@azure/msal-browser 4.7.0 → 4.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/IPublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientApplication.mjs +1 -1
- package/dist/app/PublicClientNext.mjs +1 -1
- package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
- package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/cache/AccountManager.mjs +1 -1
- package/dist/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/cache/BrowserCacheManager.mjs +1 -1
- package/dist/cache/CacheHelpers.mjs +1 -1
- package/dist/cache/CookieStorage.mjs +1 -1
- package/dist/cache/DatabaseStorage.mjs +1 -1
- package/dist/cache/LocalStorage.mjs +1 -1
- package/dist/cache/MemoryStorage.mjs +1 -1
- package/dist/cache/SessionStorage.mjs +1 -1
- package/dist/cache/TokenCache.mjs +1 -1
- package/dist/config/Configuration.mjs +1 -1
- package/dist/controllers/ControllerFactory.mjs +1 -1
- package/dist/controllers/NestedAppAuthController.mjs +1 -1
- package/dist/controllers/StandardController.mjs +1 -1
- package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
- package/dist/crypto/BrowserCrypto.mjs +1 -1
- package/dist/crypto/CryptoOps.mjs +1 -1
- package/dist/crypto/PkceGenerator.mjs +1 -1
- package/dist/crypto/SignedHttpRequest.mjs +1 -1
- package/dist/encode/Base64Decode.mjs +1 -1
- package/dist/encode/Base64Encode.mjs +1 -1
- package/dist/error/BrowserAuthError.mjs +1 -1
- package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/error/NativeAuthError.mjs +1 -1
- package/dist/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/error/NestedAppAuthError.mjs +1 -1
- package/dist/event/EventHandler.mjs +1 -1
- package/dist/event/EventMessage.mjs +1 -1
- package/dist/event/EventType.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
- package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/NativeInteractionClient.mjs +9 -2
- package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/PopupClient.d.ts.map +1 -1
- package/dist/interaction_client/PopupClient.mjs +16 -8
- package/dist/interaction_client/PopupClient.mjs.map +1 -1
- package/dist/interaction_client/RedirectClient.d.ts +3 -3
- package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
- package/dist/interaction_client/RedirectClient.mjs +12 -5
- package/dist/interaction_client/RedirectClient.mjs.map +1 -1
- package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
- package/dist/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
- package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/dist/interaction_client/SilentIframeClient.mjs +19 -9
- package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
- package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
- package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
- package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
- package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
- package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/dist/interaction_handler/InteractionHandler.mjs +3 -3
- package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
- package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
- package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/dist/interaction_handler/RedirectHandler.mjs +3 -3
- package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
- package/dist/interaction_handler/SilentHandler.mjs +1 -1
- package/dist/naa/BridgeError.mjs +1 -1
- package/dist/naa/BridgeProxy.mjs +1 -1
- package/dist/naa/BridgeStatusCode.mjs +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs +2 -3
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
- package/dist/navigation/NavigationClient.mjs +1 -1
- package/dist/network/FetchClient.mjs +1 -1
- package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
- package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +13 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +74 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/RequestHelpers.mjs +1 -1
- package/dist/response/ResponseHandler.d.ts +3 -3
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +1 -1
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
- package/dist/utils/BrowserConstants.mjs +1 -1
- package/dist/utils/BrowserProtocolUtils.mjs +1 -1
- package/dist/utils/BrowserUtils.mjs +1 -1
- package/lib/msal-browser.cjs +949 -973
- package/lib/msal-browser.cjs.map +1 -1
- package/lib/msal-browser.js +949 -973
- package/lib/msal-browser.js.map +1 -1
- package/lib/msal-browser.min.js +67 -66
- package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
- package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
- package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
- package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
- package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
- package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
- package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
- package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +13 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +3 -3
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/package.json +2 -2
- package/src/interaction_client/NativeInteractionClient.ts +11 -0
- package/src/interaction_client/PopupClient.ts +40 -21
- package/src/interaction_client/RedirectClient.ts +41 -22
- package/src/interaction_client/SilentIframeClient.ts +42 -29
- package/src/interaction_client/StandardInteractionClient.ts +0 -40
- package/src/interaction_handler/InteractionHandler.ts +4 -3
- package/src/interaction_handler/RedirectHandler.ts +4 -3
- package/src/naa/mapping/NestedAppAuthAdapter.ts +1 -2
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +136 -0
- package/src/response/ResponseHandler.ts +3 -3
package/lib/msal-browser.cjs
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
/*! @azure/msal-browser v4.
|
|
1
|
+
/*! @azure/msal-browser v4.8.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
5
|
-
/*! @azure/msal-common v15.
|
|
5
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6
6
|
/*
|
|
7
7
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8
8
|
* Licensed under the MIT License.
|
|
@@ -250,13 +250,6 @@ const Errors = {
|
|
|
250
250
|
INVALID_GRANT_ERROR: "invalid_grant",
|
|
251
251
|
CLIENT_MISMATCH_ERROR: "client_mismatch",
|
|
252
252
|
};
|
|
253
|
-
/**
|
|
254
|
-
* Password grant parameters
|
|
255
|
-
*/
|
|
256
|
-
const PasswordGrantConstants = {
|
|
257
|
-
username: "username",
|
|
258
|
-
password: "password",
|
|
259
|
-
};
|
|
260
253
|
/**
|
|
261
254
|
* Response codes
|
|
262
255
|
*/
|
|
@@ -306,7 +299,7 @@ const JsonWebTokenTypes = {
|
|
|
306
299
|
// Token renewal offset default in seconds
|
|
307
300
|
const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
|
|
308
301
|
|
|
309
|
-
/*! @azure/msal-common v15.
|
|
302
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
310
303
|
/*
|
|
311
304
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
312
305
|
* Licensed under the MIT License.
|
|
@@ -323,7 +316,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
323
316
|
unexpectedError: unexpectedError
|
|
324
317
|
});
|
|
325
318
|
|
|
326
|
-
/*! @azure/msal-common v15.
|
|
319
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
327
320
|
|
|
328
321
|
/*
|
|
329
322
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -372,7 +365,7 @@ function createAuthError(code, additionalMessage) {
|
|
|
372
365
|
: AuthErrorMessages[code]);
|
|
373
366
|
}
|
|
374
367
|
|
|
375
|
-
/*! @azure/msal-common v15.
|
|
368
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
376
369
|
/*
|
|
377
370
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
378
371
|
* Licensed under the MIT License.
|
|
@@ -470,7 +463,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
470
463
|
userTimeoutReached: userTimeoutReached
|
|
471
464
|
});
|
|
472
465
|
|
|
473
|
-
/*! @azure/msal-common v15.
|
|
466
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
474
467
|
|
|
475
468
|
/*
|
|
476
469
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -722,7 +715,7 @@ function createClientAuthError(errorCode, additionalMessage) {
|
|
|
722
715
|
return new ClientAuthError(errorCode, additionalMessage);
|
|
723
716
|
}
|
|
724
717
|
|
|
725
|
-
/*! @azure/msal-common v15.
|
|
718
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
726
719
|
|
|
727
720
|
/*
|
|
728
721
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -761,7 +754,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
|
|
|
761
754
|
},
|
|
762
755
|
};
|
|
763
756
|
|
|
764
|
-
/*! @azure/msal-common v15.
|
|
757
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
765
758
|
|
|
766
759
|
/*
|
|
767
760
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -952,12 +945,12 @@ class Logger {
|
|
|
952
945
|
}
|
|
953
946
|
}
|
|
954
947
|
|
|
955
|
-
/*! @azure/msal-common v15.
|
|
948
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
956
949
|
/* eslint-disable header/header */
|
|
957
950
|
const name$1 = "@azure/msal-common";
|
|
958
|
-
const version$1 = "15.
|
|
951
|
+
const version$1 = "15.3.0";
|
|
959
952
|
|
|
960
|
-
/*! @azure/msal-common v15.
|
|
953
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
961
954
|
/*
|
|
962
955
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
963
956
|
* Licensed under the MIT License.
|
|
@@ -977,7 +970,7 @@ const AzureCloudInstance = {
|
|
|
977
970
|
AzureUsGovernment: "https://login.microsoftonline.us",
|
|
978
971
|
};
|
|
979
972
|
|
|
980
|
-
/*! @azure/msal-common v15.
|
|
973
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
981
974
|
|
|
982
975
|
/*
|
|
983
976
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1038,7 +1031,7 @@ function checkMaxAge(authTime, maxAge) {
|
|
|
1038
1031
|
}
|
|
1039
1032
|
}
|
|
1040
1033
|
|
|
1041
|
-
/*! @azure/msal-common v15.
|
|
1034
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1042
1035
|
/*
|
|
1043
1036
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1044
1037
|
* Licensed under the MIT License.
|
|
@@ -1093,7 +1086,7 @@ function wasClockTurnedBack(cachedAt) {
|
|
|
1093
1086
|
return cachedAtSec > nowSeconds();
|
|
1094
1087
|
}
|
|
1095
1088
|
|
|
1096
|
-
/*! @azure/msal-common v15.
|
|
1089
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1097
1090
|
|
|
1098
1091
|
/*
|
|
1099
1092
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1420,7 +1413,7 @@ function isAuthorityMetadataExpired(metadata) {
|
|
|
1420
1413
|
return metadata.expiresAt <= nowSeconds();
|
|
1421
1414
|
}
|
|
1422
1415
|
|
|
1423
|
-
/*! @azure/msal-common v15.
|
|
1416
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1424
1417
|
/*
|
|
1425
1418
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1426
1419
|
* Licensed under the MIT License.
|
|
@@ -1474,7 +1467,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
1474
1467
|
urlParseError: urlParseError
|
|
1475
1468
|
});
|
|
1476
1469
|
|
|
1477
|
-
/*! @azure/msal-common v15.
|
|
1470
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1478
1471
|
|
|
1479
1472
|
/*
|
|
1480
1473
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1612,7 +1605,7 @@ function createClientConfigurationError(errorCode) {
|
|
|
1612
1605
|
return new ClientConfigurationError(errorCode);
|
|
1613
1606
|
}
|
|
1614
1607
|
|
|
1615
|
-
/*! @azure/msal-common v15.
|
|
1608
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1616
1609
|
/*
|
|
1617
1610
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1618
1611
|
* Licensed under the MIT License.
|
|
@@ -1709,7 +1702,7 @@ class StringUtils {
|
|
|
1709
1702
|
}
|
|
1710
1703
|
}
|
|
1711
1704
|
|
|
1712
|
-
/*! @azure/msal-common v15.
|
|
1705
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1713
1706
|
|
|
1714
1707
|
/*
|
|
1715
1708
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1900,7 +1893,7 @@ class ScopeSet {
|
|
|
1900
1893
|
}
|
|
1901
1894
|
}
|
|
1902
1895
|
|
|
1903
|
-
/*! @azure/msal-common v15.
|
|
1896
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1904
1897
|
|
|
1905
1898
|
/*
|
|
1906
1899
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1940,7 +1933,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
|
1940
1933
|
};
|
|
1941
1934
|
}
|
|
1942
1935
|
|
|
1943
|
-
/*! @azure/msal-common v15.
|
|
1936
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
1944
1937
|
/*
|
|
1945
1938
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1946
1939
|
* Licensed under the MIT License.
|
|
@@ -2019,7 +2012,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
|
|
|
2019
2012
|
return updatedAccountInfo;
|
|
2020
2013
|
}
|
|
2021
2014
|
|
|
2022
|
-
/*! @azure/msal-common v15.
|
|
2015
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2023
2016
|
/*
|
|
2024
2017
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2025
2018
|
* Licensed under the MIT License.
|
|
@@ -2034,7 +2027,7 @@ const AuthorityType = {
|
|
|
2034
2027
|
Ciam: 3,
|
|
2035
2028
|
};
|
|
2036
2029
|
|
|
2037
|
-
/*! @azure/msal-common v15.
|
|
2030
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2038
2031
|
/*
|
|
2039
2032
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2040
2033
|
* Licensed under the MIT License.
|
|
@@ -2056,7 +2049,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
|
|
|
2056
2049
|
return null;
|
|
2057
2050
|
}
|
|
2058
2051
|
|
|
2059
|
-
/*! @azure/msal-common v15.
|
|
2052
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2060
2053
|
/*
|
|
2061
2054
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2062
2055
|
* Licensed under the MIT License.
|
|
@@ -2069,7 +2062,7 @@ const ProtocolMode = {
|
|
|
2069
2062
|
OIDC: "OIDC",
|
|
2070
2063
|
};
|
|
2071
2064
|
|
|
2072
|
-
/*! @azure/msal-common v15.
|
|
2065
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2073
2066
|
|
|
2074
2067
|
/*
|
|
2075
2068
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2312,7 +2305,7 @@ class AccountEntity {
|
|
|
2312
2305
|
}
|
|
2313
2306
|
}
|
|
2314
2307
|
|
|
2315
|
-
/*! @azure/msal-common v15.
|
|
2308
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2316
2309
|
|
|
2317
2310
|
/*
|
|
2318
2311
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2357,9 +2350,19 @@ function getDeserializedResponse(responseString) {
|
|
|
2357
2350
|
throw createClientAuthError(hashNotDeserialized);
|
|
2358
2351
|
}
|
|
2359
2352
|
return null;
|
|
2353
|
+
}
|
|
2354
|
+
/**
|
|
2355
|
+
* Utility to create a URL from the params map
|
|
2356
|
+
*/
|
|
2357
|
+
function mapToQueryString(parameters) {
|
|
2358
|
+
const queryParameterArray = new Array();
|
|
2359
|
+
parameters.forEach((value, key) => {
|
|
2360
|
+
queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
|
|
2361
|
+
});
|
|
2362
|
+
return queryParameterArray.join("&");
|
|
2360
2363
|
}
|
|
2361
2364
|
|
|
2362
|
-
/*! @azure/msal-common v15.
|
|
2365
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2363
2366
|
|
|
2364
2367
|
/*
|
|
2365
2368
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2523,7 +2526,7 @@ class UrlString {
|
|
|
2523
2526
|
}
|
|
2524
2527
|
}
|
|
2525
2528
|
|
|
2526
|
-
/*! @azure/msal-common v15.
|
|
2529
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2527
2530
|
|
|
2528
2531
|
/*
|
|
2529
2532
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2663,7 +2666,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
|
|
|
2663
2666
|
return null;
|
|
2664
2667
|
}
|
|
2665
2668
|
|
|
2666
|
-
/*! @azure/msal-common v15.
|
|
2669
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2667
2670
|
/*
|
|
2668
2671
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2669
2672
|
* Licensed under the MIT License.
|
|
@@ -2671,7 +2674,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
|
|
|
2671
2674
|
const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
|
|
2672
2675
|
const cacheUnknownErrorCode = "cache_error_unknown";
|
|
2673
2676
|
|
|
2674
|
-
/*! @azure/msal-common v15.
|
|
2677
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2675
2678
|
|
|
2676
2679
|
/*
|
|
2677
2680
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2698,7 +2701,7 @@ class CacheError extends Error {
|
|
|
2698
2701
|
}
|
|
2699
2702
|
}
|
|
2700
2703
|
|
|
2701
|
-
/*! @azure/msal-common v15.
|
|
2704
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2702
2705
|
|
|
2703
2706
|
/*
|
|
2704
2707
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3883,7 +3886,7 @@ class DefaultStorageClass extends CacheManager {
|
|
|
3883
3886
|
}
|
|
3884
3887
|
}
|
|
3885
3888
|
|
|
3886
|
-
/*! @azure/msal-common v15.
|
|
3889
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3887
3890
|
|
|
3888
3891
|
/*
|
|
3889
3892
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3982,7 +3985,7 @@ function isOidcProtocolMode(config) {
|
|
|
3982
3985
|
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3983
3986
|
}
|
|
3984
3987
|
|
|
3985
|
-
/*! @azure/msal-common v15.
|
|
3988
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3986
3989
|
/*
|
|
3987
3990
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3988
3991
|
* Licensed under the MIT License.
|
|
@@ -3992,7 +3995,7 @@ const CcsCredentialType = {
|
|
|
3992
3995
|
UPN: "UPN",
|
|
3993
3996
|
};
|
|
3994
3997
|
|
|
3995
|
-
/*! @azure/msal-common v15.
|
|
3998
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
3996
3999
|
/*
|
|
3997
4000
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3998
4001
|
* Licensed under the MIT License.
|
|
@@ -4024,14 +4027,11 @@ const X_APP_NAME = "x-app-name";
|
|
|
4024
4027
|
const X_APP_VER = "x-app-ver";
|
|
4025
4028
|
const POST_LOGOUT_URI = "post_logout_redirect_uri";
|
|
4026
4029
|
const ID_TOKEN_HINT = "id_token_hint";
|
|
4027
|
-
const DEVICE_CODE = "device_code";
|
|
4028
4030
|
const CLIENT_SECRET = "client_secret";
|
|
4029
4031
|
const CLIENT_ASSERTION = "client_assertion";
|
|
4030
4032
|
const CLIENT_ASSERTION_TYPE = "client_assertion_type";
|
|
4031
4033
|
const TOKEN_TYPE = "token_type";
|
|
4032
4034
|
const REQ_CNF = "req_cnf";
|
|
4033
|
-
const OBO_ASSERTION = "assertion";
|
|
4034
|
-
const REQUESTED_TOKEN_USE = "requested_token_use";
|
|
4035
4035
|
const RETURN_SPA_CODE = "return_spa_code";
|
|
4036
4036
|
const NATIVE_BROKER = "nativebroker";
|
|
4037
4037
|
const LOGOUT_HINT = "logout_hint";
|
|
@@ -4040,76 +4040,10 @@ const LOGIN_HINT = "login_hint";
|
|
|
4040
4040
|
const DOMAIN_HINT = "domain_hint";
|
|
4041
4041
|
const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
|
|
4042
4042
|
const BROKER_CLIENT_ID = "brk_client_id";
|
|
4043
|
-
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4044
|
-
|
|
4045
|
-
/*! @azure/msal-common v15.2.1 2025-03-11 */
|
|
4046
|
-
|
|
4047
|
-
/*
|
|
4048
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4049
|
-
* Licensed under the MIT License.
|
|
4050
|
-
*/
|
|
4051
|
-
/**
|
|
4052
|
-
* Validates server consumable params from the "request" objects
|
|
4053
|
-
*/
|
|
4054
|
-
class RequestValidator {
|
|
4055
|
-
/**
|
|
4056
|
-
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
4057
|
-
* @param redirectUri
|
|
4058
|
-
*/
|
|
4059
|
-
static validateRedirectUri(redirectUri) {
|
|
4060
|
-
if (!redirectUri) {
|
|
4061
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
4062
|
-
}
|
|
4063
|
-
}
|
|
4064
|
-
/**
|
|
4065
|
-
* Utility to validate prompt sent by the user in the request
|
|
4066
|
-
* @param prompt
|
|
4067
|
-
*/
|
|
4068
|
-
static validatePrompt(prompt) {
|
|
4069
|
-
const promptValues = [];
|
|
4070
|
-
for (const value in PromptValue) {
|
|
4071
|
-
promptValues.push(PromptValue[value]);
|
|
4072
|
-
}
|
|
4073
|
-
if (promptValues.indexOf(prompt) < 0) {
|
|
4074
|
-
throw createClientConfigurationError(invalidPromptValue);
|
|
4075
|
-
}
|
|
4076
|
-
}
|
|
4077
|
-
static validateClaims(claims) {
|
|
4078
|
-
try {
|
|
4079
|
-
JSON.parse(claims);
|
|
4080
|
-
}
|
|
4081
|
-
catch (e) {
|
|
4082
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4083
|
-
}
|
|
4084
|
-
}
|
|
4085
|
-
/**
|
|
4086
|
-
* Utility to validate code_challenge and code_challenge_method
|
|
4087
|
-
* @param codeChallenge
|
|
4088
|
-
* @param codeChallengeMethod
|
|
4089
|
-
*/
|
|
4090
|
-
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
4091
|
-
if (!codeChallenge || !codeChallengeMethod) {
|
|
4092
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4093
|
-
}
|
|
4094
|
-
else {
|
|
4095
|
-
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
4096
|
-
}
|
|
4097
|
-
}
|
|
4098
|
-
/**
|
|
4099
|
-
* Utility to validate code_challenge_method
|
|
4100
|
-
* @param codeChallengeMethod
|
|
4101
|
-
*/
|
|
4102
|
-
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
4103
|
-
if ([
|
|
4104
|
-
CodeChallengeMethodValues.PLAIN,
|
|
4105
|
-
CodeChallengeMethodValues.S256,
|
|
4106
|
-
].indexOf(codeChallengeMethod) < 0) {
|
|
4107
|
-
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
4108
|
-
}
|
|
4109
|
-
}
|
|
4110
|
-
}
|
|
4043
|
+
const BROKER_REDIRECT_URI = "brk_redirect_uri";
|
|
4044
|
+
const INSTANCE_AWARE = "instance_aware";
|
|
4111
4045
|
|
|
4112
|
-
/*! @azure/msal-common v15.
|
|
4046
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4113
4047
|
|
|
4114
4048
|
/*
|
|
4115
4049
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4127,397 +4061,344 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
|
|
|
4127
4061
|
}, correlationId);
|
|
4128
4062
|
}
|
|
4129
4063
|
}
|
|
4130
|
-
/**
|
|
4131
|
-
|
|
4132
|
-
|
|
4133
|
-
|
|
4134
|
-
|
|
4135
|
-
|
|
4136
|
-
|
|
4137
|
-
|
|
4138
|
-
|
|
4139
|
-
|
|
4140
|
-
|
|
4141
|
-
|
|
4142
|
-
|
|
4143
|
-
|
|
4144
|
-
|
|
4145
|
-
|
|
4146
|
-
|
|
4147
|
-
|
|
4148
|
-
|
|
4149
|
-
|
|
4150
|
-
|
|
4151
|
-
|
|
4152
|
-
|
|
4153
|
-
|
|
4154
|
-
|
|
4155
|
-
|
|
4156
|
-
|
|
4157
|
-
|
|
4158
|
-
|
|
4159
|
-
|
|
4160
|
-
|
|
4161
|
-
|
|
4162
|
-
|
|
4163
|
-
|
|
4164
|
-
|
|
4165
|
-
|
|
4166
|
-
|
|
4167
|
-
|
|
4168
|
-
|
|
4169
|
-
|
|
4170
|
-
|
|
4171
|
-
|
|
4172
|
-
|
|
4173
|
-
|
|
4174
|
-
|
|
4175
|
-
|
|
4176
|
-
|
|
4177
|
-
|
|
4178
|
-
|
|
4064
|
+
/**
|
|
4065
|
+
* add response_type = code
|
|
4066
|
+
*/
|
|
4067
|
+
function addResponseTypeCode(parameters) {
|
|
4068
|
+
parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
|
|
4069
|
+
}
|
|
4070
|
+
/**
|
|
4071
|
+
* add response_mode. defaults to query.
|
|
4072
|
+
* @param responseMode
|
|
4073
|
+
*/
|
|
4074
|
+
function addResponseMode(parameters, responseMode) {
|
|
4075
|
+
parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
|
|
4076
|
+
}
|
|
4077
|
+
/**
|
|
4078
|
+
* Add flag to indicate STS should attempt to use WAM if available
|
|
4079
|
+
*/
|
|
4080
|
+
function addNativeBroker(parameters) {
|
|
4081
|
+
parameters.set(NATIVE_BROKER, "1");
|
|
4082
|
+
}
|
|
4083
|
+
/**
|
|
4084
|
+
* add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
|
|
4085
|
+
* @param scopeSet
|
|
4086
|
+
* @param addOidcScopes
|
|
4087
|
+
*/
|
|
4088
|
+
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
4089
|
+
// Always add openid to the scopes when adding OIDC scopes
|
|
4090
|
+
if (addOidcScopes &&
|
|
4091
|
+
!defaultScopes.includes("openid") &&
|
|
4092
|
+
!scopes.includes("openid")) {
|
|
4093
|
+
defaultScopes.push("openid");
|
|
4094
|
+
}
|
|
4095
|
+
const requestScopes = addOidcScopes
|
|
4096
|
+
? [...(scopes || []), ...defaultScopes]
|
|
4097
|
+
: scopes || [];
|
|
4098
|
+
const scopeSet = new ScopeSet(requestScopes);
|
|
4099
|
+
parameters.set(SCOPE, scopeSet.printScopes());
|
|
4100
|
+
}
|
|
4101
|
+
/**
|
|
4102
|
+
* add clientId
|
|
4103
|
+
* @param clientId
|
|
4104
|
+
*/
|
|
4105
|
+
function addClientId(parameters, clientId) {
|
|
4106
|
+
parameters.set(CLIENT_ID, clientId);
|
|
4107
|
+
}
|
|
4108
|
+
/**
|
|
4109
|
+
* add redirect_uri
|
|
4110
|
+
* @param redirectUri
|
|
4111
|
+
*/
|
|
4112
|
+
function addRedirectUri(parameters, redirectUri) {
|
|
4113
|
+
parameters.set(REDIRECT_URI, redirectUri);
|
|
4114
|
+
}
|
|
4115
|
+
/**
|
|
4116
|
+
* add post logout redirectUri
|
|
4117
|
+
* @param redirectUri
|
|
4118
|
+
*/
|
|
4119
|
+
function addPostLogoutRedirectUri(parameters, redirectUri) {
|
|
4120
|
+
parameters.set(POST_LOGOUT_URI, redirectUri);
|
|
4121
|
+
}
|
|
4122
|
+
/**
|
|
4123
|
+
* add id_token_hint to logout request
|
|
4124
|
+
* @param idTokenHint
|
|
4125
|
+
*/
|
|
4126
|
+
function addIdTokenHint(parameters, idTokenHint) {
|
|
4127
|
+
parameters.set(ID_TOKEN_HINT, idTokenHint);
|
|
4128
|
+
}
|
|
4129
|
+
/**
|
|
4130
|
+
* add domain_hint
|
|
4131
|
+
* @param domainHint
|
|
4132
|
+
*/
|
|
4133
|
+
function addDomainHint(parameters, domainHint) {
|
|
4134
|
+
parameters.set(DOMAIN_HINT, domainHint);
|
|
4135
|
+
}
|
|
4136
|
+
/**
|
|
4137
|
+
* add login_hint
|
|
4138
|
+
* @param loginHint
|
|
4139
|
+
*/
|
|
4140
|
+
function addLoginHint(parameters, loginHint) {
|
|
4141
|
+
parameters.set(LOGIN_HINT, loginHint);
|
|
4142
|
+
}
|
|
4143
|
+
/**
|
|
4144
|
+
* Adds the CCS (Cache Credential Service) query parameter for login_hint
|
|
4145
|
+
* @param loginHint
|
|
4146
|
+
*/
|
|
4147
|
+
function addCcsUpn(parameters, loginHint) {
|
|
4148
|
+
parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
|
|
4149
|
+
}
|
|
4150
|
+
/**
|
|
4151
|
+
* Adds the CCS (Cache Credential Service) query parameter for account object
|
|
4152
|
+
* @param loginHint
|
|
4153
|
+
*/
|
|
4154
|
+
function addCcsOid(parameters, clientInfo) {
|
|
4155
|
+
parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
|
|
4156
|
+
}
|
|
4157
|
+
/**
|
|
4158
|
+
* add sid
|
|
4159
|
+
* @param sid
|
|
4160
|
+
*/
|
|
4161
|
+
function addSid(parameters, sid) {
|
|
4162
|
+
parameters.set(SID, sid);
|
|
4163
|
+
}
|
|
4164
|
+
/**
|
|
4165
|
+
* add claims
|
|
4166
|
+
* @param claims
|
|
4167
|
+
*/
|
|
4168
|
+
function addClaims(parameters, claims, clientCapabilities) {
|
|
4169
|
+
const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
|
|
4170
|
+
try {
|
|
4171
|
+
JSON.parse(mergedClaims);
|
|
4179
4172
|
}
|
|
4180
|
-
|
|
4181
|
-
|
|
4182
|
-
* @param clientId
|
|
4183
|
-
*/
|
|
4184
|
-
addClientId(clientId) {
|
|
4185
|
-
this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
|
|
4173
|
+
catch (e) {
|
|
4174
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4186
4175
|
}
|
|
4187
|
-
|
|
4188
|
-
|
|
4189
|
-
|
|
4190
|
-
|
|
4191
|
-
|
|
4192
|
-
|
|
4193
|
-
|
|
4176
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
4177
|
+
}
|
|
4178
|
+
/**
|
|
4179
|
+
* add correlationId
|
|
4180
|
+
* @param correlationId
|
|
4181
|
+
*/
|
|
4182
|
+
function addCorrelationId(parameters, correlationId) {
|
|
4183
|
+
parameters.set(CLIENT_REQUEST_ID, correlationId);
|
|
4184
|
+
}
|
|
4185
|
+
/**
|
|
4186
|
+
* add library info query params
|
|
4187
|
+
* @param libraryInfo
|
|
4188
|
+
*/
|
|
4189
|
+
function addLibraryInfo(parameters, libraryInfo) {
|
|
4190
|
+
// Telemetry Info
|
|
4191
|
+
parameters.set(X_CLIENT_SKU, libraryInfo.sku);
|
|
4192
|
+
parameters.set(X_CLIENT_VER, libraryInfo.version);
|
|
4193
|
+
if (libraryInfo.os) {
|
|
4194
|
+
parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4194
4195
|
}
|
|
4195
|
-
|
|
4196
|
-
|
|
4197
|
-
* @param redirectUri
|
|
4198
|
-
*/
|
|
4199
|
-
addPostLogoutRedirectUri(redirectUri) {
|
|
4200
|
-
RequestValidator.validateRedirectUri(redirectUri);
|
|
4201
|
-
this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
|
|
4196
|
+
if (libraryInfo.cpu) {
|
|
4197
|
+
parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4202
4198
|
}
|
|
4203
|
-
|
|
4204
|
-
|
|
4205
|
-
|
|
4206
|
-
|
|
4207
|
-
|
|
4208
|
-
|
|
4199
|
+
}
|
|
4200
|
+
/**
|
|
4201
|
+
* Add client telemetry parameters
|
|
4202
|
+
* @param appTelemetry
|
|
4203
|
+
*/
|
|
4204
|
+
function addApplicationTelemetry(parameters, appTelemetry) {
|
|
4205
|
+
if (appTelemetry?.appName) {
|
|
4206
|
+
parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4209
4207
|
}
|
|
4210
|
-
|
|
4211
|
-
|
|
4212
|
-
* @param domainHint
|
|
4213
|
-
*/
|
|
4214
|
-
addDomainHint(domainHint) {
|
|
4215
|
-
this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
|
|
4208
|
+
if (appTelemetry?.appVersion) {
|
|
4209
|
+
parameters.set(X_APP_VER, appTelemetry.appVersion);
|
|
4216
4210
|
}
|
|
4217
|
-
|
|
4218
|
-
|
|
4219
|
-
|
|
4220
|
-
|
|
4221
|
-
|
|
4222
|
-
|
|
4211
|
+
}
|
|
4212
|
+
/**
|
|
4213
|
+
* add prompt
|
|
4214
|
+
* @param prompt
|
|
4215
|
+
*/
|
|
4216
|
+
function addPrompt(parameters, prompt) {
|
|
4217
|
+
parameters.set(PROMPT, prompt);
|
|
4218
|
+
}
|
|
4219
|
+
/**
|
|
4220
|
+
* add state
|
|
4221
|
+
* @param state
|
|
4222
|
+
*/
|
|
4223
|
+
function addState(parameters, state) {
|
|
4224
|
+
if (state) {
|
|
4225
|
+
parameters.set(STATE, state);
|
|
4223
4226
|
}
|
|
4224
|
-
|
|
4225
|
-
|
|
4226
|
-
|
|
4227
|
-
|
|
4228
|
-
|
|
4229
|
-
|
|
4227
|
+
}
|
|
4228
|
+
/**
|
|
4229
|
+
* add nonce
|
|
4230
|
+
* @param nonce
|
|
4231
|
+
*/
|
|
4232
|
+
function addNonce(parameters, nonce) {
|
|
4233
|
+
parameters.set(NONCE, nonce);
|
|
4234
|
+
}
|
|
4235
|
+
/**
|
|
4236
|
+
* add code_challenge and code_challenge_method
|
|
4237
|
+
* - throw if either of them are not passed
|
|
4238
|
+
* @param codeChallenge
|
|
4239
|
+
* @param codeChallengeMethod
|
|
4240
|
+
*/
|
|
4241
|
+
function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
|
|
4242
|
+
if (codeChallenge && codeChallengeMethod) {
|
|
4243
|
+
parameters.set(CODE_CHALLENGE, codeChallenge);
|
|
4244
|
+
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
4230
4245
|
}
|
|
4231
|
-
|
|
4232
|
-
|
|
4233
|
-
* @param loginHint
|
|
4234
|
-
*/
|
|
4235
|
-
addCcsOid(clientInfo) {
|
|
4236
|
-
this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
|
|
4246
|
+
else {
|
|
4247
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
4237
4248
|
}
|
|
4238
|
-
|
|
4239
|
-
|
|
4240
|
-
|
|
4241
|
-
|
|
4242
|
-
|
|
4243
|
-
|
|
4249
|
+
}
|
|
4250
|
+
/**
|
|
4251
|
+
* add the `authorization_code` passed by the user to exchange for a token
|
|
4252
|
+
* @param code
|
|
4253
|
+
*/
|
|
4254
|
+
function addAuthorizationCode(parameters, code) {
|
|
4255
|
+
parameters.set(CODE, code);
|
|
4256
|
+
}
|
|
4257
|
+
/**
|
|
4258
|
+
* add the `refreshToken` passed by the user
|
|
4259
|
+
* @param refreshToken
|
|
4260
|
+
*/
|
|
4261
|
+
function addRefreshToken(parameters, refreshToken) {
|
|
4262
|
+
parameters.set(REFRESH_TOKEN, refreshToken);
|
|
4263
|
+
}
|
|
4264
|
+
/**
|
|
4265
|
+
* add the `code_verifier` passed by the user to exchange for a token
|
|
4266
|
+
* @param codeVerifier
|
|
4267
|
+
*/
|
|
4268
|
+
function addCodeVerifier(parameters, codeVerifier) {
|
|
4269
|
+
parameters.set(CODE_VERIFIER, codeVerifier);
|
|
4270
|
+
}
|
|
4271
|
+
/**
|
|
4272
|
+
* add client_secret
|
|
4273
|
+
* @param clientSecret
|
|
4274
|
+
*/
|
|
4275
|
+
function addClientSecret(parameters, clientSecret) {
|
|
4276
|
+
parameters.set(CLIENT_SECRET, clientSecret);
|
|
4277
|
+
}
|
|
4278
|
+
/**
|
|
4279
|
+
* add clientAssertion for confidential client flows
|
|
4280
|
+
* @param clientAssertion
|
|
4281
|
+
*/
|
|
4282
|
+
function addClientAssertion(parameters, clientAssertion) {
|
|
4283
|
+
if (clientAssertion) {
|
|
4284
|
+
parameters.set(CLIENT_ASSERTION, clientAssertion);
|
|
4244
4285
|
}
|
|
4245
|
-
|
|
4246
|
-
|
|
4247
|
-
|
|
4248
|
-
|
|
4249
|
-
|
|
4250
|
-
|
|
4251
|
-
|
|
4252
|
-
|
|
4286
|
+
}
|
|
4287
|
+
/**
|
|
4288
|
+
* add clientAssertionType for confidential client flows
|
|
4289
|
+
* @param clientAssertionType
|
|
4290
|
+
*/
|
|
4291
|
+
function addClientAssertionType(parameters, clientAssertionType) {
|
|
4292
|
+
if (clientAssertionType) {
|
|
4293
|
+
parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
|
|
4253
4294
|
}
|
|
4254
|
-
|
|
4255
|
-
|
|
4256
|
-
|
|
4257
|
-
|
|
4258
|
-
|
|
4259
|
-
|
|
4295
|
+
}
|
|
4296
|
+
/**
|
|
4297
|
+
* add grant type
|
|
4298
|
+
* @param grantType
|
|
4299
|
+
*/
|
|
4300
|
+
function addGrantType(parameters, grantType) {
|
|
4301
|
+
parameters.set(GRANT_TYPE, grantType);
|
|
4302
|
+
}
|
|
4303
|
+
/**
|
|
4304
|
+
* add client info
|
|
4305
|
+
*
|
|
4306
|
+
*/
|
|
4307
|
+
function addClientInfo(parameters) {
|
|
4308
|
+
parameters.set(CLIENT_INFO, "1");
|
|
4309
|
+
}
|
|
4310
|
+
function addInstanceAware(parameters) {
|
|
4311
|
+
if (!parameters.has(INSTANCE_AWARE)) {
|
|
4312
|
+
parameters.set(INSTANCE_AWARE, "true");
|
|
4260
4313
|
}
|
|
4261
|
-
|
|
4262
|
-
|
|
4263
|
-
|
|
4264
|
-
|
|
4265
|
-
|
|
4266
|
-
|
|
4267
|
-
|
|
4268
|
-
|
|
4269
|
-
|
|
4270
|
-
this.parameters.set(X_CLIENT_OS, libraryInfo.os);
|
|
4271
|
-
}
|
|
4272
|
-
if (libraryInfo.cpu) {
|
|
4273
|
-
this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
|
|
4314
|
+
}
|
|
4315
|
+
/**
|
|
4316
|
+
* add extraQueryParams
|
|
4317
|
+
* @param eQParams
|
|
4318
|
+
*/
|
|
4319
|
+
function addExtraQueryParameters(parameters, eQParams) {
|
|
4320
|
+
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4321
|
+
if (!parameters.has(key) && value) {
|
|
4322
|
+
parameters.set(key, value);
|
|
4274
4323
|
}
|
|
4324
|
+
});
|
|
4325
|
+
}
|
|
4326
|
+
function addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4327
|
+
let mergedClaims;
|
|
4328
|
+
// Parse provided claims into JSON object or initialize empty object
|
|
4329
|
+
if (!claims) {
|
|
4330
|
+
mergedClaims = {};
|
|
4275
4331
|
}
|
|
4276
|
-
|
|
4277
|
-
|
|
4278
|
-
|
|
4279
|
-
*/
|
|
4280
|
-
addApplicationTelemetry(appTelemetry) {
|
|
4281
|
-
if (appTelemetry?.appName) {
|
|
4282
|
-
this.parameters.set(X_APP_NAME, appTelemetry.appName);
|
|
4332
|
+
else {
|
|
4333
|
+
try {
|
|
4334
|
+
mergedClaims = JSON.parse(claims);
|
|
4283
4335
|
}
|
|
4284
|
-
|
|
4285
|
-
|
|
4336
|
+
catch (e) {
|
|
4337
|
+
throw createClientConfigurationError(invalidClaims);
|
|
4286
4338
|
}
|
|
4287
4339
|
}
|
|
4288
|
-
|
|
4289
|
-
|
|
4290
|
-
|
|
4291
|
-
|
|
4292
|
-
addPrompt(prompt) {
|
|
4293
|
-
RequestValidator.validatePrompt(prompt);
|
|
4294
|
-
this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
|
|
4295
|
-
}
|
|
4296
|
-
/**
|
|
4297
|
-
* add state
|
|
4298
|
-
* @param state
|
|
4299
|
-
*/
|
|
4300
|
-
addState(state) {
|
|
4301
|
-
if (state) {
|
|
4302
|
-
this.parameters.set(STATE, encodeURIComponent(state));
|
|
4340
|
+
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4341
|
+
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4342
|
+
// Add access_token key to claims object
|
|
4343
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4303
4344
|
}
|
|
4345
|
+
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4346
|
+
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
|
|
4347
|
+
{
|
|
4348
|
+
values: clientCapabilities,
|
|
4349
|
+
};
|
|
4304
4350
|
}
|
|
4305
|
-
|
|
4306
|
-
|
|
4307
|
-
|
|
4308
|
-
|
|
4309
|
-
|
|
4310
|
-
|
|
4351
|
+
return JSON.stringify(mergedClaims);
|
|
4352
|
+
}
|
|
4353
|
+
/**
|
|
4354
|
+
* add pop_jwk to query params
|
|
4355
|
+
* @param cnfString
|
|
4356
|
+
*/
|
|
4357
|
+
function addPopToken(parameters, cnfString) {
|
|
4358
|
+
if (cnfString) {
|
|
4359
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4360
|
+
parameters.set(REQ_CNF, cnfString);
|
|
4311
4361
|
}
|
|
4312
|
-
|
|
4313
|
-
|
|
4314
|
-
|
|
4315
|
-
|
|
4316
|
-
|
|
4317
|
-
|
|
4318
|
-
|
|
4319
|
-
|
|
4320
|
-
if (codeChallenge && codeChallengeMethod) {
|
|
4321
|
-
this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
|
|
4322
|
-
this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
|
|
4323
|
-
}
|
|
4324
|
-
else {
|
|
4325
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
4326
|
-
}
|
|
4327
|
-
}
|
|
4328
|
-
/**
|
|
4329
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4330
|
-
* @param code
|
|
4331
|
-
*/
|
|
4332
|
-
addAuthorizationCode(code) {
|
|
4333
|
-
this.parameters.set(CODE, encodeURIComponent(code));
|
|
4334
|
-
}
|
|
4335
|
-
/**
|
|
4336
|
-
* add the `authorization_code` passed by the user to exchange for a token
|
|
4337
|
-
* @param code
|
|
4338
|
-
*/
|
|
4339
|
-
addDeviceCode(code) {
|
|
4340
|
-
this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
|
|
4341
|
-
}
|
|
4342
|
-
/**
|
|
4343
|
-
* add the `refreshToken` passed by the user
|
|
4344
|
-
* @param refreshToken
|
|
4345
|
-
*/
|
|
4346
|
-
addRefreshToken(refreshToken) {
|
|
4347
|
-
this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
|
|
4348
|
-
}
|
|
4349
|
-
/**
|
|
4350
|
-
* add the `code_verifier` passed by the user to exchange for a token
|
|
4351
|
-
* @param codeVerifier
|
|
4352
|
-
*/
|
|
4353
|
-
addCodeVerifier(codeVerifier) {
|
|
4354
|
-
this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
|
|
4355
|
-
}
|
|
4356
|
-
/**
|
|
4357
|
-
* add client_secret
|
|
4358
|
-
* @param clientSecret
|
|
4359
|
-
*/
|
|
4360
|
-
addClientSecret(clientSecret) {
|
|
4361
|
-
this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
|
|
4362
|
-
}
|
|
4363
|
-
/**
|
|
4364
|
-
* add clientAssertion for confidential client flows
|
|
4365
|
-
* @param clientAssertion
|
|
4366
|
-
*/
|
|
4367
|
-
addClientAssertion(clientAssertion) {
|
|
4368
|
-
if (clientAssertion) {
|
|
4369
|
-
this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
|
|
4370
|
-
}
|
|
4371
|
-
}
|
|
4372
|
-
/**
|
|
4373
|
-
* add clientAssertionType for confidential client flows
|
|
4374
|
-
* @param clientAssertionType
|
|
4375
|
-
*/
|
|
4376
|
-
addClientAssertionType(clientAssertionType) {
|
|
4377
|
-
if (clientAssertionType) {
|
|
4378
|
-
this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
|
|
4379
|
-
}
|
|
4380
|
-
}
|
|
4381
|
-
/**
|
|
4382
|
-
* add OBO assertion for confidential client flows
|
|
4383
|
-
* @param clientAssertion
|
|
4384
|
-
*/
|
|
4385
|
-
addOboAssertion(oboAssertion) {
|
|
4386
|
-
this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
|
|
4387
|
-
}
|
|
4388
|
-
/**
|
|
4389
|
-
* add grant type
|
|
4390
|
-
* @param grantType
|
|
4391
|
-
*/
|
|
4392
|
-
addRequestTokenUse(tokenUse) {
|
|
4393
|
-
this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
|
|
4394
|
-
}
|
|
4395
|
-
/**
|
|
4396
|
-
* add grant type
|
|
4397
|
-
* @param grantType
|
|
4398
|
-
*/
|
|
4399
|
-
addGrantType(grantType) {
|
|
4400
|
-
this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
|
|
4401
|
-
}
|
|
4402
|
-
/**
|
|
4403
|
-
* add client info
|
|
4404
|
-
*
|
|
4405
|
-
*/
|
|
4406
|
-
addClientInfo() {
|
|
4407
|
-
this.parameters.set(CLIENT_INFO, "1");
|
|
4408
|
-
}
|
|
4409
|
-
/**
|
|
4410
|
-
* add extraQueryParams
|
|
4411
|
-
* @param eQParams
|
|
4412
|
-
*/
|
|
4413
|
-
addExtraQueryParameters(eQParams) {
|
|
4414
|
-
Object.entries(eQParams).forEach(([key, value]) => {
|
|
4415
|
-
if (!this.parameters.has(key) && value) {
|
|
4416
|
-
this.parameters.set(key, value);
|
|
4417
|
-
}
|
|
4418
|
-
});
|
|
4419
|
-
}
|
|
4420
|
-
addClientCapabilitiesToClaims(claims, clientCapabilities) {
|
|
4421
|
-
let mergedClaims;
|
|
4422
|
-
// Parse provided claims into JSON object or initialize empty object
|
|
4423
|
-
if (!claims) {
|
|
4424
|
-
mergedClaims = {};
|
|
4425
|
-
}
|
|
4426
|
-
else {
|
|
4427
|
-
try {
|
|
4428
|
-
mergedClaims = JSON.parse(claims);
|
|
4429
|
-
}
|
|
4430
|
-
catch (e) {
|
|
4431
|
-
throw createClientConfigurationError(invalidClaims);
|
|
4432
|
-
}
|
|
4433
|
-
}
|
|
4434
|
-
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
4435
|
-
if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
4436
|
-
// Add access_token key to claims object
|
|
4437
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
4438
|
-
}
|
|
4439
|
-
// Add xms_cc claim with provided clientCapabilities to access_token key
|
|
4440
|
-
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
|
|
4441
|
-
values: clientCapabilities,
|
|
4442
|
-
};
|
|
4443
|
-
}
|
|
4444
|
-
return JSON.stringify(mergedClaims);
|
|
4445
|
-
}
|
|
4446
|
-
/**
|
|
4447
|
-
* adds `username` for Password Grant flow
|
|
4448
|
-
* @param username
|
|
4449
|
-
*/
|
|
4450
|
-
addUsername(username) {
|
|
4451
|
-
this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
|
|
4452
|
-
}
|
|
4453
|
-
/**
|
|
4454
|
-
* adds `password` for Password Grant flow
|
|
4455
|
-
* @param password
|
|
4456
|
-
*/
|
|
4457
|
-
addPassword(password) {
|
|
4458
|
-
this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
|
|
4459
|
-
}
|
|
4460
|
-
/**
|
|
4461
|
-
* add pop_jwk to query params
|
|
4462
|
-
* @param cnfString
|
|
4463
|
-
*/
|
|
4464
|
-
addPopToken(cnfString) {
|
|
4465
|
-
if (cnfString) {
|
|
4466
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
|
|
4467
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
|
|
4468
|
-
}
|
|
4469
|
-
}
|
|
4470
|
-
/**
|
|
4471
|
-
* add SSH JWK and key ID to query params
|
|
4472
|
-
*/
|
|
4473
|
-
addSshJwk(sshJwkString) {
|
|
4474
|
-
if (sshJwkString) {
|
|
4475
|
-
this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4476
|
-
this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
|
|
4477
|
-
}
|
|
4478
|
-
}
|
|
4479
|
-
/**
|
|
4480
|
-
* add server telemetry fields
|
|
4481
|
-
* @param serverTelemetryManager
|
|
4482
|
-
*/
|
|
4483
|
-
addServerTelemetry(serverTelemetryManager) {
|
|
4484
|
-
this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4485
|
-
this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4486
|
-
}
|
|
4487
|
-
/**
|
|
4488
|
-
* Adds parameter that indicates to the server that throttling is supported
|
|
4489
|
-
*/
|
|
4490
|
-
addThrottling() {
|
|
4491
|
-
this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4492
|
-
}
|
|
4493
|
-
/**
|
|
4494
|
-
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4495
|
-
*/
|
|
4496
|
-
addLogoutHint(logoutHint) {
|
|
4497
|
-
this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
|
|
4362
|
+
}
|
|
4363
|
+
/**
|
|
4364
|
+
* add SSH JWK and key ID to query params
|
|
4365
|
+
*/
|
|
4366
|
+
function addSshJwk(parameters, sshJwkString) {
|
|
4367
|
+
if (sshJwkString) {
|
|
4368
|
+
parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
|
|
4369
|
+
parameters.set(REQ_CNF, sshJwkString);
|
|
4498
4370
|
}
|
|
4499
|
-
|
|
4500
|
-
|
|
4501
|
-
|
|
4502
|
-
|
|
4503
|
-
|
|
4504
|
-
|
|
4505
|
-
|
|
4371
|
+
}
|
|
4372
|
+
/**
|
|
4373
|
+
* add server telemetry fields
|
|
4374
|
+
* @param serverTelemetryManager
|
|
4375
|
+
*/
|
|
4376
|
+
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
4377
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
4378
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
4379
|
+
}
|
|
4380
|
+
/**
|
|
4381
|
+
* Adds parameter that indicates to the server that throttling is supported
|
|
4382
|
+
*/
|
|
4383
|
+
function addThrottling(parameters) {
|
|
4384
|
+
parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
|
|
4385
|
+
}
|
|
4386
|
+
/**
|
|
4387
|
+
* Adds logout_hint parameter for "silent" logout which prevent server account picker
|
|
4388
|
+
*/
|
|
4389
|
+
function addLogoutHint(parameters, logoutHint) {
|
|
4390
|
+
parameters.set(LOGOUT_HINT, logoutHint);
|
|
4391
|
+
}
|
|
4392
|
+
function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
|
|
4393
|
+
if (!parameters.has(BROKER_CLIENT_ID)) {
|
|
4394
|
+
parameters.set(BROKER_CLIENT_ID, brokerClientId);
|
|
4506
4395
|
}
|
|
4507
|
-
|
|
4508
|
-
|
|
4509
|
-
*/
|
|
4510
|
-
createQueryString() {
|
|
4511
|
-
const queryParameterArray = new Array();
|
|
4512
|
-
this.parameters.forEach((value, key) => {
|
|
4513
|
-
queryParameterArray.push(`${key}=${value}`);
|
|
4514
|
-
});
|
|
4515
|
-
instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
|
|
4516
|
-
return queryParameterArray.join("&");
|
|
4396
|
+
if (!parameters.has(BROKER_REDIRECT_URI)) {
|
|
4397
|
+
parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
|
|
4517
4398
|
}
|
|
4518
4399
|
}
|
|
4519
4400
|
|
|
4520
|
-
/*! @azure/msal-common v15.
|
|
4401
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4521
4402
|
/*
|
|
4522
4403
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4523
4404
|
* Licensed under the MIT License.
|
|
@@ -4529,7 +4410,7 @@ function isOpenIdConfigResponse(response) {
|
|
|
4529
4410
|
response.hasOwnProperty("jwks_uri"));
|
|
4530
4411
|
}
|
|
4531
4412
|
|
|
4532
|
-
/*! @azure/msal-common v15.
|
|
4413
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4533
4414
|
/*
|
|
4534
4415
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4535
4416
|
* Licensed under the MIT License.
|
|
@@ -4539,7 +4420,7 @@ function isCloudInstanceDiscoveryResponse(response) {
|
|
|
4539
4420
|
response.hasOwnProperty("metadata"));
|
|
4540
4421
|
}
|
|
4541
4422
|
|
|
4542
|
-
/*! @azure/msal-common v15.
|
|
4423
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4543
4424
|
/*
|
|
4544
4425
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4545
4426
|
* Licensed under the MIT License.
|
|
@@ -4549,7 +4430,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
|
|
|
4549
4430
|
response.hasOwnProperty("error_description"));
|
|
4550
4431
|
}
|
|
4551
4432
|
|
|
4552
|
-
/*! @azure/msal-common v15.
|
|
4433
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
4553
4434
|
/*
|
|
4554
4435
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4555
4436
|
* Licensed under the MIT License.
|
|
@@ -4725,11 +4606,11 @@ const PerformanceEvents = {
|
|
|
4725
4606
|
StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
|
|
4726
4607
|
StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
|
|
4727
4608
|
StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
|
|
4728
|
-
StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
|
|
4729
4609
|
/**
|
|
4730
4610
|
* getAuthCodeUrl API (msal-browser and msal-node).
|
|
4731
4611
|
*/
|
|
4732
4612
|
GetAuthCodeUrl: "getAuthCodeUrl",
|
|
4613
|
+
GetStandardParams: "getStandardParams",
|
|
4733
4614
|
/**
|
|
4734
4615
|
* Functions from InteractionHandler (msal-browser)
|
|
4735
4616
|
*/
|
|
@@ -4742,7 +4623,6 @@ const PerformanceEvents = {
|
|
|
4742
4623
|
AuthClientAcquireToken: "authClientAcquireToken",
|
|
4743
4624
|
AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
|
|
4744
4625
|
AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
|
|
4745
|
-
AuthClientCreateQueryString: "authClientCreateQueryString",
|
|
4746
4626
|
/**
|
|
4747
4627
|
* Generate functions in PopTokenGenerator (msal-common)
|
|
4748
4628
|
*/
|
|
@@ -4913,10 +4793,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
4913
4793
|
PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
|
|
4914
4794
|
"StdIntClientInitAuthReq",
|
|
4915
4795
|
],
|
|
4916
|
-
[
|
|
4917
|
-
PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
|
|
4918
|
-
"StdIntClientInitAuthCodeReq",
|
|
4919
|
-
],
|
|
4920
4796
|
[PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
|
|
4921
4797
|
[
|
|
4922
4798
|
PerformanceEvents.HandleCodeResponseFromServer,
|
|
@@ -4930,10 +4806,6 @@ const PerformanceEventAbbreviations = new Map([
|
|
|
4930
4806
|
PerformanceEvents.AuthClientCreateTokenRequestBody,
|
|
4931
4807
|
"AuthClientCreateTReqBody",
|
|
4932
4808
|
],
|
|
4933
|
-
[
|
|
4934
|
-
PerformanceEvents.AuthClientCreateQueryString,
|
|
4935
|
-
"AuthClientCreateQueryStr",
|
|
4936
|
-
],
|
|
4937
4809
|
[PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
|
|
4938
4810
|
[PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
|
|
4939
4811
|
[PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
|
|
@@ -5058,7 +4930,7 @@ const IntFields = new Set([
|
|
|
5058
4930
|
"encryptedCacheExpiredCount",
|
|
5059
4931
|
]);
|
|
5060
4932
|
|
|
5061
|
-
/*! @azure/msal-common v15.
|
|
4933
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5062
4934
|
/*
|
|
5063
4935
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5064
4936
|
* Licensed under the MIT License.
|
|
@@ -5154,7 +5026,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
|
|
|
5154
5026
|
};
|
|
5155
5027
|
};
|
|
5156
5028
|
|
|
5157
|
-
/*! @azure/msal-common v15.
|
|
5029
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5158
5030
|
|
|
5159
5031
|
/*
|
|
5160
5032
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5263,7 +5135,7 @@ RegionDiscovery.IMDS_OPTIONS = {
|
|
|
5263
5135
|
},
|
|
5264
5136
|
};
|
|
5265
5137
|
|
|
5266
|
-
/*! @azure/msal-common v15.
|
|
5138
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
5267
5139
|
|
|
5268
5140
|
/*
|
|
5269
5141
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6102,7 +5974,7 @@ function buildStaticAuthorityOptions(authOptions) {
|
|
|
6102
5974
|
};
|
|
6103
5975
|
}
|
|
6104
5976
|
|
|
6105
|
-
/*! @azure/msal-common v15.
|
|
5977
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6106
5978
|
|
|
6107
5979
|
/*
|
|
6108
5980
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6133,7 +6005,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
|
|
|
6133
6005
|
}
|
|
6134
6006
|
}
|
|
6135
6007
|
|
|
6136
|
-
/*! @azure/msal-common v15.
|
|
6008
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6137
6009
|
|
|
6138
6010
|
/*
|
|
6139
6011
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6152,7 +6024,7 @@ class ServerError extends AuthError {
|
|
|
6152
6024
|
}
|
|
6153
6025
|
}
|
|
6154
6026
|
|
|
6155
|
-
/*! @azure/msal-common v15.
|
|
6027
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6156
6028
|
/*
|
|
6157
6029
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6158
6030
|
* Licensed under the MIT License.
|
|
@@ -6173,7 +6045,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
|
|
|
6173
6045
|
};
|
|
6174
6046
|
}
|
|
6175
6047
|
|
|
6176
|
-
/*! @azure/msal-common v15.
|
|
6048
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6177
6049
|
|
|
6178
6050
|
/*
|
|
6179
6051
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6260,7 +6132,7 @@ class ThrottlingUtils {
|
|
|
6260
6132
|
}
|
|
6261
6133
|
}
|
|
6262
6134
|
|
|
6263
|
-
/*! @azure/msal-common v15.
|
|
6135
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6264
6136
|
|
|
6265
6137
|
/*
|
|
6266
6138
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6290,7 +6162,7 @@ function createNetworkError(error, httpStatus, responseHeaders) {
|
|
|
6290
6162
|
return new NetworkError(error, httpStatus, responseHeaders);
|
|
6291
6163
|
}
|
|
6292
6164
|
|
|
6293
|
-
/*! @azure/msal-common v15.
|
|
6165
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6294
6166
|
|
|
6295
6167
|
/*
|
|
6296
6168
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6425,22 +6297,20 @@ class BaseClient {
|
|
|
6425
6297
|
* @param request
|
|
6426
6298
|
*/
|
|
6427
6299
|
createTokenQueryParameters(request) {
|
|
6428
|
-
const
|
|
6300
|
+
const parameters = new Map();
|
|
6429
6301
|
if (request.embeddedClientId) {
|
|
6430
|
-
|
|
6431
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
6432
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
6433
|
-
});
|
|
6302
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
6434
6303
|
}
|
|
6435
6304
|
if (request.tokenQueryParameters) {
|
|
6436
|
-
|
|
6305
|
+
addExtraQueryParameters(parameters, request.tokenQueryParameters);
|
|
6437
6306
|
}
|
|
6438
|
-
|
|
6439
|
-
|
|
6307
|
+
addCorrelationId(parameters, request.correlationId);
|
|
6308
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6309
|
+
return mapToQueryString(parameters);
|
|
6440
6310
|
}
|
|
6441
6311
|
}
|
|
6442
6312
|
|
|
6443
|
-
/*! @azure/msal-common v15.
|
|
6313
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6444
6314
|
/*
|
|
6445
6315
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6446
6316
|
* Licensed under the MIT License.
|
|
@@ -6466,7 +6336,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
|
|
|
6466
6336
|
refreshTokenExpired: refreshTokenExpired
|
|
6467
6337
|
});
|
|
6468
6338
|
|
|
6469
|
-
/*! @azure/msal-common v15.
|
|
6339
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6470
6340
|
|
|
6471
6341
|
/*
|
|
6472
6342
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6554,7 +6424,7 @@ function createInteractionRequiredAuthError(errorCode) {
|
|
|
6554
6424
|
return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
|
|
6555
6425
|
}
|
|
6556
6426
|
|
|
6557
|
-
/*! @azure/msal-common v15.
|
|
6427
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6558
6428
|
|
|
6559
6429
|
/*
|
|
6560
6430
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6626,7 +6496,7 @@ class ProtocolUtils {
|
|
|
6626
6496
|
}
|
|
6627
6497
|
}
|
|
6628
6498
|
|
|
6629
|
-
/*! @azure/msal-common v15.
|
|
6499
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6630
6500
|
|
|
6631
6501
|
/*
|
|
6632
6502
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6710,7 +6580,7 @@ class PopTokenGenerator {
|
|
|
6710
6580
|
}
|
|
6711
6581
|
}
|
|
6712
6582
|
|
|
6713
|
-
/*! @azure/msal-common v15.
|
|
6583
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6714
6584
|
/*
|
|
6715
6585
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6716
6586
|
* Licensed under the MIT License.
|
|
@@ -6737,19 +6607,12 @@ class PopTokenGenerator {
|
|
|
6737
6607
|
}
|
|
6738
6608
|
}
|
|
6739
6609
|
|
|
6740
|
-
/*! @azure/msal-common v15.
|
|
6610
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6741
6611
|
|
|
6742
6612
|
/*
|
|
6743
6613
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6744
6614
|
* Licensed under the MIT License.
|
|
6745
6615
|
*/
|
|
6746
|
-
function parseServerErrorNo(serverResponse) {
|
|
6747
|
-
const errorCodePrefix = "code=";
|
|
6748
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
6749
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
6750
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
6751
|
-
: undefined;
|
|
6752
|
-
}
|
|
6753
6616
|
/**
|
|
6754
6617
|
* Class that handles response parsing.
|
|
6755
6618
|
* @internal
|
|
@@ -6764,46 +6627,6 @@ class ResponseHandler {
|
|
|
6764
6627
|
this.persistencePlugin = persistencePlugin;
|
|
6765
6628
|
this.performanceClient = performanceClient;
|
|
6766
6629
|
}
|
|
6767
|
-
/**
|
|
6768
|
-
* Function which validates server authorization code response.
|
|
6769
|
-
* @param serverResponseHash
|
|
6770
|
-
* @param requestState
|
|
6771
|
-
* @param cryptoObj
|
|
6772
|
-
*/
|
|
6773
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
6774
|
-
if (!serverResponse.state || !requestState) {
|
|
6775
|
-
throw serverResponse.state
|
|
6776
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6777
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
6778
|
-
}
|
|
6779
|
-
let decodedServerResponseState;
|
|
6780
|
-
let decodedRequestState;
|
|
6781
|
-
try {
|
|
6782
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6783
|
-
}
|
|
6784
|
-
catch (e) {
|
|
6785
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6786
|
-
}
|
|
6787
|
-
try {
|
|
6788
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
6789
|
-
}
|
|
6790
|
-
catch (e) {
|
|
6791
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
6792
|
-
}
|
|
6793
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
6794
|
-
throw createClientAuthError(stateMismatch);
|
|
6795
|
-
}
|
|
6796
|
-
// Check for error
|
|
6797
|
-
if (serverResponse.error ||
|
|
6798
|
-
serverResponse.error_description ||
|
|
6799
|
-
serverResponse.suberror) {
|
|
6800
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
6801
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
6802
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
6803
|
-
}
|
|
6804
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
6805
|
-
}
|
|
6806
|
-
}
|
|
6807
6630
|
/**
|
|
6808
6631
|
* Function which validates server authorization token response.
|
|
6809
6632
|
* @param serverResponse
|
|
@@ -7115,7 +6938,74 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
|
|
|
7115
6938
|
return baseAccount;
|
|
7116
6939
|
}
|
|
7117
6940
|
|
|
7118
|
-
/*! @azure/msal-common v15.
|
|
6941
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
6942
|
+
|
|
6943
|
+
/*
|
|
6944
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6945
|
+
* Licensed under the MIT License.
|
|
6946
|
+
*/
|
|
6947
|
+
/**
|
|
6948
|
+
* Validates server consumable params from the "request" objects
|
|
6949
|
+
*/
|
|
6950
|
+
class RequestValidator {
|
|
6951
|
+
/**
|
|
6952
|
+
* Utility to check if the `redirectUri` in the request is a non-null value
|
|
6953
|
+
* @param redirectUri
|
|
6954
|
+
*/
|
|
6955
|
+
static validateRedirectUri(redirectUri) {
|
|
6956
|
+
if (!redirectUri) {
|
|
6957
|
+
throw createClientConfigurationError(redirectUriEmpty);
|
|
6958
|
+
}
|
|
6959
|
+
}
|
|
6960
|
+
/**
|
|
6961
|
+
* Utility to validate prompt sent by the user in the request
|
|
6962
|
+
* @param prompt
|
|
6963
|
+
*/
|
|
6964
|
+
static validatePrompt(prompt) {
|
|
6965
|
+
const promptValues = [];
|
|
6966
|
+
for (const value in PromptValue) {
|
|
6967
|
+
promptValues.push(PromptValue[value]);
|
|
6968
|
+
}
|
|
6969
|
+
if (promptValues.indexOf(prompt) < 0) {
|
|
6970
|
+
throw createClientConfigurationError(invalidPromptValue);
|
|
6971
|
+
}
|
|
6972
|
+
}
|
|
6973
|
+
static validateClaims(claims) {
|
|
6974
|
+
try {
|
|
6975
|
+
JSON.parse(claims);
|
|
6976
|
+
}
|
|
6977
|
+
catch (e) {
|
|
6978
|
+
throw createClientConfigurationError(invalidClaims);
|
|
6979
|
+
}
|
|
6980
|
+
}
|
|
6981
|
+
/**
|
|
6982
|
+
* Utility to validate code_challenge and code_challenge_method
|
|
6983
|
+
* @param codeChallenge
|
|
6984
|
+
* @param codeChallengeMethod
|
|
6985
|
+
*/
|
|
6986
|
+
static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
|
|
6987
|
+
if (!codeChallenge || !codeChallengeMethod) {
|
|
6988
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
6989
|
+
}
|
|
6990
|
+
else {
|
|
6991
|
+
this.validateCodeChallengeMethod(codeChallengeMethod);
|
|
6992
|
+
}
|
|
6993
|
+
}
|
|
6994
|
+
/**
|
|
6995
|
+
* Utility to validate code_challenge_method
|
|
6996
|
+
* @param codeChallengeMethod
|
|
6997
|
+
*/
|
|
6998
|
+
static validateCodeChallengeMethod(codeChallengeMethod) {
|
|
6999
|
+
if ([
|
|
7000
|
+
CodeChallengeMethodValues.PLAIN,
|
|
7001
|
+
CodeChallengeMethodValues.S256,
|
|
7002
|
+
].indexOf(codeChallengeMethod) < 0) {
|
|
7003
|
+
throw createClientConfigurationError(invalidCodeChallengeMethod);
|
|
7004
|
+
}
|
|
7005
|
+
}
|
|
7006
|
+
}
|
|
7007
|
+
|
|
7008
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7119
7009
|
/*
|
|
7120
7010
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7121
7011
|
* Licensed under the MIT License.
|
|
@@ -7133,7 +7023,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
|
7133
7023
|
}
|
|
7134
7024
|
}
|
|
7135
7025
|
|
|
7136
|
-
/*! @azure/msal-common v15.
|
|
7026
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7137
7027
|
|
|
7138
7028
|
/*
|
|
7139
7029
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7151,21 +7041,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7151
7041
|
this.oidcDefaultScopes =
|
|
7152
7042
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
7153
7043
|
}
|
|
7154
|
-
/**
|
|
7155
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
7156
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
7157
|
-
* application object.
|
|
7158
|
-
*
|
|
7159
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
7160
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
7161
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
7162
|
-
* @param request
|
|
7163
|
-
*/
|
|
7164
|
-
async getAuthCodeUrl(request) {
|
|
7165
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
7166
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
7167
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
7168
|
-
}
|
|
7169
7044
|
/**
|
|
7170
7045
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
7171
7046
|
* authorization_code_grant
|
|
@@ -7185,22 +7060,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7185
7060
|
responseHandler.validateTokenResponse(response.body);
|
|
7186
7061
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
7187
7062
|
}
|
|
7188
|
-
/**
|
|
7189
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7190
|
-
* the client to exchange for a token in acquireToken.
|
|
7191
|
-
* @param hashFragment
|
|
7192
|
-
*/
|
|
7193
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
7194
|
-
// Handle responses.
|
|
7195
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
7196
|
-
// Get code response
|
|
7197
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
7198
|
-
// throw when there is no auth code in the response
|
|
7199
|
-
if (!serverParams.code) {
|
|
7200
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7201
|
-
}
|
|
7202
|
-
return serverParams;
|
|
7203
|
-
}
|
|
7204
7063
|
/**
|
|
7205
7064
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
7206
7065
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -7248,8 +7107,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7248
7107
|
*/
|
|
7249
7108
|
async createTokenRequestBody(request) {
|
|
7250
7109
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
7251
|
-
const
|
|
7252
|
-
|
|
7110
|
+
const parameters = new Map();
|
|
7111
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7253
7112
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7254
7113
|
this.config.authOptions.clientId);
|
|
7255
7114
|
/*
|
|
@@ -7262,33 +7121,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7262
7121
|
}
|
|
7263
7122
|
else {
|
|
7264
7123
|
// Validate and include redirect uri
|
|
7265
|
-
|
|
7124
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7266
7125
|
}
|
|
7267
7126
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
7268
|
-
|
|
7127
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
7269
7128
|
// add code: user set, not validated
|
|
7270
|
-
|
|
7129
|
+
addAuthorizationCode(parameters, request.code);
|
|
7271
7130
|
// Add library metadata
|
|
7272
|
-
|
|
7273
|
-
|
|
7274
|
-
|
|
7131
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7132
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7133
|
+
addThrottling(parameters);
|
|
7275
7134
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7276
|
-
|
|
7135
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7277
7136
|
}
|
|
7278
7137
|
// add code_verifier if passed
|
|
7279
7138
|
if (request.codeVerifier) {
|
|
7280
|
-
|
|
7139
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
7281
7140
|
}
|
|
7282
7141
|
if (this.config.clientCredentials.clientSecret) {
|
|
7283
|
-
|
|
7142
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7284
7143
|
}
|
|
7285
7144
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7286
7145
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7287
|
-
|
|
7288
|
-
|
|
7146
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7147
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7289
7148
|
}
|
|
7290
|
-
|
|
7291
|
-
|
|
7149
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
7150
|
+
addClientInfo(parameters);
|
|
7292
7151
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7293
7152
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
7294
7153
|
let reqCnfData;
|
|
@@ -7300,11 +7159,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7300
7159
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7301
7160
|
}
|
|
7302
7161
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7303
|
-
|
|
7162
|
+
addPopToken(parameters, reqCnfData);
|
|
7304
7163
|
}
|
|
7305
7164
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7306
7165
|
if (request.sshJwk) {
|
|
7307
|
-
|
|
7166
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7308
7167
|
}
|
|
7309
7168
|
else {
|
|
7310
7169
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7313,7 +7172,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7313
7172
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7314
7173
|
(this.config.authOptions.clientCapabilities &&
|
|
7315
7174
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7316
|
-
|
|
7175
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7317
7176
|
}
|
|
7318
7177
|
let ccsCred = undefined;
|
|
7319
7178
|
if (request.clientInfo) {
|
|
@@ -7337,7 +7196,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7337
7196
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7338
7197
|
try {
|
|
7339
7198
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
7340
|
-
|
|
7199
|
+
addCcsOid(parameters, clientInfo);
|
|
7341
7200
|
}
|
|
7342
7201
|
catch (e) {
|
|
7343
7202
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7345,234 +7204,59 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
7345
7204
|
}
|
|
7346
7205
|
break;
|
|
7347
7206
|
case CcsCredentialType.UPN:
|
|
7348
|
-
|
|
7207
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
7349
7208
|
break;
|
|
7350
7209
|
}
|
|
7351
7210
|
}
|
|
7352
7211
|
if (request.embeddedClientId) {
|
|
7353
|
-
|
|
7354
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7355
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7356
|
-
});
|
|
7212
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7357
7213
|
}
|
|
7358
7214
|
if (request.tokenBodyParameters) {
|
|
7359
|
-
|
|
7215
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7360
7216
|
}
|
|
7361
7217
|
// Add hybrid spa parameters if not already provided
|
|
7362
7218
|
if (request.enableSpaAuthorizationCode &&
|
|
7363
7219
|
(!request.tokenBodyParameters ||
|
|
7364
7220
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
7365
|
-
|
|
7221
|
+
addExtraQueryParameters(parameters, {
|
|
7366
7222
|
[RETURN_SPA_CODE]: "1",
|
|
7367
7223
|
});
|
|
7368
7224
|
}
|
|
7369
|
-
|
|
7370
|
-
|
|
7371
|
-
/**
|
|
7372
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
7373
|
-
* @param request
|
|
7374
|
-
*/
|
|
7375
|
-
async createAuthCodeUrlQueryString(request) {
|
|
7376
|
-
// generate the correlationId if not set by the user and add
|
|
7377
|
-
const correlationId = request.correlationId ||
|
|
7378
|
-
this.config.cryptoInterface.createNewGuid();
|
|
7379
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
7380
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
7381
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7382
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7383
|
-
this.config.authOptions.clientId);
|
|
7384
|
-
const requestScopes = [
|
|
7385
|
-
...(request.scopes || []),
|
|
7386
|
-
...(request.extraScopesToConsent || []),
|
|
7387
|
-
];
|
|
7388
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
7389
|
-
// validate the redirectUri (to be a non null value)
|
|
7390
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
7391
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
7392
|
-
// add response_mode. If not passed in it defaults to query.
|
|
7393
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
7394
|
-
// add response_type = code
|
|
7395
|
-
parameterBuilder.addResponseTypeCode();
|
|
7396
|
-
// add library info parameters
|
|
7397
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
7398
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
7399
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
7400
|
-
}
|
|
7401
|
-
// add client_info=1
|
|
7402
|
-
parameterBuilder.addClientInfo();
|
|
7403
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
7404
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
7405
|
-
}
|
|
7406
|
-
if (request.prompt) {
|
|
7407
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
7408
|
-
}
|
|
7409
|
-
if (request.domainHint) {
|
|
7410
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
7411
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7412
|
-
}
|
|
7413
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7414
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7415
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7416
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7417
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7418
|
-
// SessionID is only used in silent calls
|
|
7419
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7420
|
-
parameterBuilder.addSid(request.sid);
|
|
7421
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7422
|
-
}
|
|
7423
|
-
else if (request.account) {
|
|
7424
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
7425
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
7426
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
7427
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7428
|
-
accountLoginHintClaim = null;
|
|
7429
|
-
}
|
|
7430
|
-
// If login_hint claim is present, use it over sid/username
|
|
7431
|
-
if (accountLoginHintClaim) {
|
|
7432
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7433
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
7434
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7435
|
-
try {
|
|
7436
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7437
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7438
|
-
}
|
|
7439
|
-
catch (e) {
|
|
7440
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7441
|
-
}
|
|
7442
|
-
}
|
|
7443
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7444
|
-
/*
|
|
7445
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7446
|
-
* SessionId is only used in silent calls
|
|
7447
|
-
*/
|
|
7448
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7449
|
-
parameterBuilder.addSid(accountSid);
|
|
7450
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7451
|
-
try {
|
|
7452
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7453
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7454
|
-
}
|
|
7455
|
-
catch (e) {
|
|
7456
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7457
|
-
}
|
|
7458
|
-
}
|
|
7459
|
-
else if (request.loginHint) {
|
|
7460
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7461
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7462
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7463
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7464
|
-
}
|
|
7465
|
-
else if (request.account.username) {
|
|
7466
|
-
// Fallback to account username if provided
|
|
7467
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7468
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
7469
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7470
|
-
try {
|
|
7471
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7472
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
7473
|
-
}
|
|
7474
|
-
catch (e) {
|
|
7475
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7476
|
-
}
|
|
7477
|
-
}
|
|
7478
|
-
}
|
|
7479
|
-
else if (request.loginHint) {
|
|
7480
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7481
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
7482
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
7483
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7484
|
-
}
|
|
7485
|
-
}
|
|
7486
|
-
else {
|
|
7487
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7488
|
-
}
|
|
7489
|
-
if (request.nonce) {
|
|
7490
|
-
parameterBuilder.addNonce(request.nonce);
|
|
7491
|
-
}
|
|
7492
|
-
if (request.state) {
|
|
7493
|
-
parameterBuilder.addState(request.state);
|
|
7494
|
-
}
|
|
7495
|
-
if (request.claims ||
|
|
7496
|
-
(this.config.authOptions.clientCapabilities &&
|
|
7497
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7498
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
7499
|
-
}
|
|
7500
|
-
if (request.embeddedClientId) {
|
|
7501
|
-
parameterBuilder.addBrokerParameters({
|
|
7502
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7503
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7504
|
-
});
|
|
7505
|
-
}
|
|
7506
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7507
|
-
if (request.platformBroker) {
|
|
7508
|
-
// signal ests that this is a WAM call
|
|
7509
|
-
parameterBuilder.addNativeBroker();
|
|
7510
|
-
// pass the req_cnf for POP
|
|
7511
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7512
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
7513
|
-
// req_cnf is always sent as a string for SPAs
|
|
7514
|
-
let reqCnfData;
|
|
7515
|
-
if (!request.popKid) {
|
|
7516
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
7517
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
7518
|
-
}
|
|
7519
|
-
else {
|
|
7520
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7521
|
-
}
|
|
7522
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
7523
|
-
}
|
|
7524
|
-
}
|
|
7525
|
-
return parameterBuilder.createQueryString();
|
|
7225
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7226
|
+
return mapToQueryString(parameters);
|
|
7526
7227
|
}
|
|
7527
7228
|
/**
|
|
7528
7229
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
7529
7230
|
* @param request
|
|
7530
7231
|
*/
|
|
7531
7232
|
createLogoutUrlQueryString(request) {
|
|
7532
|
-
const
|
|
7233
|
+
const parameters = new Map();
|
|
7533
7234
|
if (request.postLogoutRedirectUri) {
|
|
7534
|
-
|
|
7235
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
7535
7236
|
}
|
|
7536
7237
|
if (request.correlationId) {
|
|
7537
|
-
|
|
7238
|
+
addCorrelationId(parameters, request.correlationId);
|
|
7538
7239
|
}
|
|
7539
7240
|
if (request.idTokenHint) {
|
|
7540
|
-
|
|
7241
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
7541
7242
|
}
|
|
7542
7243
|
if (request.state) {
|
|
7543
|
-
|
|
7244
|
+
addState(parameters, request.state);
|
|
7544
7245
|
}
|
|
7545
7246
|
if (request.logoutHint) {
|
|
7546
|
-
|
|
7547
|
-
}
|
|
7548
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
7549
|
-
return parameterBuilder.createQueryString();
|
|
7550
|
-
}
|
|
7551
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
7552
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
7553
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
7554
|
-
// Set instance_aware flag if config auth param is set
|
|
7555
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
7556
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
7557
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
7247
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
7558
7248
|
}
|
|
7559
7249
|
if (request.extraQueryParameters) {
|
|
7560
|
-
|
|
7250
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7561
7251
|
}
|
|
7562
|
-
|
|
7563
|
-
|
|
7564
|
-
|
|
7565
|
-
|
|
7566
|
-
*/
|
|
7567
|
-
extractAccountSid(account) {
|
|
7568
|
-
return account.idTokenClaims?.sid || null;
|
|
7569
|
-
}
|
|
7570
|
-
extractLoginHint(account) {
|
|
7571
|
-
return account.idTokenClaims?.login_hint || null;
|
|
7252
|
+
if (this.config.authOptions.instanceAware) {
|
|
7253
|
+
addInstanceAware(parameters);
|
|
7254
|
+
}
|
|
7255
|
+
return mapToQueryString(parameters);
|
|
7572
7256
|
}
|
|
7573
7257
|
}
|
|
7574
7258
|
|
|
7575
|
-
/*! @azure/msal-common v15.
|
|
7259
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7576
7260
|
|
|
7577
7261
|
/*
|
|
7578
7262
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7701,31 +7385,30 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7701
7385
|
*/
|
|
7702
7386
|
async createTokenRequestBody(request) {
|
|
7703
7387
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
7704
|
-
const
|
|
7705
|
-
|
|
7706
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
7388
|
+
const parameters = new Map();
|
|
7389
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7707
7390
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
7708
7391
|
this.config.authOptions.clientId);
|
|
7709
7392
|
if (request.redirectUri) {
|
|
7710
|
-
|
|
7711
|
-
}
|
|
7712
|
-
|
|
7713
|
-
|
|
7714
|
-
|
|
7715
|
-
|
|
7716
|
-
|
|
7717
|
-
|
|
7393
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7394
|
+
}
|
|
7395
|
+
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7396
|
+
addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
|
|
7397
|
+
addClientInfo(parameters);
|
|
7398
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
7399
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
7400
|
+
addThrottling(parameters);
|
|
7718
7401
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
7719
|
-
|
|
7402
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
7720
7403
|
}
|
|
7721
|
-
|
|
7404
|
+
addRefreshToken(parameters, request.refreshToken);
|
|
7722
7405
|
if (this.config.clientCredentials.clientSecret) {
|
|
7723
|
-
|
|
7406
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
7724
7407
|
}
|
|
7725
7408
|
if (this.config.clientCredentials.clientAssertion) {
|
|
7726
7409
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
7727
|
-
|
|
7728
|
-
|
|
7410
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
7411
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
7729
7412
|
}
|
|
7730
7413
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
7731
7414
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
@@ -7738,11 +7421,11 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7738
7421
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
7739
7422
|
}
|
|
7740
7423
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
7741
|
-
|
|
7424
|
+
addPopToken(parameters, reqCnfData);
|
|
7742
7425
|
}
|
|
7743
7426
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
7744
7427
|
if (request.sshJwk) {
|
|
7745
|
-
|
|
7428
|
+
addSshJwk(parameters, request.sshJwk);
|
|
7746
7429
|
}
|
|
7747
7430
|
else {
|
|
7748
7431
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -7751,7 +7434,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7751
7434
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
7752
7435
|
(this.config.authOptions.clientCapabilities &&
|
|
7753
7436
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
7754
|
-
|
|
7437
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
7755
7438
|
}
|
|
7756
7439
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
7757
7440
|
request.ccsCredential) {
|
|
@@ -7759,7 +7442,7 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7759
7442
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
7760
7443
|
try {
|
|
7761
7444
|
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
7762
|
-
|
|
7445
|
+
addCcsOid(parameters, clientInfo);
|
|
7763
7446
|
}
|
|
7764
7447
|
catch (e) {
|
|
7765
7448
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -7767,24 +7450,22 @@ class RefreshTokenClient extends BaseClient {
|
|
|
7767
7450
|
}
|
|
7768
7451
|
break;
|
|
7769
7452
|
case CcsCredentialType.UPN:
|
|
7770
|
-
|
|
7453
|
+
addCcsUpn(parameters, request.ccsCredential.credential);
|
|
7771
7454
|
break;
|
|
7772
7455
|
}
|
|
7773
7456
|
}
|
|
7774
7457
|
if (request.embeddedClientId) {
|
|
7775
|
-
|
|
7776
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
7777
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
7778
|
-
});
|
|
7458
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
7779
7459
|
}
|
|
7780
7460
|
if (request.tokenBodyParameters) {
|
|
7781
|
-
|
|
7461
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
7782
7462
|
}
|
|
7783
|
-
|
|
7463
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
7464
|
+
return mapToQueryString(parameters);
|
|
7784
7465
|
}
|
|
7785
7466
|
}
|
|
7786
7467
|
|
|
7787
|
-
/*! @azure/msal-common v15.
|
|
7468
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7788
7469
|
|
|
7789
7470
|
/*
|
|
7790
7471
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7859,45 +7540,269 @@ class SilentFlowClient extends BaseClient {
|
|
|
7859
7540
|
if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
|
|
7860
7541
|
this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
|
|
7861
7542
|
}
|
|
7862
|
-
}
|
|
7863
|
-
/**
|
|
7864
|
-
* Helper function to build response object from the CacheRecord
|
|
7865
|
-
* @param cacheRecord
|
|
7866
|
-
*/
|
|
7867
|
-
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
7868
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
|
|
7869
|
-
let idTokenClaims;
|
|
7870
|
-
if (cacheRecord.idToken) {
|
|
7871
|
-
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
7543
|
+
}
|
|
7544
|
+
/**
|
|
7545
|
+
* Helper function to build response object from the CacheRecord
|
|
7546
|
+
* @param cacheRecord
|
|
7547
|
+
*/
|
|
7548
|
+
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
7549
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
|
|
7550
|
+
let idTokenClaims;
|
|
7551
|
+
if (cacheRecord.idToken) {
|
|
7552
|
+
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
7553
|
+
}
|
|
7554
|
+
// token max_age check
|
|
7555
|
+
if (request.maxAge || request.maxAge === 0) {
|
|
7556
|
+
const authTime = idTokenClaims?.auth_time;
|
|
7557
|
+
if (!authTime) {
|
|
7558
|
+
throw createClientAuthError(authTimeNotFound);
|
|
7559
|
+
}
|
|
7560
|
+
checkMaxAge(authTime, request.maxAge);
|
|
7561
|
+
}
|
|
7562
|
+
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
7563
|
+
}
|
|
7564
|
+
}
|
|
7565
|
+
|
|
7566
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7567
|
+
|
|
7568
|
+
/*
|
|
7569
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7570
|
+
* Licensed under the MIT License.
|
|
7571
|
+
*/
|
|
7572
|
+
const StubbedNetworkModule = {
|
|
7573
|
+
sendGetRequestAsync: () => {
|
|
7574
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7575
|
+
},
|
|
7576
|
+
sendPostRequestAsync: () => {
|
|
7577
|
+
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
7578
|
+
},
|
|
7579
|
+
};
|
|
7580
|
+
|
|
7581
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7582
|
+
|
|
7583
|
+
/*
|
|
7584
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7585
|
+
* Licensed under the MIT License.
|
|
7586
|
+
*/
|
|
7587
|
+
/**
|
|
7588
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
7589
|
+
* @param config
|
|
7590
|
+
* @param request
|
|
7591
|
+
* @param logger
|
|
7592
|
+
* @param performanceClient
|
|
7593
|
+
* @returns
|
|
7594
|
+
*/
|
|
7595
|
+
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
7596
|
+
// generate the correlationId if not set by the user and add
|
|
7597
|
+
const correlationId = request.correlationId;
|
|
7598
|
+
const parameters = new Map();
|
|
7599
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
7600
|
+
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
7601
|
+
authOptions.clientId);
|
|
7602
|
+
const requestScopes = [
|
|
7603
|
+
...(request.scopes || []),
|
|
7604
|
+
...(request.extraScopesToConsent || []),
|
|
7605
|
+
];
|
|
7606
|
+
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
7607
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
7608
|
+
addCorrelationId(parameters, correlationId);
|
|
7609
|
+
// add response_mode. If not passed in it defaults to query.
|
|
7610
|
+
addResponseMode(parameters, request.responseMode);
|
|
7611
|
+
// add client_info=1
|
|
7612
|
+
addClientInfo(parameters);
|
|
7613
|
+
if (request.prompt) {
|
|
7614
|
+
addPrompt(parameters, request.prompt);
|
|
7615
|
+
performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
7616
|
+
}
|
|
7617
|
+
if (request.domainHint) {
|
|
7618
|
+
addDomainHint(parameters, request.domainHint);
|
|
7619
|
+
performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
7620
|
+
}
|
|
7621
|
+
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
7622
|
+
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
7623
|
+
// AAD will throw if prompt=select_account is passed with an account hint
|
|
7624
|
+
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
7625
|
+
// SessionID is only used in silent calls
|
|
7626
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
7627
|
+
addSid(parameters, request.sid);
|
|
7628
|
+
performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
7629
|
+
}
|
|
7630
|
+
else if (request.account) {
|
|
7631
|
+
const accountSid = extractAccountSid(request.account);
|
|
7632
|
+
let accountLoginHintClaim = extractLoginHint(request.account);
|
|
7633
|
+
if (accountLoginHintClaim && request.domainHint) {
|
|
7634
|
+
logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
7635
|
+
accountLoginHintClaim = null;
|
|
7636
|
+
}
|
|
7637
|
+
// If login_hint claim is present, use it over sid/username
|
|
7638
|
+
if (accountLoginHintClaim) {
|
|
7639
|
+
logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
7640
|
+
addLoginHint(parameters, accountLoginHintClaim);
|
|
7641
|
+
performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
7642
|
+
try {
|
|
7643
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7644
|
+
addCcsOid(parameters, clientInfo);
|
|
7645
|
+
}
|
|
7646
|
+
catch (e) {
|
|
7647
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7648
|
+
}
|
|
7649
|
+
}
|
|
7650
|
+
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
7651
|
+
/*
|
|
7652
|
+
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
7653
|
+
* SessionId is only used in silent calls
|
|
7654
|
+
*/
|
|
7655
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
7656
|
+
addSid(parameters, accountSid);
|
|
7657
|
+
performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
7658
|
+
try {
|
|
7659
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7660
|
+
addCcsOid(parameters, clientInfo);
|
|
7661
|
+
}
|
|
7662
|
+
catch (e) {
|
|
7663
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7664
|
+
}
|
|
7665
|
+
}
|
|
7666
|
+
else if (request.loginHint) {
|
|
7667
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
7668
|
+
addLoginHint(parameters, request.loginHint);
|
|
7669
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7670
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7671
|
+
}
|
|
7672
|
+
else if (request.account.username) {
|
|
7673
|
+
// Fallback to account username if provided
|
|
7674
|
+
logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
7675
|
+
addLoginHint(parameters, request.account.username);
|
|
7676
|
+
performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
7677
|
+
try {
|
|
7678
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
7679
|
+
addCcsOid(parameters, clientInfo);
|
|
7680
|
+
}
|
|
7681
|
+
catch (e) {
|
|
7682
|
+
logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
7683
|
+
}
|
|
7684
|
+
}
|
|
7685
|
+
}
|
|
7686
|
+
else if (request.loginHint) {
|
|
7687
|
+
logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
7688
|
+
addLoginHint(parameters, request.loginHint);
|
|
7689
|
+
addCcsUpn(parameters, request.loginHint);
|
|
7690
|
+
performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
7872
7691
|
}
|
|
7873
|
-
|
|
7874
|
-
|
|
7875
|
-
|
|
7876
|
-
|
|
7877
|
-
|
|
7878
|
-
|
|
7879
|
-
|
|
7692
|
+
}
|
|
7693
|
+
else {
|
|
7694
|
+
logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
7695
|
+
}
|
|
7696
|
+
if (request.nonce) {
|
|
7697
|
+
addNonce(parameters, request.nonce);
|
|
7698
|
+
}
|
|
7699
|
+
if (request.state) {
|
|
7700
|
+
addState(parameters, request.state);
|
|
7701
|
+
}
|
|
7702
|
+
if (request.claims ||
|
|
7703
|
+
(authOptions.clientCapabilities &&
|
|
7704
|
+
authOptions.clientCapabilities.length > 0)) {
|
|
7705
|
+
addClaims(parameters, request.claims, authOptions.clientCapabilities);
|
|
7706
|
+
}
|
|
7707
|
+
if (request.embeddedClientId) {
|
|
7708
|
+
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
7709
|
+
}
|
|
7710
|
+
if (request.extraQueryParameters) {
|
|
7711
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
7712
|
+
}
|
|
7713
|
+
if (authOptions.instanceAware) {
|
|
7714
|
+
addInstanceAware(parameters);
|
|
7715
|
+
}
|
|
7716
|
+
return parameters;
|
|
7717
|
+
}
|
|
7718
|
+
/**
|
|
7719
|
+
* Returns authorize endpoint with given request parameters in the query string
|
|
7720
|
+
* @param authority
|
|
7721
|
+
* @param requestParameters
|
|
7722
|
+
* @returns
|
|
7723
|
+
*/
|
|
7724
|
+
function getAuthorizeUrl(authority, requestParameters) {
|
|
7725
|
+
const queryString = mapToQueryString(requestParameters);
|
|
7726
|
+
return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
|
|
7727
|
+
}
|
|
7728
|
+
/**
|
|
7729
|
+
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
7730
|
+
* the client to exchange for a token in acquireToken.
|
|
7731
|
+
* @param serverParams
|
|
7732
|
+
* @param cachedState
|
|
7733
|
+
*/
|
|
7734
|
+
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7735
|
+
// Get code response
|
|
7736
|
+
validateAuthorizationResponse(serverParams, cachedState);
|
|
7737
|
+
// throw when there is no auth code in the response
|
|
7738
|
+
if (!serverParams.code) {
|
|
7739
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7740
|
+
}
|
|
7741
|
+
return serverParams;
|
|
7742
|
+
}
|
|
7743
|
+
/**
|
|
7744
|
+
* Function which validates server authorization code response.
|
|
7745
|
+
* @param serverResponseHash
|
|
7746
|
+
* @param requestState
|
|
7747
|
+
*/
|
|
7748
|
+
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7749
|
+
if (!serverResponse.state || !requestState) {
|
|
7750
|
+
throw serverResponse.state
|
|
7751
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
7752
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
7753
|
+
}
|
|
7754
|
+
let decodedServerResponseState;
|
|
7755
|
+
let decodedRequestState;
|
|
7756
|
+
try {
|
|
7757
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
7758
|
+
}
|
|
7759
|
+
catch (e) {
|
|
7760
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7761
|
+
}
|
|
7762
|
+
try {
|
|
7763
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
7764
|
+
}
|
|
7765
|
+
catch (e) {
|
|
7766
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7767
|
+
}
|
|
7768
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
7769
|
+
throw createClientAuthError(stateMismatch);
|
|
7770
|
+
}
|
|
7771
|
+
// Check for error
|
|
7772
|
+
if (serverResponse.error ||
|
|
7773
|
+
serverResponse.error_description ||
|
|
7774
|
+
serverResponse.suberror) {
|
|
7775
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7776
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7777
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7880
7778
|
}
|
|
7881
|
-
|
|
7779
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7882
7780
|
}
|
|
7883
|
-
}
|
|
7884
|
-
|
|
7885
|
-
|
|
7886
|
-
|
|
7887
|
-
|
|
7888
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7889
|
-
* Licensed under the MIT License.
|
|
7781
|
+
}
|
|
7782
|
+
/**
|
|
7783
|
+
* Get server error No from the error_uri
|
|
7784
|
+
* @param serverResponse
|
|
7785
|
+
* @returns
|
|
7890
7786
|
*/
|
|
7891
|
-
|
|
7892
|
-
|
|
7893
|
-
|
|
7894
|
-
|
|
7895
|
-
|
|
7896
|
-
|
|
7897
|
-
|
|
7898
|
-
|
|
7787
|
+
function parseServerErrorNo(serverResponse) {
|
|
7788
|
+
const errorCodePrefix = "code=";
|
|
7789
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
7790
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
7791
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
7792
|
+
: undefined;
|
|
7793
|
+
}
|
|
7794
|
+
/**
|
|
7795
|
+
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
7796
|
+
* @param account
|
|
7797
|
+
*/
|
|
7798
|
+
function extractAccountSid(account) {
|
|
7799
|
+
return account.idTokenClaims?.sid || null;
|
|
7800
|
+
}
|
|
7801
|
+
function extractLoginHint(account) {
|
|
7802
|
+
return account.idTokenClaims?.login_hint || null;
|
|
7803
|
+
}
|
|
7899
7804
|
|
|
7900
|
-
/*! @azure/msal-common v15.
|
|
7805
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7901
7806
|
|
|
7902
7807
|
/*
|
|
7903
7808
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7955,7 +7860,7 @@ class AuthenticationHeaderParser {
|
|
|
7955
7860
|
}
|
|
7956
7861
|
}
|
|
7957
7862
|
|
|
7958
|
-
/*! @azure/msal-common v15.
|
|
7863
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
7959
7864
|
|
|
7960
7865
|
/*
|
|
7961
7866
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8218,7 +8123,7 @@ class ServerTelemetryManager {
|
|
|
8218
8123
|
}
|
|
8219
8124
|
}
|
|
8220
8125
|
|
|
8221
|
-
/*! @azure/msal-common v15.
|
|
8126
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8222
8127
|
/*
|
|
8223
8128
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8224
8129
|
* Licensed under the MIT License.
|
|
@@ -8226,7 +8131,7 @@ class ServerTelemetryManager {
|
|
|
8226
8131
|
const missingKidError = "missing_kid_error";
|
|
8227
8132
|
const missingAlgError = "missing_alg_error";
|
|
8228
8133
|
|
|
8229
|
-
/*! @azure/msal-common v15.
|
|
8134
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8230
8135
|
|
|
8231
8136
|
/*
|
|
8232
8137
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8251,7 +8156,7 @@ function createJoseHeaderError(code) {
|
|
|
8251
8156
|
return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
|
|
8252
8157
|
}
|
|
8253
8158
|
|
|
8254
|
-
/*! @azure/msal-common v15.
|
|
8159
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8255
8160
|
|
|
8256
8161
|
/*
|
|
8257
8162
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8291,7 +8196,7 @@ class JoseHeader {
|
|
|
8291
8196
|
}
|
|
8292
8197
|
}
|
|
8293
8198
|
|
|
8294
|
-
/*! @azure/msal-common v15.
|
|
8199
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8295
8200
|
|
|
8296
8201
|
/*
|
|
8297
8202
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8370,7 +8275,7 @@ class StubPerformanceClient {
|
|
|
8370
8275
|
}
|
|
8371
8276
|
}
|
|
8372
8277
|
|
|
8373
|
-
/*! @azure/msal-common v15.
|
|
8278
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
8374
8279
|
|
|
8375
8280
|
/*
|
|
8376
8281
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -10407,7 +10312,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
|
|
|
10407
10312
|
|
|
10408
10313
|
/* eslint-disable header/header */
|
|
10409
10314
|
const name = "@azure/msal-browser";
|
|
10410
|
-
const version = "4.
|
|
10315
|
+
const version = "4.8.0";
|
|
10411
10316
|
|
|
10412
10317
|
/*
|
|
10413
10318
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -13111,61 +13016,6 @@ class BaseInteractionClient {
|
|
|
13111
13016
|
}
|
|
13112
13017
|
}
|
|
13113
13018
|
|
|
13114
|
-
/*
|
|
13115
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13116
|
-
* Licensed under the MIT License.
|
|
13117
|
-
*/
|
|
13118
|
-
// Constant byte array length
|
|
13119
|
-
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
13120
|
-
/**
|
|
13121
|
-
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
13122
|
-
*/
|
|
13123
|
-
/**
|
|
13124
|
-
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
13125
|
-
*/
|
|
13126
|
-
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
13127
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
13128
|
-
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
13129
|
-
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
13130
|
-
return {
|
|
13131
|
-
verifier: codeVerifier,
|
|
13132
|
-
challenge: codeChallenge,
|
|
13133
|
-
};
|
|
13134
|
-
}
|
|
13135
|
-
/**
|
|
13136
|
-
* Generates a random 32 byte buffer and returns the base64
|
|
13137
|
-
* encoded string to be used as a PKCE Code Verifier
|
|
13138
|
-
*/
|
|
13139
|
-
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
13140
|
-
try {
|
|
13141
|
-
// Generate random values as utf-8
|
|
13142
|
-
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
13143
|
-
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
13144
|
-
// encode verifier as base64
|
|
13145
|
-
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
13146
|
-
return pkceCodeVerifierB64;
|
|
13147
|
-
}
|
|
13148
|
-
catch (e) {
|
|
13149
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13150
|
-
}
|
|
13151
|
-
}
|
|
13152
|
-
/**
|
|
13153
|
-
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
13154
|
-
* hash created from the PKCE Code Verifier supplied
|
|
13155
|
-
*/
|
|
13156
|
-
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
13157
|
-
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
13158
|
-
try {
|
|
13159
|
-
// hashed verifier
|
|
13160
|
-
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
13161
|
-
// encode hash as base64
|
|
13162
|
-
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
13163
|
-
}
|
|
13164
|
-
catch (e) {
|
|
13165
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
13166
|
-
}
|
|
13167
|
-
}
|
|
13168
|
-
|
|
13169
13019
|
/*
|
|
13170
13020
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
13171
13021
|
* Licensed under the MIT License.
|
|
@@ -13228,25 +13078,6 @@ async function initializeSilentRequest(request, account, config, performanceClie
|
|
|
13228
13078
|
* Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
|
|
13229
13079
|
*/
|
|
13230
13080
|
class StandardInteractionClient extends BaseInteractionClient {
|
|
13231
|
-
/**
|
|
13232
|
-
* Generates an auth code request tied to the url request.
|
|
13233
|
-
* @param request
|
|
13234
|
-
* @param pkceCodes
|
|
13235
|
-
*/
|
|
13236
|
-
async initializeAuthorizationCodeRequest(request, pkceCodes) {
|
|
13237
|
-
this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
|
|
13238
|
-
const generatedPkceParams = pkceCodes ||
|
|
13239
|
-
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
13240
|
-
const authCodeRequest = {
|
|
13241
|
-
...request,
|
|
13242
|
-
redirectUri: request.redirectUri,
|
|
13243
|
-
code: Constants.EMPTY_STRING,
|
|
13244
|
-
codeVerifier: generatedPkceParams.verifier,
|
|
13245
|
-
};
|
|
13246
|
-
request.codeChallenge = generatedPkceParams.challenge;
|
|
13247
|
-
request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
|
|
13248
|
-
return authCodeRequest;
|
|
13249
|
-
}
|
|
13250
13081
|
/**
|
|
13251
13082
|
* Initializer for the logout request.
|
|
13252
13083
|
* @param logoutRequest
|
|
@@ -13825,7 +13656,12 @@ class NativeInteractionClient extends BaseInteractionClient {
|
|
|
13825
13656
|
const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
|
|
13826
13657
|
nativeAccountId: request.accountId,
|
|
13827
13658
|
})?.homeAccountId;
|
|
13828
|
-
|
|
13659
|
+
// add exception for double brokering, please note this is temporary and will be fortified in future
|
|
13660
|
+
if (request.extraParameters?.child_client_id &&
|
|
13661
|
+
response.account.id !== request.accountId) {
|
|
13662
|
+
this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
|
|
13663
|
+
}
|
|
13664
|
+
else if (homeAccountIdentifier !== cachedhomeAccountId &&
|
|
13829
13665
|
response.account.id !== request.accountId) {
|
|
13830
13666
|
// User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
|
|
13831
13667
|
throw createNativeAuthError(userSwitch);
|
|
@@ -13837,6 +13673,8 @@ class NativeInteractionClient extends BaseInteractionClient {
|
|
|
13837
13673
|
const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
|
|
13838
13674
|
idTokenClaims.tid, undefined, // auth code payload
|
|
13839
13675
|
response.account.id, this.logger);
|
|
13676
|
+
// Ensure expires_in is in number format
|
|
13677
|
+
response.expires_in = Number(response.expires_in);
|
|
13840
13678
|
// generate authenticationResult
|
|
13841
13679
|
const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
|
|
13842
13680
|
// cache accounts and tokens in the appropriate storage
|
|
@@ -14484,7 +14322,7 @@ class InteractionHandler {
|
|
|
14484
14322
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
|
|
14485
14323
|
let authCodeResponse;
|
|
14486
14324
|
try {
|
|
14487
|
-
authCodeResponse =
|
|
14325
|
+
authCodeResponse = getAuthorizationCodePayload(response, request.state);
|
|
14488
14326
|
}
|
|
14489
14327
|
catch (e) {
|
|
14490
14328
|
if (e instanceof ServerError &&
|
|
@@ -14592,6 +14430,126 @@ function validateInteractionType(response, browserCrypto, interactionType) {
|
|
|
14592
14430
|
}
|
|
14593
14431
|
}
|
|
14594
14432
|
|
|
14433
|
+
/*
|
|
14434
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14435
|
+
* Licensed under the MIT License.
|
|
14436
|
+
*/
|
|
14437
|
+
/**
|
|
14438
|
+
* Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
|
|
14439
|
+
* @param config
|
|
14440
|
+
* @param authority
|
|
14441
|
+
* @param request
|
|
14442
|
+
* @param logger
|
|
14443
|
+
* @param performanceClient
|
|
14444
|
+
* @returns
|
|
14445
|
+
*/
|
|
14446
|
+
async function getStandardParameters(config, authority, request, logger, performanceClient) {
|
|
14447
|
+
const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
|
|
14448
|
+
addLibraryInfo(parameters, {
|
|
14449
|
+
sku: BrowserConstants.MSAL_SKU,
|
|
14450
|
+
version: version,
|
|
14451
|
+
os: "",
|
|
14452
|
+
cpu: "",
|
|
14453
|
+
});
|
|
14454
|
+
if (config.auth.protocolMode !== ProtocolMode.OIDC) {
|
|
14455
|
+
addApplicationTelemetry(parameters, config.telemetry.application);
|
|
14456
|
+
}
|
|
14457
|
+
if (request.platformBroker) {
|
|
14458
|
+
// signal ests that this is a WAM call
|
|
14459
|
+
addNativeBroker(parameters);
|
|
14460
|
+
// pass the req_cnf for POP
|
|
14461
|
+
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
14462
|
+
const cryptoOps = new CryptoOps(logger, performanceClient);
|
|
14463
|
+
const popTokenGenerator = new PopTokenGenerator(cryptoOps);
|
|
14464
|
+
// req_cnf is always sent as a string for SPAs
|
|
14465
|
+
let reqCnfData;
|
|
14466
|
+
if (!request.popKid) {
|
|
14467
|
+
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
|
|
14468
|
+
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
14469
|
+
}
|
|
14470
|
+
else {
|
|
14471
|
+
reqCnfData = cryptoOps.encodeKid(request.popKid);
|
|
14472
|
+
}
|
|
14473
|
+
addPopToken(parameters, reqCnfData);
|
|
14474
|
+
}
|
|
14475
|
+
}
|
|
14476
|
+
instrumentBrokerParams(parameters, request.correlationId, performanceClient);
|
|
14477
|
+
return parameters;
|
|
14478
|
+
}
|
|
14479
|
+
/**
|
|
14480
|
+
* Gets the full /authorize URL with request parameters when using Auth Code + PKCE
|
|
14481
|
+
* @param config
|
|
14482
|
+
* @param authority
|
|
14483
|
+
* @param request
|
|
14484
|
+
* @param logger
|
|
14485
|
+
* @param performanceClient
|
|
14486
|
+
* @returns
|
|
14487
|
+
*/
|
|
14488
|
+
async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
|
|
14489
|
+
if (!request.codeChallenge) {
|
|
14490
|
+
throw createClientConfigurationError(pkceParamsMissing);
|
|
14491
|
+
}
|
|
14492
|
+
const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
|
|
14493
|
+
addResponseTypeCode(parameters);
|
|
14494
|
+
addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
|
|
14495
|
+
return getAuthorizeUrl(authority, parameters);
|
|
14496
|
+
}
|
|
14497
|
+
|
|
14498
|
+
/*
|
|
14499
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14500
|
+
* Licensed under the MIT License.
|
|
14501
|
+
*/
|
|
14502
|
+
// Constant byte array length
|
|
14503
|
+
const RANDOM_BYTE_ARR_LENGTH = 32;
|
|
14504
|
+
/**
|
|
14505
|
+
* This file defines APIs to generate PKCE codes and code verifiers.
|
|
14506
|
+
*/
|
|
14507
|
+
/**
|
|
14508
|
+
* Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
|
|
14509
|
+
*/
|
|
14510
|
+
async function generatePkceCodes(performanceClient, logger, correlationId) {
|
|
14511
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
|
|
14512
|
+
const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
|
|
14513
|
+
const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
|
|
14514
|
+
return {
|
|
14515
|
+
verifier: codeVerifier,
|
|
14516
|
+
challenge: codeChallenge,
|
|
14517
|
+
};
|
|
14518
|
+
}
|
|
14519
|
+
/**
|
|
14520
|
+
* Generates a random 32 byte buffer and returns the base64
|
|
14521
|
+
* encoded string to be used as a PKCE Code Verifier
|
|
14522
|
+
*/
|
|
14523
|
+
function generateCodeVerifier(performanceClient, logger, correlationId) {
|
|
14524
|
+
try {
|
|
14525
|
+
// Generate random values as utf-8
|
|
14526
|
+
const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
|
|
14527
|
+
invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
|
|
14528
|
+
// encode verifier as base64
|
|
14529
|
+
const pkceCodeVerifierB64 = urlEncodeArr(buffer);
|
|
14530
|
+
return pkceCodeVerifierB64;
|
|
14531
|
+
}
|
|
14532
|
+
catch (e) {
|
|
14533
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14534
|
+
}
|
|
14535
|
+
}
|
|
14536
|
+
/**
|
|
14537
|
+
* Creates a base64 encoded PKCE Code Challenge string from the
|
|
14538
|
+
* hash created from the PKCE Code Verifier supplied
|
|
14539
|
+
*/
|
|
14540
|
+
async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
|
|
14541
|
+
performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
|
|
14542
|
+
try {
|
|
14543
|
+
// hashed verifier
|
|
14544
|
+
const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
|
|
14545
|
+
// encode hash as base64
|
|
14546
|
+
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
14547
|
+
}
|
|
14548
|
+
catch (e) {
|
|
14549
|
+
throw createBrowserAuthError(pkceNotCreated);
|
|
14550
|
+
}
|
|
14551
|
+
}
|
|
14552
|
+
|
|
14595
14553
|
/*
|
|
14596
14554
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
14597
14555
|
* Licensed under the MIT License.
|
|
@@ -14679,6 +14637,9 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14679
14637
|
this.logger.verbose("acquireTokenPopupAsync called");
|
|
14680
14638
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
|
|
14681
14639
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
|
|
14640
|
+
const pkce = pkceCodes ||
|
|
14641
|
+
(await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
|
|
14642
|
+
validRequest.codeChallenge = pkce.challenge;
|
|
14682
14643
|
/*
|
|
14683
14644
|
* Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
|
|
14684
14645
|
* popup from being blocked by browsers with shorter popup timers
|
|
@@ -14687,8 +14648,6 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14687
14648
|
preconnect(validRequest.authority);
|
|
14688
14649
|
}
|
|
14689
14650
|
try {
|
|
14690
|
-
// Create auth code request and generate PKCE params
|
|
14691
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
|
|
14692
14651
|
// Initialize the client
|
|
14693
14652
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
14694
14653
|
serverTelemetryManager,
|
|
@@ -14705,12 +14664,10 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14705
14664
|
this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
|
|
14706
14665
|
}
|
|
14707
14666
|
// Create acquire token url.
|
|
14708
|
-
const navigateUrl = await authClient.
|
|
14667
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
14709
14668
|
...validRequest,
|
|
14710
14669
|
platformBroker: isPlatformBroker,
|
|
14711
|
-
});
|
|
14712
|
-
// Create popup interaction handler.
|
|
14713
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14670
|
+
}, this.logger, this.performanceClient);
|
|
14714
14671
|
// Show the UI once the url has been created. Get the window handle for the popup.
|
|
14715
14672
|
const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
|
|
14716
14673
|
this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
|
|
@@ -14718,7 +14675,7 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14718
14675
|
const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
|
|
14719
14676
|
const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
|
|
14720
14677
|
// Remove throttle if it exists
|
|
14721
|
-
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId,
|
|
14678
|
+
ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
|
|
14722
14679
|
if (serverParams.accountId) {
|
|
14723
14680
|
this.logger.verbose("Account id found in hash, calling WAM for token");
|
|
14724
14681
|
// end measurement for server call with native brokering enabled
|
|
@@ -14739,6 +14696,13 @@ class PopupClient extends StandardInteractionClient {
|
|
|
14739
14696
|
prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
|
|
14740
14697
|
});
|
|
14741
14698
|
}
|
|
14699
|
+
const authCodeRequest = {
|
|
14700
|
+
...validRequest,
|
|
14701
|
+
code: serverParams.code || "",
|
|
14702
|
+
codeVerifier: pkce.verifier,
|
|
14703
|
+
};
|
|
14704
|
+
// Create popup interaction handler.
|
|
14705
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
14742
14706
|
// Handle response from hash string.
|
|
14743
14707
|
const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
|
|
14744
14708
|
return result;
|
|
@@ -15114,7 +15078,7 @@ class RedirectHandler {
|
|
|
15114
15078
|
}
|
|
15115
15079
|
let authCodeResponse;
|
|
15116
15080
|
try {
|
|
15117
|
-
authCodeResponse =
|
|
15081
|
+
authCodeResponse = getAuthorizationCodePayload(response, requestState);
|
|
15118
15082
|
}
|
|
15119
15083
|
catch (e) {
|
|
15120
15084
|
if (e instanceof ServerError &&
|
|
@@ -15198,6 +15162,8 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15198
15162
|
*/
|
|
15199
15163
|
async acquireToken(request) {
|
|
15200
15164
|
const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
|
|
15165
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15166
|
+
validRequest.codeChallenge = pkceCodes.challenge;
|
|
15201
15167
|
this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
|
|
15202
15168
|
const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
|
|
15203
15169
|
const handleBackButton = (event) => {
|
|
@@ -15209,8 +15175,6 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15209
15175
|
}
|
|
15210
15176
|
};
|
|
15211
15177
|
try {
|
|
15212
|
-
// Create auth code request and generate PKCE params
|
|
15213
|
-
const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
|
|
15214
15178
|
// Initialize the client
|
|
15215
15179
|
const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
|
|
15216
15180
|
serverTelemetryManager,
|
|
@@ -15219,13 +15183,18 @@ class RedirectClient extends StandardInteractionClient {
|
|
|
15219
15183
|
requestExtraQueryParameters: validRequest.extraQueryParameters,
|
|
15220
15184
|
account: validRequest.account,
|
|
15221
15185
|
});
|
|
15186
|
+
const authCodeRequest = {
|
|
15187
|
+
...validRequest,
|
|
15188
|
+
code: "",
|
|
15189
|
+
codeVerifier: pkceCodes.verifier,
|
|
15190
|
+
};
|
|
15222
15191
|
// Create redirect interaction handler.
|
|
15223
15192
|
const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15224
15193
|
// Create acquire token url.
|
|
15225
|
-
const navigateUrl = await authClient.
|
|
15194
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
|
|
15226
15195
|
...validRequest,
|
|
15227
15196
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
|
|
15228
|
-
});
|
|
15197
|
+
}, this.logger, this.performanceClient);
|
|
15229
15198
|
const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
|
|
15230
15199
|
this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
|
|
15231
15200
|
// Clear temporary cache if the back button is clicked during the redirect flow.
|
|
@@ -15730,18 +15699,19 @@ class SilentIframeClient extends StandardInteractionClient {
|
|
|
15730
15699
|
* @param navigateUrl
|
|
15731
15700
|
* @param userRequestScopes
|
|
15732
15701
|
*/
|
|
15733
|
-
async silentTokenHelper(authClient,
|
|
15734
|
-
const correlationId =
|
|
15702
|
+
async silentTokenHelper(authClient, request) {
|
|
15703
|
+
const correlationId = request.correlationId;
|
|
15735
15704
|
this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
|
|
15736
|
-
|
|
15737
|
-
const
|
|
15705
|
+
const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
|
|
15706
|
+
const silentRequest = {
|
|
15707
|
+
...request,
|
|
15708
|
+
codeChallenge: pkceCodes.challenge,
|
|
15709
|
+
};
|
|
15738
15710
|
// Create authorize request url
|
|
15739
|
-
const navigateUrl = await invokeAsync(
|
|
15711
|
+
const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
|
|
15740
15712
|
...silentRequest,
|
|
15741
15713
|
platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
|
|
15742
|
-
});
|
|
15743
|
-
// Create silent handler
|
|
15744
|
-
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15714
|
+
}, this.logger, this.performanceClient);
|
|
15745
15715
|
// Get the frame handle for the silent request
|
|
15746
15716
|
const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
|
|
15747
15717
|
const responseType = this.config.auth.OIDCOptions.serverResponseType;
|
|
@@ -15761,6 +15731,13 @@ class SilentIframeClient extends StandardInteractionClient {
|
|
|
15761
15731
|
prompt: silentRequest.prompt || PromptValue.NONE,
|
|
15762
15732
|
});
|
|
15763
15733
|
}
|
|
15734
|
+
const authCodeRequest = {
|
|
15735
|
+
...silentRequest,
|
|
15736
|
+
code: serverParams.code || "",
|
|
15737
|
+
codeVerifier: pkceCodes.verifier,
|
|
15738
|
+
};
|
|
15739
|
+
// Create silent handler
|
|
15740
|
+
const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
|
|
15764
15741
|
// Handle response from hash string
|
|
15765
15742
|
return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
|
|
15766
15743
|
}
|
|
@@ -17514,8 +17491,7 @@ class NestedAppAuthAdapter {
|
|
|
17514
17491
|
extraParams = new Map(Object.entries(request.extraQueryParameters));
|
|
17515
17492
|
}
|
|
17516
17493
|
const correlationId = request.correlationId || this.crypto.createNewGuid();
|
|
17517
|
-
const
|
|
17518
|
-
const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17494
|
+
const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
|
|
17519
17495
|
const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
|
|
17520
17496
|
const tokenRequest = {
|
|
17521
17497
|
platformBrokerId: request.account?.homeAccountId,
|