
|
|
4014
4034
|
const REQ_CNF = "req_cnf";
|
|
4015
|
-
const OBO_ASSERTION = "assertion";
|
|
4016
|
-
const REQUESTED_TOKEN_USE = "requested_token_use";
|
|
4017
4035
|
const RETURN_SPA_CODE = "return_spa_code";
|
|
4018
4036
|
const NATIVE_BROKER = "nativebroker";
|
|
4019
4037
|
const LOGOUT_HINT = "logout_hint";
|
|
@@ -4022,76 +4040,10 @@ const LOGIN_HINT = "login_hint";
|
|
|
4022
4040
|
const DOMAIN_HINT = "domain_hint";
|
|
4023
4041
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
4024
4042
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
4025
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4026
|
-
|
|
4027
|
-
/*! @azure/msal-common v15.2.0 2025-03-04 */
|
|
4028
|
-
|
|
4029
|
-
/*
|
|
4030
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4031
|
-
* Licensed under the MIT License.
|
|
4032
|
-
*/
|
|
4033
|
-
/**
|
|
4034
|
-
* Validates server consumable params from the "request" objects
|
|
4035
|
-
*/
|
|
4036
|
-
class RequestValidator {
|
|
4037
|
-
/**
|
|
4038
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
4039
|
-
* @param redirectUri
|
|
4040
|
-
*/
|
|
4041
|
-
static validateRedirectUri(redirectUri) {
|
|
4042
|
-
if (!redirectUri) {
|
|
4043
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
4044
|
-
}
|
|
4045
|
-
}
|
|
4046
|
-
/**
|
|
4047
|
-
* Utility to validate prompt sent by the user in the request
|
|
4048
|
-
* @param prompt
|
|
4049
|
-
*/
|
|
4050
|
-
static validatePrompt(prompt) {
|
|
4051
|
-
const promptValues = [];
|
|
4052
|
-
for (const value in PromptValue) {
|
|
4053
|
-
promptValues.push(PromptValue[value]);
|
|
4054
|
-
}
|
|
4055
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
4056
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
4057
|
-
}
|
|
4058
|
-
}
|
|
4059
|
-
static validateClaims(claims) {
|
|
4060
|
-
try {
|
|
4061
|
-
JSON.parse(claims);
|
|
4062
|
-
}
|
|
4063
|
-
catch (e) {
|
|
4064
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4065
|
-
}
|
|
4066
|
-
}
|
|
4067
|
-
/**
|
|
4068
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
4069
|
-
* @param codeChallenge
|
|
4070
|
-
* @param codeChallengeMethod
|
|
4071
|
-
*/
|
|
4072
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
4073
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
4074
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4075
|
-
}
|
|
4076
|
-
else {
|
|
4077
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
4078
|
-
}
|
|
4079
|
-
}
|
|
4080
|
-
/**
|
|
4081
|
-
* Utility to validate code_challenge_method
|
|
4082
|
-
* @param codeChallengeMethod
|
|
4083
|
-
*/
|
|
4084
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
4085
|
-
if ([
|
|
4086
|
-
CodeChallengeMethodValues.PLAIN,
|
|
4087
|
-
CodeChallengeMethodValues.S256,
|
|
4088
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
4089
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
4090
|
-
}
|
|
4091
|
-
}
|
|
4092
|
-
}
|
|
4043
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4044
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
4093
4045
|
|
|
4094
|
-
/*! @azure/msal-common v15.
|
|
4046
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4095
4047
|
|
|
4096
4048
|
/*
|
|
4097
4049
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4109,397 +4061,344 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
|
|
|
4109
4061
|
}, correlationId);
|
|
4110
4062
|
}
|
|
4111
4063
|
}
|
|
4112
|
-
/**
|
|
4113
|
-
|
|
4114
|
-
|
|
4115
|
-
|
|
4116
|
-
|
|
4117
|
-
|
|
4118
|
-
|
|
4119
|
-
|
|
4120
|
-
|
|
4121
|
-
|
|
4122
|
-
|
|
4123
|
-
|
|
4124
|
-
|
|
4125
|
-
|
|
4126
|
-
|
|
4127
|
-
|
|
4128
|
-
|
|
4129
|
-
|
|
4130
|
-
|
|
4131
|
-
|
|
4132
|
-
|
|
4133
|
-
|
|
4134
|
-
|
|
4135
|
-
|
|
4136
|
-
|
|
4137
|
-
|
|
4138
|
-
|
|
4139
|
-
|
|
4140
|
-
|
|
4141
|
-
|
|
4142
|
-
|
|
4143
|
-
|
|
4144
|
-
|
|
4145
|
-
|
|
4146
|
-
|
|
4147
|
-
|
|
4148
|
-
|
|
4149
|
-
|
|
4150
|
-
|
|
4151
|
-
|
|
4152
|
-
|
|
4153
|
-
|
|
4154
|
-
|
|
4155
|
-
|
|
4156
|
-
|
|
4157
|
-
|
|
4158
|
-
|
|
4159
|
-
|
|
4160
|
-
|
|
4064
|
+
/**
|
|
4065
|
+
* add response_type = code
|
|
4066
|
+
*/
|
|
4067
|
+
function addResponseTypeCode(parameters) {
|
|
4068
|
+
parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
|
|
4069
|
+
}
|
|
4070
|
+
/**
|
|
4071
|
+
* add response_mode. defaults to query.
|
|
4072
|
+
* @param responseMode
|
|
4073
|
+
*/
|
|
4074
|
+
function addResponseMode(parameters, responseMode) {
|
|
4075
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
4076
|
+
}
|
|
4077
|
+
/**
|
|
4078
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
4079
|
+
*/
|
|
4080
|
+
function addNativeBroker(parameters) {
|
|
4081
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
4082
|
+
}
|
|
4083
|
+
/**
|
|
4084
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
4085
|
+
* @param scopeSet
|
|
4086
|
+
* @param addOidcScopes
|
|
4087
|
+
*/
|
|
4088
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
4089
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
4090
|
+
if (addOidcScopes &&
|
|
4091
|
+
!defaultScopes.includes("openid") &&
|
|
4092
|
+
!scopes.includes("openid")) {
|
|
4093
|
+
defaultScopes.push("openid");
|
|
4094
|
+
}
|
|
4095
|
+
const requestScopes = addOidcScopes
|
|
4096
|
+
? [...(scopes || []), ...defaultScopes]
|
|
4097
|
+
: scopes || [];
|
|
4098
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
4099
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
4100
|
+
}
|
|
4101
|
+
/**
|
|
4102
|
+
* add clientId
|
|
4103
|
+
* @param clientId
|
|
4104
|
+
*/
|
|
4105
|
+
function addClientId(parameters, clientId) {
|
|
4106
|
+
parameters.set(CLIENT_ID, clientId);
|
|
4107
|
+
}
|
|
4108
|
+
/**
|
|
4109
|
+
* add redirect_uri
|
|
4110
|
+
* @param redirectUri
|
|
4111
|
+
*/
|
|
4112
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
4113
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
4114
|
+
}
|
|
4115
|
+
/**
|
|
4116
|
+
* add post logout redirectUri
|
|
4117
|
+
* @param redirectUri
|
|
4118
|
+
*/
|
|
4119
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
4120
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
4121
|
+
}
|
|
4122
|
+
/**
|
|
4123
|
+
* add id_token_hint to logout request
|
|
4124
|
+
* @param idTokenHint
|
|
4125
|
+
*/
|
|
4126
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
4127
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
4128
|
+
}
|
|
4129
|
+
/**
|
|
4130
|
+
* add domain_hint
|
|
4131
|
+
* @param domainHint
|
|
4132
|
+
*/
|
|
4133
|
+
function addDomainHint(parameters, domainHint) {
|
|
4134
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
4135
|
+
}
|
|
4136
|
+
/**
|
|
4137
|
+
* add login_hint
|
|
4138
|
+
* @param loginHint
|
|
4139
|
+
*/
|
|
4140
|
+
function addLoginHint(parameters, loginHint) {
|
|
4141
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
4142
|
+
}
|
|
4143
|
+
/**
|
|
4144
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
4145
|
+
* @param loginHint
|
|
4146
|
+
*/
|
|
4147
|
+
function addCcsUpn(parameters, loginHint) {
|
|
4148
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
4149
|
+
}
|
|
4150
|
+
/**
|
|
4151
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
4152
|
+
* @param loginHint
|
|
4153
|
+
*/
|
|
4154
|
+
function addCcsOid(parameters, clientInfo) {
|
|
4155
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
4156
|
+
}
|
|
4157
|
+
/**
|
|
4158
|
+
* add sid
|
|
4159
|
+
* @param sid
|
|
4160
|
+
*/
|
|
4161
|
+
function addSid(parameters, sid) {
|
|
4162
|
+
parameters.set(SID, sid);
|
|
4163
|
+
}
|
|
4164
|
+
/**
|
|
4165
|
+
* add claims
|
|
4166
|
+
* @param claims
|
|
4167
|
+
*/
|
|
4168
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
4169
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
4170
|
+
try {
|
|
4171
|
+
JSON.parse(mergedClaims);
|
|
4161
4172
|
}
|
|
4162
|
-
|
|
4163
|
-
|
|
4164
|
-
* @param clientId
|
|
4165
|
-
*/
|
|
4166
|
-
addClientId(clientId) {
|
|
4167
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
4173
|
+
catch (e) {
|
|
4174
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4168
4175
|
}
|
|
4169
|
-
|
|
4170
|
-
|
|
4171
|
-
|
|
4172
|
-
|
|
4173
|
-
|
|
4174
|
-
|
|
4175
|
-
|
|
4176
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
4177
|
+
}
|
|
4178
|
+
/**
|
|
4179
|
+
* add correlationId
|
|
4180
|
+
* @param correlationId
|
|
4181
|
+
*/
|
|
4182
|
+
function addCorrelationId(parameters, correlationId) {
|
|
4183
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
4184
|
+
}
|
|
4185
|
+
/**
|
|
4186
|
+
* add library info query params
|
|
4187
|
+
* @param libraryInfo
|
|
4188
|
+
*/
|
|
4189
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
4190
|
+
// Telemetry Info
|
|
4191
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
4192
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
4193
|
+
if (libraryInfo.os) {
|
|
4194
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4176
4195
|
}
|
|
4177
|
-
|
|
4178
|
-
|
|
4179
|
-
* @param redirectUri
|
|
4180
|
-
*/
|
|
4181
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
4182
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
4183
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
4196
|
+
if (libraryInfo.cpu) {
|
|
4197
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4184
4198
|
}
|
|
4185
|
-
|
|
4186
|
-
|
|
4187
|
-
|
|
4188
|
-
|
|
4189
|
-
|
|
4190
|
-
|
|
4199
|
+
}
|
|
4200
|
+
/**
|
|
4201
|
+
* Add client telemetry parameters
|
|
4202
|
+
* @param appTelemetry
|
|
4203
|
+
*/
|
|
4204
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
4205
|
+
if (appTelemetry?.appName) {
|
|
4206
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4191
4207
|
}
|
|
4192
|
-
|
|
4193
|
-
|
|
4194
|
-
* @param domainHint
|
|
4195
|
-
*/
|
|
4196
|
-
addDomainHint(domainHint) {
|
|
4197
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
4208
|
+
if (appTelemetry?.appVersion) {
|
|
4209
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
4198
4210
|
}
|
|
4199
|
-
|
|
4200
|
-
|
|
4201
|
-
|
|
4202
|
-
|
|
4203
|
-
|
|
4204
|
-
|
|
4211
|
+
}
|
|
4212
|
+
/**
|
|
4213
|
+
* add prompt
|
|
4214
|
+
* @param prompt
|
|
4215
|
+
*/
|
|
4216
|
+
function addPrompt(parameters, prompt) {
|
|
4217
|
+
parameters.set(PROMPT, prompt);
|
|
4218
|
+
}
|
|
4219
|
+
/**
|
|
4220
|
+
* add state
|
|
4221
|
+
* @param state
|
|
4222
|
+
*/
|
|
4223
|
+
function addState(parameters, state) {
|
|
4224
|
+
if (state) {
|
|
4225
|
+
parameters.set(STATE, state);
|
|
4205
4226
|
}
|
|
4206
|
-
|
|
4207
|
-
|
|
4208
|
-
|
|
4209
|
-
|
|
4210
|
-
|
|
4211
|
-
|
|
4227
|
+
}
|
|
4228
|
+
/**
|
|
4229
|
+
* add nonce
|
|
4230
|
+
* @param nonce
|
|
4231
|
+
*/
|
|
4232
|
+
function addNonce(parameters, nonce) {
|
|
4233
|
+
parameters.set(NONCE, nonce);
|
|
4234
|
+
}
|
|
4235
|
+
/**
|
|
4236
|
+
* add code_challenge and code_challenge_method
|
|
4237
|
+
* - throw if either of them are not passed
|
|
4238
|
+
* @param codeChallenge
|
|
4239
|
+
* @param codeChallengeMethod
|
|
4240
|
+
*/
|
|
4241
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
4242
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
4243
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
4244
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
4212
4245
|
}
|
|
4213
|
-
|
|
4214
|
-
|
|
4215
|
-
* @param loginHint
|
|
4216
|
-
*/
|
|
4217
|
-
addCcsOid(clientInfo) {
|
|
4218
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
4246
|
+
else {
|
|
4247
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
4219
4248
|
}
|
|
4220
|
-
|
|
4221
|
-
|
|
4222
|
-
|
|
4223
|
-
|
|
4224
|
-
|
|
4225
|
-
|
|
4249
|
+
}
|
|
4250
|
+
/**
|
|
4251
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
4252
|
+
* @param code
|
|
4253
|
+
*/
|
|
4254
|
+
function addAuthorizationCode(parameters, code) {
|
|
4255
|
+
parameters.set(CODE, code);
|
|
4256
|
+
}
|
|
4257
|
+
/**
|
|
4258
|
+
* add the `refreshToken` passed by the user
|
|
4259
|
+
* @param refreshToken
|
|
4260
|
+
*/
|
|
4261
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
4262
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
4263
|
+
}
|
|
4264
|
+
/**
|
|
4265
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
4266
|
+
* @param codeVerifier
|
|
4267
|
+
*/
|
|
4268
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
4269
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
4270
|
+
}
|
|
4271
|
+
/**
|
|
4272
|
+
* add client_secret
|
|
4273
|
+
* @param clientSecret
|
|
4274
|
+
*/
|
|
4275
|
+
function addClientSecret(parameters, clientSecret) {
|
|
4276
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
4277
|
+
}
|
|
4278
|
+
/**
|
|
4279
|
+
* add clientAssertion for confidential client flows
|
|
4280
|
+
* @param clientAssertion
|
|
4281
|
+
*/
|
|
4282
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
4283
|
+
if (clientAssertion) {
|
|
4284
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
4226
4285
|
}
|
|
4227
|
-
|
|
4228
|
-
|
|
4229
|
-
|
|
4230
|
-
|
|
4231
|
-
|
|
4232
|
-
|
|
4233
|
-
|
|
4234
|
-
|
|
4286
|
+
}
|
|
4287
|
+
/**
|
|
4288
|
+
* add clientAssertionType for confidential client flows
|
|
4289
|
+
* @param clientAssertionType
|
|
4290
|
+
*/
|
|
4291
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
4292
|
+
if (clientAssertionType) {
|
|
4293
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
4235
4294
|
}
|
|
4236
|
-
|
|
4237
|
-
|
|
4238
|
-
|
|
4239
|
-
|
|
4240
|
-
|
|
4241
|
-
|
|
4295
|
+
}
|
|
4296
|
+
/**
|
|
4297
|
+
* add grant type
|
|
4298
|
+
* @param grantType
|
|
4299
|
+
*/
|
|
4300
|
+
function addGrantType(parameters, grantType) {
|
|
4301
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
4302
|
+
}
|
|
4303
|
+
/**
|
|
4304
|
+
* add client info
|
|
4305
|
+
*
|
|
4306
|
+
*/
|
|
4307
|
+
function addClientInfo(parameters) {
|
|
4308
|
+
parameters.set(CLIENT_INFO, "1");
|
|
4309
|
+
}
|
|
4310
|
+
function addInstanceAware(parameters) {
|
|
4311
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
4312
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
4242
4313
|
}
|
|
4243
|
-
|
|
4244
|
-
|
|
4245
|
-
|
|
4246
|
-
|
|
4247
|
-
|
|
4248
|
-
|
|
4249
|
-
|
|
4250
|
-
|
|
4251
|
-
|
|
4252
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4253
|
-
}
|
|
4254
|
-
if (libraryInfo.cpu) {
|
|
4255
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4314
|
+
}
|
|
4315
|
+
/**
|
|
4316
|
+
* add extraQueryParams
|
|
4317
|
+
* @param eQParams
|
|
4318
|
+
*/
|
|
4319
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
4320
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4321
|
+
if (!parameters.has(key) && value) {
|
|
4322
|
+
parameters.set(key, value);
|
|
4256
4323
|
}
|
|
4324
|
+
});
|
|
4325
|
+
}
|
|
4326
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4327
|
+
let mergedClaims;
|
|
4328
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
4329
|
+
if (!claims) {
|
|
4330
|
+
mergedClaims = {};
|
|
4257
4331
|
}
|
|
4258
|
-
|
|
4259
|
-
|
|
4260
|
-
|
|
4261
|
-
*/
|
|
4262
|
-
addApplicationTelemetry(appTelemetry) {
|
|
4263
|
-
if (appTelemetry?.appName) {
|
|
4264
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4332
|
+
else {
|
|
4333
|
+
try {
|
|
4334
|
+
mergedClaims = JSON.parse(claims);
|
|
4265
4335
|
}
|
|
4266
|
-
|
|
4267
|
-
|
|
4336
|
+
catch (e) {
|
|
4337
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4268
4338
|
}
|
|
4269
4339
|
}
|
|
4270
|
-
|
|
4271
|
-
|
|
4272
|
-
|
|
4273
|
-
|
|
4274
|
-
addPrompt(prompt) {
|
|
4275
|
-
RequestValidator.validatePrompt(prompt);
|
|
4276
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
4277
|
-
}
|
|
4278
|
-
/**
|
|
4279
|
-
* add state
|
|
4280
|
-
* @param state
|
|
4281
|
-
*/
|
|
4282
|
-
addState(state) {
|
|
4283
|
-
if (state) {
|
|
4284
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
4340
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4341
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4342
|
+
// Add access_token key to claims object
|
|
4343
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4285
4344
|
}
|
|
4345
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4346
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
4347
|
+
{
|
|
4348
|
+
values: clientCapabilities,
|
|
4349
|
+
};
|
|
4286
4350
|
}
|
|
4287
|
-
|
|
4288
|
-
|
|
4289
|
-
|
|
4290
|
-
|
|
4291
|
-
|
|
4292
|
-
|
|
4351
|
+
return JSON.stringify(mergedClaims);
|
|
4352
|
+
}
|
|
4353
|
+
/**
|
|
4354
|
+
* add pop_jwk to query params
|
|
4355
|
+
* @param cnfString
|
|
4356
|
+
*/
|
|
4357
|
+
function addPopToken(parameters, cnfString) {
|
|
4358
|
+
if (cnfString) {
|
|
4359
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4360
|
+
parameters.set(REQ_CNF, cnfString);
|
|
4293
4361
|
}
|
|
4294
|
-
|
|
4295
|
-
|
|
4296
|
-
|
|
4297
|
-
|
|
4298
|
-
|
|
4299
|
-
|
|
4300
|
-
|
|
4301
|
-
|
|
4302
|
-
if (codeChallenge && codeChallengeMethod) {
|
|
4303
|
-
this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
|
|
4304
|
-
this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
|
|
4305
|
-
}
|
|
4306
|
-
else {
|
|
4307
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4308
|
-
}
|
|
4309
|
-
}
|
|
4310
|
-
/**
|
|
4311
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4312
|
-
* @param code
|
|
4313
|
-
*/
|
|
4314
|
-
addAuthorizationCode(code) {
|
|
4315
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
4316
|
-
}
|
|
4317
|
-
/**
|
|
4318
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4319
|
-
* @param code
|
|
4320
|
-
*/
|
|
4321
|
-
addDeviceCode(code) {
|
|
4322
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
4323
|
-
}
|
|
4324
|
-
/**
|
|
4325
|
-
* add the `refreshToken` passed by the user
|
|
4326
|
-
* @param refreshToken
|
|
4327
|
-
*/
|
|
4328
|
-
addRefreshToken(refreshToken) {
|
|
4329
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
4330
|
-
}
|
|
4331
|
-
/**
|
|
4332
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
4333
|
-
* @param codeVerifier
|
|
4334
|
-
*/
|
|
4335
|
-
addCodeVerifier(codeVerifier) {
|
|
4336
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
4337
|
-
}
|
|
4338
|
-
/**
|
|
4339
|
-
* add client_secret
|
|
4340
|
-
* @param clientSecret
|
|
4341
|
-
*/
|
|
4342
|
-
addClientSecret(clientSecret) {
|
|
4343
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
4344
|
-
}
|
|
4345
|
-
/**
|
|
4346
|
-
* add clientAssertion for confidential client flows
|
|
4347
|
-
* @param clientAssertion
|
|
4348
|
-
*/
|
|
4349
|
-
addClientAssertion(clientAssertion) {
|
|
4350
|
-
if (clientAssertion) {
|
|
4351
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
4352
|
-
}
|
|
4353
|
-
}
|
|
4354
|
-
/**
|
|
4355
|
-
* add clientAssertionType for confidential client flows
|
|
4356
|
-
* @param clientAssertionType
|
|
4357
|
-
*/
|
|
4358
|
-
addClientAssertionType(clientAssertionType) {
|
|
4359
|
-
if (clientAssertionType) {
|
|
4360
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
4361
|
-
}
|
|
4362
|
-
}
|
|
4363
|
-
/**
|
|
4364
|
-
* add OBO assertion for confidential client flows
|
|
4365
|
-
* @param clientAssertion
|
|
4366
|
-
*/
|
|
4367
|
-
addOboAssertion(oboAssertion) {
|
|
4368
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
4369
|
-
}
|
|
4370
|
-
/**
|
|
4371
|
-
* add grant type
|
|
4372
|
-
* @param grantType
|
|
4373
|
-
*/
|
|
4374
|
-
addRequestTokenUse(tokenUse) {
|
|
4375
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
4376
|
-
}
|
|
4377
|
-
/**
|
|
4378
|
-
* add grant type
|
|
4379
|
-
* @param grantType
|
|
4380
|
-
*/
|
|
4381
|
-
addGrantType(grantType) {
|
|
4382
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
4383
|
-
}
|
|
4384
|
-
/**
|
|
4385
|
-
* add client info
|
|
4386
|
-
*
|
|
4387
|
-
*/
|
|
4388
|
-
addClientInfo() {
|
|
4389
|
-
this.parameters.set(CLIENT_INFO, "1");
|
|
4390
|
-
}
|
|
4391
|
-
/**
|
|
4392
|
-
* add extraQueryParams
|
|
4393
|
-
* @param eQParams
|
|
4394
|
-
*/
|
|
4395
|
-
addExtraQueryParameters(eQParams) {
|
|
4396
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4397
|
-
if (!this.parameters.has(key) && value) {
|
|
4398
|
-
this.parameters.set(key, value);
|
|
4399
|
-
}
|
|
4400
|
-
});
|
|
4401
|
-
}
|
|
4402
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4403
|
-
let mergedClaims;
|
|
4404
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
4405
|
-
if (!claims) {
|
|
4406
|
-
mergedClaims = {};
|
|
4407
|
-
}
|
|
4408
|
-
else {
|
|
4409
|
-
try {
|
|
4410
|
-
mergedClaims = JSON.parse(claims);
|
|
4411
|
-
}
|
|
4412
|
-
catch (e) {
|
|
4413
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4414
|
-
}
|
|
4415
|
-
}
|
|
4416
|
-
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4417
|
-
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4418
|
-
// Add access_token key to claims object
|
|
4419
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4420
|
-
}
|
|
4421
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4422
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
4423
|
-
values: clientCapabilities,
|
|
4424
|
-
};
|
|
4425
|
-
}
|
|
4426
|
-
return JSON.stringify(mergedClaims);
|
|
4427
|
-
}
|
|
4428
|
-
/**
|
|
4429
|
-
* adds `username` for Password Grant flow
|
|
4430
|
-
* @param username
|
|
4431
|
-
*/
|
|
4432
|
-
addUsername(username) {
|
|
4433
|
-
this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
|
|
4434
|
-
}
|
|
4435
|
-
/**
|
|
4436
|
-
* adds `password` for Password Grant flow
|
|
4437
|
-
* @param password
|
|
4438
|
-
*/
|
|
4439
|
-
addPassword(password) {
|
|
4440
|
-
this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
|
|
4441
|
-
}
|
|
4442
|
-
/**
|
|
4443
|
-
* add pop_jwk to query params
|
|
4444
|
-
* @param cnfString
|
|
4445
|
-
*/
|
|
4446
|
-
addPopToken(cnfString) {
|
|
4447
|
-
if (cnfString) {
|
|
4448
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4449
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
|
|
4450
|
-
}
|
|
4451
|
-
}
|
|
4452
|
-
/**
|
|
4453
|
-
* add SSH JWK and key ID to query params
|
|
4454
|
-
*/
|
|
4455
|
-
addSshJwk(sshJwkString) {
|
|
4456
|
-
if (sshJwkString) {
|
|
4457
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4458
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
4459
|
-
}
|
|
4460
|
-
}
|
|
4461
|
-
/**
|
|
4462
|
-
* add server telemetry fields
|
|
4463
|
-
* @param serverTelemetryManager
|
|
4464
|
-
*/
|
|
4465
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
4466
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4467
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4468
|
-
}
|
|
4469
|
-
/**
|
|
4470
|
-
* Adds parameter that indicates to the server that throttling is supported
|
|
4471
|
-
*/
|
|
4472
|
-
addThrottling() {
|
|
4473
|
-
this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4474
|
-
}
|
|
4475
|
-
/**
|
|
4476
|
-
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4477
|
-
*/
|
|
4478
|
-
addLogoutHint(logoutHint) {
|
|
4479
|
-
this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
|
|
4362
|
+
}
|
|
4363
|
+
/**
|
|
4364
|
+
* add SSH JWK and key ID to query params
|
|
4365
|
+
*/
|
|
4366
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
4367
|
+
if (sshJwkString) {
|
|
4368
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4369
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
4480
4370
|
}
|
|
4481
|
-
|
|
4482
|
-
|
|
4483
|
-
|
|
4484
|
-
|
|
4485
|
-
|
|
4486
|
-
|
|
4487
|
-
|
|
4371
|
+
}
|
|
4372
|
+
/**
|
|
4373
|
+
* add server telemetry fields
|
|
4374
|
+
* @param serverTelemetryManager
|
|
4375
|
+
*/
|
|
4376
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
4377
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4378
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4379
|
+
}
|
|
4380
|
+
/**
|
|
4381
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
4382
|
+
*/
|
|
4383
|
+
function addThrottling(parameters) {
|
|
4384
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4385
|
+
}
|
|
4386
|
+
/**
|
|
4387
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4388
|
+
*/
|
|
4389
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
4390
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
4391
|
+
}
|
|
4392
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
4393
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
4394
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
4488
4395
|
}
|
|
4489
|
-
|
|
4490
|
-
|
|
4491
|
-
*/
|
|
4492
|
-
createQueryString() {
|
|
4493
|
-
const queryParameterArray = new Array();
|
|
4494
|
-
this.parameters.forEach((value, key) => {
|
|
4495
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
4496
|
-
});
|
|
4497
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
4498
|
-
return queryParameterArray.join("&");
|
|
4396
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
4397
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
4499
4398
|
}
|
|
4500
4399
|
}
|
|
4501
4400
|
|
|
4502
|
-
/*! @azure/msal-common v15.
|
|
4401
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4503
4402
|
/*
|
|
4504
4403
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4505
4404
|
* Licensed under the MIT License.
|
|
@@ -4511,7 +4410,7 @@ function isOpenIdConfigResponse(response) {
|
|
|
4511
4410
|
response.hasOwnProperty("jwks_uri"));
|
|
4512
4411
|
}
|
|
4513
4412
|
|
|
4514
|
-
/*! @azure/msal-common v15.
|
|
4413
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4515
4414
|
/*
|
|
4516
4415
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4517
4416
|
* Licensed under the MIT License.
|
|
@@ -4521,7 +4420,7 @@ function isCloudInstanceDiscoveryResponse(response) {
|
|
|
4521
4420
|
response.hasOwnProperty("metadata"));
|
|
4522
4421
|
}
|
|
4523
4422
|
|
|
4524
|
-
/*! @azure/msal-common v15.
|
|
4423
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4525
4424
|
/*
|
|
4526
4425
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4527
4426
|
* Licensed under the MIT License.
|
|
@@ -4531,7 +4430,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
|
|
|
4531
4430
|
response.hasOwnProperty("error_description"));
|
|
4532
4431
|
}
|
|
4533
4432
|
|
|
4534
|
-
/*! @azure/msal-common v15.
|
|
4433
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4535
4434
|
/*
|
|
4536
4435
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4537
4436
|
* Licensed under the MIT License.
|
|
@@ -4707,11 +4606,11 @@ const PerformanceEvents = {
|
|
|
4707
4606
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
4708
4607
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
4709
4608
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
4710
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
4711
4609
|
/**
|
|
4712
4610
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
4713
4611
|
*/
|
|
4714
4612
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
4613
|
+
GetStandardParams: "getStandardParams",
|
|
4715
4614
|
/**
|
|
4716
4615
|
* Functions from InteractionHandler (msal-browser)
|
|
4717
4616
|
*/
|
|
@@ -4724,7 +4623,6 @@ const PerformanceEvents = {
|
|
|
4724
4623
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
4725
4624
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
4726
4625
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
4727
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
4728
4626
|
/**
|
|
4729
4627
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
4730
4628
|
*/
|
|
@@ -4895,10 +4793,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
4895
4793
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
4896
4794
|
"StdIntClientInitAuthReq",
|
|
4897
4795
|
],
|
|
4898
|
-
[
|
|
4899
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
4900
|
-
"StdIntClientInitAuthCodeReq",
|
|
4901
|
-
],
|
|
4902
4796
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
4903
4797
|
[
|
|
4904
4798
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
@@ -4912,10 +4806,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
4912
4806
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
4913
4807
|
"AuthClientCreateTReqBody",
|
|
4914
4808
|
],
|
|
4915
|
-
[
|
|
4916
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
4917
|
-
"AuthClientCreateQueryStr",
|
|
4918
|
-
],
|
|
4919
4809
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
4920
4810
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
4921
4811
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -5040,7 +4930,7 @@ const IntFields = new Set([
|
|
|
5040
4930
|
"encryptedCacheExpiredCount",
|
|
5041
4931
|
]);
|
|
5042
4932
|
|
|
5043
|
-
/*! @azure/msal-common v15.
|
|
4933
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5044
4934
|
/*
|
|
5045
4935
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5046
4936
|
* Licensed under the MIT License.
|
|
@@ -5136,7 +5026,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
|
|
|
5136
5026
|
};
|
|
5137
5027
|
};
|
|
5138
5028
|
|
|
5139
|
-
/*! @azure/msal-common v15.
|
|
5029
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5140
5030
|
|
|
5141
5031
|
/*
|
|
5142
5032
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5245,7 +5135,7 @@ RegionDiscovery.IMDS_OPTIONS = {
|
|
|
5245
5135
|
},
|
|
5246
5136
|
};
|
|
5247
5137
|
|
|
5248
|
-
/*! @azure/msal-common v15.
|
|
5138
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5249
5139
|
|
|
5250
5140
|
/*
|
|
5251
5141
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6084,7 +5974,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
6084
5974
|
};
|
|
6085
5975
|
}
|
|
6086
5976
|
|
|
6087
|
-
/*! @azure/msal-common v15.
|
|
5977
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6088
5978
|
|
|
6089
5979
|
/*
|
|
6090
5980
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6115,7 +6005,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
|
|
|
6115
6005
|
}
|
|
6116
6006
|
}
|
|
6117
6007
|
|
|
6118
|
-
/*! @azure/msal-common v15.
|
|
6008
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6119
6009
|
|
|
6120
6010
|
/*
|
|
6121
6011
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6134,7 +6024,28 @@ class ServerError extends AuthError {
|
|
|
6134
6024
|
}
|
|
6135
6025
|
}
|
|
6136
6026
|
|
|
6137
|
-
/*! @azure/msal-common v15.
|
|
6027
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6028
|
+
/*
|
|
6029
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6030
|
+
* Licensed under the MIT License.
|
|
6031
|
+
*/
|
|
6032
|
+
function getRequestThumbprint(clientId, request, homeAccountId) {
|
|
6033
|
+
return {
|
|
6034
|
+
clientId: clientId,
|
|
6035
|
+
authority: request.authority,
|
|
6036
|
+
scopes: request.scopes,
|
|
6037
|
+
homeAccountIdentifier: homeAccountId,
|
|
6038
|
+
claims: request.claims,
|
|
6039
|
+
authenticationScheme: request.authenticationScheme,
|
|
6040
|
+
resourceRequestMethod: request.resourceRequestMethod,
|
|
6041
|
+
resourceRequestUri: request.resourceRequestUri,
|
|
6042
|
+
shrClaims: request.shrClaims,
|
|
6043
|
+
sshKid: request.sshKid,
|
|
6044
|
+
embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
|
|
6045
|
+
};
|
|
6046
|
+
}
|
|
6047
|
+
|
|
6048
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6138
6049
|
|
|
6139
6050
|
/*
|
|
6140
6051
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6215,24 +6126,13 @@ class ThrottlingUtils {
|
|
|
6215
6126
|
ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
|
|
6216
6127
|
}
|
|
6217
6128
|
static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
|
|
6218
|
-
const thumbprint =
|
|
6219
|
-
clientId: clientId,
|
|
6220
|
-
authority: request.authority,
|
|
6221
|
-
scopes: request.scopes,
|
|
6222
|
-
homeAccountIdentifier: homeAccountIdentifier,
|
|
6223
|
-
claims: request.claims,
|
|
6224
|
-
authenticationScheme: request.authenticationScheme,
|
|
6225
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
6226
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
6227
|
-
shrClaims: request.shrClaims,
|
|
6228
|
-
sshKid: request.sshKid,
|
|
6229
|
-
};
|
|
6129
|
+
const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
|
|
6230
6130
|
const key = this.generateThrottlingStorageKey(thumbprint);
|
|
6231
6131
|
cacheManager.removeItem(key);
|
|
6232
6132
|
}
|
|
6233
6133
|
}
|
|
6234
6134
|
|
|
6235
|
-
/*! @azure/msal-common v15.
|
|
6135
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6236
6136
|
|
|
6237
6137
|
/*
|
|
6238
6138
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6262,7 +6162,7 @@ function createNetworkError(error, httpStatus, responseHeaders) {
|
|
|
6262
6162
|
return new NetworkError(error, httpStatus, responseHeaders);
|
|
6263
6163
|
}
|
|
6264
6164
|
|
|
6265
|
-
/*! @azure/msal-common v15.
|
|
6165
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6266
6166
|
|
|
6267
6167
|
/*
|
|
6268
6168
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6397,22 +6297,20 @@ class BaseClient {
|
|
|
6397
6297
|
* @param request
|
|
6398
6298
|
*/
|
|
6399
6299
|
createTokenQueryParameters(request) {
|
|
6400
|
-
const
|
|
6300
|
+
const parameters = new Map();
|
|
6401
6301
|
if (request.embeddedClientId) {
|
|
6402
|
-
|
|
6403
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6404
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6405
|
-
});
|
|
6302
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6406
6303
|
}
|
|
6407
6304
|
if (request.tokenQueryParameters) {
|
|
6408
|
-
|
|
6305
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6409
6306
|
}
|
|
6410
|
-
|
|
6411
|
-
|
|
6307
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6308
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6309
|
+
return mapToQueryString(parameters);
|
|
6412
6310
|
}
|
|
6413
6311
|
}
|
|
6414
6312
|
|
|
6415
|
-
/*! @azure/msal-common v15.
|
|
6313
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6416
6314
|
/*
|
|
6417
6315
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6418
6316
|
* Licensed under the MIT License.
|
|
@@ -6438,7 +6336,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
6438
6336
|
refreshTokenExpired: refreshTokenExpired
|
|
6439
6337
|
});
|
|
6440
6338
|
|
|
6441
|
-
/*! @azure/msal-common v15.
|
|
6339
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6442
6340
|
|
|
6443
6341
|
/*
|
|
6444
6342
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6526,7 +6424,7 @@ function createInteractionRequiredAuthError(errorCode) {
|
|
|
6526
6424
|
return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
|
|
6527
6425
|
}
|
|
6528
6426
|
|
|
6529
|
-
/*! @azure/msal-common v15.
|
|
6427
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6530
6428
|
|
|
6531
6429
|
/*
|
|
6532
6430
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6598,7 +6496,7 @@ class ProtocolUtils {
|
|
|
6598
6496
|
}
|
|
6599
6497
|
}
|
|
6600
6498
|
|
|
6601
|
-
/*! @azure/msal-common v15.
|
|
6499
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6602
6500
|
|
|
6603
6501
|
/*
|
|
6604
6502
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6682,7 +6580,7 @@ class PopTokenGenerator {
|
|
|
6682
6580
|
}
|
|
6683
6581
|
}
|
|
6684
6582
|
|
|
6685
|
-
/*! @azure/msal-common v15.
|
|
6583
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6686
6584
|
/*
|
|
6687
6585
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6688
6586
|
* Licensed under the MIT License.
|
|
@@ -6709,19 +6607,12 @@ class PopTokenGenerator {
|
|
|
6709
6607
|
}
|
|
6710
6608
|
}
|
|
6711
6609
|
|
|
6712
|
-
/*! @azure/msal-common v15.
|
|
6610
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6713
6611
|
|
|
6714
6612
|
/*
|
|
6715
6613
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6716
6614
|
* Licensed under the MIT License.
|
|
6717
6615
|
*/
|
|
6718
|
-
function parseServerErrorNo(serverResponse) {
|
|
6719
|
-
const errorCodePrefix = "code=";
|
|
6720
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6721
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6722
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6723
|
-
: undefined;
|
|
6724
|
-
}
|
|
6725
6616
|
/**
|
|
6726
6617
|
* Class that handles response parsing.
|
|
6727
6618
|
* @internal
|
|
@@ -6736,46 +6627,6 @@ class ResponseHandler {
|
|
|
6736
6627
|
this.persistencePlugin = persistencePlugin;
|
|
6737
6628
|
this.performanceClient = performanceClient;
|
|
6738
6629
|
}
|
|
6739
|
-
/**
|
|
6740
|
-
* Function which validates server authorization code response.
|
|
6741
|
-
* @param serverResponseHash
|
|
6742
|
-
* @param requestState
|
|
6743
|
-
* @param cryptoObj
|
|
6744
|
-
*/
|
|
6745
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6746
|
-
if (!serverResponse.state || !requestState) {
|
|
6747
|
-
throw serverResponse.state
|
|
6748
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6749
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6750
|
-
}
|
|
6751
|
-
let decodedServerResponseState;
|
|
6752
|
-
let decodedRequestState;
|
|
6753
|
-
try {
|
|
6754
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6755
|
-
}
|
|
6756
|
-
catch (e) {
|
|
6757
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6758
|
-
}
|
|
6759
|
-
try {
|
|
6760
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6761
|
-
}
|
|
6762
|
-
catch (e) {
|
|
6763
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6764
|
-
}
|
|
6765
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6766
|
-
throw createClientAuthError(stateMismatch);
|
|
6767
|
-
}
|
|
6768
|
-
// Check for error
|
|
6769
|
-
if (serverResponse.error ||
|
|
6770
|
-
serverResponse.error_description ||
|
|
6771
|
-
serverResponse.suberror) {
|
|
6772
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6773
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6774
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6775
|
-
}
|
|
6776
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6777
|
-
}
|
|
6778
|
-
}
|
|
6779
6630
|
/**
|
|
6780
6631
|
* Function which validates server authorization token response.
|
|
6781
6632
|
* @param serverResponse
|
|
@@ -7001,10 +6852,11 @@ class ResponseHandler {
|
|
|
7001
6852
|
accessToken = cacheRecord.accessToken.secret;
|
|
7002
6853
|
}
|
|
7003
6854
|
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
7004
|
-
expiresOn
|
|
7005
|
-
|
|
6855
|
+
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
6856
|
+
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
6857
|
+
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
7006
6858
|
if (cacheRecord.accessToken.refreshOn) {
|
|
7007
|
-
refreshOn =
|
|
6859
|
+
refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
|
|
7008
6860
|
}
|
|
7009
6861
|
}
|
|
7010
6862
|
if (cacheRecord.appMetadata) {
|
|
@@ -7086,7 +6938,74 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
7086
6938
|
return baseAccount;
|
|
7087
6939
|
}
|
|
7088
6940
|
|
|
7089
|
-
/*! @azure/msal-common v15.
|
|
6941
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6942
|
+
|
|
6943
|
+
/*
|
|
6944
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6945
|
+
* Licensed under the MIT License.
|
|
6946
|
+
*/
|
|
6947
|
+
/**
|
|
6948
|
+
* Validates server consumable params from the "request" objects
|
|
6949
|
+
*/
|
|
6950
|
+
class RequestValidator {
|
|
6951
|
+
/**
|
|
6952
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
6953
|
+
* @param redirectUri
|
|
6954
|
+
*/
|
|
6955
|
+
static validateRedirectUri(redirectUri) {
|
|
6956
|
+
if (!redirectUri) {
|
|
6957
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
6958
|
+
}
|
|
6959
|
+
}
|
|
6960
|
+
/**
|
|
6961
|
+
* Utility to validate prompt sent by the user in the request
|
|
6962
|
+
* @param prompt
|
|
6963
|
+
*/
|
|
6964
|
+
static validatePrompt(prompt) {
|
|
6965
|
+
const promptValues = [];
|
|
6966
|
+
for (const value in PromptValue) {
|
|
6967
|
+
promptValues.push(PromptValue[value]);
|
|
6968
|
+
}
|
|
6969
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
6970
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
6971
|
+
}
|
|
6972
|
+
}
|
|
6973
|
+
static validateClaims(claims) {
|
|
6974
|
+
try {
|
|
6975
|
+
JSON.parse(claims);
|
|
6976
|
+
}
|
|
6977
|
+
catch (e) {
|
|
6978
|
+
throw createClientConfigurationError(invalidClaims);
|
|
6979
|
+
}
|
|
6980
|
+
}
|
|
6981
|
+
/**
|
|
6982
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
6983
|
+
* @param codeChallenge
|
|
6984
|
+
* @param codeChallengeMethod
|
|
6985
|
+
*/
|
|
6986
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
6987
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
6988
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
6989
|
+
}
|
|
6990
|
+
else {
|
|
6991
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
6992
|
+
}
|
|
6993
|
+
}
|
|
6994
|
+
/**
|
|
6995
|
+
* Utility to validate code_challenge_method
|
|
6996
|
+
* @param codeChallengeMethod
|
|
6997
|
+
*/
|
|
6998
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
6999
|
+
if ([
|
|
7000
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7001
|
+
CodeChallengeMethodValues.S256,
|
|
7002
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7003
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7004
|
+
}
|
|
7005
|
+
}
|
|
7006
|
+
}
|
|
7007
|
+
|
|
7008
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7090
7009
|
/*
|
|
7091
7010
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7092
7011
|
* Licensed under the MIT License.
|
|
@@ -7104,7 +7023,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
|
7104
7023
|
}
|
|
7105
7024
|
}
|
|
7106
7025
|
|
|
7107
|
-
/*! @azure/msal-common v15.
|
|
7026
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7108
7027
|
|
|
7109
7028
|
/*
|
|
7110
7029
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7122,21 +7041,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7122
7041
|
this.oidcDefaultScopes =
|
|
7123
7042
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7124
7043
|
}
|
|
7125
|
-
/**
|
|
7126
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7127
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7128
|
-
* application object.
|
|
7129
|
-
*
|
|
7130
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7131
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7132
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7133
|
-
* @param request
|
|
7134
|
-
*/
|
|
7135
|
-
async getAuthCodeUrl(request) {
|
|
7136
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7137
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7138
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7139
|
-
}
|
|
7140
7044
|
/**
|
|
7141
7045
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7142
7046
|
* authorization_code_grant
|
|
@@ -7156,22 +7060,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7156
7060
|
responseHandler.validateTokenResponse(response.body);
|
|
7157
7061
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7158
7062
|
}
|
|
7159
|
-
/**
|
|
7160
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7161
|
-
* the client to exchange for a token in acquireToken.
|
|
7162
|
-
* @param hashFragment
|
|
7163
|
-
*/
|
|
7164
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7165
|
-
// Handle responses.
|
|
7166
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7167
|
-
// Get code response
|
|
7168
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7169
|
-
// throw when there is no auth code in the response
|
|
7170
|
-
if (!serverParams.code) {
|
|
7171
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7172
|
-
}
|
|
7173
|
-
return serverParams;
|
|
7174
|
-
}
|
|
7175
7063
|
/**
|
|
7176
7064
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7177
7065
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7210,18 +7098,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7210
7098
|
}
|
|
7211
7099
|
}
|
|
7212
7100
|
const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
|
|
7213
|
-
const thumbprint =
|
|
7214
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7215
|
-
this.config.authOptions.clientId,
|
|
7216
|
-
authority: authority.canonicalAuthority,
|
|
7217
|
-
scopes: request.scopes,
|
|
7218
|
-
claims: request.claims,
|
|
7219
|
-
authenticationScheme: request.authenticationScheme,
|
|
7220
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7221
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7222
|
-
shrClaims: request.shrClaims,
|
|
7223
|
-
sshKid: request.sshKid,
|
|
7224
|
-
};
|
|
7101
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7225
7102
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
|
|
7226
7103
|
}
|
|
7227
7104
|
/**
|
|
@@ -7230,8 +7107,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7230
7107
|
*/
|
|
7231
7108
|
async createTokenRequestBody(request) {
|
|
7232
7109
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7233
|
-
const
|
|
7234
|
-
|
|
7110
|
+
const parameters = new Map();
|
|
7111
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7235
7112
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7236
7113
|
this.config.authOptions.clientId);
|
|
7237
7114
|
/*
|
|
@@ -7244,33 +7121,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7244
7121
|
}
|
|
7245
7122
|
else {
|
|
7246
7123
|
// Validate and include redirect uri
|
|
7247
|
-
|
|
7124
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7248
7125
|
}
|
|
7249
7126
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7250
|
-
|
|
7127
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7251
7128
|
// add code: user set, not validated
|
|
7252
|
-
|
|
7129
|
+
addAuthorizationCode(parameters, request.code);
|
|
7253
7130
|
// Add library metadata
|
|
7254
|
-
|
|
7255
|
-
|
|
7256
|
-
|
|
7131
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7132
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7133
|
+
addThrottling(parameters);
|
|
7257
7134
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7258
|
-
|
|
7135
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7259
7136
|
}
|
|
7260
7137
|
// add code_verifier if passed
|
|
7261
7138
|
if (request.codeVerifier) {
|
|
7262
|
-
|
|
7139
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7263
7140
|
}
|
|
7264
7141
|
if (this.config.clientCredentials.clientSecret) {
|
|
7265
|
-
|
|
7142
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7266
7143
|
}
|
|
7267
7144
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7268
7145
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7269
|
-
|
|
7270
|
-
|
|
7146
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7147
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7271
7148
|
}
|
|
7272
|
-
|
|
7273
|
-
|
|
7149
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7150
|
+
addClientInfo(parameters);
|
|
7274
7151
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7275
7152
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7276
7153
|
let reqCnfData;
|
|
@@ -7282,11 +7159,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7282
7159
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7283
7160
|
}
|
|
7284
7161
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7285
|
-
|
|
7162
|
+
addPopToken(parameters, reqCnfData);
|
|
7286
7163
|
}
|
|
7287
7164
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7288
7165
|
if (request.sshJwk) {
|
|
7289
|
-
|
|
7166
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7290
7167
|
}
|
|
7291
7168
|
else {
|
|
7292
7169
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7295,7 +7172,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7295
7172
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7296
7173
|
(this.config.authOptions.clientCapabilities &&
|
|
7297
7174
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7298
|
-
|
|
7175
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7299
7176
|
}
|
|
7300
7177
|
let ccsCred = undefined;
|
|
7301
7178
|
if (request.clientInfo) {
|
|
@@ -7319,7 +7196,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7319
7196
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7320
7197
|
try {
|
|
7321
7198
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7322
|
-
|
|
7199
|
+
addCcsOid(parameters, clientInfo);
|
|
7323
7200
|
}
|
|
7324
7201
|
catch (e) {
|
|
7325
7202
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7327,234 +7204,59 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7327
7204
|
}
|
|
7328
7205
|
break;
|
|
7329
7206
|
case CcsCredentialType.UPN:
|
|
7330
|
-
|
|
7207
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7331
7208
|
break;
|
|
7332
7209
|
}
|
|
7333
7210
|
}
|
|
7334
7211
|
if (request.embeddedClientId) {
|
|
7335
|
-
|
|
7336
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7337
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7338
|
-
});
|
|
7212
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7339
7213
|
}
|
|
7340
7214
|
if (request.tokenBodyParameters) {
|
|
7341
|
-
|
|
7215
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7342
7216
|
}
|
|
7343
7217
|
// Add hybrid spa parameters if not already provided
|
|
7344
7218
|
if (request.enableSpaAuthorizationCode &&
|
|
7345
7219
|
(!request.tokenBodyParameters ||
|
|
7346
7220
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7347
|
-
|
|
7221
|
+
addExtraQueryParameters(parameters, {
|
|
7348
7222
|
[RETURN_SPA_CODE]: "1",
|
|
7349
7223
|
});
|
|
7350
7224
|
}
|
|
7351
|
-
|
|
7352
|
-
|
|
7353
|
-
/**
|
|
7354
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7355
|
-
* @param request
|
|
7356
|
-
*/
|
|
7357
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7358
|
-
// generate the correlationId if not set by the user and add
|
|
7359
|
-
const correlationId = request.correlationId ||
|
|
7360
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7361
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7362
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7363
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7364
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7365
|
-
this.config.authOptions.clientId);
|
|
7366
|
-
const requestScopes = [
|
|
7367
|
-
...(request.scopes || []),
|
|
7368
|
-
...(request.extraScopesToConsent || []),
|
|
7369
|
-
];
|
|
7370
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7371
|
-
// validate the redirectUri (to be a non null value)
|
|
7372
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7373
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7374
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7375
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7376
|
-
// add response_type = code
|
|
7377
|
-
parameterBuilder.addResponseTypeCode();
|
|
7378
|
-
// add library info parameters
|
|
7379
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7380
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7381
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7382
|
-
}
|
|
7383
|
-
// add client_info=1
|
|
7384
|
-
parameterBuilder.addClientInfo();
|
|
7385
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7386
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7387
|
-
}
|
|
7388
|
-
if (request.prompt) {
|
|
7389
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7390
|
-
}
|
|
7391
|
-
if (request.domainHint) {
|
|
7392
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7393
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7394
|
-
}
|
|
7395
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7396
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7397
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7398
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7399
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7400
|
-
// SessionID is only used in silent calls
|
|
7401
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7402
|
-
parameterBuilder.addSid(request.sid);
|
|
7403
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7404
|
-
}
|
|
7405
|
-
else if (request.account) {
|
|
7406
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7407
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7408
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7409
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7410
|
-
accountLoginHintClaim = null;
|
|
7411
|
-
}
|
|
7412
|
-
// If login_hint claim is present, use it over sid/username
|
|
7413
|
-
if (accountLoginHintClaim) {
|
|
7414
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7415
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7416
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7417
|
-
try {
|
|
7418
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7419
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7420
|
-
}
|
|
7421
|
-
catch (e) {
|
|
7422
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7423
|
-
}
|
|
7424
|
-
}
|
|
7425
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7426
|
-
/*
|
|
7427
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7428
|
-
* SessionId is only used in silent calls
|
|
7429
|
-
*/
|
|
7430
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7431
|
-
parameterBuilder.addSid(accountSid);
|
|
7432
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7433
|
-
try {
|
|
7434
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7435
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7436
|
-
}
|
|
7437
|
-
catch (e) {
|
|
7438
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7439
|
-
}
|
|
7440
|
-
}
|
|
7441
|
-
else if (request.loginHint) {
|
|
7442
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7443
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7444
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7445
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7446
|
-
}
|
|
7447
|
-
else if (request.account.username) {
|
|
7448
|
-
// Fallback to account username if provided
|
|
7449
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7450
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7451
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7452
|
-
try {
|
|
7453
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7454
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7455
|
-
}
|
|
7456
|
-
catch (e) {
|
|
7457
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7458
|
-
}
|
|
7459
|
-
}
|
|
7460
|
-
}
|
|
7461
|
-
else if (request.loginHint) {
|
|
7462
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7463
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7464
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7465
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7466
|
-
}
|
|
7467
|
-
}
|
|
7468
|
-
else {
|
|
7469
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7470
|
-
}
|
|
7471
|
-
if (request.nonce) {
|
|
7472
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7473
|
-
}
|
|
7474
|
-
if (request.state) {
|
|
7475
|
-
parameterBuilder.addState(request.state);
|
|
7476
|
-
}
|
|
7477
|
-
if (request.claims ||
|
|
7478
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7479
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7480
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7481
|
-
}
|
|
7482
|
-
if (request.embeddedClientId) {
|
|
7483
|
-
parameterBuilder.addBrokerParameters({
|
|
7484
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7485
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7486
|
-
});
|
|
7487
|
-
}
|
|
7488
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7489
|
-
if (request.platformBroker) {
|
|
7490
|
-
// signal ests that this is a WAM call
|
|
7491
|
-
parameterBuilder.addNativeBroker();
|
|
7492
|
-
// pass the req_cnf for POP
|
|
7493
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7494
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7495
|
-
// req_cnf is always sent as a string for SPAs
|
|
7496
|
-
let reqCnfData;
|
|
7497
|
-
if (!request.popKid) {
|
|
7498
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7499
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7500
|
-
}
|
|
7501
|
-
else {
|
|
7502
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7503
|
-
}
|
|
7504
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7505
|
-
}
|
|
7506
|
-
}
|
|
7507
|
-
return parameterBuilder.createQueryString();
|
|
7225
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7226
|
+
return mapToQueryString(parameters);
|
|
7508
7227
|
}
|
|
7509
7228
|
/**
|
|
7510
7229
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7511
7230
|
* @param request
|
|
7512
7231
|
*/
|
|
7513
7232
|
createLogoutUrlQueryString(request) {
|
|
7514
|
-
const
|
|
7233
|
+
const parameters = new Map();
|
|
7515
7234
|
if (request.postLogoutRedirectUri) {
|
|
7516
|
-
|
|
7235
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7517
7236
|
}
|
|
7518
7237
|
if (request.correlationId) {
|
|
7519
|
-
|
|
7238
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7520
7239
|
}
|
|
7521
7240
|
if (request.idTokenHint) {
|
|
7522
|
-
|
|
7241
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7523
7242
|
}
|
|
7524
7243
|
if (request.state) {
|
|
7525
|
-
|
|
7244
|
+
addState(parameters, request.state);
|
|
7526
7245
|
}
|
|
7527
7246
|
if (request.logoutHint) {
|
|
7528
|
-
|
|
7529
|
-
}
|
|
7530
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7531
|
-
return parameterBuilder.createQueryString();
|
|
7532
|
-
}
|
|
7533
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7534
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7535
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7536
|
-
// Set instance_aware flag if config auth param is set
|
|
7537
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7538
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7539
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7247
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7540
7248
|
}
|
|
7541
7249
|
if (request.extraQueryParameters) {
|
|
7542
|
-
|
|
7250
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7543
7251
|
}
|
|
7544
|
-
|
|
7545
|
-
|
|
7546
|
-
|
|
7547
|
-
|
|
7548
|
-
*/
|
|
7549
|
-
extractAccountSid(account) {
|
|
7550
|
-
return account.idTokenClaims?.sid || null;
|
|
7551
|
-
}
|
|
7552
|
-
extractLoginHint(account) {
|
|
7553
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7252
|
+
if (this.config.authOptions.instanceAware) {
|
|
7253
|
+
addInstanceAware(parameters);
|
|
7254
|
+
}
|
|
7255
|
+
return mapToQueryString(parameters);
|
|
7554
7256
|
}
|
|
7555
7257
|
}
|
|
7556
7258
|
|
|
7557
|
-
/*! @azure/msal-common v15.
|
|
7259
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7558
7260
|
|
|
7559
7261
|
/*
|
|
7560
7262
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7674,18 +7376,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7674
7376
|
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
|
|
7675
7377
|
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7676
7378
|
const headers = this.createTokenRequestHeaders(request.ccsCredential);
|
|
7677
|
-
const thumbprint =
|
|
7678
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7679
|
-
this.config.authOptions.clientId,
|
|
7680
|
-
authority: authority.canonicalAuthority,
|
|
7681
|
-
scopes: request.scopes,
|
|
7682
|
-
claims: request.claims,
|
|
7683
|
-
authenticationScheme: request.authenticationScheme,
|
|
7684
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7685
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7686
|
-
shrClaims: request.shrClaims,
|
|
7687
|
-
sshKid: request.sshKid,
|
|
7688
|
-
};
|
|
7379
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7689
7380
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
|
|
7690
7381
|
}
|
|
7691
7382
|
/**
|
|
@@ -7694,31 +7385,30 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7694
7385
|
*/
|
|
7695
7386
|
async createTokenRequestBody(request) {
|
|
7696
7387
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7697
|
-
const
|
|
7698
|
-
|
|
7699
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7388
|
+
const parameters = new Map();
|
|
7389
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7700
7390
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7701
7391
|
this.config.authOptions.clientId);
|
|
7702
7392
|
if (request.redirectUri) {
|
|
7703
|
-
|
|
7704
|
-
}
|
|
7705
|
-
|
|
7706
|
-
|
|
7707
|
-
|
|
7708
|
-
|
|
7709
|
-
|
|
7710
|
-
|
|
7393
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7394
|
+
}
|
|
7395
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7396
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7397
|
+
addClientInfo(parameters);
|
|
7398
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7399
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7400
|
+
addThrottling(parameters);
|
|
7711
7401
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7712
|
-
|
|
7402
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7713
7403
|
}
|
|
7714
|
-
|
|
7404
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7715
7405
|
if (this.config.clientCredentials.clientSecret) {
|
|
7716
|
-
|
|
7406
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7717
7407
|
}
|
|
7718
7408
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7719
7409
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7720
|
-
|
|
7721
|
-
|
|
7410
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7411
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7722
7412
|
}
|
|
7723
7413
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7724
7414
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7731,11 +7421,11 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7731
7421
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7732
7422
|
}
|
|
7733
7423
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7734
|
-
|
|
7424
|
+
addPopToken(parameters, reqCnfData);
|
|
7735
7425
|
}
|
|
7736
7426
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7737
7427
|
if (request.sshJwk) {
|
|
7738
|
-
|
|
7428
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7739
7429
|
}
|
|
7740
7430
|
else {
|
|
7741
7431
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7744,7 +7434,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7744
7434
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7745
7435
|
(this.config.authOptions.clientCapabilities &&
|
|
7746
7436
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7747
|
-
|
|
7437
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7748
7438
|
}
|
|
7749
7439
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7750
7440
|
request.ccsCredential) {
|
|
@@ -7752,7 +7442,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7752
7442
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7753
7443
|
try {
|
|
7754
7444
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7755
|
-
|
|
7445
|
+
addCcsOid(parameters, clientInfo);
|
|
7756
7446
|
}
|
|
7757
7447
|
catch (e) {
|
|
7758
7448
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7760,24 +7450,22 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7760
7450
|
}
|
|
7761
7451
|
break;
|
|
7762
7452
|
case CcsCredentialType.UPN:
|
|
7763
|
-
|
|
7453
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7764
7454
|
break;
|
|
7765
7455
|
}
|
|
7766
7456
|
}
|
|
7767
7457
|
if (request.embeddedClientId) {
|
|
7768
|
-
|
|
7769
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7770
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7771
|
-
});
|
|
7458
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7772
7459
|
}
|
|
7773
7460
|
if (request.tokenBodyParameters) {
|
|
7774
|
-
|
|
7461
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7775
7462
|
}
|
|
7776
|
-
|
|
7463
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7464
|
+
return mapToQueryString(parameters);
|
|
7777
7465
|
}
|
|
7778
7466
|
}
|
|
7779
7467
|
|
|
7780
|
-
/*! @azure/msal-common v15.
|
|
7468
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7781
7469
|
|
|
7782
7470
|
/*
|
|
7783
7471
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7871,26 +7559,250 @@ class SilentFlowClient extends BaseClient {
|
|
|
7871
7559
|
}
|
|
7872
7560
|
checkMaxAge(authTime, request.maxAge);
|
|
7873
7561
|
}
|
|
7874
|
-
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
7562
|
+
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
7563
|
+
}
|
|
7564
|
+
}
|
|
7565
|
+
|
|
7566
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7567
|
+
|
|
7568
|
+
/*
|
|
7569
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7570
|
+
* Licensed under the MIT License.
|
|
7571
|
+
*/
|
|
7572
|
+
const StubbedNetworkModule = {
|
|
7573
|
+
sendGetRequestAsync: () => {
|
|
7574
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7575
|
+
},
|
|
7576
|
+
sendPostRequestAsync: () => {
|
|
7577
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7578
|
+
},
|
|
7579
|
+
};
|
|
7580
|
+
|
|
7581
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7582
|
+
|
|
7583
|
+
/*
|
|
7584
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7585
|
+
* Licensed under the MIT License.
|
|
7586
|
+
*/
|
|
7587
|
+
/**
|
|
7588
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7589
|
+
* @param config
|
|
7590
|
+
* @param request
|
|
7591
|
+
* @param logger
|
|
7592
|
+
* @param performanceClient
|
|
7593
|
+
* @returns
|
|
7594
|
+
*/
|
|
7595
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7596
|
+
// generate the correlationId if not set by the user and add
|
|
7597
|
+
const correlationId = request.correlationId;
|
|
7598
|
+
const parameters = new Map();
|
|
7599
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7600
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7601
|
+
authOptions.clientId);
|
|
7602
|
+
const requestScopes = [
|
|
7603
|
+
...(request.scopes || []),
|
|
7604
|
+
...(request.extraScopesToConsent || []),
|
|
7605
|
+
];
|
|
7606
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7607
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7608
|
+
addCorrelationId(parameters, correlationId);
|
|
7609
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7610
|
+
addResponseMode(parameters, request.responseMode);
|
|
7611
|
+
// add client_info=1
|
|
7612
|
+
addClientInfo(parameters);
|
|
7613
|
+
if (request.prompt) {
|
|
7614
|
+
addPrompt(parameters, request.prompt);
|
|
7615
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7616
|
+
}
|
|
7617
|
+
if (request.domainHint) {
|
|
7618
|
+
addDomainHint(parameters, request.domainHint);
|
|
7619
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7620
|
+
}
|
|
7621
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7622
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7623
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7624
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7625
|
+
// SessionID is only used in silent calls
|
|
7626
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7627
|
+
addSid(parameters, request.sid);
|
|
7628
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7629
|
+
}
|
|
7630
|
+
else if (request.account) {
|
|
7631
|
+
const accountSid = extractAccountSid(request.account);
|
|
7632
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7633
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7634
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7635
|
+
accountLoginHintClaim = null;
|
|
7636
|
+
}
|
|
7637
|
+
// If login_hint claim is present, use it over sid/username
|
|
7638
|
+
if (accountLoginHintClaim) {
|
|
7639
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7640
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7641
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7642
|
+
try {
|
|
7643
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7644
|
+
addCcsOid(parameters, clientInfo);
|
|
7645
|
+
}
|
|
7646
|
+
catch (e) {
|
|
7647
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7648
|
+
}
|
|
7649
|
+
}
|
|
7650
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7651
|
+
/*
|
|
7652
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7653
|
+
* SessionId is only used in silent calls
|
|
7654
|
+
*/
|
|
7655
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7656
|
+
addSid(parameters, accountSid);
|
|
7657
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7658
|
+
try {
|
|
7659
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7660
|
+
addCcsOid(parameters, clientInfo);
|
|
7661
|
+
}
|
|
7662
|
+
catch (e) {
|
|
7663
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7664
|
+
}
|
|
7665
|
+
}
|
|
7666
|
+
else if (request.loginHint) {
|
|
7667
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7668
|
+
addLoginHint(parameters, request.loginHint);
|
|
7669
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7670
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7671
|
+
}
|
|
7672
|
+
else if (request.account.username) {
|
|
7673
|
+
// Fallback to account username if provided
|
|
7674
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7675
|
+
addLoginHint(parameters, request.account.username);
|
|
7676
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7677
|
+
try {
|
|
7678
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7679
|
+
addCcsOid(parameters, clientInfo);
|
|
7680
|
+
}
|
|
7681
|
+
catch (e) {
|
|
7682
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7683
|
+
}
|
|
7684
|
+
}
|
|
7685
|
+
}
|
|
7686
|
+
else if (request.loginHint) {
|
|
7687
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7688
|
+
addLoginHint(parameters, request.loginHint);
|
|
7689
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7690
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7691
|
+
}
|
|
7692
|
+
}
|
|
7693
|
+
else {
|
|
7694
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7695
|
+
}
|
|
7696
|
+
if (request.nonce) {
|
|
7697
|
+
addNonce(parameters, request.nonce);
|
|
7698
|
+
}
|
|
7699
|
+
if (request.state) {
|
|
7700
|
+
addState(parameters, request.state);
|
|
7701
|
+
}
|
|
7702
|
+
if (request.claims ||
|
|
7703
|
+
(authOptions.clientCapabilities &&
|
|
7704
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7705
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7706
|
+
}
|
|
7707
|
+
if (request.embeddedClientId) {
|
|
7708
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7709
|
+
}
|
|
7710
|
+
if (request.extraQueryParameters) {
|
|
7711
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7712
|
+
}
|
|
7713
|
+
if (authOptions.instanceAware) {
|
|
7714
|
+
addInstanceAware(parameters);
|
|
7715
|
+
}
|
|
7716
|
+
return parameters;
|
|
7717
|
+
}
|
|
7718
|
+
/**
|
|
7719
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7720
|
+
* @param authority
|
|
7721
|
+
* @param requestParameters
|
|
7722
|
+
* @returns
|
|
7723
|
+
*/
|
|
7724
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7725
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7726
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7727
|
+
}
|
|
7728
|
+
/**
|
|
7729
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7730
|
+
* the client to exchange for a token in acquireToken.
|
|
7731
|
+
* @param serverParams
|
|
7732
|
+
* @param cachedState
|
|
7733
|
+
*/
|
|
7734
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7735
|
+
// Get code response
|
|
7736
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7737
|
+
// throw when there is no auth code in the response
|
|
7738
|
+
if (!serverParams.code) {
|
|
7739
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7740
|
+
}
|
|
7741
|
+
return serverParams;
|
|
7742
|
+
}
|
|
7743
|
+
/**
|
|
7744
|
+
* Function which validates server authorization code response.
|
|
7745
|
+
* @param serverResponseHash
|
|
7746
|
+
* @param requestState
|
|
7747
|
+
*/
|
|
7748
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7749
|
+
if (!serverResponse.state || !requestState) {
|
|
7750
|
+
throw serverResponse.state
|
|
7751
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7752
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7753
|
+
}
|
|
7754
|
+
let decodedServerResponseState;
|
|
7755
|
+
let decodedRequestState;
|
|
7756
|
+
try {
|
|
7757
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7758
|
+
}
|
|
7759
|
+
catch (e) {
|
|
7760
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7761
|
+
}
|
|
7762
|
+
try {
|
|
7763
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7764
|
+
}
|
|
7765
|
+
catch (e) {
|
|
7766
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7767
|
+
}
|
|
7768
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7769
|
+
throw createClientAuthError(stateMismatch);
|
|
7770
|
+
}
|
|
7771
|
+
// Check for error
|
|
7772
|
+
if (serverResponse.error ||
|
|
7773
|
+
serverResponse.error_description ||
|
|
7774
|
+
serverResponse.suberror) {
|
|
7775
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7776
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7777
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7778
|
+
}
|
|
7779
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7875
7780
|
}
|
|
7876
|
-
}
|
|
7877
|
-
|
|
7878
|
-
|
|
7879
|
-
|
|
7880
|
-
|
|
7881
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7882
|
-
* Licensed under the MIT License.
|
|
7781
|
+
}
|
|
7782
|
+
/**
|
|
7783
|
+
* Get server error No from the error_uri
|
|
7784
|
+
* @param serverResponse
|
|
7785
|
+
* @returns
|
|
7883
7786
|
*/
|
|
7884
|
-
|
|
7885
|
-
|
|
7886
|
-
|
|
7887
|
-
|
|
7888
|
-
|
|
7889
|
-
|
|
7890
|
-
|
|
7891
|
-
|
|
7787
|
+
function parseServerErrorNo(serverResponse) {
|
|
7788
|
+
const errorCodePrefix = "code=";
|
|
7789
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7790
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7791
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7792
|
+
: undefined;
|
|
7793
|
+
}
|
|
7794
|
+
/**
|
|
7795
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
7796
|
+
* @param account
|
|
7797
|
+
*/
|
|
7798
|
+
function extractAccountSid(account) {
|
|
7799
|
+
return account.idTokenClaims?.sid || null;
|
|
7800
|
+
}
|
|
7801
|
+
function extractLoginHint(account) {
|
|
7802
|
+
return account.idTokenClaims?.login_hint || null;
|
|
7803
|
+
}
|
|
7892
7804
|
|
|
7893
|
-
/*! @azure/msal-common v15.
|
|
7805
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7894
7806
|
|
|
7895
7807
|
/*
|
|
7896
7808
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7948,7 +7860,7 @@ class AuthenticationHeaderParser {
|
|
|
7948
7860
|
}
|
|
7949
7861
|
}
|
|
7950
7862
|
|
|
7951
|
-
/*! @azure/msal-common v15.
|
|
7863
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7952
7864
|
|
|
7953
7865
|
/*
|
|
7954
7866
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8211,7 +8123,7 @@ class ServerTelemetryManager {
|
|
|
8211
8123
|
}
|
|
8212
8124
|
}
|
|
8213
8125
|
|
|
8214
|
-
/*! @azure/msal-common v15.
|
|
8126
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8215
8127
|
/*
|
|
8216
8128
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8217
8129
|
* Licensed under the MIT License.
|
|
@@ -8219,7 +8131,7 @@ class ServerTelemetryManager {
|
|
|
8219
8131
|
const missingKidError = "missing_kid_error";
|
|
8220
8132
|
const missingAlgError = "missing_alg_error";
|
|
8221
8133
|
|
|
8222
|
-
/*! @azure/msal-common v15.
|
|
8134
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8223
8135
|
|
|
8224
8136
|
/*
|
|
8225
8137
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8244,7 +8156,7 @@ function createJoseHeaderError(code) {
|
|
|
8244
8156
|
return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
|
|
8245
8157
|
}
|
|
8246
8158
|
|
|
8247
|
-
/*! @azure/msal-common v15.
|
|
8159
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8248
8160
|
|
|
8249
8161
|
/*
|
|
8250
8162
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8284,7 +8196,7 @@ class JoseHeader {
|
|
|
8284
8196
|
}
|
|
8285
8197
|
}
|
|
8286
8198
|
|
|
8287
|
-
/*! @azure/msal-common v15.
|
|
8199
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8288
8200
|
|
|
8289
8201
|
/*
|
|
8290
8202
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8363,7 +8275,7 @@ class StubPerformanceClient {
|
|
|
8363
8275
|
}
|
|
8364
8276
|
}
|
|
8365
8277
|
|
|
8366
|
-
/*! @azure/msal-common v15.
|
|
8278
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8367
8279
|
|
|
8368
8280
|
/*
|
|
8369
8281
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -10400,7 +10312,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
|
|
|
10400
10312
|
|
|
10401
10313
|
/* eslint-disable header/header */
|
|
10402
10314
|
const name = "@azure/msal-browser";
|
|
10403
|
-
const version = "4.
|
|
10315
|
+
const version = "4.8.0";
|
|
10404
10316
|
|
|
10405
10317
|
/*
|
|
10406
10318
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -12679,7 +12591,13 @@ class BrowserCacheManager extends CacheManager {
|
|
|
12679
12591
|
*
|
|
12680
12592
|
* The next MSAL VFuture should map these both to same value if possible
|
|
12681
12593
|
*/
|
|
12682
|
-
const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
|
|
12594
|
+
const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
|
|
12595
|
+
// Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
|
|
12596
|
+
result.expiresOn
|
|
12597
|
+
? toSecondsFromDate(result.expiresOn)
|
|
12598
|
+
: 0, result.extExpiresOn
|
|
12599
|
+
? toSecondsFromDate(result.extExpiresOn)
|
|
12600
|
+
: 0, base64Decode, undefined, // refreshOn
|
|
12683
12601
|
result.tokenType, undefined, // userAssertionHash
|
|
12684
12602
|
request.sshKid, request.claims, claimsHash);
|
|
12685
12603
|
const cacheRecord = {
|
|
@@ -12885,7 +12803,9 @@ class EventHandler {
|
|
|
12885
12803
|
constructor(logger) {
|
|
12886
12804
|
this.eventCallbacks = new Map();
|
|
12887
12805
|
this.logger = logger || new Logger({});
|
|
12888
|
-
|
|
12806
|
+
if (typeof BroadcastChannel !== "undefined") {
|
|
12807
|
+
this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
|
|
12808
|
+
}
|
|
12889
12809
|
this.invokeCrossTabCallbacks = this.invokeCrossTabCallbacks.bind(this);
|
|
12890
12810
|
}
|
|
12891
12811
|
/**
|
|
@@ -12935,7 +12855,7 @@ class EventHandler {
|
|
|
12935
12855
|
case EventType.ACCOUNT_REMOVED:
|
|
12936
12856
|
case EventType.ACTIVE_ACCOUNT_CHANGED:
|
|
12937
12857
|
// Send event to other open tabs / MSAL instances on same domain
|
|
12938
|
-
this.broadcastChannel
|
|
12858
|
+
this.broadcastChannel?.postMessage(message);
|
|
12939
12859
|
break;
|
|
12940
12860
|
default:
|
|
12941
12861
|
// Emit event to callbacks registered in this instance
|
|
@@ -12968,13 +12888,13 @@ class EventHandler {
|
|
|
12968
12888
|
* Listen for events broadcasted from other tabs/instances
|
|
12969
12889
|
*/
|
|
12970
12890
|
subscribeCrossTab() {
|
|
12971
|
-
this.broadcastChannel
|
|
12891
|
+
this.broadcastChannel?.addEventListener("message", this.invokeCrossTabCallbacks);
|
|
12972
12892
|
}
|
|
12973
12893
|
/**
|
|
12974
12894
|
* Unsubscribe from broadcast events
|
|
12975
12895
|
*/
|
|
12976
12896
|
unsubscribeCrossTab() {
|
|
12977
|
-
this.broadcastChannel
|
|
12897
|
+
this.broadcastChannel?.removeEventListener("message", this.invokeCrossTabCallbacks);
|
|
12978
12898
|
}
|
|
12979
12899
|
}
|
|
12980
12900
|
|
|
@@ -13096,61 +13016,6 @@ class BaseInteractionClient {
|
|
|
13096
13016
|
}
|
|
13097
13017
|
}
|
|
13098
13018
|
|
|
13099
|
-
/*
|
|
13100
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13101
|
-
* Licensed under the MIT License.
|
|
13102
|
-
*/
|
|
13103
|
-
// Constant byte array length
|
|
13104
|
-
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
13105
|
-
/**
|
|
13106
|
-
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
13107
|
-
*/
|
|
13108
|
-
/**
|
|
13109
|
-
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
13110
|
-
*/
|
|
13111
|
-
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
13112
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
13113
|
-
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
13114
|
-
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
13115
|
-
return {
|
|
13116
|
-
verifier: codeVerifier,
|
|
13117
|
-
challenge: codeChallenge,
|
|
13118
|
-
};
|
|
13119
|
-
}
|
|
13120
|
-
/**
|
|
13121
|
-
* Generates a random 32 byte buffer and returns the base64
|
|
13122
|
-
* encoded string to be used as a PKCE Code Verifier
|
|
13123
|
-
*/
|
|
13124
|
-
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
13125
|
-
try {
|
|
13126
|
-
// Generate random values as utf-8
|
|
13127
|
-
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
13128
|
-
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
13129
|
-
// encode verifier as base64
|
|
13130
|
-
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
13131
|
-
return pkceCodeVerifierB64;
|
|
13132
|
-
}
|
|
13133
|
-
catch (e) {
|
|
13134
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13135
|
-
}
|
|
13136
|
-
}
|
|
13137
|
-
/**
|
|
13138
|
-
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
13139
|
-
* hash created from the PKCE Code Verifier supplied
|
|
13140
|
-
*/
|
|
13141
|
-
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
13142
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
13143
|
-
try {
|
|
13144
|
-
// hashed verifier
|
|
13145
|
-
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
13146
|
-
// encode hash as base64
|
|
13147
|
-
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
13148
|
-
}
|
|
13149
|
-
catch (e) {
|
|
13150
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13151
|
-
}
|
|
13152
|
-
}
|
|
13153
|
-
|
|
13154
13019
|
/*
|
|
13155
13020
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13156
13021
|
* Licensed under the MIT License.
|
|
@@ -13213,25 +13078,6 @@ async function initializeSilentRequest(request, account, config, performanceClie
|
|
|
13213
13078
|
* Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
|
|
13214
13079
|
*/
|
|
13215
13080
|
class StandardInteractionClient extends BaseInteractionClient {
|
|
13216
|
-
/**
|
|
13217
|
-
* Generates an auth code request tied to the url request.
|
|
13218
|
-
* @param request
|
|
13219
|
-
* @param pkceCodes
|
|
13220
|
-
*/
|
|
13221
|
-
async initializeAuthorizationCodeRequest(request, pkceCodes) {
|
|
13222
|
-
this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
|
|
13223
|
-
const generatedPkceParams = pkceCodes ||
|
|
13224
|
-
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
13225
|
-
const authCodeRequest = {
|
|
13226
|
-
...request,
|
|
13227
|
-
redirectUri: request.redirectUri,
|
|
13228
|
-
code: Constants.EMPTY_STRING,
|
|
13229
|
-
codeVerifier: generatedPkceParams.verifier,
|
|
13230
|
-
};
|
|
13231
|
-
request.codeChallenge = generatedPkceParams.challenge;
|
|
13232
|
-
request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
|
|
13233
|
-
return authCodeRequest;
|
|
13234
|
-
}
|
|
13235
13081
|
/**
|
|
13236
13082
|
* Initializer for the logout request.
|
|
13237
13083
|
* @param logoutRequest
|
|
@@ -13810,7 +13656,12 @@ class NativeInteractionClient extends BaseInteractionClient {
|
|
|
13810
13656
|
const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
|
|
13811
13657
|
nativeAccountId: request.accountId,
|
|
13812
13658
|
})?.homeAccountId;
|
|
13813
|
-
|
|
13659
|
+
// add exception for double brokering, please note this is temporary and will be fortified in future
|
|
13660
|
+
if (request.extraParameters?.child_client_id &&
|
|
13661
|
+
response.account.id !== request.accountId) {
|
|
13662
|
+
this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
|
|
13663
|
+
}
|
|
13664
|
+
else if (homeAccountIdentifier !== cachedhomeAccountId &&
|
|
13814
13665
|
response.account.id !== request.accountId) {
|
|
13815
13666
|
// User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
|
|
13816
13667
|
throw createNativeAuthError(userSwitch);
|
|
@@ -13822,6 +13673,8 @@ class NativeInteractionClient extends BaseInteractionClient {
|
|
|
13822
13673
|
const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
|
|
13823
13674
|
idTokenClaims.tid, undefined, // auth code payload
|
|
13824
13675
|
response.account.id, this.logger);
|
|
13676
|
+
// Ensure expires_in is in number format
|
|
13677
|
+
response.expires_in = Number(response.expires_in);
|
|
13825
13678
|
// generate authenticationResult
|
|
13826
13679
|
const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
|
|
13827
13680
|
// cache accounts and tokens in the appropriate storage
|
|
@@ -13938,7 +13791,8 @@ class NativeInteractionClient extends BaseInteractionClient {
|
|
|
13938
13791
|
idTokenClaims: idTokenClaims,
|
|
13939
13792
|
accessToken: responseAccessToken,
|
|
13940
13793
|
fromCache: mats ? this.isResponseFromCache(mats) : false,
|
|
13941
|
-
|
|
13794
|
+
// Request timestamp and NativeResponse expires_in are in seconds, converting to Date for AuthenticationResult
|
|
13795
|
+
expiresOn: toDateFromSeconds(reqTimestamp + response.expires_in),
|
|
13942
13796
|
tokenType: tokenType,
|
|
13943
13797
|
correlationId: this.correlationId,
|
|
13944
13798
|
state: response.state,
|
|
@@ -14468,7 +14322,7 @@ class InteractionHandler {
|
|
|
14468
14322
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
|
|
14469
14323
|
let authCodeResponse;
|
|
14470
14324
|
try {
|
|
14471
|
-
authCodeResponse =
|
|
14325
|
+
authCodeResponse = getAuthorizationCodePayload(response, request.state);
|
|
14472
14326
|
}
|
|
14473
14327
|
catch (e) {
|
|
14474
14328
|
if (e instanceof ServerError &&
|
|
@@ -14576,6 +14430,126 @@ function validateInteractionType(response, browserCrypto, interactionType) {
|
|
|
14576
14430
|
}
|
|
14577
14431
|
}
|
|
14578
14432
|
|
|
14433
|
+
/*
|
|
14434
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14435
|
+
* Licensed under the MIT License.
|
|
14436
|
+
*/
|
|
14437
|
+
/**
|
|
14438
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
14439
|
+
* @param config
|
|
14440
|
+
* @param authority
|
|
14441
|
+
* @param request
|
|
14442
|
+
* @param logger
|
|
14443
|
+
* @param performanceClient
|
|
14444
|
+
* @returns
|
|
14445
|
+
*/
|
|
14446
|
+
async function getStandardParameters(config, authority, request, logger, performanceClient) {
|
|
14447
|
+
const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
|
|
14448
|
+
addLibraryInfo(parameters, {
|
|
14449
|
+
sku: BrowserConstants.MSAL_SKU,
|
|
14450
|
+
version: version,
|
|
14451
|
+
os: "",
|
|
14452
|
+
cpu: "",
|
|
14453
|
+
});
|
|
14454
|
+
if (config.auth.protocolMode !== ProtocolMode.OIDC) {
|
|
14455
|
+
addApplicationTelemetry(parameters, config.telemetry.application);
|
|
14456
|
+
}
|
|
14457
|
+
if (request.platformBroker) {
|
|
14458
|
+
// signal ests that this is a WAM call
|
|
14459
|
+
addNativeBroker(parameters);
|
|
14460
|
+
// pass the req_cnf for POP
|
|
14461
|
+
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
14462
|
+
const cryptoOps = new CryptoOps(logger, performanceClient);
|
|
14463
|
+
const popTokenGenerator = new PopTokenGenerator(cryptoOps);
|
|
14464
|
+
// req_cnf is always sent as a string for SPAs
|
|
14465
|
+
let reqCnfData;
|
|
14466
|
+
if (!request.popKid) {
|
|
14467
|
+
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
|
|
14468
|
+
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
14469
|
+
}
|
|
14470
|
+
else {
|
|
14471
|
+
reqCnfData = cryptoOps.encodeKid(request.popKid);
|
|
14472
|
+
}
|
|
14473
|
+
addPopToken(parameters, reqCnfData);
|
|
14474
|
+
}
|
|
14475
|
+
}
|
|
14476
|
+
instrumentBrokerParams(parameters, request.correlationId, performanceClient);
|
|
14477
|
+
return parameters;
|
|
14478
|
+
}
|
|
14479
|
+
/**
|
|
14480
|
+
* Gets the full /authorize URL with request parameters when using Auth Code + PKCE
|
|
14481
|
+
* @param config
|
|
14482
|
+
* @param authority
|
|
14483
|
+
* @param request
|
|
14484
|
+
* @param logger
|
|
14485
|
+
* @param performanceClient
|
|
14486
|
+
* @returns
|
|
14487
|
+
*/
|
|
14488
|
+
async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
|
|
14489
|
+
if (!request.codeChallenge) {
|
|
14490
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
14491
|
+
}
|
|
14492
|
+
const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
|
|
14493
|
+
addResponseTypeCode(parameters);
|
|
14494
|
+
addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
|
|
14495
|
+
return getAuthorizeUrl(authority, parameters);
|
|
14496
|
+
}
|
|
14497
|
+
|
|
14498
|
+
/*
|
|
14499
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14500
|
+
* Licensed under the MIT License.
|
|
14501
|
+
*/
|
|
14502
|
+
// Constant byte array length
|
|
14503
|
+
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
14504
|
+
/**
|
|
14505
|
+
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
14506
|
+
*/
|
|
14507
|
+
/**
|
|
14508
|
+
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
14509
|
+
*/
|
|
14510
|
+
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
14511
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
14512
|
+
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
14513
|
+
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
14514
|
+
return {
|
|
14515
|
+
verifier: codeVerifier,
|
|
14516
|
+
challenge: codeChallenge,
|
|
14517
|
+
};
|
|
14518
|
+
}
|
|
14519
|
+
/**
|
|
14520
|
+
* Generates a random 32 byte buffer and returns the base64
|
|
14521
|
+
* encoded string to be used as a PKCE Code Verifier
|
|
14522
|
+
*/
|
|
14523
|
+
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
14524
|
+
try {
|
|
14525
|
+
// Generate random values as utf-8
|
|
14526
|
+
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
14527
|
+
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
14528
|
+
// encode verifier as base64
|
|
14529
|
+
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
14530
|
+
return pkceCodeVerifierB64;
|
|
14531
|
+
}
|
|
14532
|
+
catch (e) {
|
|
14533
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14534
|
+
}
|
|
14535
|
+
}
|
|
14536
|
+
/**
|
|
14537
|
+
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
14538
|
+
* hash created from the PKCE Code Verifier supplied
|
|
14539
|
+
*/
|
|
14540
|
+
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
14541
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
14542
|
+
try {
|
|
14543
|
+
// hashed verifier
|
|
14544
|
+
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
14545
|
+
// encode hash as base64
|
|
14546
|
+
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
14547
|
+
}
|
|
14548
|
+
catch (e) {
|
|
14549
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14550
|
+
}
|
|
14551
|
+
}
|
|
14552
|
+
|
|
14579
14553
|
/*
|
|
14580
14554
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14581
14555
|
* Licensed under the MIT License.
|
|
@@ -14663,6 +14637,9 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14663
14637
|
this.logger.verbose("acquireTokenPopupAsync called");
|
|
14664
14638
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
|
|
14665
14639
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
|
|
14640
|
+
const pkce = pkceCodes ||
|
|
14641
|
+
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
14642
|
+
validRequest.codeChallenge = pkce.challenge;
|
|
14666
14643
|
/*
|
|
14667
14644
|
* Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
|
|
14668
14645
|
* popup from being blocked by browsers with shorter popup timers
|
|
@@ -14671,8 +14648,6 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14671
14648
|
preconnect(validRequest.authority);
|
|
14672
14649
|
}
|
|
14673
14650
|
try {
|
|
14674
|
-
// Create auth code request and generate PKCE params
|
|
14675
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
|
|
14676
14651
|
// Initialize the client
|
|
14677
14652
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
14678
14653
|
serverTelemetryManager,
|
|
@@ -14689,12 +14664,10 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14689
14664
|
this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
|
|
14690
14665
|
}
|
|
14691
14666
|
// Create acquire token url.
|
|
14692
|
-
const navigateUrl = await authClient.
|
|
14667
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
14693
14668
|
...validRequest,
|
|
14694
14669
|
platformBroker: isPlatformBroker,
|
|
14695
|
-
});
|
|
14696
|
-
// Create popup interaction handler.
|
|
14697
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14670
|
+
}, this.logger, this.performanceClient);
|
|
14698
14671
|
// Show the UI once the url has been created. Get the window handle for the popup.
|
|
14699
14672
|
const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
|
|
14700
14673
|
this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
|
|
@@ -14702,7 +14675,7 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14702
14675
|
const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
|
|
14703
14676
|
const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
|
|
14704
14677
|
// Remove throttle if it exists
|
|
14705
|
-
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId,
|
|
14678
|
+
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
|
|
14706
14679
|
if (serverParams.accountId) {
|
|
14707
14680
|
this.logger.verbose("Account id found in hash, calling WAM for token");
|
|
14708
14681
|
// end measurement for server call with native brokering enabled
|
|
@@ -14723,6 +14696,13 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14723
14696
|
prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
|
|
14724
14697
|
});
|
|
14725
14698
|
}
|
|
14699
|
+
const authCodeRequest = {
|
|
14700
|
+
...validRequest,
|
|
14701
|
+
code: serverParams.code || "",
|
|
14702
|
+
codeVerifier: pkce.verifier,
|
|
14703
|
+
};
|
|
14704
|
+
// Create popup interaction handler.
|
|
14705
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14726
14706
|
// Handle response from hash string.
|
|
14727
14707
|
const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
|
|
14728
14708
|
return result;
|
|
@@ -15098,7 +15078,7 @@ class RedirectHandler {
|
|
|
15098
15078
|
}
|
|
15099
15079
|
let authCodeResponse;
|
|
15100
15080
|
try {
|
|
15101
|
-
authCodeResponse =
|
|
15081
|
+
authCodeResponse = getAuthorizationCodePayload(response, requestState);
|
|
15102
15082
|
}
|
|
15103
15083
|
catch (e) {
|
|
15104
15084
|
if (e instanceof ServerError &&
|
|
@@ -15182,6 +15162,8 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15182
15162
|
*/
|
|
15183
15163
|
async acquireToken(request) {
|
|
15184
15164
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
|
|
15165
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15166
|
+
validRequest.codeChallenge = pkceCodes.challenge;
|
|
15185
15167
|
this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
|
|
15186
15168
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
|
|
15187
15169
|
const handleBackButton = (event) => {
|
|
@@ -15193,8 +15175,6 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15193
15175
|
}
|
|
15194
15176
|
};
|
|
15195
15177
|
try {
|
|
15196
|
-
// Create auth code request and generate PKCE params
|
|
15197
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
|
|
15198
15178
|
// Initialize the client
|
|
15199
15179
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
15200
15180
|
serverTelemetryManager,
|
|
@@ -15203,13 +15183,18 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15203
15183
|
requestExtraQueryParameters: validRequest.extraQueryParameters,
|
|
15204
15184
|
account: validRequest.account,
|
|
15205
15185
|
});
|
|
15186
|
+
const authCodeRequest = {
|
|
15187
|
+
...validRequest,
|
|
15188
|
+
code: "",
|
|
15189
|
+
codeVerifier: pkceCodes.verifier,
|
|
15190
|
+
};
|
|
15206
15191
|
// Create redirect interaction handler.
|
|
15207
15192
|
const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15208
15193
|
// Create acquire token url.
|
|
15209
|
-
const navigateUrl = await authClient.
|
|
15194
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
15210
15195
|
...validRequest,
|
|
15211
15196
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
|
|
15212
|
-
});
|
|
15197
|
+
}, this.logger, this.performanceClient);
|
|
15213
15198
|
const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
|
|
15214
15199
|
this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
|
|
15215
15200
|
// Clear temporary cache if the back button is clicked during the redirect flow.
|
|
@@ -15714,18 +15699,19 @@ class SilentIframeClient extends StandardInteractionClient {
|
|
|
15714
15699
|
* @param navigateUrl
|
|
15715
15700
|
* @param userRequestScopes
|
|
15716
15701
|
*/
|
|
15717
|
-
async silentTokenHelper(authClient,
|
|
15718
|
-
const correlationId =
|
|
15702
|
+
async silentTokenHelper(authClient, request) {
|
|
15703
|
+
const correlationId = request.correlationId;
|
|
15719
15704
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
|
|
15720
|
-
|
|
15721
|
-
const
|
|
15705
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15706
|
+
const silentRequest = {
|
|
15707
|
+
...request,
|
|
15708
|
+
codeChallenge: pkceCodes.challenge,
|
|
15709
|
+
};
|
|
15722
15710
|
// Create authorize request url
|
|
15723
|
-
const navigateUrl = await invokeAsync(
|
|
15711
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
|
|
15724
15712
|
...silentRequest,
|
|
15725
15713
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
|
|
15726
|
-
});
|
|
15727
|
-
// Create silent handler
|
|
15728
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15714
|
+
}, this.logger, this.performanceClient);
|
|
15729
15715
|
// Get the frame handle for the silent request
|
|
15730
15716
|
const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
|
|
15731
15717
|
const responseType = this.config.auth.OIDCOptions.serverResponseType;
|
|
@@ -15745,6 +15731,13 @@ class SilentIframeClient extends StandardInteractionClient {
|
|
|
15745
15731
|
prompt: silentRequest.prompt || PromptValue.NONE,
|
|
15746
15732
|
});
|
|
15747
15733
|
}
|
|
15734
|
+
const authCodeRequest = {
|
|
15735
|
+
...silentRequest,
|
|
15736
|
+
code: serverParams.code || "",
|
|
15737
|
+
codeVerifier: pkceCodes.verifier,
|
|
15738
|
+
};
|
|
15739
|
+
// Create silent handler
|
|
15740
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15748
15741
|
// Handle response from hash string
|
|
15749
15742
|
return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
|
|
15750
15743
|
}
|
|
@@ -15939,11 +15932,10 @@ class TokenCache {
|
|
|
15939
15932
|
const scopes = response.scope
|
|
15940
15933
|
? ScopeSet.fromString(response.scope)
|
|
15941
15934
|
: new ScopeSet(request.scopes);
|
|
15942
|
-
const expiresOn = options.expiresOn ||
|
|
15943
|
-
response.expires_in + new Date().getTime() / 1000;
|
|
15935
|
+
const expiresOn = options.expiresOn || response.expires_in + nowSeconds();
|
|
15944
15936
|
const extendedExpiresOn = options.extendedExpiresOn ||
|
|
15945
15937
|
(response.ext_expires_in || response.expires_in) +
|
|
15946
|
-
|
|
15938
|
+
nowSeconds();
|
|
15947
15939
|
const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
|
|
15948
15940
|
await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
|
|
15949
15941
|
return accessTokenEntity;
|
|
@@ -15983,8 +15975,9 @@ class TokenCache {
|
|
|
15983
15975
|
if (cacheRecord?.accessToken) {
|
|
15984
15976
|
accessToken = cacheRecord.accessToken.secret;
|
|
15985
15977
|
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
15986
|
-
expiresOn
|
|
15987
|
-
|
|
15978
|
+
// Access token expiresOn stored in seconds, converting to Date for AuthenticationResult
|
|
15979
|
+
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
15980
|
+
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
15988
15981
|
}
|
|
15989
15982
|
const accountEntity = cacheRecord.account;
|
|
15990
15983
|
return {
|
|
@@ -17231,60 +17224,63 @@ class StandardController {
|
|
|
17231
17224
|
throw createBrowserAuthError(noAccountError);
|
|
17232
17225
|
}
|
|
17233
17226
|
atsMeasurement.add({ accountType: getAccountType(account) });
|
|
17234
|
-
|
|
17235
|
-
|
|
17236
|
-
|
|
17237
|
-
|
|
17238
|
-
|
|
17239
|
-
|
|
17240
|
-
|
|
17241
|
-
|
|
17242
|
-
|
|
17243
|
-
|
|
17244
|
-
|
|
17245
|
-
|
|
17246
|
-
|
|
17227
|
+
return this.acquireTokenSilentDeduped(request, account, correlationId)
|
|
17228
|
+
.then((result) => {
|
|
17229
|
+
atsMeasurement.end({
|
|
17230
|
+
success: true,
|
|
17231
|
+
fromCache: result.fromCache,
|
|
17232
|
+
isNativeBroker: result.fromNativeBroker,
|
|
17233
|
+
accessTokenSize: result.accessToken.length,
|
|
17234
|
+
idTokenSize: result.idToken.length,
|
|
17235
|
+
});
|
|
17236
|
+
return {
|
|
17237
|
+
...result,
|
|
17238
|
+
state: request.state,
|
|
17239
|
+
correlationId: correlationId, // Ensures PWB scenarios can correctly match request to response
|
|
17240
|
+
};
|
|
17241
|
+
})
|
|
17242
|
+
.catch((error) => {
|
|
17243
|
+
if (error instanceof AuthError) {
|
|
17244
|
+
// Ensures PWB scenarios can correctly match request to response
|
|
17245
|
+
error.setCorrelationId(correlationId);
|
|
17246
|
+
}
|
|
17247
|
+
atsMeasurement.end({
|
|
17248
|
+
success: false,
|
|
17249
|
+
}, error);
|
|
17250
|
+
throw error;
|
|
17251
|
+
});
|
|
17252
|
+
}
|
|
17253
|
+
/**
|
|
17254
|
+
* Checks if identical request is already in flight and returns reference to the existing promise or fires off a new one if this is the first
|
|
17255
|
+
* @param request
|
|
17256
|
+
* @param account
|
|
17257
|
+
* @param correlationId
|
|
17258
|
+
* @returns
|
|
17259
|
+
*/
|
|
17260
|
+
async acquireTokenSilentDeduped(request, account, correlationId) {
|
|
17261
|
+
const thumbprint = getRequestThumbprint(this.config.auth.clientId, {
|
|
17262
|
+
...request,
|
|
17263
|
+
authority: request.authority || this.config.auth.authority,
|
|
17264
|
+
correlationId: correlationId,
|
|
17265
|
+
}, account.homeAccountId);
|
|
17247
17266
|
const silentRequestKey = JSON.stringify(thumbprint);
|
|
17248
|
-
const
|
|
17249
|
-
if (typeof
|
|
17267
|
+
const inProgressRequest = this.activeSilentTokenRequests.get(silentRequestKey);
|
|
17268
|
+
if (typeof inProgressRequest === "undefined") {
|
|
17250
17269
|
this.logger.verbose("acquireTokenSilent called for the first time, storing active request", correlationId);
|
|
17251
|
-
|
|
17270
|
+
this.performanceClient.addFields({ deduped: false }, correlationId);
|
|
17271
|
+
const activeRequest = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
|
|
17252
17272
|
...request,
|
|
17253
17273
|
correlationId,
|
|
17254
|
-
}, account)
|
|
17255
|
-
|
|
17256
|
-
|
|
17257
|
-
atsMeasurement.end({
|
|
17258
|
-
success: true,
|
|
17259
|
-
fromCache: result.fromCache,
|
|
17260
|
-
isNativeBroker: result.fromNativeBroker,
|
|
17261
|
-
cacheLookupPolicy: request.cacheLookupPolicy,
|
|
17262
|
-
accessTokenSize: result.accessToken.length,
|
|
17263
|
-
idTokenSize: result.idToken.length,
|
|
17264
|
-
});
|
|
17265
|
-
return result;
|
|
17266
|
-
})
|
|
17267
|
-
.catch((error) => {
|
|
17274
|
+
}, account);
|
|
17275
|
+
this.activeSilentTokenRequests.set(silentRequestKey, activeRequest);
|
|
17276
|
+
return activeRequest.finally(() => {
|
|
17268
17277
|
this.activeSilentTokenRequests.delete(silentRequestKey);
|
|
17269
|
-
atsMeasurement.end({
|
|
17270
|
-
success: false,
|
|
17271
|
-
}, error);
|
|
17272
|
-
throw error;
|
|
17273
17278
|
});
|
|
17274
|
-
this.activeSilentTokenRequests.set(silentRequestKey, response);
|
|
17275
|
-
return {
|
|
17276
|
-
...(await response),
|
|
17277
|
-
state: request.state,
|
|
17278
|
-
};
|
|
17279
17279
|
}
|
|
17280
17280
|
else {
|
|
17281
17281
|
this.logger.verbose("acquireTokenSilent has been called previously, returning the result from the first call", correlationId);
|
|
17282
|
-
|
|
17283
|
-
|
|
17284
|
-
return {
|
|
17285
|
-
...(await cachedResponse),
|
|
17286
|
-
state: request.state,
|
|
17287
|
-
};
|
|
17282
|
+
this.performanceClient.addFields({ deduped: true }, correlationId);
|
|
17283
|
+
return inProgressRequest;
|
|
17288
17284
|
}
|
|
17289
17285
|
}
|
|
17290
17286
|
/**
|
|
@@ -17495,8 +17491,7 @@ class NestedAppAuthAdapter {
|
|
|
17495
17491
|
extraParams = new Map(Object.entries(request.extraQueryParameters));
|
|
17496
17492
|
}
|
|
17497
17493
|
const correlationId = request.correlationId || this.crypto.createNewGuid();
|
|
17498
|
-
const
|
|
17499
|
-
const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17494
|
+
const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17500
17495
|
const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
|
|
17501
17496
|
const tokenRequest = {
|
|
17502
17497
|
platformBrokerId: request.account?.homeAccountId,
|
|
@@ -17515,7 +17510,8 @@ class NestedAppAuthAdapter {
|
|
|
17515
17510
|
if (!response.token.id_token || !response.token.access_token) {
|
|
17516
17511
|
throw createClientAuthError(nullOrEmptyToken);
|
|
17517
17512
|
}
|
|
17518
|
-
|
|
17513
|
+
// Request timestamp and AuthResult expires_in are in seconds, converting to Date for AuthenticationResult
|
|
17514
|
+
const expiresOn = toDateFromSeconds(reqTimestamp + (response.token.expires_in || 0));
|
|
17519
17515
|
const idTokenClaims = extractTokenClaims(response.token.id_token, this.crypto.base64Decode);
|
|
17520
17516
|
const account = this.fromNaaAccountInfo(response.account, response.token.id_token, idTokenClaims);
|
|
17521
17517
|
const scopes = response.token.scope || request.scope;
|
|
@@ -17644,10 +17640,10 @@ class NestedAppAuthAdapter {
|
|
|
17644
17640
|
idTokenClaims: idTokenClaims || {},
|
|
17645
17641
|
accessToken: accessToken.secret,
|
|
17646
17642
|
fromCache: true,
|
|
17647
|
-
expiresOn:
|
|
17643
|
+
expiresOn: toDateFromSeconds(accessToken.expiresOn),
|
|
17644
|
+
extExpiresOn: toDateFromSeconds(accessToken.extendedExpiresOn),
|
|
17648
17645
|
tokenType: request.authenticationScheme || AuthenticationScheme.BEARER,
|
|
17649
17646
|
correlationId,
|
|
17650
|
-
extExpiresOn: new Date(Number(accessToken.extendedExpiresOn) * 1000),
|
|
17651
17647
|
state: request.state,
|
|
17652
17648
|
};
|
|
17653
17649
|
return authenticationResult;
|