@azure/msal-browser 4.5.1 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (172) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  6. package/dist/cache/AccountManager.mjs +1 -1
  7. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  8. package/dist/cache/BrowserCacheManager.d.ts.map +1 -1
  9. package/dist/cache/BrowserCacheManager.mjs +9 -3
  10. package/dist/cache/BrowserCacheManager.mjs.map +1 -1
  11. package/dist/cache/CacheHelpers.mjs +1 -1
  12. package/dist/cache/CookieStorage.mjs +1 -1
  13. package/dist/cache/DatabaseStorage.mjs +1 -1
  14. package/dist/cache/LocalStorage.mjs +1 -1
  15. package/dist/cache/MemoryStorage.mjs +1 -1
  16. package/dist/cache/SessionStorage.mjs +1 -1
  17. package/dist/cache/TokenCache.d.ts.map +1 -1
  18. package/dist/cache/TokenCache.mjs +7 -7
  19. package/dist/cache/TokenCache.mjs.map +1 -1
  20. package/dist/config/Configuration.mjs +1 -1
  21. package/dist/controllers/ControllerFactory.mjs +1 -1
  22. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  23. package/dist/controllers/StandardController.d.ts +8 -0
  24. package/dist/controllers/StandardController.d.ts.map +1 -1
  25. package/dist/controllers/StandardController.mjs +50 -47
  26. package/dist/controllers/StandardController.mjs.map +1 -1
  27. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  28. package/dist/crypto/BrowserCrypto.mjs +1 -1
  29. package/dist/crypto/CryptoOps.mjs +1 -1
  30. package/dist/crypto/PkceGenerator.mjs +1 -1
  31. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  32. package/dist/encode/Base64Decode.mjs +1 -1
  33. package/dist/encode/Base64Encode.mjs +1 -1
  34. package/dist/error/BrowserAuthError.mjs +1 -1
  35. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  36. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  37. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  38. package/dist/error/NativeAuthError.mjs +1 -1
  39. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  40. package/dist/error/NestedAppAuthError.mjs +1 -1
  41. package/dist/event/EventHandler.d.ts +1 -1
  42. package/dist/event/EventHandler.d.ts.map +1 -1
  43. package/dist/event/EventHandler.mjs +7 -5
  44. package/dist/event/EventHandler.mjs.map +1 -1
  45. package/dist/event/EventMessage.mjs +1 -1
  46. package/dist/event/EventType.mjs +1 -1
  47. package/dist/index.mjs +1 -1
  48. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  49. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  50. package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  51. package/dist/interaction_client/NativeInteractionClient.mjs +11 -3
  52. package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
  53. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  54. package/dist/interaction_client/PopupClient.mjs +16 -8
  55. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  56. package/dist/interaction_client/RedirectClient.d.ts +3 -3
  57. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  58. package/dist/interaction_client/RedirectClient.mjs +12 -5
  59. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  60. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  61. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  62. package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
  63. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  64. package/dist/interaction_client/SilentIframeClient.mjs +19 -9
  65. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  66. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  67. package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
  68. package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  69. package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
  70. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  71. package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
  72. package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
  73. package/dist/interaction_handler/InteractionHandler.mjs +3 -3
  74. package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
  75. package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
  76. package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
  77. package/dist/interaction_handler/RedirectHandler.mjs +3 -3
  78. package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
  79. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  80. package/dist/naa/BridgeError.mjs +1 -1
  81. package/dist/naa/BridgeProxy.mjs +1 -1
  82. package/dist/naa/BridgeStatusCode.mjs +1 -1
  83. package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  84. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +7 -7
  85. package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
  86. package/dist/navigation/NavigationClient.mjs +1 -1
  87. package/dist/network/FetchClient.mjs +1 -1
  88. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  89. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  90. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  91. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  92. package/dist/packageMetadata.d.ts +1 -1
  93. package/dist/packageMetadata.mjs +2 -2
  94. package/dist/protocol/Authorize.d.ts +13 -0
  95. package/dist/protocol/Authorize.d.ts.map +1 -0
  96. package/dist/protocol/Authorize.mjs +74 -0
  97. package/dist/protocol/Authorize.mjs.map +1 -0
  98. package/dist/request/PopupRequest.d.ts +1 -2
  99. package/dist/request/PopupRequest.d.ts.map +1 -1
  100. package/dist/request/RedirectRequest.d.ts +1 -2
  101. package/dist/request/RedirectRequest.d.ts.map +1 -1
  102. package/dist/request/RequestHelpers.mjs +1 -1
  103. package/dist/request/SilentRequest.d.ts +0 -1
  104. package/dist/request/SilentRequest.d.ts.map +1 -1
  105. package/dist/request/SsoSilentRequest.d.ts +2 -4
  106. package/dist/request/SsoSilentRequest.d.ts.map +1 -1
  107. package/dist/response/ResponseHandler.d.ts +3 -3
  108. package/dist/response/ResponseHandler.d.ts.map +1 -1
  109. package/dist/response/ResponseHandler.mjs +1 -1
  110. package/dist/response/ResponseHandler.mjs.map +1 -1
  111. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  112. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  113. package/dist/utils/BrowserConstants.mjs +1 -1
  114. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  115. package/dist/utils/BrowserUtils.mjs +1 -1
  116. package/lib/msal-browser.cjs +1049 -1053
  117. package/lib/msal-browser.cjs.map +1 -1
  118. package/lib/msal-browser.js +1049 -1053
  119. package/lib/msal-browser.js.map +1 -1
  120. package/lib/msal-browser.min.js +67 -65
  121. package/lib/types/cache/BrowserCacheManager.d.ts.map +1 -1
  122. package/lib/types/cache/TokenCache.d.ts.map +1 -1
  123. package/lib/types/controllers/StandardController.d.ts +8 -0
  124. package/lib/types/controllers/StandardController.d.ts.map +1 -1
  125. package/lib/types/event/EventHandler.d.ts +1 -1
  126. package/lib/types/event/EventHandler.d.ts.map +1 -1
  127. package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  128. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  129. package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
  130. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  131. package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
  132. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  133. package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
  134. package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  135. package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
  136. package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
  137. package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
  138. package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
  139. package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  140. package/lib/types/packageMetadata.d.ts +1 -1
  141. package/lib/types/protocol/Authorize.d.ts +13 -0
  142. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  143. package/lib/types/request/PopupRequest.d.ts +1 -2
  144. package/lib/types/request/PopupRequest.d.ts.map +1 -1
  145. package/lib/types/request/RedirectRequest.d.ts +1 -2
  146. package/lib/types/request/RedirectRequest.d.ts.map +1 -1
  147. package/lib/types/request/SilentRequest.d.ts +0 -1
  148. package/lib/types/request/SilentRequest.d.ts.map +1 -1
  149. package/lib/types/request/SsoSilentRequest.d.ts +2 -4
  150. package/lib/types/request/SsoSilentRequest.d.ts.map +1 -1
  151. package/lib/types/response/ResponseHandler.d.ts +3 -3
  152. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  153. package/package.json +2 -2
  154. package/src/cache/BrowserCacheManager.ts +8 -2
  155. package/src/cache/TokenCache.ts +8 -7
  156. package/src/controllers/StandardController.ts +66 -51
  157. package/src/event/EventHandler.ts +9 -5
  158. package/src/interaction_client/NativeInteractionClient.ts +14 -2
  159. package/src/interaction_client/PopupClient.ts +40 -21
  160. package/src/interaction_client/RedirectClient.ts +41 -22
  161. package/src/interaction_client/SilentIframeClient.ts +42 -29
  162. package/src/interaction_client/StandardInteractionClient.ts +0 -40
  163. package/src/interaction_handler/InteractionHandler.ts +4 -3
  164. package/src/interaction_handler/RedirectHandler.ts +4 -3
  165. package/src/naa/mapping/NestedAppAuthAdapter.ts +9 -8
  166. package/src/packageMetadata.ts +1 -1
  167. package/src/protocol/Authorize.ts +136 -0
  168. package/src/request/PopupRequest.ts +1 -5
  169. package/src/request/RedirectRequest.ts +1 -5
  170. package/src/request/SilentRequest.ts +0 -1
  171. package/src/request/SsoSilentRequest.ts +2 -7
  172. package/src/response/ResponseHandler.ts +3 -3
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v4.5.1 2025-03-04 */
1
+ /*! @azure/msal-browser v4.8.0 2025-03-20 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v15.2.0 2025-03-04 */
9
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -254,13 +254,6 @@
254
254
  INVALID_GRANT_ERROR: "invalid_grant",
255
255
  CLIENT_MISMATCH_ERROR: "client_mismatch",
256
256
  };
257
- /**
258
- * Password grant parameters
259
- */
260
- const PasswordGrantConstants = {
261
- username: "username",
262
- password: "password",
263
- };
264
257
  /**
265
258
  * Response codes
266
259
  */
@@ -310,7 +303,7 @@
310
303
  // Token renewal offset default in seconds
311
304
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
312
305
 
313
- /*! @azure/msal-common v15.2.0 2025-03-04 */
306
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
314
307
  /*
315
308
  * Copyright (c) Microsoft Corporation. All rights reserved.
316
309
  * Licensed under the MIT License.
@@ -327,7 +320,7 @@
327
320
  unexpectedError: unexpectedError
328
321
  });
329
322
 
330
- /*! @azure/msal-common v15.2.0 2025-03-04 */
323
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
331
324
 
332
325
  /*
333
326
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -376,7 +369,7 @@
376
369
  : AuthErrorMessages[code]);
377
370
  }
378
371
 
379
- /*! @azure/msal-common v15.2.0 2025-03-04 */
372
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
380
373
  /*
381
374
  * Copyright (c) Microsoft Corporation. All rights reserved.
382
375
  * Licensed under the MIT License.
@@ -474,7 +467,7 @@
474
467
  userTimeoutReached: userTimeoutReached
475
468
  });
476
469
 
477
- /*! @azure/msal-common v15.2.0 2025-03-04 */
470
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
478
471
 
479
472
  /*
480
473
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -726,7 +719,7 @@
726
719
  return new ClientAuthError(errorCode, additionalMessage);
727
720
  }
728
721
 
729
- /*! @azure/msal-common v15.2.0 2025-03-04 */
722
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
730
723
 
731
724
  /*
732
725
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -765,7 +758,7 @@
765
758
  },
766
759
  };
767
760
 
768
- /*! @azure/msal-common v15.2.0 2025-03-04 */
761
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
769
762
 
770
763
  /*
771
764
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -956,12 +949,12 @@
956
949
  }
957
950
  }
958
951
 
959
- /*! @azure/msal-common v15.2.0 2025-03-04 */
952
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
960
953
  /* eslint-disable header/header */
961
954
  const name$1 = "@azure/msal-common";
962
- const version$1 = "15.2.0";
955
+ const version$1 = "15.3.0";
963
956
 
964
- /*! @azure/msal-common v15.2.0 2025-03-04 */
957
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
965
958
  /*
966
959
  * Copyright (c) Microsoft Corporation. All rights reserved.
967
960
  * Licensed under the MIT License.
@@ -981,7 +974,7 @@
981
974
  AzureUsGovernment: "https://login.microsoftonline.us",
982
975
  };
983
976
 
984
- /*! @azure/msal-common v15.2.0 2025-03-04 */
977
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
985
978
 
986
979
  /*
987
980
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1042,7 +1035,7 @@
1042
1035
  }
1043
1036
  }
1044
1037
 
1045
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1038
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1046
1039
  /*
1047
1040
  * Copyright (c) Microsoft Corporation. All rights reserved.
1048
1041
  * Licensed under the MIT License.
@@ -1057,6 +1050,24 @@
1057
1050
  // Date.getTime() returns in milliseconds.
1058
1051
  return Math.round(new Date().getTime() / 1000.0);
1059
1052
  }
1053
+ /**
1054
+ * Converts JS Date object to seconds
1055
+ * @param date Date
1056
+ */
1057
+ function toSecondsFromDate(date) {
1058
+ // Convert date to seconds
1059
+ return date.getTime() / 1000;
1060
+ }
1061
+ /**
1062
+ * Convert seconds to JS Date object. Seconds can be in a number or string format or undefined (will still return a date).
1063
+ * @param seconds
1064
+ */
1065
+ function toDateFromSeconds(seconds) {
1066
+ if (seconds) {
1067
+ return new Date(Number(seconds) * 1000);
1068
+ }
1069
+ return new Date();
1070
+ }
1060
1071
  /**
1061
1072
  * check if a token is expired based on given UTC time in seconds.
1062
1073
  * @param expiresOn
@@ -1079,7 +1090,7 @@
1079
1090
  return cachedAtSec > nowSeconds();
1080
1091
  }
1081
1092
 
1082
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1093
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1083
1094
 
1084
1095
  /*
1085
1096
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1406,7 +1417,7 @@
1406
1417
  return metadata.expiresAt <= nowSeconds();
1407
1418
  }
1408
1419
 
1409
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1420
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1410
1421
  /*
1411
1422
  * Copyright (c) Microsoft Corporation. All rights reserved.
1412
1423
  * Licensed under the MIT License.
@@ -1460,7 +1471,7 @@
1460
1471
  urlParseError: urlParseError
1461
1472
  });
1462
1473
 
1463
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1474
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1464
1475
 
1465
1476
  /*
1466
1477
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1598,7 +1609,7 @@
1598
1609
  return new ClientConfigurationError(errorCode);
1599
1610
  }
1600
1611
 
1601
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1612
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1602
1613
  /*
1603
1614
  * Copyright (c) Microsoft Corporation. All rights reserved.
1604
1615
  * Licensed under the MIT License.
@@ -1695,7 +1706,7 @@
1695
1706
  }
1696
1707
  }
1697
1708
 
1698
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1709
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1699
1710
 
1700
1711
  /*
1701
1712
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1886,7 +1897,7 @@
1886
1897
  }
1887
1898
  }
1888
1899
 
1889
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1900
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1890
1901
 
1891
1902
  /*
1892
1903
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1926,7 +1937,7 @@
1926
1937
  };
1927
1938
  }
1928
1939
 
1929
- /*! @azure/msal-common v15.2.0 2025-03-04 */
1940
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1930
1941
  /*
1931
1942
  * Copyright (c) Microsoft Corporation. All rights reserved.
1932
1943
  * Licensed under the MIT License.
@@ -2005,7 +2016,7 @@
2005
2016
  return updatedAccountInfo;
2006
2017
  }
2007
2018
 
2008
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2019
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2009
2020
  /*
2010
2021
  * Copyright (c) Microsoft Corporation. All rights reserved.
2011
2022
  * Licensed under the MIT License.
@@ -2020,7 +2031,7 @@
2020
2031
  Ciam: 3,
2021
2032
  };
2022
2033
 
2023
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2034
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2024
2035
  /*
2025
2036
  * Copyright (c) Microsoft Corporation. All rights reserved.
2026
2037
  * Licensed under the MIT License.
@@ -2042,7 +2053,7 @@
2042
2053
  return null;
2043
2054
  }
2044
2055
 
2045
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2056
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2046
2057
  /*
2047
2058
  * Copyright (c) Microsoft Corporation. All rights reserved.
2048
2059
  * Licensed under the MIT License.
@@ -2055,7 +2066,7 @@
2055
2066
  OIDC: "OIDC",
2056
2067
  };
2057
2068
 
2058
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2069
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2059
2070
 
2060
2071
  /*
2061
2072
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2298,7 +2309,7 @@
2298
2309
  }
2299
2310
  }
2300
2311
 
2301
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2312
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2302
2313
 
2303
2314
  /*
2304
2315
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2343,9 +2354,19 @@
2343
2354
  throw createClientAuthError(hashNotDeserialized);
2344
2355
  }
2345
2356
  return null;
2357
+ }
2358
+ /**
2359
+ * Utility to create a URL from the params map
2360
+ */
2361
+ function mapToQueryString(parameters) {
2362
+ const queryParameterArray = new Array();
2363
+ parameters.forEach((value, key) => {
2364
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
2365
+ });
2366
+ return queryParameterArray.join("&");
2346
2367
  }
2347
2368
 
2348
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2369
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2349
2370
 
2350
2371
  /*
2351
2372
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2509,7 +2530,7 @@
2509
2530
  }
2510
2531
  }
2511
2532
 
2512
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2533
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2513
2534
 
2514
2535
  /*
2515
2536
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2649,7 +2670,7 @@
2649
2670
  return null;
2650
2671
  }
2651
2672
 
2652
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2673
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2653
2674
  /*
2654
2675
  * Copyright (c) Microsoft Corporation. All rights reserved.
2655
2676
  * Licensed under the MIT License.
@@ -2657,7 +2678,7 @@
2657
2678
  const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
2658
2679
  const cacheUnknownErrorCode = "cache_error_unknown";
2659
2680
 
2660
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2681
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2661
2682
 
2662
2683
  /*
2663
2684
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2684,7 +2705,7 @@
2684
2705
  }
2685
2706
  }
2686
2707
 
2687
- /*! @azure/msal-common v15.2.0 2025-03-04 */
2708
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2688
2709
 
2689
2710
  /*
2690
2711
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3869,7 +3890,7 @@
3869
3890
  }
3870
3891
  }
3871
3892
 
3872
- /*! @azure/msal-common v15.2.0 2025-03-04 */
3893
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3873
3894
 
3874
3895
  /*
3875
3896
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3968,7 +3989,7 @@
3968
3989
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3969
3990
  }
3970
3991
 
3971
- /*! @azure/msal-common v15.2.0 2025-03-04 */
3992
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3972
3993
  /*
3973
3994
  * Copyright (c) Microsoft Corporation. All rights reserved.
3974
3995
  * Licensed under the MIT License.
@@ -3978,7 +3999,7 @@
3978
3999
  UPN: "UPN",
3979
4000
  };
3980
4001
 
3981
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4002
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3982
4003
  /*
3983
4004
  * Copyright (c) Microsoft Corporation. All rights reserved.
3984
4005
  * Licensed under the MIT License.
@@ -4010,14 +4031,11 @@
4010
4031
  const X_APP_VER = "x-app-ver";
4011
4032
  const POST_LOGOUT_URI = "post_logout_redirect_uri";
4012
4033
  const ID_TOKEN_HINT = "id_token_hint";
4013
- const DEVICE_CODE = "device_code";
4014
4034
  const CLIENT_SECRET = "client_secret";
4015
4035
  const CLIENT_ASSERTION = "client_assertion";
4016
4036
  const CLIENT_ASSERTION_TYPE = "client_assertion_type";
4017
4037
  const TOKEN_TYPE = "token_type";
4018
4038
  const REQ_CNF = "req_cnf";
4019
- const OBO_ASSERTION = "assertion";
4020
- const REQUESTED_TOKEN_USE = "requested_token_use";
4021
4039
  const RETURN_SPA_CODE = "return_spa_code";
4022
4040
  const NATIVE_BROKER = "nativebroker";
4023
4041
  const LOGOUT_HINT = "logout_hint";
@@ -4026,76 +4044,10 @@
4026
4044
  const DOMAIN_HINT = "domain_hint";
4027
4045
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
4028
4046
  const BROKER_CLIENT_ID = "brk_client_id";
4029
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
4030
-
4031
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4032
-
4033
- /*
4034
- * Copyright (c) Microsoft Corporation. All rights reserved.
4035
- * Licensed under the MIT License.
4036
- */
4037
- /**
4038
- * Validates server consumable params from the "request" objects
4039
- */
4040
- class RequestValidator {
4041
- /**
4042
- * Utility to check if the `redirectUri` in the request is a non-null value
4043
- * @param redirectUri
4044
- */
4045
- static validateRedirectUri(redirectUri) {
4046
- if (!redirectUri) {
4047
- throw createClientConfigurationError(redirectUriEmpty);
4048
- }
4049
- }
4050
- /**
4051
- * Utility to validate prompt sent by the user in the request
4052
- * @param prompt
4053
- */
4054
- static validatePrompt(prompt) {
4055
- const promptValues = [];
4056
- for (const value in PromptValue) {
4057
- promptValues.push(PromptValue[value]);
4058
- }
4059
- if (promptValues.indexOf(prompt) < 0) {
4060
- throw createClientConfigurationError(invalidPromptValue);
4061
- }
4062
- }
4063
- static validateClaims(claims) {
4064
- try {
4065
- JSON.parse(claims);
4066
- }
4067
- catch (e) {
4068
- throw createClientConfigurationError(invalidClaims);
4069
- }
4070
- }
4071
- /**
4072
- * Utility to validate code_challenge and code_challenge_method
4073
- * @param codeChallenge
4074
- * @param codeChallengeMethod
4075
- */
4076
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4077
- if (!codeChallenge || !codeChallengeMethod) {
4078
- throw createClientConfigurationError(pkceParamsMissing);
4079
- }
4080
- else {
4081
- this.validateCodeChallengeMethod(codeChallengeMethod);
4082
- }
4083
- }
4084
- /**
4085
- * Utility to validate code_challenge_method
4086
- * @param codeChallengeMethod
4087
- */
4088
- static validateCodeChallengeMethod(codeChallengeMethod) {
4089
- if ([
4090
- CodeChallengeMethodValues.PLAIN,
4091
- CodeChallengeMethodValues.S256,
4092
- ].indexOf(codeChallengeMethod) < 0) {
4093
- throw createClientConfigurationError(invalidCodeChallengeMethod);
4094
- }
4095
- }
4096
- }
4047
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
4048
+ const INSTANCE_AWARE = "instance_aware";
4097
4049
 
4098
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4050
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4099
4051
 
4100
4052
  /*
4101
4053
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4113,397 +4065,344 @@
4113
4065
  }, correlationId);
4114
4066
  }
4115
4067
  }
4116
- /** @internal */
4117
- class RequestParameterBuilder {
4118
- constructor(correlationId, performanceClient) {
4119
- this.parameters = new Map();
4120
- this.performanceClient = performanceClient;
4121
- this.correlationId = correlationId;
4122
- }
4123
- /**
4124
- * add response_type = code
4125
- */
4126
- addResponseTypeCode() {
4127
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
4128
- }
4129
- /**
4130
- * add response_type = token id_token
4131
- */
4132
- addResponseTypeForTokenAndIdToken() {
4133
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
4134
- }
4135
- /**
4136
- * add response_mode. defaults to query.
4137
- * @param responseMode
4138
- */
4139
- addResponseMode(responseMode) {
4140
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
4141
- }
4142
- /**
4143
- * Add flag to indicate STS should attempt to use WAM if available
4144
- */
4145
- addNativeBroker() {
4146
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
4147
- }
4148
- /**
4149
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4150
- * @param scopeSet
4151
- * @param addOidcScopes
4152
- */
4153
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4154
- // Always add openid to the scopes when adding OIDC scopes
4155
- if (addOidcScopes &&
4156
- !defaultScopes.includes("openid") &&
4157
- !scopes.includes("openid")) {
4158
- defaultScopes.push("openid");
4159
- }
4160
- const requestScopes = addOidcScopes
4161
- ? [...(scopes || []), ...defaultScopes]
4162
- : scopes || [];
4163
- const scopeSet = new ScopeSet(requestScopes);
4164
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
4068
+ /**
4069
+ * add response_type = code
4070
+ */
4071
+ function addResponseTypeCode(parameters) {
4072
+ parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
4073
+ }
4074
+ /**
4075
+ * add response_mode. defaults to query.
4076
+ * @param responseMode
4077
+ */
4078
+ function addResponseMode(parameters, responseMode) {
4079
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
4080
+ }
4081
+ /**
4082
+ * Add flag to indicate STS should attempt to use WAM if available
4083
+ */
4084
+ function addNativeBroker(parameters) {
4085
+ parameters.set(NATIVE_BROKER, "1");
4086
+ }
4087
+ /**
4088
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4089
+ * @param scopeSet
4090
+ * @param addOidcScopes
4091
+ */
4092
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4093
+ // Always add openid to the scopes when adding OIDC scopes
4094
+ if (addOidcScopes &&
4095
+ !defaultScopes.includes("openid") &&
4096
+ !scopes.includes("openid")) {
4097
+ defaultScopes.push("openid");
4098
+ }
4099
+ const requestScopes = addOidcScopes
4100
+ ? [...(scopes || []), ...defaultScopes]
4101
+ : scopes || [];
4102
+ const scopeSet = new ScopeSet(requestScopes);
4103
+ parameters.set(SCOPE, scopeSet.printScopes());
4104
+ }
4105
+ /**
4106
+ * add clientId
4107
+ * @param clientId
4108
+ */
4109
+ function addClientId(parameters, clientId) {
4110
+ parameters.set(CLIENT_ID, clientId);
4111
+ }
4112
+ /**
4113
+ * add redirect_uri
4114
+ * @param redirectUri
4115
+ */
4116
+ function addRedirectUri(parameters, redirectUri) {
4117
+ parameters.set(REDIRECT_URI, redirectUri);
4118
+ }
4119
+ /**
4120
+ * add post logout redirectUri
4121
+ * @param redirectUri
4122
+ */
4123
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
4124
+ parameters.set(POST_LOGOUT_URI, redirectUri);
4125
+ }
4126
+ /**
4127
+ * add id_token_hint to logout request
4128
+ * @param idTokenHint
4129
+ */
4130
+ function addIdTokenHint(parameters, idTokenHint) {
4131
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
4132
+ }
4133
+ /**
4134
+ * add domain_hint
4135
+ * @param domainHint
4136
+ */
4137
+ function addDomainHint(parameters, domainHint) {
4138
+ parameters.set(DOMAIN_HINT, domainHint);
4139
+ }
4140
+ /**
4141
+ * add login_hint
4142
+ * @param loginHint
4143
+ */
4144
+ function addLoginHint(parameters, loginHint) {
4145
+ parameters.set(LOGIN_HINT, loginHint);
4146
+ }
4147
+ /**
4148
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
4149
+ * @param loginHint
4150
+ */
4151
+ function addCcsUpn(parameters, loginHint) {
4152
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
4153
+ }
4154
+ /**
4155
+ * Adds the CCS (Cache Credential Service) query parameter for account object
4156
+ * @param loginHint
4157
+ */
4158
+ function addCcsOid(parameters, clientInfo) {
4159
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
4160
+ }
4161
+ /**
4162
+ * add sid
4163
+ * @param sid
4164
+ */
4165
+ function addSid(parameters, sid) {
4166
+ parameters.set(SID, sid);
4167
+ }
4168
+ /**
4169
+ * add claims
4170
+ * @param claims
4171
+ */
4172
+ function addClaims(parameters, claims, clientCapabilities) {
4173
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
4174
+ try {
4175
+ JSON.parse(mergedClaims);
4165
4176
  }
4166
- /**
4167
- * add clientId
4168
- * @param clientId
4169
- */
4170
- addClientId(clientId) {
4171
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
4177
+ catch (e) {
4178
+ throw createClientConfigurationError(invalidClaims);
4172
4179
  }
4173
- /**
4174
- * add redirect_uri
4175
- * @param redirectUri
4176
- */
4177
- addRedirectUri(redirectUri) {
4178
- RequestValidator.validateRedirectUri(redirectUri);
4179
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
4180
+ parameters.set(CLAIMS, mergedClaims);
4181
+ }
4182
+ /**
4183
+ * add correlationId
4184
+ * @param correlationId
4185
+ */
4186
+ function addCorrelationId(parameters, correlationId) {
4187
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
4188
+ }
4189
+ /**
4190
+ * add library info query params
4191
+ * @param libraryInfo
4192
+ */
4193
+ function addLibraryInfo(parameters, libraryInfo) {
4194
+ // Telemetry Info
4195
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4196
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
4197
+ if (libraryInfo.os) {
4198
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
4180
4199
  }
4181
- /**
4182
- * add post logout redirectUri
4183
- * @param redirectUri
4184
- */
4185
- addPostLogoutRedirectUri(redirectUri) {
4186
- RequestValidator.validateRedirectUri(redirectUri);
4187
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
4200
+ if (libraryInfo.cpu) {
4201
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4188
4202
  }
4189
- /**
4190
- * add id_token_hint to logout request
4191
- * @param idTokenHint
4192
- */
4193
- addIdTokenHint(idTokenHint) {
4194
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
4203
+ }
4204
+ /**
4205
+ * Add client telemetry parameters
4206
+ * @param appTelemetry
4207
+ */
4208
+ function addApplicationTelemetry(parameters, appTelemetry) {
4209
+ if (appTelemetry?.appName) {
4210
+ parameters.set(X_APP_NAME, appTelemetry.appName);
4195
4211
  }
4196
- /**
4197
- * add domain_hint
4198
- * @param domainHint
4199
- */
4200
- addDomainHint(domainHint) {
4201
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
4212
+ if (appTelemetry?.appVersion) {
4213
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
4202
4214
  }
4203
- /**
4204
- * add login_hint
4205
- * @param loginHint
4206
- */
4207
- addLoginHint(loginHint) {
4208
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
4215
+ }
4216
+ /**
4217
+ * add prompt
4218
+ * @param prompt
4219
+ */
4220
+ function addPrompt(parameters, prompt) {
4221
+ parameters.set(PROMPT, prompt);
4222
+ }
4223
+ /**
4224
+ * add state
4225
+ * @param state
4226
+ */
4227
+ function addState(parameters, state) {
4228
+ if (state) {
4229
+ parameters.set(STATE, state);
4209
4230
  }
4210
- /**
4211
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
4212
- * @param loginHint
4213
- */
4214
- addCcsUpn(loginHint) {
4215
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
4231
+ }
4232
+ /**
4233
+ * add nonce
4234
+ * @param nonce
4235
+ */
4236
+ function addNonce(parameters, nonce) {
4237
+ parameters.set(NONCE, nonce);
4238
+ }
4239
+ /**
4240
+ * add code_challenge and code_challenge_method
4241
+ * - throw if either of them are not passed
4242
+ * @param codeChallenge
4243
+ * @param codeChallengeMethod
4244
+ */
4245
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
4246
+ if (codeChallenge && codeChallengeMethod) {
4247
+ parameters.set(CODE_CHALLENGE, codeChallenge);
4248
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
4216
4249
  }
4217
- /**
4218
- * Adds the CCS (Cache Credential Service) query parameter for account object
4219
- * @param loginHint
4220
- */
4221
- addCcsOid(clientInfo) {
4222
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
4250
+ else {
4251
+ throw createClientConfigurationError(pkceParamsMissing);
4223
4252
  }
4224
- /**
4225
- * add sid
4226
- * @param sid
4227
- */
4228
- addSid(sid) {
4229
- this.parameters.set(SID, encodeURIComponent(sid));
4253
+ }
4254
+ /**
4255
+ * add the `authorization_code` passed by the user to exchange for a token
4256
+ * @param code
4257
+ */
4258
+ function addAuthorizationCode(parameters, code) {
4259
+ parameters.set(CODE, code);
4260
+ }
4261
+ /**
4262
+ * add the `refreshToken` passed by the user
4263
+ * @param refreshToken
4264
+ */
4265
+ function addRefreshToken(parameters, refreshToken) {
4266
+ parameters.set(REFRESH_TOKEN, refreshToken);
4267
+ }
4268
+ /**
4269
+ * add the `code_verifier` passed by the user to exchange for a token
4270
+ * @param codeVerifier
4271
+ */
4272
+ function addCodeVerifier(parameters, codeVerifier) {
4273
+ parameters.set(CODE_VERIFIER, codeVerifier);
4274
+ }
4275
+ /**
4276
+ * add client_secret
4277
+ * @param clientSecret
4278
+ */
4279
+ function addClientSecret(parameters, clientSecret) {
4280
+ parameters.set(CLIENT_SECRET, clientSecret);
4281
+ }
4282
+ /**
4283
+ * add clientAssertion for confidential client flows
4284
+ * @param clientAssertion
4285
+ */
4286
+ function addClientAssertion(parameters, clientAssertion) {
4287
+ if (clientAssertion) {
4288
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
4230
4289
  }
4231
- /**
4232
- * add claims
4233
- * @param claims
4234
- */
4235
- addClaims(claims, clientCapabilities) {
4236
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
4237
- RequestValidator.validateClaims(mergedClaims);
4238
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
4290
+ }
4291
+ /**
4292
+ * add clientAssertionType for confidential client flows
4293
+ * @param clientAssertionType
4294
+ */
4295
+ function addClientAssertionType(parameters, clientAssertionType) {
4296
+ if (clientAssertionType) {
4297
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
4239
4298
  }
4240
- /**
4241
- * add correlationId
4242
- * @param correlationId
4243
- */
4244
- addCorrelationId(correlationId) {
4245
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
4299
+ }
4300
+ /**
4301
+ * add grant type
4302
+ * @param grantType
4303
+ */
4304
+ function addGrantType(parameters, grantType) {
4305
+ parameters.set(GRANT_TYPE, grantType);
4306
+ }
4307
+ /**
4308
+ * add client info
4309
+ *
4310
+ */
4311
+ function addClientInfo(parameters) {
4312
+ parameters.set(CLIENT_INFO, "1");
4313
+ }
4314
+ function addInstanceAware(parameters) {
4315
+ if (!parameters.has(INSTANCE_AWARE)) {
4316
+ parameters.set(INSTANCE_AWARE, "true");
4246
4317
  }
4247
- /**
4248
- * add library info query params
4249
- * @param libraryInfo
4250
- */
4251
- addLibraryInfo(libraryInfo) {
4252
- // Telemetry Info
4253
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4254
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
4255
- if (libraryInfo.os) {
4256
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
4257
- }
4258
- if (libraryInfo.cpu) {
4259
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4318
+ }
4319
+ /**
4320
+ * add extraQueryParams
4321
+ * @param eQParams
4322
+ */
4323
+ function addExtraQueryParameters(parameters, eQParams) {
4324
+ Object.entries(eQParams).forEach(([key, value]) => {
4325
+ if (!parameters.has(key) && value) {
4326
+ parameters.set(key, value);
4260
4327
  }
4328
+ });
4329
+ }
4330
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
4331
+ let mergedClaims;
4332
+ // Parse provided claims into JSON object or initialize empty object
4333
+ if (!claims) {
4334
+ mergedClaims = {};
4261
4335
  }
4262
- /**
4263
- * Add client telemetry parameters
4264
- * @param appTelemetry
4265
- */
4266
- addApplicationTelemetry(appTelemetry) {
4267
- if (appTelemetry?.appName) {
4268
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
4336
+ else {
4337
+ try {
4338
+ mergedClaims = JSON.parse(claims);
4269
4339
  }
4270
- if (appTelemetry?.appVersion) {
4271
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
4340
+ catch (e) {
4341
+ throw createClientConfigurationError(invalidClaims);
4272
4342
  }
4273
4343
  }
4274
- /**
4275
- * add prompt
4276
- * @param prompt
4277
- */
4278
- addPrompt(prompt) {
4279
- RequestValidator.validatePrompt(prompt);
4280
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
4281
- }
4282
- /**
4283
- * add state
4284
- * @param state
4285
- */
4286
- addState(state) {
4287
- if (state) {
4288
- this.parameters.set(STATE, encodeURIComponent(state));
4344
+ if (clientCapabilities && clientCapabilities.length > 0) {
4345
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4346
+ // Add access_token key to claims object
4347
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4289
4348
  }
4349
+ // Add xms_cc claim with provided clientCapabilities to access_token key
4350
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
4351
+ {
4352
+ values: clientCapabilities,
4353
+ };
4290
4354
  }
4291
- /**
4292
- * add nonce
4293
- * @param nonce
4294
- */
4295
- addNonce(nonce) {
4296
- this.parameters.set(NONCE, encodeURIComponent(nonce));
4355
+ return JSON.stringify(mergedClaims);
4356
+ }
4357
+ /**
4358
+ * add pop_jwk to query params
4359
+ * @param cnfString
4360
+ */
4361
+ function addPopToken(parameters, cnfString) {
4362
+ if (cnfString) {
4363
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4364
+ parameters.set(REQ_CNF, cnfString);
4297
4365
  }
4298
- /**
4299
- * add code_challenge and code_challenge_method
4300
- * - throw if either of them are not passed
4301
- * @param codeChallenge
4302
- * @param codeChallengeMethod
4303
- */
4304
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4305
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
4306
- if (codeChallenge && codeChallengeMethod) {
4307
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
4308
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
4309
- }
4310
- else {
4311
- throw createClientConfigurationError(pkceParamsMissing);
4312
- }
4313
- }
4314
- /**
4315
- * add the `authorization_code` passed by the user to exchange for a token
4316
- * @param code
4317
- */
4318
- addAuthorizationCode(code) {
4319
- this.parameters.set(CODE, encodeURIComponent(code));
4320
- }
4321
- /**
4322
- * add the `authorization_code` passed by the user to exchange for a token
4323
- * @param code
4324
- */
4325
- addDeviceCode(code) {
4326
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
4327
- }
4328
- /**
4329
- * add the `refreshToken` passed by the user
4330
- * @param refreshToken
4331
- */
4332
- addRefreshToken(refreshToken) {
4333
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
4334
- }
4335
- /**
4336
- * add the `code_verifier` passed by the user to exchange for a token
4337
- * @param codeVerifier
4338
- */
4339
- addCodeVerifier(codeVerifier) {
4340
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
4341
- }
4342
- /**
4343
- * add client_secret
4344
- * @param clientSecret
4345
- */
4346
- addClientSecret(clientSecret) {
4347
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
4348
- }
4349
- /**
4350
- * add clientAssertion for confidential client flows
4351
- * @param clientAssertion
4352
- */
4353
- addClientAssertion(clientAssertion) {
4354
- if (clientAssertion) {
4355
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
4356
- }
4357
- }
4358
- /**
4359
- * add clientAssertionType for confidential client flows
4360
- * @param clientAssertionType
4361
- */
4362
- addClientAssertionType(clientAssertionType) {
4363
- if (clientAssertionType) {
4364
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
4365
- }
4366
- }
4367
- /**
4368
- * add OBO assertion for confidential client flows
4369
- * @param clientAssertion
4370
- */
4371
- addOboAssertion(oboAssertion) {
4372
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
4373
- }
4374
- /**
4375
- * add grant type
4376
- * @param grantType
4377
- */
4378
- addRequestTokenUse(tokenUse) {
4379
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
4380
- }
4381
- /**
4382
- * add grant type
4383
- * @param grantType
4384
- */
4385
- addGrantType(grantType) {
4386
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
4387
- }
4388
- /**
4389
- * add client info
4390
- *
4391
- */
4392
- addClientInfo() {
4393
- this.parameters.set(CLIENT_INFO, "1");
4394
- }
4395
- /**
4396
- * add extraQueryParams
4397
- * @param eQParams
4398
- */
4399
- addExtraQueryParameters(eQParams) {
4400
- Object.entries(eQParams).forEach(([key, value]) => {
4401
- if (!this.parameters.has(key) && value) {
4402
- this.parameters.set(key, value);
4403
- }
4404
- });
4405
- }
4406
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
4407
- let mergedClaims;
4408
- // Parse provided claims into JSON object or initialize empty object
4409
- if (!claims) {
4410
- mergedClaims = {};
4411
- }
4412
- else {
4413
- try {
4414
- mergedClaims = JSON.parse(claims);
4415
- }
4416
- catch (e) {
4417
- throw createClientConfigurationError(invalidClaims);
4418
- }
4419
- }
4420
- if (clientCapabilities && clientCapabilities.length > 0) {
4421
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4422
- // Add access_token key to claims object
4423
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4424
- }
4425
- // Add xms_cc claim with provided clientCapabilities to access_token key
4426
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
4427
- values: clientCapabilities,
4428
- };
4429
- }
4430
- return JSON.stringify(mergedClaims);
4431
- }
4432
- /**
4433
- * adds `username` for Password Grant flow
4434
- * @param username
4435
- */
4436
- addUsername(username) {
4437
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
4438
- }
4439
- /**
4440
- * adds `password` for Password Grant flow
4441
- * @param password
4442
- */
4443
- addPassword(password) {
4444
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
4445
- }
4446
- /**
4447
- * add pop_jwk to query params
4448
- * @param cnfString
4449
- */
4450
- addPopToken(cnfString) {
4451
- if (cnfString) {
4452
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4453
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
4454
- }
4455
- }
4456
- /**
4457
- * add SSH JWK and key ID to query params
4458
- */
4459
- addSshJwk(sshJwkString) {
4460
- if (sshJwkString) {
4461
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4462
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
4463
- }
4464
- }
4465
- /**
4466
- * add server telemetry fields
4467
- * @param serverTelemetryManager
4468
- */
4469
- addServerTelemetry(serverTelemetryManager) {
4470
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4471
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4472
- }
4473
- /**
4474
- * Adds parameter that indicates to the server that throttling is supported
4475
- */
4476
- addThrottling() {
4477
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4478
- }
4479
- /**
4480
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
4481
- */
4482
- addLogoutHint(logoutHint) {
4483
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
4366
+ }
4367
+ /**
4368
+ * add SSH JWK and key ID to query params
4369
+ */
4370
+ function addSshJwk(parameters, sshJwkString) {
4371
+ if (sshJwkString) {
4372
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4373
+ parameters.set(REQ_CNF, sshJwkString);
4484
4374
  }
4485
- addBrokerParameters(params) {
4486
- const brokerParams = {};
4487
- brokerParams[BROKER_CLIENT_ID] =
4488
- params.brokerClientId;
4489
- brokerParams[BROKER_REDIRECT_URI] =
4490
- params.brokerRedirectUri;
4491
- this.addExtraQueryParameters(brokerParams);
4375
+ }
4376
+ /**
4377
+ * add server telemetry fields
4378
+ * @param serverTelemetryManager
4379
+ */
4380
+ function addServerTelemetry(parameters, serverTelemetryManager) {
4381
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4382
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4383
+ }
4384
+ /**
4385
+ * Adds parameter that indicates to the server that throttling is supported
4386
+ */
4387
+ function addThrottling(parameters) {
4388
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4389
+ }
4390
+ /**
4391
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
4392
+ */
4393
+ function addLogoutHint(parameters, logoutHint) {
4394
+ parameters.set(LOGOUT_HINT, logoutHint);
4395
+ }
4396
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
4397
+ if (!parameters.has(BROKER_CLIENT_ID)) {
4398
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
4492
4399
  }
4493
- /**
4494
- * Utility to create a URL from the params map
4495
- */
4496
- createQueryString() {
4497
- const queryParameterArray = new Array();
4498
- this.parameters.forEach((value, key) => {
4499
- queryParameterArray.push(`${key}=${value}`);
4500
- });
4501
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
4502
- return queryParameterArray.join("&");
4400
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
4401
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
4503
4402
  }
4504
4403
  }
4505
4404
 
4506
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4405
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4507
4406
  /*
4508
4407
  * Copyright (c) Microsoft Corporation. All rights reserved.
4509
4408
  * Licensed under the MIT License.
@@ -4515,7 +4414,7 @@
4515
4414
  response.hasOwnProperty("jwks_uri"));
4516
4415
  }
4517
4416
 
4518
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4417
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4519
4418
  /*
4520
4419
  * Copyright (c) Microsoft Corporation. All rights reserved.
4521
4420
  * Licensed under the MIT License.
@@ -4525,7 +4424,7 @@
4525
4424
  response.hasOwnProperty("metadata"));
4526
4425
  }
4527
4426
 
4528
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4427
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4529
4428
  /*
4530
4429
  * Copyright (c) Microsoft Corporation. All rights reserved.
4531
4430
  * Licensed under the MIT License.
@@ -4535,7 +4434,7 @@
4535
4434
  response.hasOwnProperty("error_description"));
4536
4435
  }
4537
4436
 
4538
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4437
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4539
4438
  /*
4540
4439
  * Copyright (c) Microsoft Corporation. All rights reserved.
4541
4440
  * Licensed under the MIT License.
@@ -4711,11 +4610,11 @@
4711
4610
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
4712
4611
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
4713
4612
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
4714
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
4715
4613
  /**
4716
4614
  * getAuthCodeUrl API (msal-browser and msal-node).
4717
4615
  */
4718
4616
  GetAuthCodeUrl: "getAuthCodeUrl",
4617
+ GetStandardParams: "getStandardParams",
4719
4618
  /**
4720
4619
  * Functions from InteractionHandler (msal-browser)
4721
4620
  */
@@ -4728,7 +4627,6 @@
4728
4627
  AuthClientAcquireToken: "authClientAcquireToken",
4729
4628
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
4730
4629
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
4731
- AuthClientCreateQueryString: "authClientCreateQueryString",
4732
4630
  /**
4733
4631
  * Generate functions in PopTokenGenerator (msal-common)
4734
4632
  */
@@ -4899,10 +4797,6 @@
4899
4797
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
4900
4798
  "StdIntClientInitAuthReq",
4901
4799
  ],
4902
- [
4903
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
4904
- "StdIntClientInitAuthCodeReq",
4905
- ],
4906
4800
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
4907
4801
  [
4908
4802
  PerformanceEvents.HandleCodeResponseFromServer,
@@ -4916,10 +4810,6 @@
4916
4810
  PerformanceEvents.AuthClientCreateTokenRequestBody,
4917
4811
  "AuthClientCreateTReqBody",
4918
4812
  ],
4919
- [
4920
- PerformanceEvents.AuthClientCreateQueryString,
4921
- "AuthClientCreateQueryStr",
4922
- ],
4923
4813
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
4924
4814
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
4925
4815
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -5044,7 +4934,7 @@
5044
4934
  "encryptedCacheExpiredCount",
5045
4935
  ]);
5046
4936
 
5047
- /*! @azure/msal-common v15.2.0 2025-03-04 */
4937
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5048
4938
  /*
5049
4939
  * Copyright (c) Microsoft Corporation. All rights reserved.
5050
4940
  * Licensed under the MIT License.
@@ -5140,7 +5030,7 @@
5140
5030
  };
5141
5031
  };
5142
5032
 
5143
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5033
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5144
5034
 
5145
5035
  /*
5146
5036
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5249,7 +5139,7 @@
5249
5139
  },
5250
5140
  };
5251
5141
 
5252
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5142
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5253
5143
 
5254
5144
  /*
5255
5145
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6088,7 +5978,7 @@
6088
5978
  };
6089
5979
  }
6090
5980
 
6091
- /*! @azure/msal-common v15.2.0 2025-03-04 */
5981
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6092
5982
 
6093
5983
  /*
6094
5984
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6119,7 +6009,7 @@
6119
6009
  }
6120
6010
  }
6121
6011
 
6122
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6012
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6123
6013
 
6124
6014
  /*
6125
6015
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6138,7 +6028,28 @@
6138
6028
  }
6139
6029
  }
6140
6030
 
6141
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6031
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6032
+ /*
6033
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6034
+ * Licensed under the MIT License.
6035
+ */
6036
+ function getRequestThumbprint(clientId, request, homeAccountId) {
6037
+ return {
6038
+ clientId: clientId,
6039
+ authority: request.authority,
6040
+ scopes: request.scopes,
6041
+ homeAccountIdentifier: homeAccountId,
6042
+ claims: request.claims,
6043
+ authenticationScheme: request.authenticationScheme,
6044
+ resourceRequestMethod: request.resourceRequestMethod,
6045
+ resourceRequestUri: request.resourceRequestUri,
6046
+ shrClaims: request.shrClaims,
6047
+ sshKid: request.sshKid,
6048
+ embeddedClientId: request.embeddedClientId || request.tokenBodyParameters?.clientId,
6049
+ };
6050
+ }
6051
+
6052
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6142
6053
 
6143
6054
  /*
6144
6055
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6219,24 +6130,13 @@
6219
6130
  ThrottlingConstants.DEFAULT_MAX_THROTTLE_TIME_SECONDS) * 1000);
6220
6131
  }
6221
6132
  static removeThrottle(cacheManager, clientId, request, homeAccountIdentifier) {
6222
- const thumbprint = {
6223
- clientId: clientId,
6224
- authority: request.authority,
6225
- scopes: request.scopes,
6226
- homeAccountIdentifier: homeAccountIdentifier,
6227
- claims: request.claims,
6228
- authenticationScheme: request.authenticationScheme,
6229
- resourceRequestMethod: request.resourceRequestMethod,
6230
- resourceRequestUri: request.resourceRequestUri,
6231
- shrClaims: request.shrClaims,
6232
- sshKid: request.sshKid,
6233
- };
6133
+ const thumbprint = getRequestThumbprint(clientId, request, homeAccountIdentifier);
6234
6134
  const key = this.generateThrottlingStorageKey(thumbprint);
6235
6135
  cacheManager.removeItem(key);
6236
6136
  }
6237
6137
  }
6238
6138
 
6239
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6139
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6240
6140
 
6241
6141
  /*
6242
6142
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6266,7 +6166,7 @@
6266
6166
  return new NetworkError(error, httpStatus, responseHeaders);
6267
6167
  }
6268
6168
 
6269
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6169
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6270
6170
 
6271
6171
  /*
6272
6172
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6401,22 +6301,20 @@
6401
6301
  * @param request
6402
6302
  */
6403
6303
  createTokenQueryParameters(request) {
6404
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6304
+ const parameters = new Map();
6405
6305
  if (request.embeddedClientId) {
6406
- parameterBuilder.addBrokerParameters({
6407
- brokerClientId: this.config.authOptions.clientId,
6408
- brokerRedirectUri: this.config.authOptions.redirectUri,
6409
- });
6306
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6410
6307
  }
6411
6308
  if (request.tokenQueryParameters) {
6412
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6309
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6413
6310
  }
6414
- parameterBuilder.addCorrelationId(request.correlationId);
6415
- return parameterBuilder.createQueryString();
6311
+ addCorrelationId(parameters, request.correlationId);
6312
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6313
+ return mapToQueryString(parameters);
6416
6314
  }
6417
6315
  }
6418
6316
 
6419
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6317
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6420
6318
  /*
6421
6319
  * Copyright (c) Microsoft Corporation. All rights reserved.
6422
6320
  * Licensed under the MIT License.
@@ -6442,7 +6340,7 @@
6442
6340
  refreshTokenExpired: refreshTokenExpired
6443
6341
  });
6444
6342
 
6445
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6343
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6446
6344
 
6447
6345
  /*
6448
6346
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6530,7 +6428,7 @@
6530
6428
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6531
6429
  }
6532
6430
 
6533
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6431
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6534
6432
 
6535
6433
  /*
6536
6434
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6602,7 +6500,7 @@
6602
6500
  }
6603
6501
  }
6604
6502
 
6605
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6503
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6606
6504
 
6607
6505
  /*
6608
6506
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6686,7 +6584,7 @@
6686
6584
  }
6687
6585
  }
6688
6586
 
6689
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6587
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6690
6588
  /*
6691
6589
  * Copyright (c) Microsoft Corporation. All rights reserved.
6692
6590
  * Licensed under the MIT License.
@@ -6713,19 +6611,12 @@
6713
6611
  }
6714
6612
  }
6715
6613
 
6716
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6614
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6717
6615
 
6718
6616
  /*
6719
6617
  * Copyright (c) Microsoft Corporation. All rights reserved.
6720
6618
  * Licensed under the MIT License.
6721
6619
  */
6722
- function parseServerErrorNo(serverResponse) {
6723
- const errorCodePrefix = "code=";
6724
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6725
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6726
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6727
- : undefined;
6728
- }
6729
6620
  /**
6730
6621
  * Class that handles response parsing.
6731
6622
  * @internal
@@ -6740,46 +6631,6 @@
6740
6631
  this.persistencePlugin = persistencePlugin;
6741
6632
  this.performanceClient = performanceClient;
6742
6633
  }
6743
- /**
6744
- * Function which validates server authorization code response.
6745
- * @param serverResponseHash
6746
- * @param requestState
6747
- * @param cryptoObj
6748
- */
6749
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6750
- if (!serverResponse.state || !requestState) {
6751
- throw serverResponse.state
6752
- ? createClientAuthError(stateNotFound, "Cached State")
6753
- : createClientAuthError(stateNotFound, "Server State");
6754
- }
6755
- let decodedServerResponseState;
6756
- let decodedRequestState;
6757
- try {
6758
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6759
- }
6760
- catch (e) {
6761
- throw createClientAuthError(invalidState, serverResponse.state);
6762
- }
6763
- try {
6764
- decodedRequestState = decodeURIComponent(requestState);
6765
- }
6766
- catch (e) {
6767
- throw createClientAuthError(invalidState, serverResponse.state);
6768
- }
6769
- if (decodedServerResponseState !== decodedRequestState) {
6770
- throw createClientAuthError(stateMismatch);
6771
- }
6772
- // Check for error
6773
- if (serverResponse.error ||
6774
- serverResponse.error_description ||
6775
- serverResponse.suberror) {
6776
- const serverErrorNo = parseServerErrorNo(serverResponse);
6777
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6778
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6779
- }
6780
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6781
- }
6782
- }
6783
6634
  /**
6784
6635
  * Function which validates server authorization token response.
6785
6636
  * @param serverResponse
@@ -7005,10 +6856,11 @@
7005
6856
  accessToken = cacheRecord.accessToken.secret;
7006
6857
  }
7007
6858
  responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
7008
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
7009
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
6859
+ // Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
6860
+ expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
6861
+ extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
7010
6862
  if (cacheRecord.accessToken.refreshOn) {
7011
- refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
6863
+ refreshOn = toDateFromSeconds(cacheRecord.accessToken.refreshOn);
7012
6864
  }
7013
6865
  }
7014
6866
  if (cacheRecord.appMetadata) {
@@ -7090,7 +6942,74 @@
7090
6942
  return baseAccount;
7091
6943
  }
7092
6944
 
7093
- /*! @azure/msal-common v15.2.0 2025-03-04 */
6945
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6946
+
6947
+ /*
6948
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6949
+ * Licensed under the MIT License.
6950
+ */
6951
+ /**
6952
+ * Validates server consumable params from the "request" objects
6953
+ */
6954
+ class RequestValidator {
6955
+ /**
6956
+ * Utility to check if the `redirectUri` in the request is a non-null value
6957
+ * @param redirectUri
6958
+ */
6959
+ static validateRedirectUri(redirectUri) {
6960
+ if (!redirectUri) {
6961
+ throw createClientConfigurationError(redirectUriEmpty);
6962
+ }
6963
+ }
6964
+ /**
6965
+ * Utility to validate prompt sent by the user in the request
6966
+ * @param prompt
6967
+ */
6968
+ static validatePrompt(prompt) {
6969
+ const promptValues = [];
6970
+ for (const value in PromptValue) {
6971
+ promptValues.push(PromptValue[value]);
6972
+ }
6973
+ if (promptValues.indexOf(prompt) < 0) {
6974
+ throw createClientConfigurationError(invalidPromptValue);
6975
+ }
6976
+ }
6977
+ static validateClaims(claims) {
6978
+ try {
6979
+ JSON.parse(claims);
6980
+ }
6981
+ catch (e) {
6982
+ throw createClientConfigurationError(invalidClaims);
6983
+ }
6984
+ }
6985
+ /**
6986
+ * Utility to validate code_challenge and code_challenge_method
6987
+ * @param codeChallenge
6988
+ * @param codeChallengeMethod
6989
+ */
6990
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6991
+ if (!codeChallenge || !codeChallengeMethod) {
6992
+ throw createClientConfigurationError(pkceParamsMissing);
6993
+ }
6994
+ else {
6995
+ this.validateCodeChallengeMethod(codeChallengeMethod);
6996
+ }
6997
+ }
6998
+ /**
6999
+ * Utility to validate code_challenge_method
7000
+ * @param codeChallengeMethod
7001
+ */
7002
+ static validateCodeChallengeMethod(codeChallengeMethod) {
7003
+ if ([
7004
+ CodeChallengeMethodValues.PLAIN,
7005
+ CodeChallengeMethodValues.S256,
7006
+ ].indexOf(codeChallengeMethod) < 0) {
7007
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7008
+ }
7009
+ }
7010
+ }
7011
+
7012
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7094
7013
  /*
7095
7014
  * Copyright (c) Microsoft Corporation. All rights reserved.
7096
7015
  * Licensed under the MIT License.
@@ -7108,7 +7027,7 @@
7108
7027
  }
7109
7028
  }
7110
7029
 
7111
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7030
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7112
7031
 
7113
7032
  /*
7114
7033
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7126,21 +7045,6 @@
7126
7045
  this.oidcDefaultScopes =
7127
7046
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7128
7047
  }
7129
- /**
7130
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7131
- * application. The URL target the /authorize endpoint of the authority configured in the
7132
- * application object.
7133
- *
7134
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7135
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7136
- * acquireToken(AuthorizationCodeRequest)
7137
- * @param request
7138
- */
7139
- async getAuthCodeUrl(request) {
7140
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7141
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7142
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7143
- }
7144
7048
  /**
7145
7049
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7146
7050
  * authorization_code_grant
@@ -7160,22 +7064,6 @@
7160
7064
  responseHandler.validateTokenResponse(response.body);
7161
7065
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7162
7066
  }
7163
- /**
7164
- * Handles the hash fragment response from public client code request. Returns a code response used by
7165
- * the client to exchange for a token in acquireToken.
7166
- * @param hashFragment
7167
- */
7168
- handleFragmentResponse(serverParams, cachedState) {
7169
- // Handle responses.
7170
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7171
- // Get code response
7172
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7173
- // throw when there is no auth code in the response
7174
- if (!serverParams.code) {
7175
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7176
- }
7177
- return serverParams;
7178
- }
7179
7067
  /**
7180
7068
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7181
7069
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7214,18 +7102,7 @@
7214
7102
  }
7215
7103
  }
7216
7104
  const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
7217
- const thumbprint = {
7218
- clientId: request.tokenBodyParameters?.clientId ||
7219
- this.config.authOptions.clientId,
7220
- authority: authority.canonicalAuthority,
7221
- scopes: request.scopes,
7222
- claims: request.claims,
7223
- authenticationScheme: request.authenticationScheme,
7224
- resourceRequestMethod: request.resourceRequestMethod,
7225
- resourceRequestUri: request.resourceRequestUri,
7226
- shrClaims: request.shrClaims,
7227
- sshKid: request.sshKid,
7228
- };
7105
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7229
7106
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
7230
7107
  }
7231
7108
  /**
@@ -7234,8 +7111,8 @@
7234
7111
  */
7235
7112
  async createTokenRequestBody(request) {
7236
7113
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7237
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7238
- parameterBuilder.addClientId(request.embeddedClientId ||
7114
+ const parameters = new Map();
7115
+ addClientId(parameters, request.embeddedClientId ||
7239
7116
  request.tokenBodyParameters?.[CLIENT_ID] ||
7240
7117
  this.config.authOptions.clientId);
7241
7118
  /*
@@ -7248,33 +7125,33 @@
7248
7125
  }
7249
7126
  else {
7250
7127
  // Validate and include redirect uri
7251
- parameterBuilder.addRedirectUri(request.redirectUri);
7128
+ addRedirectUri(parameters, request.redirectUri);
7252
7129
  }
7253
7130
  // Add scope array, parameter builder will add default scopes and dedupe
7254
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7131
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7255
7132
  // add code: user set, not validated
7256
- parameterBuilder.addAuthorizationCode(request.code);
7133
+ addAuthorizationCode(parameters, request.code);
7257
7134
  // Add library metadata
7258
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7259
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7260
- parameterBuilder.addThrottling();
7135
+ addLibraryInfo(parameters, this.config.libraryInfo);
7136
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7137
+ addThrottling(parameters);
7261
7138
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7262
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7139
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7263
7140
  }
7264
7141
  // add code_verifier if passed
7265
7142
  if (request.codeVerifier) {
7266
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7143
+ addCodeVerifier(parameters, request.codeVerifier);
7267
7144
  }
7268
7145
  if (this.config.clientCredentials.clientSecret) {
7269
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7146
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7270
7147
  }
7271
7148
  if (this.config.clientCredentials.clientAssertion) {
7272
7149
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7273
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7274
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7150
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7151
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7275
7152
  }
7276
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7277
- parameterBuilder.addClientInfo();
7153
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7154
+ addClientInfo(parameters);
7278
7155
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7279
7156
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7280
7157
  let reqCnfData;
@@ -7286,11 +7163,11 @@
7286
7163
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7287
7164
  }
7288
7165
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7289
- parameterBuilder.addPopToken(reqCnfData);
7166
+ addPopToken(parameters, reqCnfData);
7290
7167
  }
7291
7168
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7292
7169
  if (request.sshJwk) {
7293
- parameterBuilder.addSshJwk(request.sshJwk);
7170
+ addSshJwk(parameters, request.sshJwk);
7294
7171
  }
7295
7172
  else {
7296
7173
  throw createClientConfigurationError(missingSshJwk);
@@ -7299,7 +7176,7 @@
7299
7176
  if (!StringUtils.isEmptyObj(request.claims) ||
7300
7177
  (this.config.authOptions.clientCapabilities &&
7301
7178
  this.config.authOptions.clientCapabilities.length > 0)) {
7302
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7179
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7303
7180
  }
7304
7181
  let ccsCred = undefined;
7305
7182
  if (request.clientInfo) {
@@ -7323,7 +7200,7 @@
7323
7200
  case CcsCredentialType.HOME_ACCOUNT_ID:
7324
7201
  try {
7325
7202
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7326
- parameterBuilder.addCcsOid(clientInfo);
7203
+ addCcsOid(parameters, clientInfo);
7327
7204
  }
7328
7205
  catch (e) {
7329
7206
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7331,234 +7208,59 @@
7331
7208
  }
7332
7209
  break;
7333
7210
  case CcsCredentialType.UPN:
7334
- parameterBuilder.addCcsUpn(ccsCred.credential);
7211
+ addCcsUpn(parameters, ccsCred.credential);
7335
7212
  break;
7336
7213
  }
7337
7214
  }
7338
7215
  if (request.embeddedClientId) {
7339
- parameterBuilder.addBrokerParameters({
7340
- brokerClientId: this.config.authOptions.clientId,
7341
- brokerRedirectUri: this.config.authOptions.redirectUri,
7342
- });
7216
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7343
7217
  }
7344
7218
  if (request.tokenBodyParameters) {
7345
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7219
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7346
7220
  }
7347
7221
  // Add hybrid spa parameters if not already provided
7348
7222
  if (request.enableSpaAuthorizationCode &&
7349
7223
  (!request.tokenBodyParameters ||
7350
7224
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7351
- parameterBuilder.addExtraQueryParameters({
7225
+ addExtraQueryParameters(parameters, {
7352
7226
  [RETURN_SPA_CODE]: "1",
7353
7227
  });
7354
7228
  }
7355
- return parameterBuilder.createQueryString();
7356
- }
7357
- /**
7358
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7359
- * @param request
7360
- */
7361
- async createAuthCodeUrlQueryString(request) {
7362
- // generate the correlationId if not set by the user and add
7363
- const correlationId = request.correlationId ||
7364
- this.config.cryptoInterface.createNewGuid();
7365
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7366
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7367
- parameterBuilder.addClientId(request.embeddedClientId ||
7368
- request.extraQueryParameters?.[CLIENT_ID] ||
7369
- this.config.authOptions.clientId);
7370
- const requestScopes = [
7371
- ...(request.scopes || []),
7372
- ...(request.extraScopesToConsent || []),
7373
- ];
7374
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7375
- // validate the redirectUri (to be a non null value)
7376
- parameterBuilder.addRedirectUri(request.redirectUri);
7377
- parameterBuilder.addCorrelationId(correlationId);
7378
- // add response_mode. If not passed in it defaults to query.
7379
- parameterBuilder.addResponseMode(request.responseMode);
7380
- // add response_type = code
7381
- parameterBuilder.addResponseTypeCode();
7382
- // add library info parameters
7383
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7384
- if (!isOidcProtocolMode(this.config)) {
7385
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7386
- }
7387
- // add client_info=1
7388
- parameterBuilder.addClientInfo();
7389
- if (request.codeChallenge && request.codeChallengeMethod) {
7390
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7391
- }
7392
- if (request.prompt) {
7393
- parameterBuilder.addPrompt(request.prompt);
7394
- }
7395
- if (request.domainHint) {
7396
- parameterBuilder.addDomainHint(request.domainHint);
7397
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7398
- }
7399
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7400
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7401
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7402
- // AAD will throw if prompt=select_account is passed with an account hint
7403
- if (request.sid && request.prompt === PromptValue.NONE) {
7404
- // SessionID is only used in silent calls
7405
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7406
- parameterBuilder.addSid(request.sid);
7407
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7408
- }
7409
- else if (request.account) {
7410
- const accountSid = this.extractAccountSid(request.account);
7411
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7412
- if (accountLoginHintClaim && request.domainHint) {
7413
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7414
- accountLoginHintClaim = null;
7415
- }
7416
- // If login_hint claim is present, use it over sid/username
7417
- if (accountLoginHintClaim) {
7418
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7419
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7420
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7421
- try {
7422
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7423
- parameterBuilder.addCcsOid(clientInfo);
7424
- }
7425
- catch (e) {
7426
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7427
- }
7428
- }
7429
- else if (accountSid && request.prompt === PromptValue.NONE) {
7430
- /*
7431
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7432
- * SessionId is only used in silent calls
7433
- */
7434
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7435
- parameterBuilder.addSid(accountSid);
7436
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7437
- try {
7438
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7439
- parameterBuilder.addCcsOid(clientInfo);
7440
- }
7441
- catch (e) {
7442
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7443
- }
7444
- }
7445
- else if (request.loginHint) {
7446
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7447
- parameterBuilder.addLoginHint(request.loginHint);
7448
- parameterBuilder.addCcsUpn(request.loginHint);
7449
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7450
- }
7451
- else if (request.account.username) {
7452
- // Fallback to account username if provided
7453
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7454
- parameterBuilder.addLoginHint(request.account.username);
7455
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7456
- try {
7457
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7458
- parameterBuilder.addCcsOid(clientInfo);
7459
- }
7460
- catch (e) {
7461
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7462
- }
7463
- }
7464
- }
7465
- else if (request.loginHint) {
7466
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7467
- parameterBuilder.addLoginHint(request.loginHint);
7468
- parameterBuilder.addCcsUpn(request.loginHint);
7469
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7470
- }
7471
- }
7472
- else {
7473
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7474
- }
7475
- if (request.nonce) {
7476
- parameterBuilder.addNonce(request.nonce);
7477
- }
7478
- if (request.state) {
7479
- parameterBuilder.addState(request.state);
7480
- }
7481
- if (request.claims ||
7482
- (this.config.authOptions.clientCapabilities &&
7483
- this.config.authOptions.clientCapabilities.length > 0)) {
7484
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7485
- }
7486
- if (request.embeddedClientId) {
7487
- parameterBuilder.addBrokerParameters({
7488
- brokerClientId: this.config.authOptions.clientId,
7489
- brokerRedirectUri: this.config.authOptions.redirectUri,
7490
- });
7491
- }
7492
- this.addExtraQueryParams(request, parameterBuilder);
7493
- if (request.platformBroker) {
7494
- // signal ests that this is a WAM call
7495
- parameterBuilder.addNativeBroker();
7496
- // pass the req_cnf for POP
7497
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7498
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7499
- // req_cnf is always sent as a string for SPAs
7500
- let reqCnfData;
7501
- if (!request.popKid) {
7502
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7503
- reqCnfData = generatedReqCnfData.reqCnfString;
7504
- }
7505
- else {
7506
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7507
- }
7508
- parameterBuilder.addPopToken(reqCnfData);
7509
- }
7510
- }
7511
- return parameterBuilder.createQueryString();
7229
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7230
+ return mapToQueryString(parameters);
7512
7231
  }
7513
7232
  /**
7514
7233
  * This API validates the `EndSessionRequest` and creates a URL
7515
7234
  * @param request
7516
7235
  */
7517
7236
  createLogoutUrlQueryString(request) {
7518
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7237
+ const parameters = new Map();
7519
7238
  if (request.postLogoutRedirectUri) {
7520
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7239
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7521
7240
  }
7522
7241
  if (request.correlationId) {
7523
- parameterBuilder.addCorrelationId(request.correlationId);
7242
+ addCorrelationId(parameters, request.correlationId);
7524
7243
  }
7525
7244
  if (request.idTokenHint) {
7526
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7245
+ addIdTokenHint(parameters, request.idTokenHint);
7527
7246
  }
7528
7247
  if (request.state) {
7529
- parameterBuilder.addState(request.state);
7248
+ addState(parameters, request.state);
7530
7249
  }
7531
7250
  if (request.logoutHint) {
7532
- parameterBuilder.addLogoutHint(request.logoutHint);
7533
- }
7534
- this.addExtraQueryParams(request, parameterBuilder);
7535
- return parameterBuilder.createQueryString();
7536
- }
7537
- addExtraQueryParams(request, parameterBuilder) {
7538
- const hasRequestInstanceAware = request.extraQueryParameters &&
7539
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7540
- // Set instance_aware flag if config auth param is set
7541
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7542
- request.extraQueryParameters = request.extraQueryParameters || {};
7543
- request.extraQueryParameters["instance_aware"] = "true";
7251
+ addLogoutHint(parameters, request.logoutHint);
7544
7252
  }
7545
7253
  if (request.extraQueryParameters) {
7546
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7254
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7547
7255
  }
7548
- }
7549
- /**
7550
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7551
- * @param account
7552
- */
7553
- extractAccountSid(account) {
7554
- return account.idTokenClaims?.sid || null;
7555
- }
7556
- extractLoginHint(account) {
7557
- return account.idTokenClaims?.login_hint || null;
7256
+ if (this.config.authOptions.instanceAware) {
7257
+ addInstanceAware(parameters);
7258
+ }
7259
+ return mapToQueryString(parameters);
7558
7260
  }
7559
7261
  }
7560
7262
 
7561
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7263
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7562
7264
 
7563
7265
  /*
7564
7266
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7678,18 +7380,7 @@
7678
7380
  const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
7679
7381
  const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
7680
7382
  const headers = this.createTokenRequestHeaders(request.ccsCredential);
7681
- const thumbprint = {
7682
- clientId: request.tokenBodyParameters?.clientId ||
7683
- this.config.authOptions.clientId,
7684
- authority: authority.canonicalAuthority,
7685
- scopes: request.scopes,
7686
- claims: request.claims,
7687
- authenticationScheme: request.authenticationScheme,
7688
- resourceRequestMethod: request.resourceRequestMethod,
7689
- resourceRequestUri: request.resourceRequestUri,
7690
- shrClaims: request.shrClaims,
7691
- sshKid: request.sshKid,
7692
- };
7383
+ const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
7693
7384
  return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
7694
7385
  }
7695
7386
  /**
@@ -7698,31 +7389,30 @@
7698
7389
  */
7699
7390
  async createTokenRequestBody(request) {
7700
7391
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7701
- const correlationId = request.correlationId;
7702
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7703
- parameterBuilder.addClientId(request.embeddedClientId ||
7392
+ const parameters = new Map();
7393
+ addClientId(parameters, request.embeddedClientId ||
7704
7394
  request.tokenBodyParameters?.[CLIENT_ID] ||
7705
7395
  this.config.authOptions.clientId);
7706
7396
  if (request.redirectUri) {
7707
- parameterBuilder.addRedirectUri(request.redirectUri);
7708
- }
7709
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7710
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7711
- parameterBuilder.addClientInfo();
7712
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7713
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7714
- parameterBuilder.addThrottling();
7397
+ addRedirectUri(parameters, request.redirectUri);
7398
+ }
7399
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7400
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7401
+ addClientInfo(parameters);
7402
+ addLibraryInfo(parameters, this.config.libraryInfo);
7403
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7404
+ addThrottling(parameters);
7715
7405
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7716
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7406
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7717
7407
  }
7718
- parameterBuilder.addRefreshToken(request.refreshToken);
7408
+ addRefreshToken(parameters, request.refreshToken);
7719
7409
  if (this.config.clientCredentials.clientSecret) {
7720
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7410
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7721
7411
  }
7722
7412
  if (this.config.clientCredentials.clientAssertion) {
7723
7413
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7724
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7725
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7414
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7415
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7726
7416
  }
7727
7417
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7728
7418
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7735,11 +7425,11 @@
7735
7425
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7736
7426
  }
7737
7427
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7738
- parameterBuilder.addPopToken(reqCnfData);
7428
+ addPopToken(parameters, reqCnfData);
7739
7429
  }
7740
7430
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7741
7431
  if (request.sshJwk) {
7742
- parameterBuilder.addSshJwk(request.sshJwk);
7432
+ addSshJwk(parameters, request.sshJwk);
7743
7433
  }
7744
7434
  else {
7745
7435
  throw createClientConfigurationError(missingSshJwk);
@@ -7748,7 +7438,7 @@
7748
7438
  if (!StringUtils.isEmptyObj(request.claims) ||
7749
7439
  (this.config.authOptions.clientCapabilities &&
7750
7440
  this.config.authOptions.clientCapabilities.length > 0)) {
7751
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7441
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7752
7442
  }
7753
7443
  if (this.config.systemOptions.preventCorsPreflight &&
7754
7444
  request.ccsCredential) {
@@ -7756,7 +7446,7 @@
7756
7446
  case CcsCredentialType.HOME_ACCOUNT_ID:
7757
7447
  try {
7758
7448
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7759
- parameterBuilder.addCcsOid(clientInfo);
7449
+ addCcsOid(parameters, clientInfo);
7760
7450
  }
7761
7451
  catch (e) {
7762
7452
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7764,24 +7454,22 @@
7764
7454
  }
7765
7455
  break;
7766
7456
  case CcsCredentialType.UPN:
7767
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7457
+ addCcsUpn(parameters, request.ccsCredential.credential);
7768
7458
  break;
7769
7459
  }
7770
7460
  }
7771
7461
  if (request.embeddedClientId) {
7772
- parameterBuilder.addBrokerParameters({
7773
- brokerClientId: this.config.authOptions.clientId,
7774
- brokerRedirectUri: this.config.authOptions.redirectUri,
7775
- });
7462
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7776
7463
  }
7777
7464
  if (request.tokenBodyParameters) {
7778
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7465
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7779
7466
  }
7780
- return parameterBuilder.createQueryString();
7467
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7468
+ return mapToQueryString(parameters);
7781
7469
  }
7782
7470
  }
7783
7471
 
7784
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7472
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7785
7473
 
7786
7474
  /*
7787
7475
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7875,26 +7563,250 @@
7875
7563
  }
7876
7564
  checkMaxAge(authTime, request.maxAge);
7877
7565
  }
7878
- return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7566
+ return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7567
+ }
7568
+ }
7569
+
7570
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7571
+
7572
+ /*
7573
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7574
+ * Licensed under the MIT License.
7575
+ */
7576
+ const StubbedNetworkModule = {
7577
+ sendGetRequestAsync: () => {
7578
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7579
+ },
7580
+ sendPostRequestAsync: () => {
7581
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7582
+ },
7583
+ };
7584
+
7585
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7586
+
7587
+ /*
7588
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7589
+ * Licensed under the MIT License.
7590
+ */
7591
+ /**
7592
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7593
+ * @param config
7594
+ * @param request
7595
+ * @param logger
7596
+ * @param performanceClient
7597
+ * @returns
7598
+ */
7599
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7600
+ // generate the correlationId if not set by the user and add
7601
+ const correlationId = request.correlationId;
7602
+ const parameters = new Map();
7603
+ addClientId(parameters, request.embeddedClientId ||
7604
+ request.extraQueryParameters?.[CLIENT_ID] ||
7605
+ authOptions.clientId);
7606
+ const requestScopes = [
7607
+ ...(request.scopes || []),
7608
+ ...(request.extraScopesToConsent || []),
7609
+ ];
7610
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7611
+ addRedirectUri(parameters, request.redirectUri);
7612
+ addCorrelationId(parameters, correlationId);
7613
+ // add response_mode. If not passed in it defaults to query.
7614
+ addResponseMode(parameters, request.responseMode);
7615
+ // add client_info=1
7616
+ addClientInfo(parameters);
7617
+ if (request.prompt) {
7618
+ addPrompt(parameters, request.prompt);
7619
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7620
+ }
7621
+ if (request.domainHint) {
7622
+ addDomainHint(parameters, request.domainHint);
7623
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7624
+ }
7625
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7626
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7627
+ // AAD will throw if prompt=select_account is passed with an account hint
7628
+ if (request.sid && request.prompt === PromptValue.NONE) {
7629
+ // SessionID is only used in silent calls
7630
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7631
+ addSid(parameters, request.sid);
7632
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7633
+ }
7634
+ else if (request.account) {
7635
+ const accountSid = extractAccountSid(request.account);
7636
+ let accountLoginHintClaim = extractLoginHint(request.account);
7637
+ if (accountLoginHintClaim && request.domainHint) {
7638
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7639
+ accountLoginHintClaim = null;
7640
+ }
7641
+ // If login_hint claim is present, use it over sid/username
7642
+ if (accountLoginHintClaim) {
7643
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7644
+ addLoginHint(parameters, accountLoginHintClaim);
7645
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7646
+ try {
7647
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7648
+ addCcsOid(parameters, clientInfo);
7649
+ }
7650
+ catch (e) {
7651
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7652
+ }
7653
+ }
7654
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7655
+ /*
7656
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7657
+ * SessionId is only used in silent calls
7658
+ */
7659
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7660
+ addSid(parameters, accountSid);
7661
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7662
+ try {
7663
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7664
+ addCcsOid(parameters, clientInfo);
7665
+ }
7666
+ catch (e) {
7667
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7668
+ }
7669
+ }
7670
+ else if (request.loginHint) {
7671
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7672
+ addLoginHint(parameters, request.loginHint);
7673
+ addCcsUpn(parameters, request.loginHint);
7674
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7675
+ }
7676
+ else if (request.account.username) {
7677
+ // Fallback to account username if provided
7678
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7679
+ addLoginHint(parameters, request.account.username);
7680
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7681
+ try {
7682
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7683
+ addCcsOid(parameters, clientInfo);
7684
+ }
7685
+ catch (e) {
7686
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7687
+ }
7688
+ }
7689
+ }
7690
+ else if (request.loginHint) {
7691
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7692
+ addLoginHint(parameters, request.loginHint);
7693
+ addCcsUpn(parameters, request.loginHint);
7694
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7695
+ }
7696
+ }
7697
+ else {
7698
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7699
+ }
7700
+ if (request.nonce) {
7701
+ addNonce(parameters, request.nonce);
7702
+ }
7703
+ if (request.state) {
7704
+ addState(parameters, request.state);
7705
+ }
7706
+ if (request.claims ||
7707
+ (authOptions.clientCapabilities &&
7708
+ authOptions.clientCapabilities.length > 0)) {
7709
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7710
+ }
7711
+ if (request.embeddedClientId) {
7712
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7713
+ }
7714
+ if (request.extraQueryParameters) {
7715
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7716
+ }
7717
+ if (authOptions.instanceAware) {
7718
+ addInstanceAware(parameters);
7719
+ }
7720
+ return parameters;
7721
+ }
7722
+ /**
7723
+ * Returns authorize endpoint with given request parameters in the query string
7724
+ * @param authority
7725
+ * @param requestParameters
7726
+ * @returns
7727
+ */
7728
+ function getAuthorizeUrl(authority, requestParameters) {
7729
+ const queryString = mapToQueryString(requestParameters);
7730
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7731
+ }
7732
+ /**
7733
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7734
+ * the client to exchange for a token in acquireToken.
7735
+ * @param serverParams
7736
+ * @param cachedState
7737
+ */
7738
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7739
+ // Get code response
7740
+ validateAuthorizationResponse(serverParams, cachedState);
7741
+ // throw when there is no auth code in the response
7742
+ if (!serverParams.code) {
7743
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7744
+ }
7745
+ return serverParams;
7746
+ }
7747
+ /**
7748
+ * Function which validates server authorization code response.
7749
+ * @param serverResponseHash
7750
+ * @param requestState
7751
+ */
7752
+ function validateAuthorizationResponse(serverResponse, requestState) {
7753
+ if (!serverResponse.state || !requestState) {
7754
+ throw serverResponse.state
7755
+ ? createClientAuthError(stateNotFound, "Cached State")
7756
+ : createClientAuthError(stateNotFound, "Server State");
7757
+ }
7758
+ let decodedServerResponseState;
7759
+ let decodedRequestState;
7760
+ try {
7761
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7762
+ }
7763
+ catch (e) {
7764
+ throw createClientAuthError(invalidState, serverResponse.state);
7765
+ }
7766
+ try {
7767
+ decodedRequestState = decodeURIComponent(requestState);
7768
+ }
7769
+ catch (e) {
7770
+ throw createClientAuthError(invalidState, serverResponse.state);
7771
+ }
7772
+ if (decodedServerResponseState !== decodedRequestState) {
7773
+ throw createClientAuthError(stateMismatch);
7774
+ }
7775
+ // Check for error
7776
+ if (serverResponse.error ||
7777
+ serverResponse.error_description ||
7778
+ serverResponse.suberror) {
7779
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7780
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7781
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7782
+ }
7783
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7879
7784
  }
7880
- }
7881
-
7882
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7883
-
7884
- /*
7885
- * Copyright (c) Microsoft Corporation. All rights reserved.
7886
- * Licensed under the MIT License.
7785
+ }
7786
+ /**
7787
+ * Get server error No from the error_uri
7788
+ * @param serverResponse
7789
+ * @returns
7887
7790
  */
7888
- const StubbedNetworkModule = {
7889
- sendGetRequestAsync: () => {
7890
- return Promise.reject(createClientAuthError(methodNotImplemented));
7891
- },
7892
- sendPostRequestAsync: () => {
7893
- return Promise.reject(createClientAuthError(methodNotImplemented));
7894
- },
7895
- };
7791
+ function parseServerErrorNo(serverResponse) {
7792
+ const errorCodePrefix = "code=";
7793
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7794
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7795
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7796
+ : undefined;
7797
+ }
7798
+ /**
7799
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7800
+ * @param account
7801
+ */
7802
+ function extractAccountSid(account) {
7803
+ return account.idTokenClaims?.sid || null;
7804
+ }
7805
+ function extractLoginHint(account) {
7806
+ return account.idTokenClaims?.login_hint || null;
7807
+ }
7896
7808
 
7897
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7809
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7898
7810
 
7899
7811
  /*
7900
7812
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7952,7 +7864,7 @@
7952
7864
  }
7953
7865
  }
7954
7866
 
7955
- /*! @azure/msal-common v15.2.0 2025-03-04 */
7867
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7956
7868
 
7957
7869
  /*
7958
7870
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8215,7 +8127,7 @@
8215
8127
  }
8216
8128
  }
8217
8129
 
8218
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8130
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8219
8131
  /*
8220
8132
  * Copyright (c) Microsoft Corporation. All rights reserved.
8221
8133
  * Licensed under the MIT License.
@@ -8223,7 +8135,7 @@
8223
8135
  const missingKidError = "missing_kid_error";
8224
8136
  const missingAlgError = "missing_alg_error";
8225
8137
 
8226
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8138
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8227
8139
 
8228
8140
  /*
8229
8141
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8248,7 +8160,7 @@
8248
8160
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8249
8161
  }
8250
8162
 
8251
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8163
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8252
8164
 
8253
8165
  /*
8254
8166
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8288,7 +8200,7 @@
8288
8200
  }
8289
8201
  }
8290
8202
 
8291
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8203
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8292
8204
 
8293
8205
  /*
8294
8206
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8367,7 +8279,7 @@
8367
8279
  }
8368
8280
  }
8369
8281
 
8370
- /*! @azure/msal-common v15.2.0 2025-03-04 */
8282
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8371
8283
 
8372
8284
  /*
8373
8285
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10404,7 +10316,7 @@
10404
10316
 
10405
10317
  /* eslint-disable header/header */
10406
10318
  const name = "@azure/msal-browser";
10407
- const version = "4.5.1";
10319
+ const version = "4.8.0";
10408
10320
 
10409
10321
  /*
10410
10322
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -12683,7 +12595,13 @@
12683
12595
  *
12684
12596
  * The next MSAL VFuture should map these both to same value if possible
12685
12597
  */
12686
- const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "), result.expiresOn ? result.expiresOn.getTime() / 1000 : 0, result.extExpiresOn ? result.extExpiresOn.getTime() / 1000 : 0, base64Decode, undefined, // refreshOn
12598
+ const accessTokenEntity = createAccessTokenEntity(result.account?.homeAccountId, result.account.environment, result.accessToken, this.clientId, result.tenantId, result.scopes.join(" "),
12599
+ // Access token expiresOn stored in seconds, converting from AuthenticationResult expiresOn stored as Date
12600
+ result.expiresOn
12601
+ ? toSecondsFromDate(result.expiresOn)
12602
+ : 0, result.extExpiresOn
12603
+ ? toSecondsFromDate(result.extExpiresOn)
12604
+ : 0, base64Decode, undefined, // refreshOn
12687
12605
  result.tokenType, undefined, // userAssertionHash
12688
12606
  request.sshKid, request.claims, claimsHash);
12689
12607
  const cacheRecord = {
@@ -12889,7 +12807,9 @@
12889
12807
  constructor(logger) {
12890
12808
  this.eventCallbacks = new Map();
12891
12809
  this.logger = logger || new Logger({});
12892
- this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
12810
+ if (typeof BroadcastChannel !== "undefined") {
12811
+ this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
12812
+ }
12893
12813
  this.invokeCrossTabCallbacks = this.invokeCrossTabCallbacks.bind(this);
12894
12814
  }
12895
12815
  /**
@@ -12939,7 +12859,7 @@
12939
12859
  case EventType.ACCOUNT_REMOVED:
12940
12860
  case EventType.ACTIVE_ACCOUNT_CHANGED:
12941
12861
  // Send event to other open tabs / MSAL instances on same domain
12942
- this.broadcastChannel.postMessage(message);
12862
+ this.broadcastChannel?.postMessage(message);
12943
12863
  break;
12944
12864
  default:
12945
12865
  // Emit event to callbacks registered in this instance
@@ -12972,13 +12892,13 @@
12972
12892
  * Listen for events broadcasted from other tabs/instances
12973
12893
  */
12974
12894
  subscribeCrossTab() {
12975
- this.broadcastChannel.addEventListener("message", this.invokeCrossTabCallbacks);
12895
+ this.broadcastChannel?.addEventListener("message", this.invokeCrossTabCallbacks);
12976
12896
  }
12977
12897
  /**
12978
12898
  * Unsubscribe from broadcast events
12979
12899
  */
12980
12900
  unsubscribeCrossTab() {
12981
- this.broadcastChannel.removeEventListener("message", this.invokeCrossTabCallbacks);
12901
+ this.broadcastChannel?.removeEventListener("message", this.invokeCrossTabCallbacks);
12982
12902
  }
12983
12903
  }
12984
12904
 
@@ -13100,61 +13020,6 @@
13100
13020
  }
13101
13021
  }
13102
13022
 
13103
- /*
13104
- * Copyright (c) Microsoft Corporation. All rights reserved.
13105
- * Licensed under the MIT License.
13106
- */
13107
- // Constant byte array length
13108
- const RANDOM_BYTE_ARR_LENGTH = 32;
13109
- /**
13110
- * This file defines APIs to generate PKCE codes and code verifiers.
13111
- */
13112
- /**
13113
- * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
13114
- */
13115
- async function generatePkceCodes(performanceClient, logger, correlationId) {
13116
- performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
13117
- const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
13118
- const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
13119
- return {
13120
- verifier: codeVerifier,
13121
- challenge: codeChallenge,
13122
- };
13123
- }
13124
- /**
13125
- * Generates a random 32 byte buffer and returns the base64
13126
- * encoded string to be used as a PKCE Code Verifier
13127
- */
13128
- function generateCodeVerifier(performanceClient, logger, correlationId) {
13129
- try {
13130
- // Generate random values as utf-8
13131
- const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
13132
- invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
13133
- // encode verifier as base64
13134
- const pkceCodeVerifierB64 = urlEncodeArr(buffer);
13135
- return pkceCodeVerifierB64;
13136
- }
13137
- catch (e) {
13138
- throw createBrowserAuthError(pkceNotCreated);
13139
- }
13140
- }
13141
- /**
13142
- * Creates a base64 encoded PKCE Code Challenge string from the
13143
- * hash created from the PKCE Code Verifier supplied
13144
- */
13145
- async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
13146
- performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
13147
- try {
13148
- // hashed verifier
13149
- const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
13150
- // encode hash as base64
13151
- return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
13152
- }
13153
- catch (e) {
13154
- throw createBrowserAuthError(pkceNotCreated);
13155
- }
13156
- }
13157
-
13158
13023
  /*
13159
13024
  * Copyright (c) Microsoft Corporation. All rights reserved.
13160
13025
  * Licensed under the MIT License.
@@ -13217,25 +13082,6 @@
13217
13082
  * Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
13218
13083
  */
13219
13084
  class StandardInteractionClient extends BaseInteractionClient {
13220
- /**
13221
- * Generates an auth code request tied to the url request.
13222
- * @param request
13223
- * @param pkceCodes
13224
- */
13225
- async initializeAuthorizationCodeRequest(request, pkceCodes) {
13226
- this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
13227
- const generatedPkceParams = pkceCodes ||
13228
- (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
13229
- const authCodeRequest = {
13230
- ...request,
13231
- redirectUri: request.redirectUri,
13232
- code: Constants.EMPTY_STRING,
13233
- codeVerifier: generatedPkceParams.verifier,
13234
- };
13235
- request.codeChallenge = generatedPkceParams.challenge;
13236
- request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
13237
- return authCodeRequest;
13238
- }
13239
13085
  /**
13240
13086
  * Initializer for the logout request.
13241
13087
  * @param logoutRequest
@@ -13814,7 +13660,12 @@
13814
13660
  const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
13815
13661
  nativeAccountId: request.accountId,
13816
13662
  })?.homeAccountId;
13817
- if (homeAccountIdentifier !== cachedhomeAccountId &&
13663
+ // add exception for double brokering, please note this is temporary and will be fortified in future
13664
+ if (request.extraParameters?.child_client_id &&
13665
+ response.account.id !== request.accountId) {
13666
+ this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
13667
+ }
13668
+ else if (homeAccountIdentifier !== cachedhomeAccountId &&
13818
13669
  response.account.id !== request.accountId) {
13819
13670
  // User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
13820
13671
  throw createNativeAuthError(userSwitch);
@@ -13826,6 +13677,8 @@
13826
13677
  const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
13827
13678
  idTokenClaims.tid, undefined, // auth code payload
13828
13679
  response.account.id, this.logger);
13680
+ // Ensure expires_in is in number format
13681
+ response.expires_in = Number(response.expires_in);
13829
13682
  // generate authenticationResult
13830
13683
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
13831
13684
  // cache accounts and tokens in the appropriate storage
@@ -13942,7 +13795,8 @@
13942
13795
  idTokenClaims: idTokenClaims,
13943
13796
  accessToken: responseAccessToken,
13944
13797
  fromCache: mats ? this.isResponseFromCache(mats) : false,
13945
- expiresOn: new Date(Number(reqTimestamp + response.expires_in) * 1000),
13798
+ // Request timestamp and NativeResponse expires_in are in seconds, converting to Date for AuthenticationResult
13799
+ expiresOn: toDateFromSeconds(reqTimestamp + response.expires_in),
13946
13800
  tokenType: tokenType,
13947
13801
  correlationId: this.correlationId,
13948
13802
  state: response.state,
@@ -14472,7 +14326,7 @@
14472
14326
  this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
14473
14327
  let authCodeResponse;
14474
14328
  try {
14475
- authCodeResponse = this.authModule.handleFragmentResponse(response, request.state);
14329
+ authCodeResponse = getAuthorizationCodePayload(response, request.state);
14476
14330
  }
14477
14331
  catch (e) {
14478
14332
  if (e instanceof ServerError &&
@@ -14580,6 +14434,126 @@
14580
14434
  }
14581
14435
  }
14582
14436
 
14437
+ /*
14438
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14439
+ * Licensed under the MIT License.
14440
+ */
14441
+ /**
14442
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
14443
+ * @param config
14444
+ * @param authority
14445
+ * @param request
14446
+ * @param logger
14447
+ * @param performanceClient
14448
+ * @returns
14449
+ */
14450
+ async function getStandardParameters(config, authority, request, logger, performanceClient) {
14451
+ const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
14452
+ addLibraryInfo(parameters, {
14453
+ sku: BrowserConstants.MSAL_SKU,
14454
+ version: version,
14455
+ os: "",
14456
+ cpu: "",
14457
+ });
14458
+ if (config.auth.protocolMode !== ProtocolMode.OIDC) {
14459
+ addApplicationTelemetry(parameters, config.telemetry.application);
14460
+ }
14461
+ if (request.platformBroker) {
14462
+ // signal ests that this is a WAM call
14463
+ addNativeBroker(parameters);
14464
+ // pass the req_cnf for POP
14465
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
14466
+ const cryptoOps = new CryptoOps(logger, performanceClient);
14467
+ const popTokenGenerator = new PopTokenGenerator(cryptoOps);
14468
+ // req_cnf is always sent as a string for SPAs
14469
+ let reqCnfData;
14470
+ if (!request.popKid) {
14471
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
14472
+ reqCnfData = generatedReqCnfData.reqCnfString;
14473
+ }
14474
+ else {
14475
+ reqCnfData = cryptoOps.encodeKid(request.popKid);
14476
+ }
14477
+ addPopToken(parameters, reqCnfData);
14478
+ }
14479
+ }
14480
+ instrumentBrokerParams(parameters, request.correlationId, performanceClient);
14481
+ return parameters;
14482
+ }
14483
+ /**
14484
+ * Gets the full /authorize URL with request parameters when using Auth Code + PKCE
14485
+ * @param config
14486
+ * @param authority
14487
+ * @param request
14488
+ * @param logger
14489
+ * @param performanceClient
14490
+ * @returns
14491
+ */
14492
+ async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
14493
+ if (!request.codeChallenge) {
14494
+ throw createClientConfigurationError(pkceParamsMissing);
14495
+ }
14496
+ const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
14497
+ addResponseTypeCode(parameters);
14498
+ addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
14499
+ return getAuthorizeUrl(authority, parameters);
14500
+ }
14501
+
14502
+ /*
14503
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14504
+ * Licensed under the MIT License.
14505
+ */
14506
+ // Constant byte array length
14507
+ const RANDOM_BYTE_ARR_LENGTH = 32;
14508
+ /**
14509
+ * This file defines APIs to generate PKCE codes and code verifiers.
14510
+ */
14511
+ /**
14512
+ * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
14513
+ */
14514
+ async function generatePkceCodes(performanceClient, logger, correlationId) {
14515
+ performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
14516
+ const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
14517
+ const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
14518
+ return {
14519
+ verifier: codeVerifier,
14520
+ challenge: codeChallenge,
14521
+ };
14522
+ }
14523
+ /**
14524
+ * Generates a random 32 byte buffer and returns the base64
14525
+ * encoded string to be used as a PKCE Code Verifier
14526
+ */
14527
+ function generateCodeVerifier(performanceClient, logger, correlationId) {
14528
+ try {
14529
+ // Generate random values as utf-8
14530
+ const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
14531
+ invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
14532
+ // encode verifier as base64
14533
+ const pkceCodeVerifierB64 = urlEncodeArr(buffer);
14534
+ return pkceCodeVerifierB64;
14535
+ }
14536
+ catch (e) {
14537
+ throw createBrowserAuthError(pkceNotCreated);
14538
+ }
14539
+ }
14540
+ /**
14541
+ * Creates a base64 encoded PKCE Code Challenge string from the
14542
+ * hash created from the PKCE Code Verifier supplied
14543
+ */
14544
+ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
14545
+ performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
14546
+ try {
14547
+ // hashed verifier
14548
+ const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
14549
+ // encode hash as base64
14550
+ return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
14551
+ }
14552
+ catch (e) {
14553
+ throw createBrowserAuthError(pkceNotCreated);
14554
+ }
14555
+ }
14556
+
14583
14557
  /*
14584
14558
  * Copyright (c) Microsoft Corporation. All rights reserved.
14585
14559
  * Licensed under the MIT License.
@@ -14667,6 +14641,9 @@
14667
14641
  this.logger.verbose("acquireTokenPopupAsync called");
14668
14642
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
14669
14643
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
14644
+ const pkce = pkceCodes ||
14645
+ (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
14646
+ validRequest.codeChallenge = pkce.challenge;
14670
14647
  /*
14671
14648
  * Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
14672
14649
  * popup from being blocked by browsers with shorter popup timers
@@ -14675,8 +14652,6 @@
14675
14652
  preconnect(validRequest.authority);
14676
14653
  }
14677
14654
  try {
14678
- // Create auth code request and generate PKCE params
14679
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
14680
14655
  // Initialize the client
14681
14656
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
14682
14657
  serverTelemetryManager,
@@ -14693,12 +14668,10 @@
14693
14668
  this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
14694
14669
  }
14695
14670
  // Create acquire token url.
14696
- const navigateUrl = await authClient.getAuthCodeUrl({
14671
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
14697
14672
  ...validRequest,
14698
14673
  platformBroker: isPlatformBroker,
14699
- });
14700
- // Create popup interaction handler.
14701
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14674
+ }, this.logger, this.performanceClient);
14702
14675
  // Show the UI once the url has been created. Get the window handle for the popup.
14703
14676
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14704
14677
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
@@ -14706,7 +14679,7 @@
14706
14679
  const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
14707
14680
  const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
14708
14681
  // Remove throttle if it exists
14709
- ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, authCodeRequest);
14682
+ ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
14710
14683
  if (serverParams.accountId) {
14711
14684
  this.logger.verbose("Account id found in hash, calling WAM for token");
14712
14685
  // end measurement for server call with native brokering enabled
@@ -14727,6 +14700,13 @@
14727
14700
  prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
14728
14701
  });
14729
14702
  }
14703
+ const authCodeRequest = {
14704
+ ...validRequest,
14705
+ code: serverParams.code || "",
14706
+ codeVerifier: pkce.verifier,
14707
+ };
14708
+ // Create popup interaction handler.
14709
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14730
14710
  // Handle response from hash string.
14731
14711
  const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
14732
14712
  return result;
@@ -15102,7 +15082,7 @@
15102
15082
  }
15103
15083
  let authCodeResponse;
15104
15084
  try {
15105
- authCodeResponse = this.authModule.handleFragmentResponse(response, requestState);
15085
+ authCodeResponse = getAuthorizationCodePayload(response, requestState);
15106
15086
  }
15107
15087
  catch (e) {
15108
15088
  if (e instanceof ServerError &&
@@ -15186,6 +15166,8 @@
15186
15166
  */
15187
15167
  async acquireToken(request) {
15188
15168
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
15169
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15170
+ validRequest.codeChallenge = pkceCodes.challenge;
15189
15171
  this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
15190
15172
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
15191
15173
  const handleBackButton = (event) => {
@@ -15197,8 +15179,6 @@
15197
15179
  }
15198
15180
  };
15199
15181
  try {
15200
- // Create auth code request and generate PKCE params
15201
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
15202
15182
  // Initialize the client
15203
15183
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15204
15184
  serverTelemetryManager,
@@ -15207,13 +15187,18 @@
15207
15187
  requestExtraQueryParameters: validRequest.extraQueryParameters,
15208
15188
  account: validRequest.account,
15209
15189
  });
15190
+ const authCodeRequest = {
15191
+ ...validRequest,
15192
+ code: "",
15193
+ codeVerifier: pkceCodes.verifier,
15194
+ };
15210
15195
  // Create redirect interaction handler.
15211
15196
  const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15212
15197
  // Create acquire token url.
15213
- const navigateUrl = await authClient.getAuthCodeUrl({
15198
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
15214
15199
  ...validRequest,
15215
15200
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
15216
- });
15201
+ }, this.logger, this.performanceClient);
15217
15202
  const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
15218
15203
  this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
15219
15204
  // Clear temporary cache if the back button is clicked during the redirect flow.
@@ -15718,18 +15703,19 @@
15718
15703
  * @param navigateUrl
15719
15704
  * @param userRequestScopes
15720
15705
  */
15721
- async silentTokenHelper(authClient, silentRequest) {
15722
- const correlationId = silentRequest.correlationId;
15706
+ async silentTokenHelper(authClient, request) {
15707
+ const correlationId = request.correlationId;
15723
15708
  this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
15724
- // Create auth code request and generate PKCE params
15725
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, correlationId)(silentRequest);
15709
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15710
+ const silentRequest = {
15711
+ ...request,
15712
+ codeChallenge: pkceCodes.challenge,
15713
+ };
15726
15714
  // Create authorize request url
15727
- const navigateUrl = await invokeAsync(authClient.getAuthCodeUrl.bind(authClient), PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)({
15715
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
15728
15716
  ...silentRequest,
15729
15717
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
15730
- });
15731
- // Create silent handler
15732
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15718
+ }, this.logger, this.performanceClient);
15733
15719
  // Get the frame handle for the silent request
15734
15720
  const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
15735
15721
  const responseType = this.config.auth.OIDCOptions.serverResponseType;
@@ -15749,6 +15735,13 @@
15749
15735
  prompt: silentRequest.prompt || PromptValue.NONE,
15750
15736
  });
15751
15737
  }
15738
+ const authCodeRequest = {
15739
+ ...silentRequest,
15740
+ code: serverParams.code || "",
15741
+ codeVerifier: pkceCodes.verifier,
15742
+ };
15743
+ // Create silent handler
15744
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15752
15745
  // Handle response from hash string
15753
15746
  return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
15754
15747
  }
@@ -15943,11 +15936,10 @@
15943
15936
  const scopes = response.scope
15944
15937
  ? ScopeSet.fromString(response.scope)
15945
15938
  : new ScopeSet(request.scopes);
15946
- const expiresOn = options.expiresOn ||
15947
- response.expires_in + new Date().getTime() / 1000;
15939
+ const expiresOn = options.expiresOn || response.expires_in + nowSeconds();
15948
15940
  const extendedExpiresOn = options.extendedExpiresOn ||
15949
15941
  (response.ext_expires_in || response.expires_in) +
15950
- new Date().getTime() / 1000;
15942
+ nowSeconds();
15951
15943
  const accessTokenEntity = createAccessTokenEntity(homeAccountId, environment, response.access_token, this.config.auth.clientId, tenantId, scopes.printScopes(), expiresOn, extendedExpiresOn, base64Decode);
15952
15944
  await this.storage.setAccessTokenCredential(accessTokenEntity, correlationId);
15953
15945
  return accessTokenEntity;
@@ -15987,8 +15979,9 @@
15987
15979
  if (cacheRecord?.accessToken) {
15988
15980
  accessToken = cacheRecord.accessToken.secret;
15989
15981
  responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
15990
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
15991
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
15982
+ // Access token expiresOn stored in seconds, converting to Date for AuthenticationResult
15983
+ expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
15984
+ extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
15992
15985
  }
15993
15986
  const accountEntity = cacheRecord.account;
15994
15987
  return {
@@ -17235,60 +17228,63 @@
17235
17228
  throw createBrowserAuthError(noAccountError);
17236
17229
  }
17237
17230
  atsMeasurement.add({ accountType: getAccountType(account) });
17238
- const thumbprint = {
17239
- clientId: this.config.auth.clientId,
17240
- authority: request.authority || Constants.EMPTY_STRING,
17241
- scopes: request.scopes,
17242
- homeAccountIdentifier: account.homeAccountId,
17243
- claims: request.claims,
17244
- authenticationScheme: request.authenticationScheme,
17245
- resourceRequestMethod: request.resourceRequestMethod,
17246
- resourceRequestUri: request.resourceRequestUri,
17247
- shrClaims: request.shrClaims,
17248
- sshKid: request.sshKid,
17249
- shrOptions: request.shrOptions,
17250
- };
17231
+ return this.acquireTokenSilentDeduped(request, account, correlationId)
17232
+ .then((result) => {
17233
+ atsMeasurement.end({
17234
+ success: true,
17235
+ fromCache: result.fromCache,
17236
+ isNativeBroker: result.fromNativeBroker,
17237
+ accessTokenSize: result.accessToken.length,
17238
+ idTokenSize: result.idToken.length,
17239
+ });
17240
+ return {
17241
+ ...result,
17242
+ state: request.state,
17243
+ correlationId: correlationId, // Ensures PWB scenarios can correctly match request to response
17244
+ };
17245
+ })
17246
+ .catch((error) => {
17247
+ if (error instanceof AuthError) {
17248
+ // Ensures PWB scenarios can correctly match request to response
17249
+ error.setCorrelationId(correlationId);
17250
+ }
17251
+ atsMeasurement.end({
17252
+ success: false,
17253
+ }, error);
17254
+ throw error;
17255
+ });
17256
+ }
17257
+ /**
17258
+ * Checks if identical request is already in flight and returns reference to the existing promise or fires off a new one if this is the first
17259
+ * @param request
17260
+ * @param account
17261
+ * @param correlationId
17262
+ * @returns
17263
+ */
17264
+ async acquireTokenSilentDeduped(request, account, correlationId) {
17265
+ const thumbprint = getRequestThumbprint(this.config.auth.clientId, {
17266
+ ...request,
17267
+ authority: request.authority || this.config.auth.authority,
17268
+ correlationId: correlationId,
17269
+ }, account.homeAccountId);
17251
17270
  const silentRequestKey = JSON.stringify(thumbprint);
17252
- const cachedResponse = this.activeSilentTokenRequests.get(silentRequestKey);
17253
- if (typeof cachedResponse === "undefined") {
17271
+ const inProgressRequest = this.activeSilentTokenRequests.get(silentRequestKey);
17272
+ if (typeof inProgressRequest === "undefined") {
17254
17273
  this.logger.verbose("acquireTokenSilent called for the first time, storing active request", correlationId);
17255
- const response = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
17274
+ this.performanceClient.addFields({ deduped: false }, correlationId);
17275
+ const activeRequest = invokeAsync(this.acquireTokenSilentAsync.bind(this), PerformanceEvents.AcquireTokenSilentAsync, this.logger, this.performanceClient, correlationId)({
17256
17276
  ...request,
17257
17277
  correlationId,
17258
- }, account)
17259
- .then((result) => {
17260
- this.activeSilentTokenRequests.delete(silentRequestKey);
17261
- atsMeasurement.end({
17262
- success: true,
17263
- fromCache: result.fromCache,
17264
- isNativeBroker: result.fromNativeBroker,
17265
- cacheLookupPolicy: request.cacheLookupPolicy,
17266
- accessTokenSize: result.accessToken.length,
17267
- idTokenSize: result.idToken.length,
17268
- });
17269
- return result;
17270
- })
17271
- .catch((error) => {
17278
+ }, account);
17279
+ this.activeSilentTokenRequests.set(silentRequestKey, activeRequest);
17280
+ return activeRequest.finally(() => {
17272
17281
  this.activeSilentTokenRequests.delete(silentRequestKey);
17273
- atsMeasurement.end({
17274
- success: false,
17275
- }, error);
17276
- throw error;
17277
17282
  });
17278
- this.activeSilentTokenRequests.set(silentRequestKey, response);
17279
- return {
17280
- ...(await response),
17281
- state: request.state,
17282
- };
17283
17283
  }
17284
17284
  else {
17285
17285
  this.logger.verbose("acquireTokenSilent has been called previously, returning the result from the first call", correlationId);
17286
- // Discard measurements for memoized calls, as they are usually only a couple of ms and will artificially deflate metrics
17287
- atsMeasurement.discard();
17288
- return {
17289
- ...(await cachedResponse),
17290
- state: request.state,
17291
- };
17286
+ this.performanceClient.addFields({ deduped: true }, correlationId);
17287
+ return inProgressRequest;
17292
17288
  }
17293
17289
  }
17294
17290
  /**
@@ -17499,8 +17495,7 @@
17499
17495
  extraParams = new Map(Object.entries(request.extraQueryParameters));
17500
17496
  }
17501
17497
  const correlationId = request.correlationId || this.crypto.createNewGuid();
17502
- const requestBuilder = new RequestParameterBuilder(correlationId);
17503
- const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17498
+ const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17504
17499
  const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
17505
17500
  const tokenRequest = {
17506
17501
  platformBrokerId: request.account?.homeAccountId,
@@ -17519,7 +17514,8 @@
17519
17514
  if (!response.token.id_token || !response.token.access_token) {
17520
17515
  throw createClientAuthError(nullOrEmptyToken);
17521
17516
  }
17522
- const expiresOn = new Date((reqTimestamp + (response.token.expires_in || 0)) * 1000);
17517
+ // Request timestamp and AuthResult expires_in are in seconds, converting to Date for AuthenticationResult
17518
+ const expiresOn = toDateFromSeconds(reqTimestamp + (response.token.expires_in || 0));
17523
17519
  const idTokenClaims = extractTokenClaims(response.token.id_token, this.crypto.base64Decode);
17524
17520
  const account = this.fromNaaAccountInfo(response.account, response.token.id_token, idTokenClaims);
17525
17521
  const scopes = response.token.scope || request.scope;
@@ -17648,10 +17644,10 @@
17648
17644
  idTokenClaims: idTokenClaims || {},
17649
17645
  accessToken: accessToken.secret,
17650
17646
  fromCache: true,
17651
- expiresOn: new Date(Number(accessToken.expiresOn) * 1000),
17647
+ expiresOn: toDateFromSeconds(accessToken.expiresOn),
17648
+ extExpiresOn: toDateFromSeconds(accessToken.extendedExpiresOn),
17652
17649
  tokenType: request.authenticationScheme || AuthenticationScheme.BEARER,
17653
17650
  correlationId,
17654
- extExpiresOn: new Date(Number(accessToken.extendedExpiresOn) * 1000),
17655
17651
  state: request.state,
17656
17652
  };
17657
17653
  return authenticationResult;