@azure/msal-browser 4.5.1 → 4.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/IPublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientNext.mjs +1 -1
- package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
- package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/cache/AccountManager.mjs +1 -1
- package/dist/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
- package/dist/cache/BrowserCacheManager.mjs +9 -3
- package/dist/cache/BrowserCacheManager.mjs.map +1 -1
- package/dist/cache/CacheHelpers.mjs +1 -1
- package/dist/cache/CookieStorage.mjs +1 -1
- package/dist/cache/DatabaseStorage.mjs +1 -1
- package/dist/cache/LocalStorage.mjs +1 -1
- package/dist/cache/MemoryStorage.mjs +1 -1
- package/dist/cache/SessionStorage.mjs +1 -1
- package/dist/cache/TokenCache.d.ts.map +1 -1
- package/dist/cache/TokenCache.mjs +7 -7
- package/dist/cache/TokenCache.mjs.map +1 -1
- package/dist/config/Configuration.mjs +1 -1
- package/dist/controllers/ControllerFactory.mjs +1 -1
- package/dist/controllers/NestedAppAuthController.mjs +1 -1
- package/dist/controllers/StandardController.d.ts +8 -0
- package/dist/controllers/StandardController.d.ts.map +1 -1
- package/dist/controllers/StandardController.mjs +50 -47
- package/dist/controllers/StandardController.mjs.map +1 -1
- package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
- package/dist/crypto/BrowserCrypto.mjs +1 -1
- package/dist/crypto/CryptoOps.mjs +1 -1
- package/dist/crypto/PkceGenerator.mjs +1 -1
- package/dist/crypto/SignedHttpRequest.mjs +1 -1
- package/dist/encode/Base64Decode.mjs +1 -1
- package/dist/encode/Base64Encode.mjs +1 -1
- package/dist/error/BrowserAuthError.mjs +1 -1
- package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/error/NativeAuthError.mjs +1 -1
- package/dist/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/error/NestedAppAuthError.mjs +1 -1
- package/dist/event/EventHandler.d.ts +1 -1
- package/dist/event/EventHandler.d.ts.map +1 -1
- package/dist/event/EventHandler.mjs +7 -5
- package/dist/event/EventHandler.mjs.map +1 -1
- package/dist/event/EventMessage.mjs +1 -1
- package/dist/event/EventType.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
- package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/NativeInteractionClient.mjs +11 -3
- package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/PopupClient.d.ts.map +1 -1
- package/dist/interaction_client/PopupClient.mjs +16 -8
- package/dist/interaction_client/PopupClient.mjs.map +1 -1
- package/dist/interaction_client/RedirectClient.d.ts +3 -3
- package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
- package/dist/interaction_client/RedirectClient.mjs +12 -5
- package/dist/interaction_client/RedirectClient.mjs.map +1 -1
- package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
- package/dist/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/dist/interaction_client/SilentIframeClient.mjs +19 -9
- package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
- package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
- package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
- package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
- package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
- package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/dist/interaction_handler/InteractionHandler.mjs +3 -3
- package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
- package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
- package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/dist/interaction_handler/RedirectHandler.mjs +3 -3
- package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
- package/dist/interaction_handler/SilentHandler.mjs +1 -1
- package/dist/naa/BridgeError.mjs +1 -1
- package/dist/naa/BridgeProxy.mjs +1 -1
- package/dist/naa/BridgeStatusCode.mjs +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs +7 -7
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
- package/dist/navigation/NavigationClient.mjs +1 -1
- package/dist/network/FetchClient.mjs +1 -1
- package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
- package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +13 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +74 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/PopupRequest.d.ts +1 -2
- package/dist/request/PopupRequest.d.ts.map +1 -1
- package/dist/request/RedirectRequest.d.ts +1 -2
- package/dist/request/RedirectRequest.d.ts.map +1 -1
- package/dist/request/RequestHelpers.mjs +1 -1
- package/dist/request/SilentRequest.d.ts +0 -1
- package/dist/request/SilentRequest.d.ts.map +1 -1
- package/dist/request/SsoSilentRequest.d.ts +2 -4
- package/dist/request/SsoSilentRequest.d.ts.map +1 -1
- package/dist/response/ResponseHandler.d.ts +3 -3
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
- package/dist/utils/BrowserConstants.mjs +1 -1
- package/dist/utils/BrowserProtocolUtils.mjs +1 -1
- package/dist/utils/BrowserUtils.mjs +1 -1
- package/lib/msal-browser.cjs +1049 -1053
- package/lib/msal-browser.cjs.map +1 -1
- package/lib/msal-browser.js +1049 -1053
- package/lib/msal-browser.js.map +1 -1
- package/lib/msal-browser.min.js +67 -65
- package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
- package/lib/types/cache/TokenCache.d.ts.map +1 -1
- package/lib/types/controllers/StandardController.d.ts +8 -0
- package/lib/types/controllers/StandardController.d.ts.map +1 -1
- package/lib/types/event/EventHandler.d.ts +1 -1
- package/lib/types/event/EventHandler.d.ts.map +1 -1
- package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
- package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
- package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
- package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
- package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +13 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/PopupRequest.d.ts +1 -2
- package/lib/types/request/PopupRequest.d.ts.map +1 -1
- package/lib/types/request/RedirectRequest.d.ts +1 -2
- package/lib/types/request/RedirectRequest.d.ts.map +1 -1
- package/lib/types/request/SilentRequest.d.ts +0 -1
- package/lib/types/request/SilentRequest.d.ts.map +1 -1
- package/lib/types/request/SsoSilentRequest.d.ts +2 -4
- package/lib/types/request/SsoSilentRequest.d.ts.map +1 -1
- package/lib/types/response/ResponseHandler.d.ts +3 -3
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/package.json +2 -2
- package/src/cache/BrowserCacheManager.ts +8 -2
- package/src/cache/TokenCache.ts +8 -7
- package/src/controllers/StandardController.ts +66 -51
- package/src/event/EventHandler.ts +9 -5
- package/src/interaction_client/NativeInteractionClient.ts +14 -2
- package/src/interaction_client/PopupClient.ts +40 -21
- package/src/interaction_client/RedirectClient.ts +41 -22
- package/src/interaction_client/SilentIframeClient.ts +42 -29
- package/src/interaction_client/StandardInteractionClient.ts +0 -40
- package/src/interaction_handler/InteractionHandler.ts +4 -3
- package/src/interaction_handler/RedirectHandler.ts +4 -3
- package/src/naa/mapping/NestedAppAuthAdapter.ts +9 -8
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +136 -0
- package/src/request/PopupRequest.ts +1 -5
- package/src/request/RedirectRequest.ts +1 -5
- package/src/request/SilentRequest.ts +0 -1
- package/src/request/SsoSilentRequest.ts +2 -7
- package/src/response/ResponseHandler.ts +3 -3
package/lib/msal-browser.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-browser v4.
|
|
1
|
+
/*! @azure/msal-browser v4.8.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
|
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
(global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
|
|
7
7
|
})(this, (function (exports) { 'use strict';
|
|
8
8
|
|
|
9
|
-
/*! @azure/msal-common v15.
|
|
9
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
10
10
|
/*
|
|
11
11
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
12
12
|
* Licensed under the MIT License.
|
|
@@ -254,13 +254,6 @@
|
|
|
254
254
|
INVALID_GRANT_ERROR: "invalid_grant",
|
|
255
255
|
CLIENT_MISMATCH_ERROR: "client_mismatch",
|
|
256
256
|
};
|
|
257
|
-
/**
|
|
258
|
-
* Password grant parameters
|
|
259
|
-
*/
|
|
260
|
-
const PasswordGrantConstants = {
|
|
261
|
-
username: "username",
|
|
262
|
-
password: "password",
|
|
263
|
-
};
|
|
264
257
|
/**
|
|
265
258
|
* Response codes
|
|
266
259
|
*/
|
|
@@ -310,7 +303,7 @@
|
|
|
310
303
|
// Token renewal offset default in seconds
|
|
311
304
|
const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
|
|
312
305
|
|
|
313
|
-
/*! @azure/msal-common v15.
|
|
306
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
314
307
|
/*
|
|
315
308
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
316
309
|
* Licensed under the MIT License.
|
|
@@ -327,7 +320,7 @@
|
|
|
327
320
|
unexpectedError: unexpectedError
|
|
328
321
|
});
|
|
329
322
|
|
|
330
|
-
/*! @azure/msal-common v15.
|
|
323
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
331
324
|
|
|
332
325
|
/*
|
|
333
326
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -376,7 +369,7 @@
|
|
|
376
369
|
: AuthErrorMessages[code]);
|
|
377
370
|
}
|
|
378
371
|
|
|
379
|
-
/*! @azure/msal-common v15.
|
|
372
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
380
373
|
/*
|
|
381
374
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
382
375
|
* Licensed under the MIT License.
|
|
@@ -474,7 +467,7 @@
|
|
|
474
467
|
userTimeoutReached: userTimeoutReached
|
|
475
468
|
});
|
|
476
469
|
|
|
477
|
-
/*! @azure/msal-common v15.
|
|
470
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
478
471
|
|
|
479
472
|
/*
|
|
480
473
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -726,7 +719,7 @@
|
|
|
726
719
|
return new ClientAuthError(errorCode, additionalMessage);
|
|
727
720
|
}
|
|
728
721
|
|
|
729
|
-
/*! @azure/msal-common v15.
|
|
722
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
730
723
|
|
|
731
724
|
/*
|
|
732
725
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -765,7 +758,7 @@
|
|
|
765
758
|
},
|
|
766
759
|
};
|
|
767
760
|
|
|
768
|
-
/*! @azure/msal-common v15.
|
|
761
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
769
762
|
|
|
770
763
|
/*
|
|
771
764
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -956,12 +949,12 @@
|
|
|
956
949
|
}
|
|
957
950
|
}
|
|
958
951
|
|
|
959
|
-
/*! @azure/msal-common v15.
|
|
952
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
960
953
|
/* eslint-disable header/header */
|
|
961
954
|
const name$1 = "@azure/msal-common";
|
|
962
|
-
const version$1 = "15.
|
|
955
|
+
const version$1 = "15.3.0";
|
|
963
956
|
|
|
964
|
-
/*! @azure/msal-common v15.
|
|
957
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
965
958
|
/*
|
|
966
959
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
967
960
|
* Licensed under the MIT License.
|
|
@@ -981,7 +974,7 @@
|
|
|
981
974
|
AzureUsGovernment: "https://login.microsoftonline.us",
|
|
982
975
|
};
|
|
983
976
|
|
|
984
|
-
/*! @azure/msal-common v15.
|
|
977
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
985
978
|
|
|
986
979
|
/*
|
|
987
980
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1042,7 +1035,7 @@
|
|
|
1042
1035
|
}
|
|
1043
1036
|
}
|
|
1044
1037
|
|
|
1045
|
-
/*! @azure/msal-common v15.
|
|
1038
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1046
1039
|
/*
|
|
1047
1040
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1048
1041
|
* Licensed under the MIT License.
|
|
@@ -1057,6 +1050,24 @@
|
|
|
1057
1050
|
// Date.getTime() returns in milliseconds.
|
|
1058
1051
|
return Math.round(new Date().getTime() / 1000.0);
|
|
1059
1052
|
}
|
|
1053
|
+
/**
|
|
1054
|
+
* Converts JS Date object to seconds
|
|
1055
|
+
* @param date Date
|
|
1056
|
+
*/
|
|
1057
|
+
function toSecondsFromDate(date) {
|
|
1058
|
+
// Convert date to seconds
|
|
1059
|
+
return date.getTime() / 1000;
|
|
1060
|
+
}
|
|
1061
|
+
/**
|
|
1062
|
+
* Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
|
|
1063
|
+
* @param seconds
|
|
1064
|
+
*/
|
|
1065
|
+
function toDateFromSeconds(seconds) {
|
|
1066
|
+
if (seconds) {
|
|
1067
|
+
return new Date(Number(seconds) * 1000);
|
|
1068
|
+
}
|
|
1069
|
+
return new Date();
|
|
1070
|
+
}
|
|
1060
1071
|
/**
|
|
1061
1072
|
* check if a token is expired based on given UTC time in seconds.
|
|
1062
1073
|
* @param expiresOn
|
|
@@ -1079,7 +1090,7 @@
|
|
|
1079
1090
|
return cachedAtSec > nowSeconds();
|
|
1080
1091
|
}
|
|
1081
1092
|
|
|
1082
|
-
/*! @azure/msal-common v15.
|
|
1093
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1083
1094
|
|
|
1084
1095
|
/*
|
|
1085
1096
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1406,7 +1417,7 @@
|
|
|
1406
1417
|
return metadata.expiresAt <= nowSeconds();
|
|
1407
1418
|
}
|
|
1408
1419
|
|
|
1409
|
-
/*! @azure/msal-common v15.
|
|
1420
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1410
1421
|
/*
|
|
1411
1422
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1412
1423
|
* Licensed under the MIT License.
|
|
@@ -1460,7 +1471,7 @@
|
|
|
1460
1471
|
urlParseError: urlParseError
|
|
1461
1472
|
});
|
|
1462
1473
|
|
|
1463
|
-
/*! @azure/msal-common v15.
|
|
1474
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1464
1475
|
|
|
1465
1476
|
/*
|
|
1466
1477
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1598,7 +1609,7 @@
|
|
|
1598
1609
|
return new ClientConfigurationError(errorCode);
|
|
1599
1610
|
}
|
|
1600
1611
|
|
|
1601
|
-
/*! @azure/msal-common v15.
|
|
1612
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1602
1613
|
/*
|
|
1603
1614
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1604
1615
|
* Licensed under the MIT License.
|
|
@@ -1695,7 +1706,7 @@
|
|
|
1695
1706
|
}
|
|
1696
1707
|
}
|
|
1697
1708
|
|
|
1698
|
-
/*! @azure/msal-common v15.
|
|
1709
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1699
1710
|
|
|
1700
1711
|
/*
|
|
1701
1712
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1886,7 +1897,7 @@
|
|
|
1886
1897
|
}
|
|
1887
1898
|
}
|
|
1888
1899
|
|
|
1889
|
-
/*! @azure/msal-common v15.
|
|
1900
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1890
1901
|
|
|
1891
1902
|
/*
|
|
1892
1903
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1926,7 +1937,7 @@
|
|
|
1926
1937
|
};
|
|
1927
1938
|
}
|
|
1928
1939
|
|
|
1929
|
-
/*! @azure/msal-common v15.
|
|
1940
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1930
1941
|
/*
|
|
1931
1942
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1932
1943
|
* Licensed under the MIT License.
|
|
@@ -2005,7 +2016,7 @@
|
|
|
2005
2016
|
return updatedAccountInfo;
|
|
2006
2017
|
}
|
|
2007
2018
|
|
|
2008
|
-
/*! @azure/msal-common v15.
|
|
2019
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2009
2020
|
/*
|
|
2010
2021
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2011
2022
|
* Licensed under the MIT License.
|
|
@@ -2020,7 +2031,7 @@
|
|
|
2020
2031
|
Ciam: 3,
|
|
2021
2032
|
};
|
|
2022
2033
|
|
|
2023
|
-
/*! @azure/msal-common v15.
|
|
2034
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2024
2035
|
/*
|
|
2025
2036
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2026
2037
|
* Licensed under the MIT License.
|
|
@@ -2042,7 +2053,7 @@
|
|
|
2042
2053
|
return null;
|
|
2043
2054
|
}
|
|
2044
2055
|
|
|
2045
|
-
/*! @azure/msal-common v15.
|
|
2056
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2046
2057
|
/*
|
|
2047
2058
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2048
2059
|
* Licensed under the MIT License.
|
|
@@ -2055,7 +2066,7 @@
|
|
|
2055
2066
|
OIDC: "OIDC",
|
|
2056
2067
|
};
|
|
2057
2068
|
|
|
2058
|
-
/*! @azure/msal-common v15.
|
|
2069
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2059
2070
|
|
|
2060
2071
|
/*
|
|
2061
2072
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2298,7 +2309,7 @@
|
|
|
2298
2309
|
}
|
|
2299
2310
|
}
|
|
2300
2311
|
|
|
2301
|
-
/*! @azure/msal-common v15.
|
|
2312
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2302
2313
|
|
|
2303
2314
|
/*
|
|
2304
2315
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2343,9 +2354,19 @@
|
|
|
2343
2354
|
throw createClientAuthError(hashNotDeserialized);
|
|
2344
2355
|
}
|
|
2345
2356
|
return null;
|
|
2357
|
+
}
|
|
2358
|
+
/**
|
|
2359
|
+
* Utility to create a URL from the params map
|
|
2360
|
+
*/
|
|
2361
|
+
function mapToQueryString(parameters) {
|
|
2362
|
+
const queryParameterArray = new Array();
|
|
2363
|
+
parameters.forEach((value, key) => {
|
|
2364
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
2365
|
+
});
|
|
2366
|
+
return queryParameterArray.join("&");
|
|
2346
2367
|
}
|
|
2347
2368
|
|
|
2348
|
-
/*! @azure/msal-common v15.
|
|
2369
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2349
2370
|
|
|
2350
2371
|
/*
|
|
2351
2372
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2509,7 +2530,7 @@
|
|
|
2509
2530
|
}
|
|
2510
2531
|
}
|
|
2511
2532
|
|
|
2512
|
-
/*! @azure/msal-common v15.
|
|
2533
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2513
2534
|
|
|
2514
2535
|
/*
|
|
2515
2536
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2649,7 +2670,7 @@
|
|
|
2649
2670
|
return null;
|
|
2650
2671
|
}
|
|
2651
2672
|
|
|
2652
|
-
/*! @azure/msal-common v15.
|
|
2673
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2653
2674
|
/*
|
|
2654
2675
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2655
2676
|
* Licensed under the MIT License.
|
|
@@ -2657,7 +2678,7 @@
|
|
|
2657
2678
|
const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
|
|
2658
2679
|
const cacheUnknownErrorCode = "cache_error_unknown";
|
|
2659
2680
|
|
|
2660
|
-
/*! @azure/msal-common v15.
|
|
2681
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2661
2682
|
|
|
2662
2683
|
/*
|
|
2663
2684
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2684,7 +2705,7 @@
|
|
|
2684
2705
|
}
|
|
2685
2706
|
}
|
|
2686
2707
|
|
|
2687
|
-
/*! @azure/msal-common v15.
|
|
2708
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2688
2709
|
|
|
2689
2710
|
/*
|
|
2690
2711
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3869,7 +3890,7 @@
|
|
|
3869
3890
|
}
|
|
3870
3891
|
}
|
|
3871
3892
|
|
|
3872
|
-
/*! @azure/msal-common v15.
|
|
3893
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3873
3894
|
|
|
3874
3895
|
/*
|
|
3875
3896
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3968,7 +3989,7 @@
|
|
|
3968
3989
|
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3969
3990
|
}
|
|
3970
3991
|
|
|
3971
|
-
/*! @azure/msal-common v15.
|
|
3992
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3972
3993
|
/*
|
|
3973
3994
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3974
3995
|
* Licensed under the MIT License.
|
|
@@ -3978,7 +3999,7 @@
|
|
|
3978
3999
|
UPN: "UPN",
|
|
3979
4000
|
};
|
|
3980
4001
|
|
|
3981
|
-
/*! @azure/msal-common v15.
|
|
4002
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3982
4003
|
/*
|
|
3983
4004
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3984
4005
|
* Licensed under the MIT License.
|
|
@@ -4010,14 +4031,11 @@
|
|
|
4010
4031
|
const X_APP_VER = "x-app-ver";
|
|
4011
4032
|
const POST_LOGOUT_URI = "post_logout_redirect_uri";
|
|
4012
4033
|
const ID_TOKEN_HINT = "id_token_hint";
|
|
4013
|
-
const DEVICE_CODE = "device_code";
|
|
4014
4034
|
const CLIENT_SECRET = "client_secret";
|
|
4015
4035
|
const CLIENT_ASSERTION = "client_assertion";
|
|
4016
4036
|
const CLIENT_ASSERTION_TYPE = "client_assertion_type";
|
|
4017
4037
|
const TOKEN_TYPE = "token_type";
|
|
4018
4038
|
const REQ_CNF = "req_cnf";
|
|
4019
|
-
const OBO_ASSERTION = "assertion";
|
|
4020
|
-
const REQUESTED_TOKEN_USE = "requested_token_use";
|
|
4021
4039
|
const RETURN_SPA_CODE = "return_spa_code";
|
|
4022
4040
|
const NATIVE_BROKER = "nativebroker";
|
|
4023
4041
|
const LOGOUT_HINT = "logout_hint";
|
|
@@ -4026,76 +4044,10 @@
|
|
|
4026
4044
|
const DOMAIN_HINT = "domain_hint";
|
|
4027
4045
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
4028
4046
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
4029
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4030
|
-
|
|
4031
|
-
/*! @azure/msal-common v15.2.0 2025-03-04 */
|
|
4032
|
-
|
|
4033
|
-
/*
|
|
4034
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4035
|
-
* Licensed under the MIT License.
|
|
4036
|
-
*/
|
|
4037
|
-
/**
|
|
4038
|
-
* Validates server consumable params from the "request" objects
|
|
4039
|
-
*/
|
|
4040
|
-
class RequestValidator {
|
|
4041
|
-
/**
|
|
4042
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
4043
|
-
* @param redirectUri
|
|
4044
|
-
*/
|
|
4045
|
-
static validateRedirectUri(redirectUri) {
|
|
4046
|
-
if (!redirectUri) {
|
|
4047
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
4048
|
-
}
|
|
4049
|
-
}
|
|
4050
|
-
/**
|
|
4051
|
-
* Utility to validate prompt sent by the user in the request
|
|
4052
|
-
* @param prompt
|
|
4053
|
-
*/
|
|
4054
|
-
static validatePrompt(prompt) {
|
|
4055
|
-
const promptValues = [];
|
|
4056
|
-
for (const value in PromptValue) {
|
|
4057
|
-
promptValues.push(PromptValue[value]);
|
|
4058
|
-
}
|
|
4059
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
4060
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
4061
|
-
}
|
|
4062
|
-
}
|
|
4063
|
-
static validateClaims(claims) {
|
|
4064
|
-
try {
|
|
4065
|
-
JSON.parse(claims);
|
|
4066
|
-
}
|
|
4067
|
-
catch (e) {
|
|
4068
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4069
|
-
}
|
|
4070
|
-
}
|
|
4071
|
-
/**
|
|
4072
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
4073
|
-
* @param codeChallenge
|
|
4074
|
-
* @param codeChallengeMethod
|
|
4075
|
-
*/
|
|
4076
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
4077
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
4078
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4079
|
-
}
|
|
4080
|
-
else {
|
|
4081
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
4082
|
-
}
|
|
4083
|
-
}
|
|
4084
|
-
/**
|
|
4085
|
-
* Utility to validate code_challenge_method
|
|
4086
|
-
* @param codeChallengeMethod
|
|
4087
|
-
*/
|
|
4088
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
4089
|
-
if ([
|
|
4090
|
-
CodeChallengeMethodValues.PLAIN,
|
|
4091
|
-
CodeChallengeMethodValues.S256,
|
|
4092
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
4093
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
4094
|
-
}
|
|
4095
|
-
}
|
|
4096
|
-
}
|
|
4047
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4048
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
4097
4049
|
|
|
4098
|
-
/*! @azure/msal-common v15.
|
|
4050
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4099
4051
|
|
|
4100
4052
|
/*
|
|
4101
4053
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4113,397 +4065,344 @@
|
|
|
4113
4065
|
}, correlationId);
|
|
4114
4066
|
}
|
|
4115
4067
|
}
|
|
4116
|
-
/**
|
|
4117
|
-
|
|
4118
|
-
|
|
4119
|
-
|
|
4120
|
-
|
|
4121
|
-
|
|
4122
|
-
|
|
4123
|
-
|
|
4124
|
-
|
|
4125
|
-
|
|
4126
|
-
|
|
4127
|
-
|
|
4128
|
-
|
|
4129
|
-
|
|
4130
|
-
|
|
4131
|
-
|
|
4132
|
-
|
|
4133
|
-
|
|
4134
|
-
|
|
4135
|
-
|
|
4136
|
-
|
|
4137
|
-
|
|
4138
|
-
|
|
4139
|
-
|
|
4140
|
-
|
|
4141
|
-
|
|
4142
|
-
|
|
4143
|
-
|
|
4144
|
-
|
|
4145
|
-
|
|
4146
|
-
|
|
4147
|
-
|
|
4148
|
-
|
|
4149
|
-
|
|
4150
|
-
|
|
4151
|
-
|
|
4152
|
-
|
|
4153
|
-
|
|
4154
|
-
|
|
4155
|
-
|
|
4156
|
-
|
|
4157
|
-
|
|
4158
|
-
|
|
4159
|
-
|
|
4160
|
-
|
|
4161
|
-
|
|
4162
|
-
|
|
4163
|
-
|
|
4164
|
-
|
|
4068
|
+
/**
|
|
4069
|
+
* add response_type = code
|
|
4070
|
+
*/
|
|
4071
|
+
function addResponseTypeCode(parameters) {
|
|
4072
|
+
parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
|
|
4073
|
+
}
|
|
4074
|
+
/**
|
|
4075
|
+
* add response_mode. defaults to query.
|
|
4076
|
+
* @param responseMode
|
|
4077
|
+
*/
|
|
4078
|
+
function addResponseMode(parameters, responseMode) {
|
|
4079
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
4080
|
+
}
|
|
4081
|
+
/**
|
|
4082
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
4083
|
+
*/
|
|
4084
|
+
function addNativeBroker(parameters) {
|
|
4085
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
4086
|
+
}
|
|
4087
|
+
/**
|
|
4088
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
4089
|
+
* @param scopeSet
|
|
4090
|
+
* @param addOidcScopes
|
|
4091
|
+
*/
|
|
4092
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
4093
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
4094
|
+
if (addOidcScopes &&
|
|
4095
|
+
!defaultScopes.includes("openid") &&
|
|
4096
|
+
!scopes.includes("openid")) {
|
|
4097
|
+
defaultScopes.push("openid");
|
|
4098
|
+
}
|
|
4099
|
+
const requestScopes = addOidcScopes
|
|
4100
|
+
? [...(scopes || []), ...defaultScopes]
|
|
4101
|
+
: scopes || [];
|
|
4102
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
4103
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
4104
|
+
}
|
|
4105
|
+
/**
|
|
4106
|
+
* add clientId
|
|
4107
|
+
* @param clientId
|
|
4108
|
+
*/
|
|
4109
|
+
function addClientId(parameters, clientId) {
|
|
4110
|
+
parameters.set(CLIENT_ID, clientId);
|
|
4111
|
+
}
|
|
4112
|
+
/**
|
|
4113
|
+
* add redirect_uri
|
|
4114
|
+
* @param redirectUri
|
|
4115
|
+
*/
|
|
4116
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
4117
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
4118
|
+
}
|
|
4119
|
+
/**
|
|
4120
|
+
* add post logout redirectUri
|
|
4121
|
+
* @param redirectUri
|
|
4122
|
+
*/
|
|
4123
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
4124
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
4125
|
+
}
|
|
4126
|
+
/**
|
|
4127
|
+
* add id_token_hint to logout request
|
|
4128
|
+
* @param idTokenHint
|
|
4129
|
+
*/
|
|
4130
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
4131
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
4132
|
+
}
|
|
4133
|
+
/**
|
|
4134
|
+
* add domain_hint
|
|
4135
|
+
* @param domainHint
|
|
4136
|
+
*/
|
|
4137
|
+
function addDomainHint(parameters, domainHint) {
|
|
4138
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
4139
|
+
}
|
|
4140
|
+
/**
|
|
4141
|
+
* add login_hint
|
|
4142
|
+
* @param loginHint
|
|
4143
|
+
*/
|
|
4144
|
+
function addLoginHint(parameters, loginHint) {
|
|
4145
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
4146
|
+
}
|
|
4147
|
+
/**
|
|
4148
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
4149
|
+
* @param loginHint
|
|
4150
|
+
*/
|
|
4151
|
+
function addCcsUpn(parameters, loginHint) {
|
|
4152
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
4153
|
+
}
|
|
4154
|
+
/**
|
|
4155
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
4156
|
+
* @param loginHint
|
|
4157
|
+
*/
|
|
4158
|
+
function addCcsOid(parameters, clientInfo) {
|
|
4159
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
4160
|
+
}
|
|
4161
|
+
/**
|
|
4162
|
+
* add sid
|
|
4163
|
+
* @param sid
|
|
4164
|
+
*/
|
|
4165
|
+
function addSid(parameters, sid) {
|
|
4166
|
+
parameters.set(SID, sid);
|
|
4167
|
+
}
|
|
4168
|
+
/**
|
|
4169
|
+
* add claims
|
|
4170
|
+
* @param claims
|
|
4171
|
+
*/
|
|
4172
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
4173
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
4174
|
+
try {
|
|
4175
|
+
JSON.parse(mergedClaims);
|
|
4165
4176
|
}
|
|
4166
|
-
|
|
4167
|
-
|
|
4168
|
-
* @param clientId
|
|
4169
|
-
*/
|
|
4170
|
-
addClientId(clientId) {
|
|
4171
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
4177
|
+
catch (e) {
|
|
4178
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4172
4179
|
}
|
|
4173
|
-
|
|
4174
|
-
|
|
4175
|
-
|
|
4176
|
-
|
|
4177
|
-
|
|
4178
|
-
|
|
4179
|
-
|
|
4180
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
4181
|
+
}
|
|
4182
|
+
/**
|
|
4183
|
+
* add correlationId
|
|
4184
|
+
* @param correlationId
|
|
4185
|
+
*/
|
|
4186
|
+
function addCorrelationId(parameters, correlationId) {
|
|
4187
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
4188
|
+
}
|
|
4189
|
+
/**
|
|
4190
|
+
* add library info query params
|
|
4191
|
+
* @param libraryInfo
|
|
4192
|
+
*/
|
|
4193
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
4194
|
+
// Telemetry Info
|
|
4195
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
4196
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
4197
|
+
if (libraryInfo.os) {
|
|
4198
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4180
4199
|
}
|
|
4181
|
-
|
|
4182
|
-
|
|
4183
|
-
* @param redirectUri
|
|
4184
|
-
*/
|
|
4185
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
4186
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
4187
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
4200
|
+
if (libraryInfo.cpu) {
|
|
4201
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4188
4202
|
}
|
|
4189
|
-
|
|
4190
|
-
|
|
4191
|
-
|
|
4192
|
-
|
|
4193
|
-
|
|
4194
|
-
|
|
4203
|
+
}
|
|
4204
|
+
/**
|
|
4205
|
+
* Add client telemetry parameters
|
|
4206
|
+
* @param appTelemetry
|
|
4207
|
+
*/
|
|
4208
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
4209
|
+
if (appTelemetry?.appName) {
|
|
4210
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4195
4211
|
}
|
|
4196
|
-
|
|
4197
|
-
|
|
4198
|
-
* @param domainHint
|
|
4199
|
-
*/
|
|
4200
|
-
addDomainHint(domainHint) {
|
|
4201
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
4212
|
+
if (appTelemetry?.appVersion) {
|
|
4213
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
4202
4214
|
}
|
|
4203
|
-
|
|
4204
|
-
|
|
4205
|
-
|
|
4206
|
-
|
|
4207
|
-
|
|
4208
|
-
|
|
4215
|
+
}
|
|
4216
|
+
/**
|
|
4217
|
+
* add prompt
|
|
4218
|
+
* @param prompt
|
|
4219
|
+
*/
|
|
4220
|
+
function addPrompt(parameters, prompt) {
|
|
4221
|
+
parameters.set(PROMPT, prompt);
|
|
4222
|
+
}
|
|
4223
|
+
/**
|
|
4224
|
+
* add state
|
|
4225
|
+
* @param state
|
|
4226
|
+
*/
|
|
4227
|
+
function addState(parameters, state) {
|
|
4228
|
+
if (state) {
|
|
4229
|
+
parameters.set(STATE, state);
|
|
4209
4230
|
}
|
|
4210
|
-
|
|
4211
|
-
|
|
4212
|
-
|
|
4213
|
-
|
|
4214
|
-
|
|
4215
|
-
|
|
4231
|
+
}
|
|
4232
|
+
/**
|
|
4233
|
+
* add nonce
|
|
4234
|
+
* @param nonce
|
|
4235
|
+
*/
|
|
4236
|
+
function addNonce(parameters, nonce) {
|
|
4237
|
+
parameters.set(NONCE, nonce);
|
|
4238
|
+
}
|
|
4239
|
+
/**
|
|
4240
|
+
* add code_challenge and code_challenge_method
|
|
4241
|
+
* - throw if either of them are not passed
|
|
4242
|
+
* @param codeChallenge
|
|
4243
|
+
* @param codeChallengeMethod
|
|
4244
|
+
*/
|
|
4245
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
4246
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
4247
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
4248
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
4216
4249
|
}
|
|
4217
|
-
|
|
4218
|
-
|
|
4219
|
-
* @param loginHint
|
|
4220
|
-
*/
|
|
4221
|
-
addCcsOid(clientInfo) {
|
|
4222
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
4250
|
+
else {
|
|
4251
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
4223
4252
|
}
|
|
4224
|
-
|
|
4225
|
-
|
|
4226
|
-
|
|
4227
|
-
|
|
4228
|
-
|
|
4229
|
-
|
|
4253
|
+
}
|
|
4254
|
+
/**
|
|
4255
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
4256
|
+
* @param code
|
|
4257
|
+
*/
|
|
4258
|
+
function addAuthorizationCode(parameters, code) {
|
|
4259
|
+
parameters.set(CODE, code);
|
|
4260
|
+
}
|
|
4261
|
+
/**
|
|
4262
|
+
* add the `refreshToken` passed by the user
|
|
4263
|
+
* @param refreshToken
|
|
4264
|
+
*/
|
|
4265
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
4266
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
4267
|
+
}
|
|
4268
|
+
/**
|
|
4269
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
4270
|
+
* @param codeVerifier
|
|
4271
|
+
*/
|
|
4272
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
4273
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
4274
|
+
}
|
|
4275
|
+
/**
|
|
4276
|
+
* add client_secret
|
|
4277
|
+
* @param clientSecret
|
|
4278
|
+
*/
|
|
4279
|
+
function addClientSecret(parameters, clientSecret) {
|
|
4280
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
4281
|
+
}
|
|
4282
|
+
/**
|
|
4283
|
+
* add clientAssertion for confidential client flows
|
|
4284
|
+
* @param clientAssertion
|
|
4285
|
+
*/
|
|
4286
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
4287
|
+
if (clientAssertion) {
|
|
4288
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
4230
4289
|
}
|
|
4231
|
-
|
|
4232
|
-
|
|
4233
|
-
|
|
4234
|
-
|
|
4235
|
-
|
|
4236
|
-
|
|
4237
|
-
|
|
4238
|
-
|
|
4290
|
+
}
|
|
4291
|
+
/**
|
|
4292
|
+
* add clientAssertionType for confidential client flows
|
|
4293
|
+
* @param clientAssertionType
|
|
4294
|
+
*/
|
|
4295
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
4296
|
+
if (clientAssertionType) {
|
|
4297
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
4239
4298
|
}
|
|
4240
|
-
|
|
4241
|
-
|
|
4242
|
-
|
|
4243
|
-
|
|
4244
|
-
|
|
4245
|
-
|
|
4299
|
+
}
|
|
4300
|
+
/**
|
|
4301
|
+
* add grant type
|
|
4302
|
+
* @param grantType
|
|
4303
|
+
*/
|
|
4304
|
+
function addGrantType(parameters, grantType) {
|
|
4305
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
4306
|
+
}
|
|
4307
|
+
/**
|
|
4308
|
+
* add client info
|
|
4309
|
+
*
|
|
4310
|
+
*/
|
|
4311
|
+
function addClientInfo(parameters) {
|
|
4312
|
+
parameters.set(CLIENT_INFO, "1");
|
|
4313
|
+
}
|
|
4314
|
+
function addInstanceAware(parameters) {
|
|
4315
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
4316
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
4246
4317
|
}
|
|
4247
|
-
|
|
4248
|
-
|
|
4249
|
-
|
|
4250
|
-
|
|
4251
|
-
|
|
4252
|
-
|
|
4253
|
-
|
|
4254
|
-
|
|
4255
|
-
|
|
4256
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4257
|
-
}
|
|
4258
|
-
if (libraryInfo.cpu) {
|
|
4259
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4318
|
+
}
|
|
4319
|
+
/**
|
|
4320
|
+
* add extraQueryParams
|
|
4321
|
+
* @param eQParams
|
|
4322
|
+
*/
|
|
4323
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
4324
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4325
|
+
if (!parameters.has(key) && value) {
|
|
4326
|
+
parameters.set(key, value);
|
|
4260
4327
|
}
|
|
4328
|
+
});
|
|
4329
|
+
}
|
|
4330
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4331
|
+
let mergedClaims;
|
|
4332
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
4333
|
+
if (!claims) {
|
|
4334
|
+
mergedClaims = {};
|
|
4261
4335
|
}
|
|
4262
|
-
|
|
4263
|
-
|
|
4264
|
-
|
|
4265
|
-
*/
|
|
4266
|
-
addApplicationTelemetry(appTelemetry) {
|
|
4267
|
-
if (appTelemetry?.appName) {
|
|
4268
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4336
|
+
else {
|
|
4337
|
+
try {
|
|
4338
|
+
mergedClaims = JSON.parse(claims);
|
|
4269
4339
|
}
|
|
4270
|
-
|
|
4271
|
-
|
|
4340
|
+
catch (e) {
|
|
4341
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4272
4342
|
}
|
|
4273
4343
|
}
|
|
4274
|
-
|
|
4275
|
-
|
|
4276
|
-
|
|
4277
|
-
|
|
4278
|
-
addPrompt(prompt) {
|
|
4279
|
-
RequestValidator.validatePrompt(prompt);
|
|
4280
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
4281
|
-
}
|
|
4282
|
-
/**
|
|
4283
|
-
* add state
|
|
4284
|
-
* @param state
|
|
4285
|
-
*/
|
|
4286
|
-
addState(state) {
|
|
4287
|
-
if (state) {
|
|
4288
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
4344
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4345
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4346
|
+
// Add access_token key to claims object
|
|
4347
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4289
4348
|
}
|
|
4349
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4350
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
4351
|
+
{
|
|
4352
|
+
values: clientCapabilities,
|
|
4353
|
+
};
|
|
4290
4354
|
}
|
|
4291
|
-
|
|
4292
|
-
|
|
4293
|
-
|
|
4294
|
-
|
|
4295
|
-
|
|
4296
|
-
|
|
4355
|
+
return JSON.stringify(mergedClaims);
|
|
4356
|
+
}
|
|
4357
|
+
/**
|
|
4358
|
+
* add pop_jwk to query params
|
|
4359
|
+
* @param cnfString
|
|
4360
|
+
*/
|
|
4361
|
+
function addPopToken(parameters, cnfString) {
|
|
4362
|
+
if (cnfString) {
|
|
4363
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4364
|
+
parameters.set(REQ_CNF, cnfString);
|
|
4297
4365
|
}
|
|
4298
|
-
|
|
4299
|
-
|
|
4300
|
-
|
|
4301
|
-
|
|
4302
|
-
|
|
4303
|
-
|
|
4304
|
-
|
|
4305
|
-
|
|
4306
|
-
if (codeChallenge && codeChallengeMethod) {
|
|
4307
|
-
this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
|
|
4308
|
-
this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
|
|
4309
|
-
}
|
|
4310
|
-
else {
|
|
4311
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4312
|
-
}
|
|
4313
|
-
}
|
|
4314
|
-
/**
|
|
4315
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4316
|
-
* @param code
|
|
4317
|
-
*/
|
|
4318
|
-
addAuthorizationCode(code) {
|
|
4319
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
4320
|
-
}
|
|
4321
|
-
/**
|
|
4322
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4323
|
-
* @param code
|
|
4324
|
-
*/
|
|
4325
|
-
addDeviceCode(code) {
|
|
4326
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
4327
|
-
}
|
|
4328
|
-
/**
|
|
4329
|
-
* add the `refreshToken` passed by the user
|
|
4330
|
-
* @param refreshToken
|
|
4331
|
-
*/
|
|
4332
|
-
addRefreshToken(refreshToken) {
|
|
4333
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
4334
|
-
}
|
|
4335
|
-
/**
|
|
4336
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
4337
|
-
* @param codeVerifier
|
|
4338
|
-
*/
|
|
4339
|
-
addCodeVerifier(codeVerifier) {
|
|
4340
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
4341
|
-
}
|
|
4342
|
-
/**
|
|
4343
|
-
* add client_secret
|
|
4344
|
-
* @param clientSecret
|
|
4345
|
-
*/
|
|
4346
|
-
addClientSecret(clientSecret) {
|
|
4347
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
4348
|
-
}
|
|
4349
|
-
/**
|
|
4350
|
-
* add clientAssertion for confidential client flows
|
|
4351
|
-
* @param clientAssertion
|
|
4352
|
-
*/
|
|
4353
|
-
addClientAssertion(clientAssertion) {
|
|
4354
|
-
if (clientAssertion) {
|
|
4355
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
4356
|
-
}
|
|
4357
|
-
}
|
|
4358
|
-
/**
|
|
4359
|
-
* add clientAssertionType for confidential client flows
|
|
4360
|
-
* @param clientAssertionType
|
|
4361
|
-
*/
|
|
4362
|
-
addClientAssertionType(clientAssertionType) {
|
|
4363
|
-
if (clientAssertionType) {
|
|
4364
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
4365
|
-
}
|
|
4366
|
-
}
|
|
4367
|
-
/**
|
|
4368
|
-
* add OBO assertion for confidential client flows
|
|
4369
|
-
* @param clientAssertion
|
|
4370
|
-
*/
|
|
4371
|
-
addOboAssertion(oboAssertion) {
|
|
4372
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
4373
|
-
}
|
|
4374
|
-
/**
|
|
4375
|
-
* add grant type
|
|
4376
|
-
* @param grantType
|
|
4377
|
-
*/
|
|
4378
|
-
addRequestTokenUse(tokenUse) {
|
|
4379
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
4380
|
-
}
|
|
4381
|
-
/**
|
|
4382
|
-
* add grant type
|
|
4383
|
-
* @param grantType
|
|
4384
|
-
*/
|
|
4385
|
-
addGrantType(grantType) {
|
|
4386
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
4387
|
-
}
|
|
4388
|
-
/**
|
|
4389
|
-
* add client info
|
|
4390
|
-
*
|
|
4391
|
-
*/
|
|
4392
|
-
addClientInfo() {
|
|
4393
|
-
this.parameters.set(CLIENT_INFO, "1");
|
|
4394
|
-
}
|
|
4395
|
-
/**
|
|
4396
|
-
* add extraQueryParams
|
|
4397
|
-
* @param eQParams
|
|
4398
|
-
*/
|
|
4399
|
-
addExtraQueryParameters(eQParams) {
|
|
4400
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4401
|
-
if (!this.parameters.has(key) && value) {
|
|
4402
|
-
this.parameters.set(key, value);
|
|
4403
|
-
}
|
|
4404
|
-
});
|
|
4405
|
-
}
|
|
4406
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4407
|
-
let mergedClaims;
|
|
4408
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
4409
|
-
if (!claims) {
|
|
4410
|
-
mergedClaims = {};
|
|
4411
|
-
}
|
|
4412
|
-
else {
|
|
4413
|
-
try {
|
|
4414
|
-
mergedClaims = JSON.parse(claims);
|
|
4415
|
-
}
|
|
4416
|
-
catch (e) {
|
|
4417
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4418
|
-
}
|
|
4419
|
-
}
|
|
4420
|
-
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4421
|
-
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4422
|
-
// Add access_token key to claims object
|
|
4423
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4424
|
-
}
|
|
4425
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4426
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
4427
|
-
values: clientCapabilities,
|
|
4428
|
-
};
|
|
4429
|
-
}
|
|
4430
|
-
return JSON.stringify(mergedClaims);
|
|
4431
|
-
}
|
|
4432
|
-
/**
|
|
4433
|
-
* adds `username` for Password Grant flow
|
|
4434
|
-
* @param username
|
|
4435
|
-
*/
|
|
4436
|
-
addUsername(username) {
|
|
4437
|
-
this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
|
|
4438
|
-
}
|
|
4439
|
-
/**
|
|
4440
|
-
* adds `password` for Password Grant flow
|
|
4441
|
-
* @param password
|
|
4442
|
-
*/
|
|
4443
|
-
addPassword(password) {
|
|
4444
|
-
this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
|
|
4445
|
-
}
|
|
4446
|
-
/**
|
|
4447
|
-
* add pop_jwk to query params
|
|
4448
|
-
* @param cnfString
|
|
4449
|
-
*/
|
|
4450
|
-
addPopToken(cnfString) {
|
|
4451
|
-
if (cnfString) {
|
|
4452
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4453
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
|
|
4454
|
-
}
|
|
4455
|
-
}
|
|
4456
|
-
/**
|
|
4457
|
-
* add SSH JWK and key ID to query params
|
|
4458
|
-
*/
|
|
4459
|
-
addSshJwk(sshJwkString) {
|
|
4460
|
-
if (sshJwkString) {
|
|
4461
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4462
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
4463
|
-
}
|
|
4464
|
-
}
|
|
4465
|
-
/**
|
|
4466
|
-
* add server telemetry fields
|
|
4467
|
-
* @param serverTelemetryManager
|
|
4468
|
-
*/
|
|
4469
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
4470
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4471
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4472
|
-
}
|
|
4473
|
-
/**
|
|
4474
|
-
* Adds parameter that indicates to the server that throttling is supported
|
|
4475
|
-
*/
|
|
4476
|
-
addThrottling() {
|
|
4477
|
-
this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4478
|
-
}
|
|
4479
|
-
/**
|
|
4480
|
-
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4481
|
-
*/
|
|
4482
|
-
addLogoutHint(logoutHint) {
|
|
4483
|
-
this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
|
|
4366
|
+
}
|
|
4367
|
+
/**
|
|
4368
|
+
* add SSH JWK and key ID to query params
|
|
4369
|
+
*/
|
|
4370
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
4371
|
+
if (sshJwkString) {
|
|
4372
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4373
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
4484
4374
|
}
|
|
4485
|
-
|
|
4486
|
-
|
|
4487
|
-
|
|
4488
|
-
|
|
4489
|
-
|
|
4490
|
-
|
|
4491
|
-
|
|
4375
|
+
}
|
|
4376
|
+
/**
|
|
4377
|
+
* add server telemetry fields
|
|
4378
|
+
* @param serverTelemetryManager
|
|
4379
|
+
*/
|
|
4380
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
4381
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4382
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4383
|
+
}
|
|
4384
|
+
/**
|
|
4385
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
4386
|
+
*/
|
|
4387
|
+
function addThrottling(parameters) {
|
|
4388
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4389
|
+
}
|
|
4390
|
+
/**
|
|
4391
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4392
|
+
*/
|
|
4393
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
4394
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
4395
|
+
}
|
|
4396
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
4397
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
4398
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
4492
4399
|
}
|
|
4493
|
-
|
|
4494
|
-
|
|
4495
|
-
*/
|
|
4496
|
-
createQueryString() {
|
|
4497
|
-
const queryParameterArray = new Array();
|
|
4498
|
-
this.parameters.forEach((value, key) => {
|
|
4499
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
4500
|
-
});
|
|
4501
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
4502
|
-
return queryParameterArray.join("&");
|
|
4400
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
4401
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
4503
4402
|
}
|
|
4504
4403
|
}
|
|
4505
4404
|
|
|
4506
|
-
/*! @azure/msal-common v15.
|
|
4405
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4507
4406
|
/*
|
|
4508
4407
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4509
4408
|
* Licensed under the MIT License.
|
|
@@ -4515,7 +4414,7 @@
|
|
|
4515
4414
|
response.hasOwnProperty("jwks_uri"));
|
|
4516
4415
|
}
|
|
4517
4416
|
|
|
4518
|
-
/*! @azure/msal-common v15.
|
|
4417
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4519
4418
|
/*
|
|
4520
4419
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4521
4420
|
* Licensed under the MIT License.
|
|
@@ -4525,7 +4424,7 @@
|
|
|
4525
4424
|
response.hasOwnProperty("metadata"));
|
|
4526
4425
|
}
|
|
4527
4426
|
|
|
4528
|
-
/*! @azure/msal-common v15.
|
|
4427
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4529
4428
|
/*
|
|
4530
4429
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4531
4430
|
* Licensed under the MIT License.
|
|
@@ -4535,7 +4434,7 @@
|
|
|
4535
4434
|
response.hasOwnProperty("error_description"));
|
|
4536
4435
|
}
|
|
4537
4436
|
|
|
4538
|
-
/*! @azure/msal-common v15.
|
|
4437
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4539
4438
|
/*
|
|
4540
4439
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4541
4440
|
* Licensed under the MIT License.
|
|
@@ -4711,11 +4610,11 @@
|
|
|
4711
4610
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
4712
4611
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
4713
4612
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
4714
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
4715
4613
|
/**
|
|
4716
4614
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
4717
4615
|
*/
|
|
4718
4616
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
4617
|
+
GetStandardParams: "getStandardParams",
|
|
4719
4618
|
/**
|
|
4720
4619
|
* Functions from InteractionHandler (msal-browser)
|
|
4721
4620
|
*/
|
|
@@ -4728,7 +4627,6 @@
|
|
|
4728
4627
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
4729
4628
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
4730
4629
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
4731
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
4732
4630
|
/**
|
|
4733
4631
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
4734
4632
|
*/
|
|
@@ -4899,10 +4797,6 @@
|
|
|
4899
4797
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
4900
4798
|
"StdIntClientInitAuthReq",
|
|
4901
4799
|
],
|
|
4902
|
-
[
|
|
4903
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
4904
|
-
"StdIntClientInitAuthCodeReq",
|
|
4905
|
-
],
|
|
4906
4800
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
4907
4801
|
[
|
|
4908
4802
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
@@ -4916,10 +4810,6 @@
|
|
|
4916
4810
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
4917
4811
|
"AuthClientCreateTReqBody",
|
|
4918
4812
|
],
|
|
4919
|
-
[
|
|
4920
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
4921
|
-
"AuthClientCreateQueryStr",
|
|
4922
|
-
],
|
|
4923
4813
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
4924
4814
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
4925
4815
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -5044,7 +4934,7 @@
|
|
|
5044
4934
|
"encryptedCacheExpiredCount",
|
|
5045
4935
|
]);
|
|
5046
4936
|
|
|
5047
|
-
/*! @azure/msal-common v15.
|
|
4937
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5048
4938
|
/*
|
|
5049
4939
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5050
4940
|
* Licensed under the MIT License.
|
|
@@ -5140,7 +5030,7 @@
|
|
|
5140
5030
|
};
|
|
5141
5031
|
};
|
|
5142
5032
|
|
|
5143
|
-
/*! @azure/msal-common v15.
|
|
5033
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5144
5034
|
|
|
5145
5035
|
/*
|
|
5146
5036
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5249,7 +5139,7 @@
|
|
|
5249
5139
|
},
|
|
5250
5140
|
};
|
|
5251
5141
|
|
|
5252
|
-
/*! @azure/msal-common v15.
|
|
5142
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5253
5143
|
|
|
5254
5144
|
/*
|
|
5255
5145
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6088,7 +5978,7 @@
|
|
|
6088
5978
|
};
|
|
6089
5979
|
}
|
|
6090
5980
|
|
|
6091
|
-
/*! @azure/msal-common v15.
|
|
5981
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6092
5982
|
|
|
6093
5983
|
/*
|
|
6094
5984
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6119,7 +6009,7 @@
|
|
|
6119
6009
|
}
|
|
6120
6010
|
}
|
|
6121
6011
|
|
|
6122
|
-
/*! @azure/msal-common v15.
|
|
6012
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6123
6013
|
|
|
6124
6014
|
/*
|
|
6125
6015
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6138,7 +6028,28 @@
|
|
|
6138
6028
|
}
|
|
6139
6029
|
}
|
|
6140
6030
|
|
|
6141
|
-
/*! @azure/msal-common v15.
|
|
6031
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6032
|
+
/*
|
|
6033
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6034
|
+
* Licensed under the MIT License.
|
|
6035
|
+
*/
|
|
6036
|
+
function getRequestThumbprint(clientId, request, homeAccountId) {
|
|
6037
|
+
return {
|
|
6038
|
+
clientId: clientId,
|
|
6039
|
+
authority: request.authority,
|
|
6040
|
+
scopes: request.scopes,
|
|
6041
|
+
homeAccountIdentifier: homeAccountId,
|
|
6042
|
+
claims: request.claims,
|
|
6043
|
+
authenticationScheme: request.authenticationScheme,
|
|
6044
|
+
resourceRequestMethod: request.resourceRequestMethod,
|
|
6045
|
+
resourceRequestUri: request.resourceRequestUri,
|
|
6046
|
+
shrClaims: request.shrClaims,
|
|
6047
|
+
sshKid: request.sshKid,
|
|
6048
|
+
embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
|
|
6049
|
+
};
|
|
6050
|
+
}
|
|
6051
|
+
|
|
6052
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6142
6053
|
|
|
6143
6054
|
/*
|
|
6144
6055
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6219,24 +6130,13 @@
|
|
|
6219
6130
|
ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
|
|
6220
6131
|
}
|
|
6221
6132
|
static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
|
|
6222
|
-
const thumbprint =
|
|
6223
|
-
clientId: clientId,
|
|
6224
|
-
authority: request.authority,
|
|
6225
|
-
scopes: request.scopes,
|
|
6226
|
-
homeAccountIdentifier: homeAccountIdentifier,
|
|
6227
|
-
claims: request.claims,
|
|
6228
|
-
authenticationScheme: request.authenticationScheme,
|
|
6229
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
6230
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
6231
|
-
shrClaims: request.shrClaims,
|
|
6232
|
-
sshKid: request.sshKid,
|
|
6233
|
-
};
|
|
6133
|
+
const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
|
|
6234
6134
|
const key = this.generateThrottlingStorageKey(thumbprint);
|
|
6235
6135
|
cacheManager.removeItem(key);
|
|
6236
6136
|
}
|
|
6237
6137
|
}
|
|
6238
6138
|
|
|
6239
|
-
/*! @azure/msal-common v15.
|
|
6139
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6240
6140
|
|
|
6241
6141
|
/*
|
|
6242
6142
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6266,7 +6166,7 @@
|
|
|
6266
6166
|
return new NetworkError(error, httpStatus, responseHeaders);
|
|
6267
6167
|
}
|
|
6268
6168
|
|
|
6269
|
-
/*! @azure/msal-common v15.
|
|
6169
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6270
6170
|
|
|
6271
6171
|
/*
|
|
6272
6172
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6401,22 +6301,20 @@
|
|
|
6401
6301
|
* @param request
|
|
6402
6302
|
*/
|
|
6403
6303
|
createTokenQueryParameters(request) {
|
|
6404
|
-
const
|
|
6304
|
+
const parameters = new Map();
|
|
6405
6305
|
if (request.embeddedClientId) {
|
|
6406
|
-
|
|
6407
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6408
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6409
|
-
});
|
|
6306
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6410
6307
|
}
|
|
6411
6308
|
if (request.tokenQueryParameters) {
|
|
6412
|
-
|
|
6309
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6413
6310
|
}
|
|
6414
|
-
|
|
6415
|
-
|
|
6311
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6312
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6313
|
+
return mapToQueryString(parameters);
|
|
6416
6314
|
}
|
|
6417
6315
|
}
|
|
6418
6316
|
|
|
6419
|
-
/*! @azure/msal-common v15.
|
|
6317
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6420
6318
|
/*
|
|
6421
6319
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6422
6320
|
* Licensed under the MIT License.
|
|
@@ -6442,7 +6340,7 @@
|
|
|
6442
6340
|
refreshTokenExpired: refreshTokenExpired
|
|
6443
6341
|
});
|
|
6444
6342
|
|
|
6445
|
-
/*! @azure/msal-common v15.
|
|
6343
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6446
6344
|
|
|
6447
6345
|
/*
|
|
6448
6346
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6530,7 +6428,7 @@
|
|
|
6530
6428
|
return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
|
|
6531
6429
|
}
|
|
6532
6430
|
|
|
6533
|
-
/*! @azure/msal-common v15.
|
|
6431
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6534
6432
|
|
|
6535
6433
|
/*
|
|
6536
6434
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6602,7 +6500,7 @@
|
|
|
6602
6500
|
}
|
|
6603
6501
|
}
|
|
6604
6502
|
|
|
6605
|
-
/*! @azure/msal-common v15.
|
|
6503
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6606
6504
|
|
|
6607
6505
|
/*
|
|
6608
6506
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6686,7 +6584,7 @@
|
|
|
6686
6584
|
}
|
|
6687
6585
|
}
|
|
6688
6586
|
|
|
6689
|
-
/*! @azure/msal-common v15.
|
|
6587
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6690
6588
|
/*
|
|
6691
6589
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6692
6590
|
* Licensed under the MIT License.
|
|
@@ -6713,19 +6611,12 @@
|
|
|
6713
6611
|
}
|
|
6714
6612
|
}
|
|
6715
6613
|
|
|
6716
|
-
/*! @azure/msal-common v15.
|
|
6614
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6717
6615
|
|
|
6718
6616
|
/*
|
|
6719
6617
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6720
6618
|
* Licensed under the MIT License.
|
|
6721
6619
|
*/
|
|
6722
|
-
function parseServerErrorNo(serverResponse) {
|
|
6723
|
-
const errorCodePrefix = "code=";
|
|
6724
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6725
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6726
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6727
|
-
: undefined;
|
|
6728
|
-
}
|
|
6729
6620
|
/**
|
|
6730
6621
|
* Class that handles response parsing.
|
|
6731
6622
|
* @internal
|
|
@@ -6740,46 +6631,6 @@
|
|
|
6740
6631
|
this.persistencePlugin = persistencePlugin;
|
|
6741
6632
|
this.performanceClient = performanceClient;
|
|
6742
6633
|
}
|
|
6743
|
-
/**
|
|
6744
|
-
* Function which validates server authorization code response.
|
|
6745
|
-
* @param serverResponseHash
|
|
6746
|
-
* @param requestState
|
|
6747
|
-
* @param cryptoObj
|
|
6748
|
-
*/
|
|
6749
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6750
|
-
if (!serverResponse.state || !requestState) {
|
|
6751
|
-
throw serverResponse.state
|
|
6752
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6753
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6754
|
-
}
|
|
6755
|
-
let decodedServerResponseState;
|
|
6756
|
-
let decodedRequestState;
|
|
6757
|
-
try {
|
|
6758
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6759
|
-
}
|
|
6760
|
-
catch (e) {
|
|
6761
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6762
|
-
}
|
|
6763
|
-
try {
|
|
6764
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6765
|
-
}
|
|
6766
|
-
catch (e) {
|
|
6767
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6768
|
-
}
|
|
6769
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6770
|
-
throw createClientAuthError(stateMismatch);
|
|
6771
|
-
}
|
|
6772
|
-
// Check for error
|
|
6773
|
-
if (serverResponse.error ||
|
|
6774
|
-
serverResponse.error_description ||
|
|
6775
|
-
serverResponse.suberror) {
|
|
6776
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6777
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6778
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6779
|
-
}
|
|
6780
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6781
|
-
}
|
|
6782
|
-
}
|
|
6783
6634
|
/**
|
|
6784
6635
|
* Function which validates server authorization token response.
|
|
6785
6636
|
* @param serverResponse
|
|
@@ -7005,10 +6856,11 @@
|
|
|
7005
6856
|
accessToken = cacheRecord.accessToken.secret;
|
|
7006
6857
|
}
|
|
7007
6858
|
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
7008
|
-
expiresOn
|
|
7009
|
-
|
|
6859
|
+
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
6860
|
+
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
6861
|
+
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
7010
6862
|
if (cacheRecord.accessToken.refreshOn) {
|
|
7011
|
-
refreshOn =
|
|
6863
|
+
refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
|
|
7012
6864
|
}
|
|
7013
6865
|
}
|
|
7014
6866
|
if (cacheRecord.appMetadata) {
|
|
@@ -7090,7 +6942,74 @@
|
|
|
7090
6942
|
return baseAccount;
|
|
7091
6943
|
}
|
|
7092
6944
|
|
|
7093
|
-
/*! @azure/msal-common v15.
|
|
6945
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6946
|
+
|
|
6947
|
+
/*
|
|
6948
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6949
|
+
* Licensed under the MIT License.
|
|
6950
|
+
*/
|
|
6951
|
+
/**
|
|
6952
|
+
* Validates server consumable params from the "request" objects
|
|
6953
|
+
*/
|
|
6954
|
+
class RequestValidator {
|
|
6955
|
+
/**
|
|
6956
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
6957
|
+
* @param redirectUri
|
|
6958
|
+
*/
|
|
6959
|
+
static validateRedirectUri(redirectUri) {
|
|
6960
|
+
if (!redirectUri) {
|
|
6961
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
6962
|
+
}
|
|
6963
|
+
}
|
|
6964
|
+
/**
|
|
6965
|
+
* Utility to validate prompt sent by the user in the request
|
|
6966
|
+
* @param prompt
|
|
6967
|
+
*/
|
|
6968
|
+
static validatePrompt(prompt) {
|
|
6969
|
+
const promptValues = [];
|
|
6970
|
+
for (const value in PromptValue) {
|
|
6971
|
+
promptValues.push(PromptValue[value]);
|
|
6972
|
+
}
|
|
6973
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
6974
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
6975
|
+
}
|
|
6976
|
+
}
|
|
6977
|
+
static validateClaims(claims) {
|
|
6978
|
+
try {
|
|
6979
|
+
JSON.parse(claims);
|
|
6980
|
+
}
|
|
6981
|
+
catch (e) {
|
|
6982
|
+
throw createClientConfigurationError(invalidClaims);
|
|
6983
|
+
}
|
|
6984
|
+
}
|
|
6985
|
+
/**
|
|
6986
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
6987
|
+
* @param codeChallenge
|
|
6988
|
+
* @param codeChallengeMethod
|
|
6989
|
+
*/
|
|
6990
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
6991
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
6992
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
6993
|
+
}
|
|
6994
|
+
else {
|
|
6995
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
6996
|
+
}
|
|
6997
|
+
}
|
|
6998
|
+
/**
|
|
6999
|
+
* Utility to validate code_challenge_method
|
|
7000
|
+
* @param codeChallengeMethod
|
|
7001
|
+
*/
|
|
7002
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
7003
|
+
if ([
|
|
7004
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7005
|
+
CodeChallengeMethodValues.S256,
|
|
7006
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7007
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7008
|
+
}
|
|
7009
|
+
}
|
|
7010
|
+
}
|
|
7011
|
+
|
|
7012
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7094
7013
|
/*
|
|
7095
7014
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7096
7015
|
* Licensed under the MIT License.
|
|
@@ -7108,7 +7027,7 @@
|
|
|
7108
7027
|
}
|
|
7109
7028
|
}
|
|
7110
7029
|
|
|
7111
|
-
/*! @azure/msal-common v15.
|
|
7030
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7112
7031
|
|
|
7113
7032
|
/*
|
|
7114
7033
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7126,21 +7045,6 @@
|
|
|
7126
7045
|
this.oidcDefaultScopes =
|
|
7127
7046
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7128
7047
|
}
|
|
7129
|
-
/**
|
|
7130
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7131
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7132
|
-
* application object.
|
|
7133
|
-
*
|
|
7134
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7135
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7136
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7137
|
-
* @param request
|
|
7138
|
-
*/
|
|
7139
|
-
async getAuthCodeUrl(request) {
|
|
7140
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7141
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7142
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7143
|
-
}
|
|
7144
7048
|
/**
|
|
7145
7049
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7146
7050
|
* authorization_code_grant
|
|
@@ -7160,22 +7064,6 @@
|
|
|
7160
7064
|
responseHandler.validateTokenResponse(response.body);
|
|
7161
7065
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7162
7066
|
}
|
|
7163
|
-
/**
|
|
7164
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7165
|
-
* the client to exchange for a token in acquireToken.
|
|
7166
|
-
* @param hashFragment
|
|
7167
|
-
*/
|
|
7168
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7169
|
-
// Handle responses.
|
|
7170
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7171
|
-
// Get code response
|
|
7172
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7173
|
-
// throw when there is no auth code in the response
|
|
7174
|
-
if (!serverParams.code) {
|
|
7175
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7176
|
-
}
|
|
7177
|
-
return serverParams;
|
|
7178
|
-
}
|
|
7179
7067
|
/**
|
|
7180
7068
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7181
7069
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7214,18 +7102,7 @@
|
|
|
7214
7102
|
}
|
|
7215
7103
|
}
|
|
7216
7104
|
const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
|
|
7217
|
-
const thumbprint =
|
|
7218
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7219
|
-
this.config.authOptions.clientId,
|
|
7220
|
-
authority: authority.canonicalAuthority,
|
|
7221
|
-
scopes: request.scopes,
|
|
7222
|
-
claims: request.claims,
|
|
7223
|
-
authenticationScheme: request.authenticationScheme,
|
|
7224
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7225
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7226
|
-
shrClaims: request.shrClaims,
|
|
7227
|
-
sshKid: request.sshKid,
|
|
7228
|
-
};
|
|
7105
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7229
7106
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
|
|
7230
7107
|
}
|
|
7231
7108
|
/**
|
|
@@ -7234,8 +7111,8 @@
|
|
|
7234
7111
|
*/
|
|
7235
7112
|
async createTokenRequestBody(request) {
|
|
7236
7113
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7237
|
-
const
|
|
7238
|
-
|
|
7114
|
+
const parameters = new Map();
|
|
7115
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7239
7116
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7240
7117
|
this.config.authOptions.clientId);
|
|
7241
7118
|
/*
|
|
@@ -7248,33 +7125,33 @@
|
|
|
7248
7125
|
}
|
|
7249
7126
|
else {
|
|
7250
7127
|
// Validate and include redirect uri
|
|
7251
|
-
|
|
7128
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7252
7129
|
}
|
|
7253
7130
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7254
|
-
|
|
7131
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7255
7132
|
// add code: user set, not validated
|
|
7256
|
-
|
|
7133
|
+
addAuthorizationCode(parameters, request.code);
|
|
7257
7134
|
// Add library metadata
|
|
7258
|
-
|
|
7259
|
-
|
|
7260
|
-
|
|
7135
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7136
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7137
|
+
addThrottling(parameters);
|
|
7261
7138
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7262
|
-
|
|
7139
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7263
7140
|
}
|
|
7264
7141
|
// add code_verifier if passed
|
|
7265
7142
|
if (request.codeVerifier) {
|
|
7266
|
-
|
|
7143
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7267
7144
|
}
|
|
7268
7145
|
if (this.config.clientCredentials.clientSecret) {
|
|
7269
|
-
|
|
7146
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7270
7147
|
}
|
|
7271
7148
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7272
7149
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7273
|
-
|
|
7274
|
-
|
|
7150
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7151
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7275
7152
|
}
|
|
7276
|
-
|
|
7277
|
-
|
|
7153
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7154
|
+
addClientInfo(parameters);
|
|
7278
7155
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7279
7156
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7280
7157
|
let reqCnfData;
|
|
@@ -7286,11 +7163,11 @@
|
|
|
7286
7163
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7287
7164
|
}
|
|
7288
7165
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7289
|
-
|
|
7166
|
+
addPopToken(parameters, reqCnfData);
|
|
7290
7167
|
}
|
|
7291
7168
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7292
7169
|
if (request.sshJwk) {
|
|
7293
|
-
|
|
7170
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7294
7171
|
}
|
|
7295
7172
|
else {
|
|
7296
7173
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7299,7 +7176,7 @@
|
|
|
7299
7176
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7300
7177
|
(this.config.authOptions.clientCapabilities &&
|
|
7301
7178
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7302
|
-
|
|
7179
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7303
7180
|
}
|
|
7304
7181
|
let ccsCred = undefined;
|
|
7305
7182
|
if (request.clientInfo) {
|
|
@@ -7323,7 +7200,7 @@
|
|
|
7323
7200
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7324
7201
|
try {
|
|
7325
7202
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7326
|
-
|
|
7203
|
+
addCcsOid(parameters, clientInfo);
|
|
7327
7204
|
}
|
|
7328
7205
|
catch (e) {
|
|
7329
7206
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7331,234 +7208,59 @@
|
|
|
7331
7208
|
}
|
|
7332
7209
|
break;
|
|
7333
7210
|
case CcsCredentialType.UPN:
|
|
7334
|
-
|
|
7211
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7335
7212
|
break;
|
|
7336
7213
|
}
|
|
7337
7214
|
}
|
|
7338
7215
|
if (request.embeddedClientId) {
|
|
7339
|
-
|
|
7340
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7341
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7342
|
-
});
|
|
7216
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7343
7217
|
}
|
|
7344
7218
|
if (request.tokenBodyParameters) {
|
|
7345
|
-
|
|
7219
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7346
7220
|
}
|
|
7347
7221
|
// Add hybrid spa parameters if not already provided
|
|
7348
7222
|
if (request.enableSpaAuthorizationCode &&
|
|
7349
7223
|
(!request.tokenBodyParameters ||
|
|
7350
7224
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7351
|
-
|
|
7225
|
+
addExtraQueryParameters(parameters, {
|
|
7352
7226
|
[RETURN_SPA_CODE]: "1",
|
|
7353
7227
|
});
|
|
7354
7228
|
}
|
|
7355
|
-
|
|
7356
|
-
|
|
7357
|
-
/**
|
|
7358
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7359
|
-
* @param request
|
|
7360
|
-
*/
|
|
7361
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7362
|
-
// generate the correlationId if not set by the user and add
|
|
7363
|
-
const correlationId = request.correlationId ||
|
|
7364
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7365
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7366
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7367
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7368
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7369
|
-
this.config.authOptions.clientId);
|
|
7370
|
-
const requestScopes = [
|
|
7371
|
-
...(request.scopes || []),
|
|
7372
|
-
...(request.extraScopesToConsent || []),
|
|
7373
|
-
];
|
|
7374
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7375
|
-
// validate the redirectUri (to be a non null value)
|
|
7376
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7377
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7378
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7379
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7380
|
-
// add response_type = code
|
|
7381
|
-
parameterBuilder.addResponseTypeCode();
|
|
7382
|
-
// add library info parameters
|
|
7383
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7384
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7385
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7386
|
-
}
|
|
7387
|
-
// add client_info=1
|
|
7388
|
-
parameterBuilder.addClientInfo();
|
|
7389
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7390
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7391
|
-
}
|
|
7392
|
-
if (request.prompt) {
|
|
7393
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7394
|
-
}
|
|
7395
|
-
if (request.domainHint) {
|
|
7396
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7397
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7398
|
-
}
|
|
7399
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7400
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7401
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7402
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7403
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7404
|
-
// SessionID is only used in silent calls
|
|
7405
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7406
|
-
parameterBuilder.addSid(request.sid);
|
|
7407
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7408
|
-
}
|
|
7409
|
-
else if (request.account) {
|
|
7410
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7411
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7412
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7413
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7414
|
-
accountLoginHintClaim = null;
|
|
7415
|
-
}
|
|
7416
|
-
// If login_hint claim is present, use it over sid/username
|
|
7417
|
-
if (accountLoginHintClaim) {
|
|
7418
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7419
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7420
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7421
|
-
try {
|
|
7422
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7423
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7424
|
-
}
|
|
7425
|
-
catch (e) {
|
|
7426
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7427
|
-
}
|
|
7428
|
-
}
|
|
7429
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7430
|
-
/*
|
|
7431
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7432
|
-
* SessionId is only used in silent calls
|
|
7433
|
-
*/
|
|
7434
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7435
|
-
parameterBuilder.addSid(accountSid);
|
|
7436
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7437
|
-
try {
|
|
7438
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7439
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7440
|
-
}
|
|
7441
|
-
catch (e) {
|
|
7442
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7443
|
-
}
|
|
7444
|
-
}
|
|
7445
|
-
else if (request.loginHint) {
|
|
7446
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7447
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7448
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7449
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7450
|
-
}
|
|
7451
|
-
else if (request.account.username) {
|
|
7452
|
-
// Fallback to account username if provided
|
|
7453
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7454
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7455
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7456
|
-
try {
|
|
7457
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7458
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7459
|
-
}
|
|
7460
|
-
catch (e) {
|
|
7461
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7462
|
-
}
|
|
7463
|
-
}
|
|
7464
|
-
}
|
|
7465
|
-
else if (request.loginHint) {
|
|
7466
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7467
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7468
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7469
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7470
|
-
}
|
|
7471
|
-
}
|
|
7472
|
-
else {
|
|
7473
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7474
|
-
}
|
|
7475
|
-
if (request.nonce) {
|
|
7476
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7477
|
-
}
|
|
7478
|
-
if (request.state) {
|
|
7479
|
-
parameterBuilder.addState(request.state);
|
|
7480
|
-
}
|
|
7481
|
-
if (request.claims ||
|
|
7482
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7483
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7484
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7485
|
-
}
|
|
7486
|
-
if (request.embeddedClientId) {
|
|
7487
|
-
parameterBuilder.addBrokerParameters({
|
|
7488
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7489
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7490
|
-
});
|
|
7491
|
-
}
|
|
7492
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7493
|
-
if (request.platformBroker) {
|
|
7494
|
-
// signal ests that this is a WAM call
|
|
7495
|
-
parameterBuilder.addNativeBroker();
|
|
7496
|
-
// pass the req_cnf for POP
|
|
7497
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7498
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7499
|
-
// req_cnf is always sent as a string for SPAs
|
|
7500
|
-
let reqCnfData;
|
|
7501
|
-
if (!request.popKid) {
|
|
7502
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7503
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7504
|
-
}
|
|
7505
|
-
else {
|
|
7506
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7507
|
-
}
|
|
7508
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7509
|
-
}
|
|
7510
|
-
}
|
|
7511
|
-
return parameterBuilder.createQueryString();
|
|
7229
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7230
|
+
return mapToQueryString(parameters);
|
|
7512
7231
|
}
|
|
7513
7232
|
/**
|
|
7514
7233
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7515
7234
|
* @param request
|
|
7516
7235
|
*/
|
|
7517
7236
|
createLogoutUrlQueryString(request) {
|
|
7518
|
-
const
|
|
7237
|
+
const parameters = new Map();
|
|
7519
7238
|
if (request.postLogoutRedirectUri) {
|
|
7520
|
-
|
|
7239
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7521
7240
|
}
|
|
7522
7241
|
if (request.correlationId) {
|
|
7523
|
-
|
|
7242
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7524
7243
|
}
|
|
7525
7244
|
if (request.idTokenHint) {
|
|
7526
|
-
|
|
7245
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7527
7246
|
}
|
|
7528
7247
|
if (request.state) {
|
|
7529
|
-
|
|
7248
|
+
addState(parameters, request.state);
|
|
7530
7249
|
}
|
|
7531
7250
|
if (request.logoutHint) {
|
|
7532
|
-
|
|
7533
|
-
}
|
|
7534
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7535
|
-
return parameterBuilder.createQueryString();
|
|
7536
|
-
}
|
|
7537
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7538
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7539
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7540
|
-
// Set instance_aware flag if config auth param is set
|
|
7541
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7542
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7543
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7251
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7544
7252
|
}
|
|
7545
7253
|
if (request.extraQueryParameters) {
|
|
7546
|
-
|
|
7254
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7547
7255
|
}
|
|
7548
|
-
|
|
7549
|
-
|
|
7550
|
-
|
|
7551
|
-
|
|
7552
|
-
*/
|
|
7553
|
-
extractAccountSid(account) {
|
|
7554
|
-
return account.idTokenClaims?.sid || null;
|
|
7555
|
-
}
|
|
7556
|
-
extractLoginHint(account) {
|
|
7557
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7256
|
+
if (this.config.authOptions.instanceAware) {
|
|
7257
|
+
addInstanceAware(parameters);
|
|
7258
|
+
}
|
|
7259
|
+
return mapToQueryString(parameters);
|
|
7558
7260
|
}
|
|
7559
7261
|
}
|
|
7560
7262
|
|
|
7561
|
-
/*! @azure/msal-common v15.
|
|
7263
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7562
7264
|
|
|
7563
7265
|
/*
|
|
7564
7266
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7678,18 +7380,7 @@
|
|
|
7678
7380
|
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
|
|
7679
7381
|
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7680
7382
|
const headers = this.createTokenRequestHeaders(request.ccsCredential);
|
|
7681
|
-
const thumbprint =
|
|
7682
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
7683
|
-
this.config.authOptions.clientId,
|
|
7684
|
-
authority: authority.canonicalAuthority,
|
|
7685
|
-
scopes: request.scopes,
|
|
7686
|
-
claims: request.claims,
|
|
7687
|
-
authenticationScheme: request.authenticationScheme,
|
|
7688
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
7689
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
7690
|
-
shrClaims: request.shrClaims,
|
|
7691
|
-
sshKid: request.sshKid,
|
|
7692
|
-
};
|
|
7383
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
7693
7384
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
|
|
7694
7385
|
}
|
|
7695
7386
|
/**
|
|
@@ -7698,31 +7389,30 @@
|
|
|
7698
7389
|
*/
|
|
7699
7390
|
async createTokenRequestBody(request) {
|
|
7700
7391
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7701
|
-
const
|
|
7702
|
-
|
|
7703
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7392
|
+
const parameters = new Map();
|
|
7393
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7704
7394
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7705
7395
|
this.config.authOptions.clientId);
|
|
7706
7396
|
if (request.redirectUri) {
|
|
7707
|
-
|
|
7708
|
-
}
|
|
7709
|
-
|
|
7710
|
-
|
|
7711
|
-
|
|
7712
|
-
|
|
7713
|
-
|
|
7714
|
-
|
|
7397
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7398
|
+
}
|
|
7399
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7400
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7401
|
+
addClientInfo(parameters);
|
|
7402
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7403
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7404
|
+
addThrottling(parameters);
|
|
7715
7405
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7716
|
-
|
|
7406
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7717
7407
|
}
|
|
7718
|
-
|
|
7408
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7719
7409
|
if (this.config.clientCredentials.clientSecret) {
|
|
7720
|
-
|
|
7410
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7721
7411
|
}
|
|
7722
7412
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7723
7413
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7724
|
-
|
|
7725
|
-
|
|
7414
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7415
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7726
7416
|
}
|
|
7727
7417
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7728
7418
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7735,11 +7425,11 @@
|
|
|
7735
7425
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7736
7426
|
}
|
|
7737
7427
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7738
|
-
|
|
7428
|
+
addPopToken(parameters, reqCnfData);
|
|
7739
7429
|
}
|
|
7740
7430
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7741
7431
|
if (request.sshJwk) {
|
|
7742
|
-
|
|
7432
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7743
7433
|
}
|
|
7744
7434
|
else {
|
|
7745
7435
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7748,7 +7438,7 @@
|
|
|
7748
7438
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7749
7439
|
(this.config.authOptions.clientCapabilities &&
|
|
7750
7440
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7751
|
-
|
|
7441
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7752
7442
|
}
|
|
7753
7443
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7754
7444
|
request.ccsCredential) {
|
|
@@ -7756,7 +7446,7 @@
|
|
|
7756
7446
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7757
7447
|
try {
|
|
7758
7448
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7759
|
-
|
|
7449
|
+
addCcsOid(parameters, clientInfo);
|
|
7760
7450
|
}
|
|
7761
7451
|
catch (e) {
|
|
7762
7452
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7764,24 +7454,22 @@
|
|
|
7764
7454
|
}
|
|
7765
7455
|
break;
|
|
7766
7456
|
case CcsCredentialType.UPN:
|
|
7767
|
-
|
|
7457
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7768
7458
|
break;
|
|
7769
7459
|
}
|
|
7770
7460
|
}
|
|
7771
7461
|
if (request.embeddedClientId) {
|
|
7772
|
-
|
|
7773
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7774
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7775
|
-
});
|
|
7462
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7776
7463
|
}
|
|
7777
7464
|
if (request.tokenBodyParameters) {
|
|
7778
|
-
|
|
7465
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7779
7466
|
}
|
|
7780
|
-
|
|
7467
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7468
|
+
return mapToQueryString(parameters);
|
|
7781
7469
|
}
|
|
7782
7470
|
}
|
|
7783
7471
|
|
|
7784
|
-
/*! @azure/msal-common v15.
|
|
7472
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7785
7473
|
|
|
7786
7474
|
/*
|
|
7787
7475
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7875,26 +7563,250 @@
|
|
|
7875
7563
|
}
|
|
7876
7564
|
checkMaxAge(authTime, request.maxAge);
|
|
7877
7565
|
}
|
|
7878
|
-
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
7566
|
+
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
7567
|
+
}
|
|
7568
|
+
}
|
|
7569
|
+
|
|
7570
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7571
|
+
|
|
7572
|
+
/*
|
|
7573
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7574
|
+
* Licensed under the MIT License.
|
|
7575
|
+
*/
|
|
7576
|
+
const StubbedNetworkModule = {
|
|
7577
|
+
sendGetRequestAsync: () => {
|
|
7578
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7579
|
+
},
|
|
7580
|
+
sendPostRequestAsync: () => {
|
|
7581
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7582
|
+
},
|
|
7583
|
+
};
|
|
7584
|
+
|
|
7585
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7586
|
+
|
|
7587
|
+
/*
|
|
7588
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7589
|
+
* Licensed under the MIT License.
|
|
7590
|
+
*/
|
|
7591
|
+
/**
|
|
7592
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7593
|
+
* @param config
|
|
7594
|
+
* @param request
|
|
7595
|
+
* @param logger
|
|
7596
|
+
* @param performanceClient
|
|
7597
|
+
* @returns
|
|
7598
|
+
*/
|
|
7599
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7600
|
+
// generate the correlationId if not set by the user and add
|
|
7601
|
+
const correlationId = request.correlationId;
|
|
7602
|
+
const parameters = new Map();
|
|
7603
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7604
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7605
|
+
authOptions.clientId);
|
|
7606
|
+
const requestScopes = [
|
|
7607
|
+
...(request.scopes || []),
|
|
7608
|
+
...(request.extraScopesToConsent || []),
|
|
7609
|
+
];
|
|
7610
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7611
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7612
|
+
addCorrelationId(parameters, correlationId);
|
|
7613
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7614
|
+
addResponseMode(parameters, request.responseMode);
|
|
7615
|
+
// add client_info=1
|
|
7616
|
+
addClientInfo(parameters);
|
|
7617
|
+
if (request.prompt) {
|
|
7618
|
+
addPrompt(parameters, request.prompt);
|
|
7619
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7620
|
+
}
|
|
7621
|
+
if (request.domainHint) {
|
|
7622
|
+
addDomainHint(parameters, request.domainHint);
|
|
7623
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7624
|
+
}
|
|
7625
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7626
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7627
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7628
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7629
|
+
// SessionID is only used in silent calls
|
|
7630
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7631
|
+
addSid(parameters, request.sid);
|
|
7632
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7633
|
+
}
|
|
7634
|
+
else if (request.account) {
|
|
7635
|
+
const accountSid = extractAccountSid(request.account);
|
|
7636
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7637
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7638
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7639
|
+
accountLoginHintClaim = null;
|
|
7640
|
+
}
|
|
7641
|
+
// If login_hint claim is present, use it over sid/username
|
|
7642
|
+
if (accountLoginHintClaim) {
|
|
7643
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7644
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7645
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7646
|
+
try {
|
|
7647
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7648
|
+
addCcsOid(parameters, clientInfo);
|
|
7649
|
+
}
|
|
7650
|
+
catch (e) {
|
|
7651
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7652
|
+
}
|
|
7653
|
+
}
|
|
7654
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7655
|
+
/*
|
|
7656
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7657
|
+
* SessionId is only used in silent calls
|
|
7658
|
+
*/
|
|
7659
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7660
|
+
addSid(parameters, accountSid);
|
|
7661
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7662
|
+
try {
|
|
7663
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7664
|
+
addCcsOid(parameters, clientInfo);
|
|
7665
|
+
}
|
|
7666
|
+
catch (e) {
|
|
7667
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7668
|
+
}
|
|
7669
|
+
}
|
|
7670
|
+
else if (request.loginHint) {
|
|
7671
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7672
|
+
addLoginHint(parameters, request.loginHint);
|
|
7673
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7674
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7675
|
+
}
|
|
7676
|
+
else if (request.account.username) {
|
|
7677
|
+
// Fallback to account username if provided
|
|
7678
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7679
|
+
addLoginHint(parameters, request.account.username);
|
|
7680
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7681
|
+
try {
|
|
7682
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7683
|
+
addCcsOid(parameters, clientInfo);
|
|
7684
|
+
}
|
|
7685
|
+
catch (e) {
|
|
7686
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7687
|
+
}
|
|
7688
|
+
}
|
|
7689
|
+
}
|
|
7690
|
+
else if (request.loginHint) {
|
|
7691
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7692
|
+
addLoginHint(parameters, request.loginHint);
|
|
7693
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7694
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7695
|
+
}
|
|
7696
|
+
}
|
|
7697
|
+
else {
|
|
7698
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7699
|
+
}
|
|
7700
|
+
if (request.nonce) {
|
|
7701
|
+
addNonce(parameters, request.nonce);
|
|
7702
|
+
}
|
|
7703
|
+
if (request.state) {
|
|
7704
|
+
addState(parameters, request.state);
|
|
7705
|
+
}
|
|
7706
|
+
if (request.claims ||
|
|
7707
|
+
(authOptions.clientCapabilities &&
|
|
7708
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7709
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7710
|
+
}
|
|
7711
|
+
if (request.embeddedClientId) {
|
|
7712
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7713
|
+
}
|
|
7714
|
+
if (request.extraQueryParameters) {
|
|
7715
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7716
|
+
}
|
|
7717
|
+
if (authOptions.instanceAware) {
|
|
7718
|
+
addInstanceAware(parameters);
|
|
7719
|
+
}
|
|
7720
|
+
return parameters;
|
|
7721
|
+
}
|
|
7722
|
+
/**
|
|
7723
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7724
|
+
* @param authority
|
|
7725
|
+
* @param requestParameters
|
|
7726
|
+
* @returns
|
|
7727
|
+
*/
|
|
7728
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7729
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7730
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7731
|
+
}
|
|
7732
|
+
/**
|
|
7733
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7734
|
+
* the client to exchange for a token in acquireToken.
|
|
7735
|
+
* @param serverParams
|
|
7736
|
+
* @param cachedState
|
|
7737
|
+
*/
|
|
7738
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7739
|
+
// Get code response
|
|
7740
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7741
|
+
// throw when there is no auth code in the response
|
|
7742
|
+
if (!serverParams.code) {
|
|
7743
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7744
|
+
}
|
|
7745
|
+
return serverParams;
|
|
7746
|
+
}
|
|
7747
|
+
/**
|
|
7748
|
+
* Function which validates server authorization code response.
|
|
7749
|
+
* @param serverResponseHash
|
|
7750
|
+
* @param requestState
|
|
7751
|
+
*/
|
|
7752
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7753
|
+
if (!serverResponse.state || !requestState) {
|
|
7754
|
+
throw serverResponse.state
|
|
7755
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7756
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7757
|
+
}
|
|
7758
|
+
let decodedServerResponseState;
|
|
7759
|
+
let decodedRequestState;
|
|
7760
|
+
try {
|
|
7761
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7762
|
+
}
|
|
7763
|
+
catch (e) {
|
|
7764
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7765
|
+
}
|
|
7766
|
+
try {
|
|
7767
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7768
|
+
}
|
|
7769
|
+
catch (e) {
|
|
7770
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7771
|
+
}
|
|
7772
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7773
|
+
throw createClientAuthError(stateMismatch);
|
|
7774
|
+
}
|
|
7775
|
+
// Check for error
|
|
7776
|
+
if (serverResponse.error ||
|
|
7777
|
+
serverResponse.error_description ||
|
|
7778
|
+
serverResponse.suberror) {
|
|
7779
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7780
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7781
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7782
|
+
}
|
|
7783
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7879
7784
|
}
|
|
7880
|
-
}
|
|
7881
|
-
|
|
7882
|
-
|
|
7883
|
-
|
|
7884
|
-
|
|
7885
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7886
|
-
* Licensed under the MIT License.
|
|
7785
|
+
}
|
|
7786
|
+
/**
|
|
7787
|
+
* Get server error No from the error_uri
|
|
7788
|
+
* @param serverResponse
|
|
7789
|
+
* @returns
|
|
7887
7790
|
*/
|
|
7888
|
-
|
|
7889
|
-
|
|
7890
|
-
|
|
7891
|
-
|
|
7892
|
-
|
|
7893
|
-
|
|
7894
|
-
|
|
7895
|
-
|
|
7791
|
+
function parseServerErrorNo(serverResponse) {
|
|
7792
|
+
const errorCodePrefix = "code=";
|
|
7793
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7794
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7795
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7796
|
+
: undefined;
|
|
7797
|
+
}
|
|
7798
|
+
/**
|
|
7799
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
7800
|
+
* @param account
|
|
7801
|
+
*/
|
|
7802
|
+
function extractAccountSid(account) {
|
|
7803
|
+
return account.idTokenClaims?.sid || null;
|
|
7804
|
+
}
|
|
7805
|
+
function extractLoginHint(account) {
|
|
7806
|
+
return account.idTokenClaims?.login_hint || null;
|
|
7807
|
+
}
|
|
7896
7808
|
|
|
7897
|
-
/*! @azure/msal-common v15.
|
|
7809
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7898
7810
|
|
|
7899
7811
|
/*
|
|
7900
7812
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7952,7 +7864,7 @@
|
|
|
7952
7864
|
}
|
|
7953
7865
|
}
|
|
7954
7866
|
|
|
7955
|
-
/*! @azure/msal-common v15.
|
|
7867
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7956
7868
|
|
|
7957
7869
|
/*
|
|
7958
7870
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8215,7 +8127,7 @@
|
|
|
8215
8127
|
}
|
|
8216
8128
|
}
|
|
8217
8129
|
|
|
8218
|
-
/*! @azure/msal-common v15.
|
|
8130
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8219
8131
|
/*
|
|
8220
8132
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8221
8133
|
* Licensed under the MIT License.
|
|
@@ -8223,7 +8135,7 @@
|
|
|
8223
8135
|
const missingKidError = "missing_kid_error";
|
|
8224
8136
|
const missingAlgError = "missing_alg_error";
|
|
8225
8137
|
|
|
8226
|
-
/*! @azure/msal-common v15.
|
|
8138
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8227
8139
|
|
|
8228
8140
|
/*
|
|
8229
8141
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8248,7 +8160,7 @@
|
|
|
8248
8160
|
return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
|
|
8249
8161
|
}
|
|
8250
8162
|
|
|
8251
|
-
/*! @azure/msal-common v15.
|
|
8163
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8252
8164
|
|
|
8253
8165
|
/*
|
|
8254
8166
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8288,7 +8200,7 @@
|
|
|
8288
8200
|
}
|
|
8289
8201
|
}
|
|
8290
8202
|
|
|
8291
|
-
/*! @azure/msal-common v15.
|
|
8203
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8292
8204
|
|
|
8293
8205
|
/*
|
|
8294
8206
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8367,7 +8279,7 @@
|
|
|
8367
8279
|
}
|
|
8368
8280
|
}
|
|
8369
8281
|
|
|
8370
|
-
/*! @azure/msal-common v15.
|
|
8282
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8371
8283
|
|
|
8372
8284
|
/*
|
|
8373
8285
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -10404,7 +10316,7 @@
|
|
|
10404
10316
|
|
|
10405
10317
|
/* eslint-disable header/header */
|
|
10406
10318
|
const name = "@azure/msal-browser";
|
|
10407
|
-
const version = "4.
|
|
10319
|
+
const version = "4.8.0";
|
|
10408
10320
|
|
|
10409
10321
|
/*
|
|
10410
10322
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -12683,7 +12595,13 @@
|
|
|
12683
12595
|
*
|
|
12684
12596
|
* The next MSAL VFuture should map these both to same value if possible
|
|
12685
12597
|
*/
|
|
12686
|
-
const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
|
|
12598
|
+
const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
|
|
12599
|
+
// Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
|
|
12600
|
+
result.expiresOn
|
|
12601
|
+
? toSecondsFromDate(result.expiresOn)
|
|
12602
|
+
: 0, result.extExpiresOn
|
|
12603
|
+
? toSecondsFromDate(result.extExpiresOn)
|
|
12604
|
+
: 0, base64Decode, undefined, // refreshOn
|
|
12687
12605
|
result.tokenType, undefined, // userAssertionHash
|
|
12688
12606
|
request.sshKid, request.claims, claimsHash);
|
|
12689
12607
|
const cacheRecord = {
|
|
@@ -12889,7 +12807,9 @@
|
|
|
12889
12807
|
constructor(logger) {
|
|
12890
12808
|
this.eventCallbacks = new Map();
|
|
12891
12809
|
this.logger = logger || new Logger({});
|
|
12892
|
-
|
|
12810
|
+
if (typeof BroadcastChannel !== "undefined") {
|
|
12811
|
+
this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
|
|
12812
|
+
}
|
|
12893
12813
|
this.invokeCrossTabCallbacks = this.invokeCrossTabCallbacks.bind(this);
|
|
12894
12814
|
}
|
|
12895
12815
|
/**
|
|
@@ -12939,7 +12859,7 @@
|
|
|
12939
12859
|
case EventType.ACCOUNT_REMOVED:
|
|
12940
12860
|
case EventType.ACTIVE_ACCOUNT_CHANGED:
|
|
12941
12861
|
// Send event to other open tabs / MSAL instances on same domain
|
|
12942
|
-
this.broadcastChannel
|
|
12862
|
+
this.broadcastChannel?.postMessage(message);
|
|
12943
12863
|
break;
|
|
12944
12864
|
default:
|
|
12945
12865
|
// Emit event to callbacks registered in this instance
|
|
@@ -12972,13 +12892,13 @@
|
|
|
12972
12892
|
* Listen for events broadcasted from other tabs/instances
|
|
12973
12893
|
*/
|
|
12974
12894
|
subscribeCrossTab() {
|
|
12975
|
-
this.broadcastChannel
|
|
12895
|
+
this.broadcastChannel?.addEventListener("message", this.invokeCrossTabCallbacks);
|
|
12976
12896
|
}
|
|
12977
12897
|
/**
|
|
12978
12898
|
* Unsubscribe from broadcast events
|
|
12979
12899
|
*/
|
|
12980
12900
|
unsubscribeCrossTab() {
|
|
12981
|
-
this.broadcastChannel
|
|
12901
|
+
this.broadcastChannel?.removeEventListener("message", this.invokeCrossTabCallbacks);
|
|
12982
12902
|
}
|
|
12983
12903
|
}
|
|
12984
12904
|
|
|
@@ -13100,61 +13020,6 @@
|
|
|
13100
13020
|
}
|
|
13101
13021
|
}
|
|
13102
13022
|
|
|
13103
|
-
/*
|
|
13104
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13105
|
-
* Licensed under the MIT License.
|
|
13106
|
-
*/
|
|
13107
|
-
// Constant byte array length
|
|
13108
|
-
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
13109
|
-
/**
|
|
13110
|
-
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
13111
|
-
*/
|
|
13112
|
-
/**
|
|
13113
|
-
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
13114
|
-
*/
|
|
13115
|
-
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
13116
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
13117
|
-
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
13118
|
-
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
13119
|
-
return {
|
|
13120
|
-
verifier: codeVerifier,
|
|
13121
|
-
challenge: codeChallenge,
|
|
13122
|
-
};
|
|
13123
|
-
}
|
|
13124
|
-
/**
|
|
13125
|
-
* Generates a random 32 byte buffer and returns the base64
|
|
13126
|
-
* encoded string to be used as a PKCE Code Verifier
|
|
13127
|
-
*/
|
|
13128
|
-
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
13129
|
-
try {
|
|
13130
|
-
// Generate random values as utf-8
|
|
13131
|
-
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
13132
|
-
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
13133
|
-
// encode verifier as base64
|
|
13134
|
-
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
13135
|
-
return pkceCodeVerifierB64;
|
|
13136
|
-
}
|
|
13137
|
-
catch (e) {
|
|
13138
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13139
|
-
}
|
|
13140
|
-
}
|
|
13141
|
-
/**
|
|
13142
|
-
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
13143
|
-
* hash created from the PKCE Code Verifier supplied
|
|
13144
|
-
*/
|
|
13145
|
-
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
13146
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
13147
|
-
try {
|
|
13148
|
-
// hashed verifier
|
|
13149
|
-
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
13150
|
-
// encode hash as base64
|
|
13151
|
-
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
13152
|
-
}
|
|
13153
|
-
catch (e) {
|
|
13154
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13155
|
-
}
|
|
13156
|
-
}
|
|
13157
|
-
|
|
13158
13023
|
/*
|
|
13159
13024
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13160
13025
|
* Licensed under the MIT License.
|
|
@@ -13217,25 +13082,6 @@
|
|
|
13217
13082
|
* Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
|
|
13218
13083
|
*/
|
|
13219
13084
|
class StandardInteractionClient extends BaseInteractionClient {
|
|
13220
|
-
/**
|
|
13221
|
-
* Generates an auth code request tied to the url request.
|
|
13222
|
-
* @param request
|
|
13223
|
-
* @param pkceCodes
|
|
13224
|
-
*/
|
|
13225
|
-
async initializeAuthorizationCodeRequest(request, pkceCodes) {
|
|
13226
|
-
this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
|
|
13227
|
-
const generatedPkceParams = pkceCodes ||
|
|
13228
|
-
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
13229
|
-
const authCodeRequest = {
|
|
13230
|
-
...request,
|
|
13231
|
-
redirectUri: request.redirectUri,
|
|
13232
|
-
code: Constants.EMPTY_STRING,
|
|
13233
|
-
codeVerifier: generatedPkceParams.verifier,
|
|
13234
|
-
};
|
|
13235
|
-
request.codeChallenge = generatedPkceParams.challenge;
|
|
13236
|
-
request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
|
|
13237
|
-
return authCodeRequest;
|
|
13238
|
-
}
|
|
13239
13085
|
/**
|
|
13240
13086
|
* Initializer for the logout request.
|
|
13241
13087
|
* @param logoutRequest
|
|
@@ -13814,7 +13660,12 @@
|
|
|
13814
13660
|
const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
|
|
13815
13661
|
nativeAccountId: request.accountId,
|
|
13816
13662
|
})?.homeAccountId;
|
|
13817
|
-
|
|
13663
|
+
// add exception for double brokering, please note this is temporary and will be fortified in future
|
|
13664
|
+
if (request.extraParameters?.child_client_id &&
|
|
13665
|
+
response.account.id !== request.accountId) {
|
|
13666
|
+
this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
|
|
13667
|
+
}
|
|
13668
|
+
else if (homeAccountIdentifier !== cachedhomeAccountId &&
|
|
13818
13669
|
response.account.id !== request.accountId) {
|
|
13819
13670
|
// User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
|
|
13820
13671
|
throw createNativeAuthError(userSwitch);
|
|
@@ -13826,6 +13677,8 @@
|
|
|
13826
13677
|
const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
|
|
13827
13678
|
idTokenClaims.tid, undefined, // auth code payload
|
|
13828
13679
|
response.account.id, this.logger);
|
|
13680
|
+
// Ensure expires_in is in number format
|
|
13681
|
+
response.expires_in = Number(response.expires_in);
|
|
13829
13682
|
// generate authenticationResult
|
|
13830
13683
|
const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
|
|
13831
13684
|
// cache accounts and tokens in the appropriate storage
|
|
@@ -13942,7 +13795,8 @@
|
|
|
13942
13795
|
idTokenClaims: idTokenClaims,
|
|
13943
13796
|
accessToken: responseAccessToken,
|
|
13944
13797
|
fromCache: mats ? this.isResponseFromCache(mats) : false,
|
|
13945
|
-
|
|
13798
|
+
// Request timestamp and NativeResponse expires_in are in seconds, converting to Date for AuthenticationResult
|
|
13799
|
+
expiresOn: toDateFromSeconds(reqTimestamp + response.expires_in),
|
|
13946
13800
|
tokenType: tokenType,
|
|
13947
13801
|
correlationId: this.correlationId,
|
|
13948
13802
|
state: response.state,
|
|
@@ -14472,7 +14326,7 @@
|
|
|
14472
14326
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
|
|
14473
14327
|
let authCodeResponse;
|
|
14474
14328
|
try {
|
|
14475
|
-
authCodeResponse =
|
|
14329
|
+
authCodeResponse = getAuthorizationCodePayload(response, request.state);
|
|
14476
14330
|
}
|
|
14477
14331
|
catch (e) {
|
|
14478
14332
|
if (e instanceof ServerError &&
|
|
@@ -14580,6 +14434,126 @@
|
|
|
14580
14434
|
}
|
|
14581
14435
|
}
|
|
14582
14436
|
|
|
14437
|
+
/*
|
|
14438
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14439
|
+
* Licensed under the MIT License.
|
|
14440
|
+
*/
|
|
14441
|
+
/**
|
|
14442
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
14443
|
+
* @param config
|
|
14444
|
+
* @param authority
|
|
14445
|
+
* @param request
|
|
14446
|
+
* @param logger
|
|
14447
|
+
* @param performanceClient
|
|
14448
|
+
* @returns
|
|
14449
|
+
*/
|
|
14450
|
+
async function getStandardParameters(config, authority, request, logger, performanceClient) {
|
|
14451
|
+
const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
|
|
14452
|
+
addLibraryInfo(parameters, {
|
|
14453
|
+
sku: BrowserConstants.MSAL_SKU,
|
|
14454
|
+
version: version,
|
|
14455
|
+
os: "",
|
|
14456
|
+
cpu: "",
|
|
14457
|
+
});
|
|
14458
|
+
if (config.auth.protocolMode !== ProtocolMode.OIDC) {
|
|
14459
|
+
addApplicationTelemetry(parameters, config.telemetry.application);
|
|
14460
|
+
}
|
|
14461
|
+
if (request.platformBroker) {
|
|
14462
|
+
// signal ests that this is a WAM call
|
|
14463
|
+
addNativeBroker(parameters);
|
|
14464
|
+
// pass the req_cnf for POP
|
|
14465
|
+
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
14466
|
+
const cryptoOps = new CryptoOps(logger, performanceClient);
|
|
14467
|
+
const popTokenGenerator = new PopTokenGenerator(cryptoOps);
|
|
14468
|
+
// req_cnf is always sent as a string for SPAs
|
|
14469
|
+
let reqCnfData;
|
|
14470
|
+
if (!request.popKid) {
|
|
14471
|
+
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
|
|
14472
|
+
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
14473
|
+
}
|
|
14474
|
+
else {
|
|
14475
|
+
reqCnfData = cryptoOps.encodeKid(request.popKid);
|
|
14476
|
+
}
|
|
14477
|
+
addPopToken(parameters, reqCnfData);
|
|
14478
|
+
}
|
|
14479
|
+
}
|
|
14480
|
+
instrumentBrokerParams(parameters, request.correlationId, performanceClient);
|
|
14481
|
+
return parameters;
|
|
14482
|
+
}
|
|
14483
|
+
/**
|
|
14484
|
+
* Gets the full /authorize URL with request parameters when using Auth Code + PKCE
|
|
14485
|
+
* @param config
|
|
14486
|
+
* @param authority
|
|
14487
|
+
* @param request
|
|
14488
|
+
* @param logger
|
|
14489
|
+
* @param performanceClient
|
|
14490
|
+
* @returns
|
|
14491
|
+
*/
|
|
14492
|
+
async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
|
|
14493
|
+
if (!request.codeChallenge) {
|
|
14494
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
14495
|
+
}
|
|
14496
|
+
const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
|
|
14497
|
+
addResponseTypeCode(parameters);
|
|
14498
|
+
addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
|
|
14499
|
+
return getAuthorizeUrl(authority, parameters);
|
|
14500
|
+
}
|
|
14501
|
+
|
|
14502
|
+
/*
|
|
14503
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14504
|
+
* Licensed under the MIT License.
|
|
14505
|
+
*/
|
|
14506
|
+
// Constant byte array length
|
|
14507
|
+
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
14508
|
+
/**
|
|
14509
|
+
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
14510
|
+
*/
|
|
14511
|
+
/**
|
|
14512
|
+
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
14513
|
+
*/
|
|
14514
|
+
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
14515
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
14516
|
+
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
14517
|
+
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
14518
|
+
return {
|
|
14519
|
+
verifier: codeVerifier,
|
|
14520
|
+
challenge: codeChallenge,
|
|
14521
|
+
};
|
|
14522
|
+
}
|
|
14523
|
+
/**
|
|
14524
|
+
* Generates a random 32 byte buffer and returns the base64
|
|
14525
|
+
* encoded string to be used as a PKCE Code Verifier
|
|
14526
|
+
*/
|
|
14527
|
+
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
14528
|
+
try {
|
|
14529
|
+
// Generate random values as utf-8
|
|
14530
|
+
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
14531
|
+
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
14532
|
+
// encode verifier as base64
|
|
14533
|
+
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
14534
|
+
return pkceCodeVerifierB64;
|
|
14535
|
+
}
|
|
14536
|
+
catch (e) {
|
|
14537
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14538
|
+
}
|
|
14539
|
+
}
|
|
14540
|
+
/**
|
|
14541
|
+
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
14542
|
+
* hash created from the PKCE Code Verifier supplied
|
|
14543
|
+
*/
|
|
14544
|
+
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
14545
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
14546
|
+
try {
|
|
14547
|
+
// hashed verifier
|
|
14548
|
+
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
14549
|
+
// encode hash as base64
|
|
14550
|
+
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
14551
|
+
}
|
|
14552
|
+
catch (e) {
|
|
14553
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14554
|
+
}
|
|
14555
|
+
}
|
|
14556
|
+
|
|
14583
14557
|
/*
|
|
14584
14558
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14585
14559
|
* Licensed under the MIT License.
|
|
@@ -14667,6 +14641,9 @@
|
|
|
14667
14641
|
this.logger.verbose("acquireTokenPopupAsync called");
|
|
14668
14642
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
|
|
14669
14643
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
|
|
14644
|
+
const pkce = pkceCodes ||
|
|
14645
|
+
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
14646
|
+
validRequest.codeChallenge = pkce.challenge;
|
|
14670
14647
|
/*
|
|
14671
14648
|
* Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
|
|
14672
14649
|
* popup from being blocked by browsers with shorter popup timers
|
|
@@ -14675,8 +14652,6 @@
|
|
|
14675
14652
|
preconnect(validRequest.authority);
|
|
14676
14653
|
}
|
|
14677
14654
|
try {
|
|
14678
|
-
// Create auth code request and generate PKCE params
|
|
14679
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
|
|
14680
14655
|
// Initialize the client
|
|
14681
14656
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
14682
14657
|
serverTelemetryManager,
|
|
@@ -14693,12 +14668,10 @@
|
|
|
14693
14668
|
this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
|
|
14694
14669
|
}
|
|
14695
14670
|
// Create acquire token url.
|
|
14696
|
-
const navigateUrl = await authClient.
|
|
14671
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
14697
14672
|
...validRequest,
|
|
14698
14673
|
platformBroker: isPlatformBroker,
|
|
14699
|
-
});
|
|
14700
|
-
// Create popup interaction handler.
|
|
14701
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14674
|
+
}, this.logger, this.performanceClient);
|
|
14702
14675
|
// Show the UI once the url has been created. Get the window handle for the popup.
|
|
14703
14676
|
const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
|
|
14704
14677
|
this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
|
|
@@ -14706,7 +14679,7 @@
|
|
|
14706
14679
|
const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
|
|
14707
14680
|
const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
|
|
14708
14681
|
// Remove throttle if it exists
|
|
14709
|
-
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId,
|
|
14682
|
+
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
|
|
14710
14683
|
if (serverParams.accountId) {
|
|
14711
14684
|
this.logger.verbose("Account id found in hash, calling WAM for token");
|
|
14712
14685
|
// end measurement for server call with native brokering enabled
|
|
@@ -14727,6 +14700,13 @@
|
|
|
14727
14700
|
prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
|
|
14728
14701
|
});
|
|
14729
14702
|
}
|
|
14703
|
+
const authCodeRequest = {
|
|
14704
|
+
...validRequest,
|
|
14705
|
+
code: serverParams.code || "",
|
|
14706
|
+
codeVerifier: pkce.verifier,
|
|
14707
|
+
};
|
|
14708
|
+
// Create popup interaction handler.
|
|
14709
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14730
14710
|
// Handle response from hash string.
|
|
14731
14711
|
const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
|
|
14732
14712
|
return result;
|
|
@@ -15102,7 +15082,7 @@
|
|
|
15102
15082
|
}
|
|
15103
15083
|
let authCodeResponse;
|
|
15104
15084
|
try {
|
|
15105
|
-
authCodeResponse =
|
|
15085
|
+
authCodeResponse = getAuthorizationCodePayload(response, requestState);
|
|
15106
15086
|
}
|
|
15107
15087
|
catch (e) {
|
|
15108
15088
|
if (e instanceof ServerError &&
|
|
@@ -15186,6 +15166,8 @@
|
|
|
15186
15166
|
*/
|
|
15187
15167
|
async acquireToken(request) {
|
|
15188
15168
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
|
|
15169
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15170
|
+
validRequest.codeChallenge = pkceCodes.challenge;
|
|
15189
15171
|
this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
|
|
15190
15172
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
|
|
15191
15173
|
const handleBackButton = (event) => {
|
|
@@ -15197,8 +15179,6 @@
|
|
|
15197
15179
|
}
|
|
15198
15180
|
};
|
|
15199
15181
|
try {
|
|
15200
|
-
// Create auth code request and generate PKCE params
|
|
15201
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
|
|
15202
15182
|
// Initialize the client
|
|
15203
15183
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
15204
15184
|
serverTelemetryManager,
|
|
@@ -15207,13 +15187,18 @@
|
|
|
15207
15187
|
requestExtraQueryParameters: validRequest.extraQueryParameters,
|
|
15208
15188
|
account: validRequest.account,
|
|
15209
15189
|
});
|
|
15190
|
+
const authCodeRequest = {
|
|
15191
|
+
...validRequest,
|
|
15192
|
+
code: "",
|
|
15193
|
+
codeVerifier: pkceCodes.verifier,
|
|
15194
|
+
};
|
|
15210
15195
|
// Create redirect interaction handler.
|
|
15211
15196
|
const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15212
15197
|
// Create acquire token url.
|
|
15213
|
-
const navigateUrl = await authClient.
|
|
15198
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
15214
15199
|
...validRequest,
|
|
15215
15200
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
|
|
15216
|
-
});
|
|
15201
|
+
}, this.logger, this.performanceClient);
|
|
15217
15202
|
const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
|
|
15218
15203
|
this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
|
|
15219
15204
|
// Clear temporary cache if the back button is clicked during the redirect flow.
|
|
@@ -15718,18 +15703,19 @@
|
|
|
15718
15703
|
* @param navigateUrl
|
|
15719
15704
|
* @param userRequestScopes
|
|
15720
15705
|
*/
|
|
15721
|
-
async silentTokenHelper(authClient,
|
|
15722
|
-
const correlationId =
|
|
15706
|
+
async silentTokenHelper(authClient, request) {
|
|
15707
|
+
const correlationId = request.correlationId;
|
|
15723
15708
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
|
|
15724
|
-
|
|
15725
|
-
const
|
|
15709
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15710
|
+
const silentRequest = {
|
|
15711
|
+
...request,
|
|
15712
|
+
codeChallenge: pkceCodes.challenge,
|
|
15713
|
+
};
|
|
15726
15714
|
// Create authorize request url
|
|
15727
|
-
const navigateUrl = await invokeAsync(
|
|
15715
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
|
|
15728
15716
|
...silentRequest,
|
|
15729
15717
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
|
|
15730
|
-
});
|
|
15731
|
-
// Create silent handler
|
|
15732
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15718
|
+
}, this.logger, this.performanceClient);
|
|
15733
15719
|
// Get the frame handle for the silent request
|
|
15734
15720
|
const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
|
|
15735
15721
|
const responseType = this.config.auth.OIDCOptions.serverResponseType;
|
|
@@ -15749,6 +15735,13 @@
|
|
|
15749
15735
|
prompt: silentRequest.prompt || PromptValue.NONE,
|
|
15750
15736
|
});
|
|
15751
15737
|
}
|
|
15738
|
+
const authCodeRequest = {
|
|
15739
|
+
...silentRequest,
|
|
15740
|
+
code: serverParams.code || "",
|
|
15741
|
+
codeVerifier: pkceCodes.verifier,
|
|
15742
|
+
};
|
|
15743
|
+
// Create silent handler
|
|
15744
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15752
15745
|
// Handle response from hash string
|
|
15753
15746
|
return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
|
|
15754
15747
|
}
|
|
@@ -15943,11 +15936,10 @@
|
|
|
15943
15936
|
const scopes = response.scope
|
|
15944
15937
|
? ScopeSet.fromString(response.scope)
|
|
15945
15938
|
: new ScopeSet(request.scopes);
|
|
15946
|
-
const expiresOn = options.expiresOn ||
|
|
15947
|
-
response.expires_in + new Date().getTime() / 1000;
|
|
15939
|
+
const expiresOn = options.expiresOn || response.expires_in + nowSeconds();
|
|
15948
15940
|
const extendedExpiresOn = options.extendedExpiresOn ||
|
|
15949
15941
|
(response.ext_expires_in || response.expires_in) +
|
|
15950
|
-
|
|
15942
|
+
nowSeconds();
|
|
15951
15943
|
const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
|
|
15952
15944
|
await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
|
|
15953
15945
|
return accessTokenEntity;
|
|
@@ -15987,8 +15979,9 @@
|
|
|
15987
15979
|
if (cacheRecord?.accessToken) {
|
|
15988
15980
|
accessToken = cacheRecord.accessToken.secret;
|
|
15989
15981
|
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
15990
|
-
expiresOn
|
|
15991
|
-
|
|
15982
|
+
// Access token expiresOn stored in seconds, converting to Date for AuthenticationResult
|
|
15983
|
+
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
15984
|
+
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
15992
15985
|
}
|
|
15993
15986
|
const accountEntity = cacheRecord.account;
|
|
15994
15987
|
return {
|
|
@@ -17235,60 +17228,63 @@
|
|
|
17235
17228
|
throw createBrowserAuthError(noAccountError);
|
|
17236
17229
|
}
|
|
17237
17230
|
atsMeasurement.add({ accountType: getAccountType(account) });
|
|
17238
|
-
|
|
17239
|
-
|
|
17240
|
-
|
|
17241
|
-
|
|
17242
|
-
|
|
17243
|
-
|
|
17244
|
-
|
|
17245
|
-
|
|
17246
|
-
|
|
17247
|
-
|
|
17248
|
-
|
|
17249
|
-
|
|
17250
|
-
|
|
17231
|
+
return this.acquireTokenSilentDeduped(request, account, correlationId)
|
|
17232
|
+
.then((result) => {
|
|
17233
|
+
atsMeasurement.end({
|
|
17234
|
+
success: true,
|
|
17235
|
+
fromCache: result.fromCache,
|
|
17236
|
+
isNativeBroker: result.fromNativeBroker,
|
|
17237
|
+
accessTokenSize: result.accessToken.length,
|
|
17238
|
+
idTokenSize: result.idToken.length,
|
|
17239
|
+
});
|
|
17240
|
+
return {
|
|
17241
|
+
...result,
|
|
17242
|
+
state: request.state,
|
|
17243
|
+
correlationId: correlationId, // Ensures PWB scenarios can correctly match request to response
|
|
17244
|
+
};
|
|
17245
|
+
})
|
|
17246
|
+
.catch((error) => {
|
|
17247
|
+
if (error instanceof AuthError) {
|
|
17248
|
+
// Ensures PWB scenarios can correctly match request to response
|
|
17249
|
+
error.setCorrelationId(correlationId);
|
|
17250
|
+
}
|
|
17251
|
+
atsMeasurement.end({
|
|
17252
|
+
success: false,
|
|
17253
|
+
}, error);
|
|
17254
|
+
throw error;
|
|
17255
|
+
});
|
|
17256
|
+
}
|
|
17257
|
+
/**
|
|
17258
|
+
* Checks if identical request is already in flight and returns reference to the existing promise or fires off a new one if this is the first
|
|
17259
|
+
* @param request
|
|
17260
|
+
* @param account
|
|
17261
|
+
* @param correlationId
|
|
17262
|
+
* @returns
|
|
17263
|
+
*/
|
|
17264
|
+
async acquireTokenSilentDeduped(request, account, correlationId) {
|
|
17265
|
+
const thumbprint = getRequestThumbprint(this.config.auth.clientId, {
|
|
17266
|
+
...request,
|
|
17267
|
+
authority: request.authority || this.config.auth.authority,
|
|
17268
|
+
correlationId: correlationId,
|
|
17269
|
+
}, account.homeAccountId);
|
|
17251
17270
|
const silentRequestKey = JSON.stringify(thumbprint);
|
|
17252
|
-
const
|
|
17253
|
-
if (typeof
|
|
17271
|
+
const inProgressRequest = this.activeSilentTokenRequests.get(silentRequestKey);
|
|
17272
|
+
if (typeof inProgressRequest === "undefined") {
|
|
17254
17273
|
this.logger.verbose("acquireTokenSilent called for the first time, storing active request", correlationId);
|
|
17255
|
-
|
|
17274
|
+
this.performanceClient.addFields({ deduped: false }, correlationId);
|
|
17275
|
+
const activeRequest = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
|
|
17256
17276
|
...request,
|
|
17257
17277
|
correlationId,
|
|
17258
|
-
}, account)
|
|
17259
|
-
|
|
17260
|
-
|
|
17261
|
-
atsMeasurement.end({
|
|
17262
|
-
success: true,
|
|
17263
|
-
fromCache: result.fromCache,
|
|
17264
|
-
isNativeBroker: result.fromNativeBroker,
|
|
17265
|
-
cacheLookupPolicy: request.cacheLookupPolicy,
|
|
17266
|
-
accessTokenSize: result.accessToken.length,
|
|
17267
|
-
idTokenSize: result.idToken.length,
|
|
17268
|
-
});
|
|
17269
|
-
return result;
|
|
17270
|
-
})
|
|
17271
|
-
.catch((error) => {
|
|
17278
|
+
}, account);
|
|
17279
|
+
this.activeSilentTokenRequests.set(silentRequestKey, activeRequest);
|
|
17280
|
+
return activeRequest.finally(() => {
|
|
17272
17281
|
this.activeSilentTokenRequests.delete(silentRequestKey);
|
|
17273
|
-
atsMeasurement.end({
|
|
17274
|
-
success: false,
|
|
17275
|
-
}, error);
|
|
17276
|
-
throw error;
|
|
17277
17282
|
});
|
|
17278
|
-
this.activeSilentTokenRequests.set(silentRequestKey, response);
|
|
17279
|
-
return {
|
|
17280
|
-
...(await response),
|
|
17281
|
-
state: request.state,
|
|
17282
|
-
};
|
|
17283
17283
|
}
|
|
17284
17284
|
else {
|
|
17285
17285
|
this.logger.verbose("acquireTokenSilent has been called previously, returning the result from the first call", correlationId);
|
|
17286
|
-
|
|
17287
|
-
|
|
17288
|
-
return {
|
|
17289
|
-
...(await cachedResponse),
|
|
17290
|
-
state: request.state,
|
|
17291
|
-
};
|
|
17286
|
+
this.performanceClient.addFields({ deduped: true }, correlationId);
|
|
17287
|
+
return inProgressRequest;
|
|
17292
17288
|
}
|
|
17293
17289
|
}
|
|
17294
17290
|
/**
|
|
@@ -17499,8 +17495,7 @@
|
|
|
17499
17495
|
extraParams = new Map(Object.entries(request.extraQueryParameters));
|
|
17500
17496
|
}
|
|
17501
17497
|
const correlationId = request.correlationId || this.crypto.createNewGuid();
|
|
17502
|
-
const
|
|
17503
|
-
const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17498
|
+
const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17504
17499
|
const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
|
|
17505
17500
|
const tokenRequest = {
|
|
17506
17501
|
platformBrokerId: request.account?.homeAccountId,
|
|
@@ -17519,7 +17514,8 @@
|
|
|
17519
17514
|
if (!response.token.id_token || !response.token.access_token) {
|
|
17520
17515
|
throw createClientAuthError(nullOrEmptyToken);
|
|
17521
17516
|
}
|
|
17522
|
-
|
|
17517
|
+
// Request timestamp and AuthResult expires_in are in seconds, converting to Date for AuthenticationResult
|
|
17518
|
+
const expiresOn = toDateFromSeconds(reqTimestamp + (response.token.expires_in || 0));
|
|
17523
17519
|
const idTokenClaims = extractTokenClaims(response.token.id_token, this.crypto.base64Decode);
|
|
17524
17520
|
const account = this.fromNaaAccountInfo(response.account, response.token.id_token, idTokenClaims);
|
|
17525
17521
|
const scopes = response.token.scope || request.scope;
|
|
@@ -17648,10 +17644,10 @@
|
|
|
17648
17644
|
idTokenClaims: idTokenClaims || {},
|
|
17649
17645
|
accessToken: accessToken.secret,
|
|
17650
17646
|
fromCache: true,
|
|
17651
|
-
expiresOn:
|
|
17647
|
+
expiresOn: toDateFromSeconds(accessToken.expiresOn),
|
|
17648
|
+
extExpiresOn: toDateFromSeconds(accessToken.extendedExpiresOn),
|
|
17652
17649
|
tokenType: request.authenticationScheme || AuthenticationScheme.BEARER,
|
|
17653
17650
|
correlationId,
|
|
17654
|
-
extExpiresOn: new Date(Number(accessToken.extendedExpiresOn) * 1000),
|
|
17655
17651
|
state: request.state,
|
|
17656
17652
|
};
|
|
17657
17653
|
return authenticationResult;
|