@azure/msal-browser 4.7.0 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (132) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  6. package/dist/cache/AccountManager.mjs +1 -1
  7. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  8. package/dist/cache/BrowserCacheManager.mjs +1 -1
  9. package/dist/cache/CacheHelpers.mjs +1 -1
  10. package/dist/cache/CookieStorage.mjs +1 -1
  11. package/dist/cache/DatabaseStorage.mjs +1 -1
  12. package/dist/cache/LocalStorage.mjs +1 -1
  13. package/dist/cache/MemoryStorage.mjs +1 -1
  14. package/dist/cache/SessionStorage.mjs +1 -1
  15. package/dist/cache/TokenCache.mjs +1 -1
  16. package/dist/config/Configuration.mjs +1 -1
  17. package/dist/controllers/ControllerFactory.mjs +1 -1
  18. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  19. package/dist/controllers/StandardController.mjs +1 -1
  20. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  21. package/dist/crypto/BrowserCrypto.mjs +1 -1
  22. package/dist/crypto/CryptoOps.mjs +1 -1
  23. package/dist/crypto/PkceGenerator.mjs +1 -1
  24. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  25. package/dist/encode/Base64Decode.mjs +1 -1
  26. package/dist/encode/Base64Encode.mjs +1 -1
  27. package/dist/error/BrowserAuthError.mjs +1 -1
  28. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  29. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  30. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  31. package/dist/error/NativeAuthError.mjs +1 -1
  32. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  33. package/dist/error/NestedAppAuthError.mjs +1 -1
  34. package/dist/event/EventHandler.mjs +1 -1
  35. package/dist/event/EventMessage.mjs +1 -1
  36. package/dist/event/EventType.mjs +1 -1
  37. package/dist/index.mjs +1 -1
  38. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  39. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  40. package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  41. package/dist/interaction_client/NativeInteractionClient.mjs +9 -2
  42. package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
  43. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  44. package/dist/interaction_client/PopupClient.mjs +16 -8
  45. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  46. package/dist/interaction_client/RedirectClient.d.ts +3 -3
  47. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  48. package/dist/interaction_client/RedirectClient.mjs +12 -5
  49. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  50. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  51. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  52. package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
  53. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  54. package/dist/interaction_client/SilentIframeClient.mjs +19 -9
  55. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  56. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  57. package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
  58. package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  59. package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
  60. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  61. package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
  62. package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
  63. package/dist/interaction_handler/InteractionHandler.mjs +3 -3
  64. package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
  65. package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
  66. package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
  67. package/dist/interaction_handler/RedirectHandler.mjs +3 -3
  68. package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
  69. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  70. package/dist/naa/BridgeError.mjs +1 -1
  71. package/dist/naa/BridgeProxy.mjs +1 -1
  72. package/dist/naa/BridgeStatusCode.mjs +1 -1
  73. package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  74. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +2 -3
  75. package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
  76. package/dist/navigation/NavigationClient.mjs +1 -1
  77. package/dist/network/FetchClient.mjs +1 -1
  78. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  79. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  80. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  81. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  82. package/dist/packageMetadata.d.ts +1 -1
  83. package/dist/packageMetadata.mjs +2 -2
  84. package/dist/protocol/Authorize.d.ts +13 -0
  85. package/dist/protocol/Authorize.d.ts.map +1 -0
  86. package/dist/protocol/Authorize.mjs +74 -0
  87. package/dist/protocol/Authorize.mjs.map +1 -0
  88. package/dist/request/RequestHelpers.mjs +1 -1
  89. package/dist/response/ResponseHandler.d.ts +3 -3
  90. package/dist/response/ResponseHandler.d.ts.map +1 -1
  91. package/dist/response/ResponseHandler.mjs +1 -1
  92. package/dist/response/ResponseHandler.mjs.map +1 -1
  93. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  94. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  95. package/dist/utils/BrowserConstants.mjs +1 -1
  96. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  97. package/dist/utils/BrowserUtils.mjs +1 -1
  98. package/lib/msal-browser.cjs +949 -973
  99. package/lib/msal-browser.cjs.map +1 -1
  100. package/lib/msal-browser.js +949 -973
  101. package/lib/msal-browser.js.map +1 -1
  102. package/lib/msal-browser.min.js +67 -66
  103. package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  104. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  105. package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
  106. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  107. package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
  108. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  109. package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
  110. package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  111. package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
  112. package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
  113. package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
  114. package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
  115. package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  116. package/lib/types/packageMetadata.d.ts +1 -1
  117. package/lib/types/protocol/Authorize.d.ts +13 -0
  118. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  119. package/lib/types/response/ResponseHandler.d.ts +3 -3
  120. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  121. package/package.json +2 -2
  122. package/src/interaction_client/NativeInteractionClient.ts +11 -0
  123. package/src/interaction_client/PopupClient.ts +40 -21
  124. package/src/interaction_client/RedirectClient.ts +41 -22
  125. package/src/interaction_client/SilentIframeClient.ts +42 -29
  126. package/src/interaction_client/StandardInteractionClient.ts +0 -40
  127. package/src/interaction_handler/InteractionHandler.ts +4 -3
  128. package/src/interaction_handler/RedirectHandler.ts +4 -3
  129. package/src/naa/mapping/NestedAppAuthAdapter.ts +1 -2
  130. package/src/packageMetadata.ts +1 -1
  131. package/src/protocol/Authorize.ts +136 -0
  132. package/src/response/ResponseHandler.ts +3 -3
@@ -1,8 +1,8 @@
1
- /*! @azure/msal-browser v4.7.0 2025-03-11 */
1
+ /*! @azure/msal-browser v4.8.0 2025-03-20 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
5
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6
6
  /*
7
7
  * Copyright (c) Microsoft Corporation. All rights reserved.
8
8
  * Licensed under the MIT License.
@@ -250,13 +250,6 @@ const Errors = {
250
250
  INVALID_GRANT_ERROR: "invalid_grant",
251
251
  CLIENT_MISMATCH_ERROR: "client_mismatch",
252
252
  };
253
- /**
254
- * Password grant parameters
255
- */
256
- const PasswordGrantConstants = {
257
- username: "username",
258
- password: "password",
259
- };
260
253
  /**
261
254
  * Response codes
262
255
  */
@@ -306,7 +299,7 @@ const JsonWebTokenTypes = {
306
299
  // Token renewal offset default in seconds
307
300
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
308
301
 
309
- /*! @azure/msal-common v15.2.1 2025-03-11 */
302
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
310
303
  /*
311
304
  * Copyright (c) Microsoft Corporation. All rights reserved.
312
305
  * Licensed under the MIT License.
@@ -323,7 +316,7 @@ var AuthErrorCodes = /*#__PURE__*/Object.freeze({
323
316
  unexpectedError: unexpectedError
324
317
  });
325
318
 
326
- /*! @azure/msal-common v15.2.1 2025-03-11 */
319
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
327
320
 
328
321
  /*
329
322
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -372,7 +365,7 @@ function createAuthError(code, additionalMessage) {
372
365
  : AuthErrorMessages[code]);
373
366
  }
374
367
 
375
- /*! @azure/msal-common v15.2.1 2025-03-11 */
368
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
376
369
  /*
377
370
  * Copyright (c) Microsoft Corporation. All rights reserved.
378
371
  * Licensed under the MIT License.
@@ -470,7 +463,7 @@ var ClientAuthErrorCodes = /*#__PURE__*/Object.freeze({
470
463
  userTimeoutReached: userTimeoutReached
471
464
  });
472
465
 
473
- /*! @azure/msal-common v15.2.1 2025-03-11 */
466
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
474
467
 
475
468
  /*
476
469
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -722,7 +715,7 @@ function createClientAuthError(errorCode, additionalMessage) {
722
715
  return new ClientAuthError(errorCode, additionalMessage);
723
716
  }
724
717
 
725
- /*! @azure/msal-common v15.2.1 2025-03-11 */
718
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
726
719
 
727
720
  /*
728
721
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -761,7 +754,7 @@ const DEFAULT_CRYPTO_IMPLEMENTATION = {
761
754
  },
762
755
  };
763
756
 
764
- /*! @azure/msal-common v15.2.1 2025-03-11 */
757
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
765
758
 
766
759
  /*
767
760
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -952,12 +945,12 @@ class Logger {
952
945
  }
953
946
  }
954
947
 
955
- /*! @azure/msal-common v15.2.1 2025-03-11 */
948
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
956
949
  /* eslint-disable header/header */
957
950
  const name$1 = "@azure/msal-common";
958
- const version$1 = "15.2.1";
951
+ const version$1 = "15.3.0";
959
952
 
960
- /*! @azure/msal-common v15.2.1 2025-03-11 */
953
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
961
954
  /*
962
955
  * Copyright (c) Microsoft Corporation. All rights reserved.
963
956
  * Licensed under the MIT License.
@@ -977,7 +970,7 @@ const AzureCloudInstance = {
977
970
  AzureUsGovernment: "https://login.microsoftonline.us",
978
971
  };
979
972
 
980
- /*! @azure/msal-common v15.2.1 2025-03-11 */
973
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
981
974
 
982
975
  /*
983
976
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1038,7 +1031,7 @@ function checkMaxAge(authTime, maxAge) {
1038
1031
  }
1039
1032
  }
1040
1033
 
1041
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1034
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1042
1035
  /*
1043
1036
  * Copyright (c) Microsoft Corporation. All rights reserved.
1044
1037
  * Licensed under the MIT License.
@@ -1093,7 +1086,7 @@ function wasClockTurnedBack(cachedAt) {
1093
1086
  return cachedAtSec > nowSeconds();
1094
1087
  }
1095
1088
 
1096
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1089
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1097
1090
 
1098
1091
  /*
1099
1092
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1420,7 +1413,7 @@ function isAuthorityMetadataExpired(metadata) {
1420
1413
  return metadata.expiresAt <= nowSeconds();
1421
1414
  }
1422
1415
 
1423
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1416
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1424
1417
  /*
1425
1418
  * Copyright (c) Microsoft Corporation. All rights reserved.
1426
1419
  * Licensed under the MIT License.
@@ -1474,7 +1467,7 @@ var ClientConfigurationErrorCodes = /*#__PURE__*/Object.freeze({
1474
1467
  urlParseError: urlParseError
1475
1468
  });
1476
1469
 
1477
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1470
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1478
1471
 
1479
1472
  /*
1480
1473
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1612,7 +1605,7 @@ function createClientConfigurationError(errorCode) {
1612
1605
  return new ClientConfigurationError(errorCode);
1613
1606
  }
1614
1607
 
1615
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1608
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1616
1609
  /*
1617
1610
  * Copyright (c) Microsoft Corporation. All rights reserved.
1618
1611
  * Licensed under the MIT License.
@@ -1709,7 +1702,7 @@ class StringUtils {
1709
1702
  }
1710
1703
  }
1711
1704
 
1712
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1705
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1713
1706
 
1714
1707
  /*
1715
1708
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1900,7 +1893,7 @@ class ScopeSet {
1900
1893
  }
1901
1894
  }
1902
1895
 
1903
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1896
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1904
1897
 
1905
1898
  /*
1906
1899
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1940,7 +1933,7 @@ function buildClientInfoFromHomeAccountId(homeAccountId) {
1940
1933
  };
1941
1934
  }
1942
1935
 
1943
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1936
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1944
1937
  /*
1945
1938
  * Copyright (c) Microsoft Corporation. All rights reserved.
1946
1939
  * Licensed under the MIT License.
@@ -2019,7 +2012,7 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
2019
2012
  return updatedAccountInfo;
2020
2013
  }
2021
2014
 
2022
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2015
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2023
2016
  /*
2024
2017
  * Copyright (c) Microsoft Corporation. All rights reserved.
2025
2018
  * Licensed under the MIT License.
@@ -2034,7 +2027,7 @@ const AuthorityType = {
2034
2027
  Ciam: 3,
2035
2028
  };
2036
2029
 
2037
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2030
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2038
2031
  /*
2039
2032
  * Copyright (c) Microsoft Corporation. All rights reserved.
2040
2033
  * Licensed under the MIT License.
@@ -2056,7 +2049,7 @@ function getTenantIdFromIdTokenClaims(idTokenClaims) {
2056
2049
  return null;
2057
2050
  }
2058
2051
 
2059
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2052
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2060
2053
  /*
2061
2054
  * Copyright (c) Microsoft Corporation. All rights reserved.
2062
2055
  * Licensed under the MIT License.
@@ -2069,7 +2062,7 @@ const ProtocolMode = {
2069
2062
  OIDC: "OIDC",
2070
2063
  };
2071
2064
 
2072
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2065
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2073
2066
 
2074
2067
  /*
2075
2068
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2312,7 +2305,7 @@ class AccountEntity {
2312
2305
  }
2313
2306
  }
2314
2307
 
2315
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2308
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2316
2309
 
2317
2310
  /*
2318
2311
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2357,9 +2350,19 @@ function getDeserializedResponse(responseString) {
2357
2350
  throw createClientAuthError(hashNotDeserialized);
2358
2351
  }
2359
2352
  return null;
2353
+ }
2354
+ /**
2355
+ * Utility to create a URL from the params map
2356
+ */
2357
+ function mapToQueryString(parameters) {
2358
+ const queryParameterArray = new Array();
2359
+ parameters.forEach((value, key) => {
2360
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
2361
+ });
2362
+ return queryParameterArray.join("&");
2360
2363
  }
2361
2364
 
2362
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2365
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2363
2366
 
2364
2367
  /*
2365
2368
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2523,7 +2526,7 @@ class UrlString {
2523
2526
  }
2524
2527
  }
2525
2528
 
2526
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2529
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2527
2530
 
2528
2531
  /*
2529
2532
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2663,7 +2666,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2663
2666
  return null;
2664
2667
  }
2665
2668
 
2666
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2669
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2667
2670
  /*
2668
2671
  * Copyright (c) Microsoft Corporation. All rights reserved.
2669
2672
  * Licensed under the MIT License.
@@ -2671,7 +2674,7 @@ function getCloudDiscoveryMetadataFromNetworkResponse(response, authorityHost) {
2671
2674
  const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
2672
2675
  const cacheUnknownErrorCode = "cache_error_unknown";
2673
2676
 
2674
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2677
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2675
2678
 
2676
2679
  /*
2677
2680
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2698,7 +2701,7 @@ class CacheError extends Error {
2698
2701
  }
2699
2702
  }
2700
2703
 
2701
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2704
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2702
2705
 
2703
2706
  /*
2704
2707
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3883,7 +3886,7 @@ class DefaultStorageClass extends CacheManager {
3883
3886
  }
3884
3887
  }
3885
3888
 
3886
- /*! @azure/msal-common v15.2.1 2025-03-11 */
3889
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3887
3890
 
3888
3891
  /*
3889
3892
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3982,7 +3985,7 @@ function isOidcProtocolMode(config) {
3982
3985
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3983
3986
  }
3984
3987
 
3985
- /*! @azure/msal-common v15.2.1 2025-03-11 */
3988
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3986
3989
  /*
3987
3990
  * Copyright (c) Microsoft Corporation. All rights reserved.
3988
3991
  * Licensed under the MIT License.
@@ -3992,7 +3995,7 @@ const CcsCredentialType = {
3992
3995
  UPN: "UPN",
3993
3996
  };
3994
3997
 
3995
- /*! @azure/msal-common v15.2.1 2025-03-11 */
3998
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3996
3999
  /*
3997
4000
  * Copyright (c) Microsoft Corporation. All rights reserved.
3998
4001
  * Licensed under the MIT License.
@@ -4024,14 +4027,11 @@ const X_APP_NAME = "x-app-name";
4024
4027
  const X_APP_VER = "x-app-ver";
4025
4028
  const POST_LOGOUT_URI = "post_logout_redirect_uri";
4026
4029
  const ID_TOKEN_HINT = "id_token_hint";
4027
- const DEVICE_CODE = "device_code";
4028
4030
  const CLIENT_SECRET = "client_secret";
4029
4031
  const CLIENT_ASSERTION = "client_assertion";
4030
4032
  const CLIENT_ASSERTION_TYPE = "client_assertion_type";
4031
4033
  const TOKEN_TYPE = "token_type";
4032
4034
  const REQ_CNF = "req_cnf";
4033
- const OBO_ASSERTION = "assertion";
4034
- const REQUESTED_TOKEN_USE = "requested_token_use";
4035
4035
  const RETURN_SPA_CODE = "return_spa_code";
4036
4036
  const NATIVE_BROKER = "nativebroker";
4037
4037
  const LOGOUT_HINT = "logout_hint";
@@ -4040,76 +4040,10 @@ const LOGIN_HINT = "login_hint";
4040
4040
  const DOMAIN_HINT = "domain_hint";
4041
4041
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
4042
4042
  const BROKER_CLIENT_ID = "brk_client_id";
4043
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
4044
-
4045
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4046
-
4047
- /*
4048
- * Copyright (c) Microsoft Corporation. All rights reserved.
4049
- * Licensed under the MIT License.
4050
- */
4051
- /**
4052
- * Validates server consumable params from the "request" objects
4053
- */
4054
- class RequestValidator {
4055
- /**
4056
- * Utility to check if the `redirectUri` in the request is a non-null value
4057
- * @param redirectUri
4058
- */
4059
- static validateRedirectUri(redirectUri) {
4060
- if (!redirectUri) {
4061
- throw createClientConfigurationError(redirectUriEmpty);
4062
- }
4063
- }
4064
- /**
4065
- * Utility to validate prompt sent by the user in the request
4066
- * @param prompt
4067
- */
4068
- static validatePrompt(prompt) {
4069
- const promptValues = [];
4070
- for (const value in PromptValue) {
4071
- promptValues.push(PromptValue[value]);
4072
- }
4073
- if (promptValues.indexOf(prompt) < 0) {
4074
- throw createClientConfigurationError(invalidPromptValue);
4075
- }
4076
- }
4077
- static validateClaims(claims) {
4078
- try {
4079
- JSON.parse(claims);
4080
- }
4081
- catch (e) {
4082
- throw createClientConfigurationError(invalidClaims);
4083
- }
4084
- }
4085
- /**
4086
- * Utility to validate code_challenge and code_challenge_method
4087
- * @param codeChallenge
4088
- * @param codeChallengeMethod
4089
- */
4090
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4091
- if (!codeChallenge || !codeChallengeMethod) {
4092
- throw createClientConfigurationError(pkceParamsMissing);
4093
- }
4094
- else {
4095
- this.validateCodeChallengeMethod(codeChallengeMethod);
4096
- }
4097
- }
4098
- /**
4099
- * Utility to validate code_challenge_method
4100
- * @param codeChallengeMethod
4101
- */
4102
- static validateCodeChallengeMethod(codeChallengeMethod) {
4103
- if ([
4104
- CodeChallengeMethodValues.PLAIN,
4105
- CodeChallengeMethodValues.S256,
4106
- ].indexOf(codeChallengeMethod) < 0) {
4107
- throw createClientConfigurationError(invalidCodeChallengeMethod);
4108
- }
4109
- }
4110
- }
4043
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
4044
+ const INSTANCE_AWARE = "instance_aware";
4111
4045
 
4112
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4046
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4113
4047
 
4114
4048
  /*
4115
4049
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4127,397 +4061,344 @@ function instrumentBrokerParams(parameters, correlationId, performanceClient) {
4127
4061
  }, correlationId);
4128
4062
  }
4129
4063
  }
4130
- /** @internal */
4131
- class RequestParameterBuilder {
4132
- constructor(correlationId, performanceClient) {
4133
- this.parameters = new Map();
4134
- this.performanceClient = performanceClient;
4135
- this.correlationId = correlationId;
4136
- }
4137
- /**
4138
- * add response_type = code
4139
- */
4140
- addResponseTypeCode() {
4141
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
4142
- }
4143
- /**
4144
- * add response_type = token id_token
4145
- */
4146
- addResponseTypeForTokenAndIdToken() {
4147
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
4148
- }
4149
- /**
4150
- * add response_mode. defaults to query.
4151
- * @param responseMode
4152
- */
4153
- addResponseMode(responseMode) {
4154
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
4155
- }
4156
- /**
4157
- * Add flag to indicate STS should attempt to use WAM if available
4158
- */
4159
- addNativeBroker() {
4160
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
4161
- }
4162
- /**
4163
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4164
- * @param scopeSet
4165
- * @param addOidcScopes
4166
- */
4167
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4168
- // Always add openid to the scopes when adding OIDC scopes
4169
- if (addOidcScopes &&
4170
- !defaultScopes.includes("openid") &&
4171
- !scopes.includes("openid")) {
4172
- defaultScopes.push("openid");
4173
- }
4174
- const requestScopes = addOidcScopes
4175
- ? [...(scopes || []), ...defaultScopes]
4176
- : scopes || [];
4177
- const scopeSet = new ScopeSet(requestScopes);
4178
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
4064
+ /**
4065
+ * add response_type = code
4066
+ */
4067
+ function addResponseTypeCode(parameters) {
4068
+ parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
4069
+ }
4070
+ /**
4071
+ * add response_mode. defaults to query.
4072
+ * @param responseMode
4073
+ */
4074
+ function addResponseMode(parameters, responseMode) {
4075
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
4076
+ }
4077
+ /**
4078
+ * Add flag to indicate STS should attempt to use WAM if available
4079
+ */
4080
+ function addNativeBroker(parameters) {
4081
+ parameters.set(NATIVE_BROKER, "1");
4082
+ }
4083
+ /**
4084
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4085
+ * @param scopeSet
4086
+ * @param addOidcScopes
4087
+ */
4088
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4089
+ // Always add openid to the scopes when adding OIDC scopes
4090
+ if (addOidcScopes &&
4091
+ !defaultScopes.includes("openid") &&
4092
+ !scopes.includes("openid")) {
4093
+ defaultScopes.push("openid");
4094
+ }
4095
+ const requestScopes = addOidcScopes
4096
+ ? [...(scopes || []), ...defaultScopes]
4097
+ : scopes || [];
4098
+ const scopeSet = new ScopeSet(requestScopes);
4099
+ parameters.set(SCOPE, scopeSet.printScopes());
4100
+ }
4101
+ /**
4102
+ * add clientId
4103
+ * @param clientId
4104
+ */
4105
+ function addClientId(parameters, clientId) {
4106
+ parameters.set(CLIENT_ID, clientId);
4107
+ }
4108
+ /**
4109
+ * add redirect_uri
4110
+ * @param redirectUri
4111
+ */
4112
+ function addRedirectUri(parameters, redirectUri) {
4113
+ parameters.set(REDIRECT_URI, redirectUri);
4114
+ }
4115
+ /**
4116
+ * add post logout redirectUri
4117
+ * @param redirectUri
4118
+ */
4119
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
4120
+ parameters.set(POST_LOGOUT_URI, redirectUri);
4121
+ }
4122
+ /**
4123
+ * add id_token_hint to logout request
4124
+ * @param idTokenHint
4125
+ */
4126
+ function addIdTokenHint(parameters, idTokenHint) {
4127
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
4128
+ }
4129
+ /**
4130
+ * add domain_hint
4131
+ * @param domainHint
4132
+ */
4133
+ function addDomainHint(parameters, domainHint) {
4134
+ parameters.set(DOMAIN_HINT, domainHint);
4135
+ }
4136
+ /**
4137
+ * add login_hint
4138
+ * @param loginHint
4139
+ */
4140
+ function addLoginHint(parameters, loginHint) {
4141
+ parameters.set(LOGIN_HINT, loginHint);
4142
+ }
4143
+ /**
4144
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
4145
+ * @param loginHint
4146
+ */
4147
+ function addCcsUpn(parameters, loginHint) {
4148
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
4149
+ }
4150
+ /**
4151
+ * Adds the CCS (Cache Credential Service) query parameter for account object
4152
+ * @param loginHint
4153
+ */
4154
+ function addCcsOid(parameters, clientInfo) {
4155
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
4156
+ }
4157
+ /**
4158
+ * add sid
4159
+ * @param sid
4160
+ */
4161
+ function addSid(parameters, sid) {
4162
+ parameters.set(SID, sid);
4163
+ }
4164
+ /**
4165
+ * add claims
4166
+ * @param claims
4167
+ */
4168
+ function addClaims(parameters, claims, clientCapabilities) {
4169
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
4170
+ try {
4171
+ JSON.parse(mergedClaims);
4179
4172
  }
4180
- /**
4181
- * add clientId
4182
- * @param clientId
4183
- */
4184
- addClientId(clientId) {
4185
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
4173
+ catch (e) {
4174
+ throw createClientConfigurationError(invalidClaims);
4186
4175
  }
4187
- /**
4188
- * add redirect_uri
4189
- * @param redirectUri
4190
- */
4191
- addRedirectUri(redirectUri) {
4192
- RequestValidator.validateRedirectUri(redirectUri);
4193
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
4176
+ parameters.set(CLAIMS, mergedClaims);
4177
+ }
4178
+ /**
4179
+ * add correlationId
4180
+ * @param correlationId
4181
+ */
4182
+ function addCorrelationId(parameters, correlationId) {
4183
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
4184
+ }
4185
+ /**
4186
+ * add library info query params
4187
+ * @param libraryInfo
4188
+ */
4189
+ function addLibraryInfo(parameters, libraryInfo) {
4190
+ // Telemetry Info
4191
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4192
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
4193
+ if (libraryInfo.os) {
4194
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
4194
4195
  }
4195
- /**
4196
- * add post logout redirectUri
4197
- * @param redirectUri
4198
- */
4199
- addPostLogoutRedirectUri(redirectUri) {
4200
- RequestValidator.validateRedirectUri(redirectUri);
4201
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
4196
+ if (libraryInfo.cpu) {
4197
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4202
4198
  }
4203
- /**
4204
- * add id_token_hint to logout request
4205
- * @param idTokenHint
4206
- */
4207
- addIdTokenHint(idTokenHint) {
4208
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
4199
+ }
4200
+ /**
4201
+ * Add client telemetry parameters
4202
+ * @param appTelemetry
4203
+ */
4204
+ function addApplicationTelemetry(parameters, appTelemetry) {
4205
+ if (appTelemetry?.appName) {
4206
+ parameters.set(X_APP_NAME, appTelemetry.appName);
4209
4207
  }
4210
- /**
4211
- * add domain_hint
4212
- * @param domainHint
4213
- */
4214
- addDomainHint(domainHint) {
4215
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
4208
+ if (appTelemetry?.appVersion) {
4209
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
4216
4210
  }
4217
- /**
4218
- * add login_hint
4219
- * @param loginHint
4220
- */
4221
- addLoginHint(loginHint) {
4222
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
4211
+ }
4212
+ /**
4213
+ * add prompt
4214
+ * @param prompt
4215
+ */
4216
+ function addPrompt(parameters, prompt) {
4217
+ parameters.set(PROMPT, prompt);
4218
+ }
4219
+ /**
4220
+ * add state
4221
+ * @param state
4222
+ */
4223
+ function addState(parameters, state) {
4224
+ if (state) {
4225
+ parameters.set(STATE, state);
4223
4226
  }
4224
- /**
4225
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
4226
- * @param loginHint
4227
- */
4228
- addCcsUpn(loginHint) {
4229
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
4227
+ }
4228
+ /**
4229
+ * add nonce
4230
+ * @param nonce
4231
+ */
4232
+ function addNonce(parameters, nonce) {
4233
+ parameters.set(NONCE, nonce);
4234
+ }
4235
+ /**
4236
+ * add code_challenge and code_challenge_method
4237
+ * - throw if either of them are not passed
4238
+ * @param codeChallenge
4239
+ * @param codeChallengeMethod
4240
+ */
4241
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
4242
+ if (codeChallenge && codeChallengeMethod) {
4243
+ parameters.set(CODE_CHALLENGE, codeChallenge);
4244
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
4230
4245
  }
4231
- /**
4232
- * Adds the CCS (Cache Credential Service) query parameter for account object
4233
- * @param loginHint
4234
- */
4235
- addCcsOid(clientInfo) {
4236
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
4246
+ else {
4247
+ throw createClientConfigurationError(pkceParamsMissing);
4237
4248
  }
4238
- /**
4239
- * add sid
4240
- * @param sid
4241
- */
4242
- addSid(sid) {
4243
- this.parameters.set(SID, encodeURIComponent(sid));
4249
+ }
4250
+ /**
4251
+ * add the `authorization_code` passed by the user to exchange for a token
4252
+ * @param code
4253
+ */
4254
+ function addAuthorizationCode(parameters, code) {
4255
+ parameters.set(CODE, code);
4256
+ }
4257
+ /**
4258
+ * add the `refreshToken` passed by the user
4259
+ * @param refreshToken
4260
+ */
4261
+ function addRefreshToken(parameters, refreshToken) {
4262
+ parameters.set(REFRESH_TOKEN, refreshToken);
4263
+ }
4264
+ /**
4265
+ * add the `code_verifier` passed by the user to exchange for a token
4266
+ * @param codeVerifier
4267
+ */
4268
+ function addCodeVerifier(parameters, codeVerifier) {
4269
+ parameters.set(CODE_VERIFIER, codeVerifier);
4270
+ }
4271
+ /**
4272
+ * add client_secret
4273
+ * @param clientSecret
4274
+ */
4275
+ function addClientSecret(parameters, clientSecret) {
4276
+ parameters.set(CLIENT_SECRET, clientSecret);
4277
+ }
4278
+ /**
4279
+ * add clientAssertion for confidential client flows
4280
+ * @param clientAssertion
4281
+ */
4282
+ function addClientAssertion(parameters, clientAssertion) {
4283
+ if (clientAssertion) {
4284
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
4244
4285
  }
4245
- /**
4246
- * add claims
4247
- * @param claims
4248
- */
4249
- addClaims(claims, clientCapabilities) {
4250
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
4251
- RequestValidator.validateClaims(mergedClaims);
4252
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
4286
+ }
4287
+ /**
4288
+ * add clientAssertionType for confidential client flows
4289
+ * @param clientAssertionType
4290
+ */
4291
+ function addClientAssertionType(parameters, clientAssertionType) {
4292
+ if (clientAssertionType) {
4293
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
4253
4294
  }
4254
- /**
4255
- * add correlationId
4256
- * @param correlationId
4257
- */
4258
- addCorrelationId(correlationId) {
4259
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
4295
+ }
4296
+ /**
4297
+ * add grant type
4298
+ * @param grantType
4299
+ */
4300
+ function addGrantType(parameters, grantType) {
4301
+ parameters.set(GRANT_TYPE, grantType);
4302
+ }
4303
+ /**
4304
+ * add client info
4305
+ *
4306
+ */
4307
+ function addClientInfo(parameters) {
4308
+ parameters.set(CLIENT_INFO, "1");
4309
+ }
4310
+ function addInstanceAware(parameters) {
4311
+ if (!parameters.has(INSTANCE_AWARE)) {
4312
+ parameters.set(INSTANCE_AWARE, "true");
4260
4313
  }
4261
- /**
4262
- * add library info query params
4263
- * @param libraryInfo
4264
- */
4265
- addLibraryInfo(libraryInfo) {
4266
- // Telemetry Info
4267
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4268
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
4269
- if (libraryInfo.os) {
4270
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
4271
- }
4272
- if (libraryInfo.cpu) {
4273
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4314
+ }
4315
+ /**
4316
+ * add extraQueryParams
4317
+ * @param eQParams
4318
+ */
4319
+ function addExtraQueryParameters(parameters, eQParams) {
4320
+ Object.entries(eQParams).forEach(([key, value]) => {
4321
+ if (!parameters.has(key) && value) {
4322
+ parameters.set(key, value);
4274
4323
  }
4324
+ });
4325
+ }
4326
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
4327
+ let mergedClaims;
4328
+ // Parse provided claims into JSON object or initialize empty object
4329
+ if (!claims) {
4330
+ mergedClaims = {};
4275
4331
  }
4276
- /**
4277
- * Add client telemetry parameters
4278
- * @param appTelemetry
4279
- */
4280
- addApplicationTelemetry(appTelemetry) {
4281
- if (appTelemetry?.appName) {
4282
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
4332
+ else {
4333
+ try {
4334
+ mergedClaims = JSON.parse(claims);
4283
4335
  }
4284
- if (appTelemetry?.appVersion) {
4285
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
4336
+ catch (e) {
4337
+ throw createClientConfigurationError(invalidClaims);
4286
4338
  }
4287
4339
  }
4288
- /**
4289
- * add prompt
4290
- * @param prompt
4291
- */
4292
- addPrompt(prompt) {
4293
- RequestValidator.validatePrompt(prompt);
4294
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
4295
- }
4296
- /**
4297
- * add state
4298
- * @param state
4299
- */
4300
- addState(state) {
4301
- if (state) {
4302
- this.parameters.set(STATE, encodeURIComponent(state));
4340
+ if (clientCapabilities && clientCapabilities.length > 0) {
4341
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4342
+ // Add access_token key to claims object
4343
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4303
4344
  }
4345
+ // Add xms_cc claim with provided clientCapabilities to access_token key
4346
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
4347
+ {
4348
+ values: clientCapabilities,
4349
+ };
4304
4350
  }
4305
- /**
4306
- * add nonce
4307
- * @param nonce
4308
- */
4309
- addNonce(nonce) {
4310
- this.parameters.set(NONCE, encodeURIComponent(nonce));
4351
+ return JSON.stringify(mergedClaims);
4352
+ }
4353
+ /**
4354
+ * add pop_jwk to query params
4355
+ * @param cnfString
4356
+ */
4357
+ function addPopToken(parameters, cnfString) {
4358
+ if (cnfString) {
4359
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4360
+ parameters.set(REQ_CNF, cnfString);
4311
4361
  }
4312
- /**
4313
- * add code_challenge and code_challenge_method
4314
- * - throw if either of them are not passed
4315
- * @param codeChallenge
4316
- * @param codeChallengeMethod
4317
- */
4318
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4319
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
4320
- if (codeChallenge && codeChallengeMethod) {
4321
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
4322
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
4323
- }
4324
- else {
4325
- throw createClientConfigurationError(pkceParamsMissing);
4326
- }
4327
- }
4328
- /**
4329
- * add the `authorization_code` passed by the user to exchange for a token
4330
- * @param code
4331
- */
4332
- addAuthorizationCode(code) {
4333
- this.parameters.set(CODE, encodeURIComponent(code));
4334
- }
4335
- /**
4336
- * add the `authorization_code` passed by the user to exchange for a token
4337
- * @param code
4338
- */
4339
- addDeviceCode(code) {
4340
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
4341
- }
4342
- /**
4343
- * add the `refreshToken` passed by the user
4344
- * @param refreshToken
4345
- */
4346
- addRefreshToken(refreshToken) {
4347
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
4348
- }
4349
- /**
4350
- * add the `code_verifier` passed by the user to exchange for a token
4351
- * @param codeVerifier
4352
- */
4353
- addCodeVerifier(codeVerifier) {
4354
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
4355
- }
4356
- /**
4357
- * add client_secret
4358
- * @param clientSecret
4359
- */
4360
- addClientSecret(clientSecret) {
4361
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
4362
- }
4363
- /**
4364
- * add clientAssertion for confidential client flows
4365
- * @param clientAssertion
4366
- */
4367
- addClientAssertion(clientAssertion) {
4368
- if (clientAssertion) {
4369
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
4370
- }
4371
- }
4372
- /**
4373
- * add clientAssertionType for confidential client flows
4374
- * @param clientAssertionType
4375
- */
4376
- addClientAssertionType(clientAssertionType) {
4377
- if (clientAssertionType) {
4378
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
4379
- }
4380
- }
4381
- /**
4382
- * add OBO assertion for confidential client flows
4383
- * @param clientAssertion
4384
- */
4385
- addOboAssertion(oboAssertion) {
4386
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
4387
- }
4388
- /**
4389
- * add grant type
4390
- * @param grantType
4391
- */
4392
- addRequestTokenUse(tokenUse) {
4393
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
4394
- }
4395
- /**
4396
- * add grant type
4397
- * @param grantType
4398
- */
4399
- addGrantType(grantType) {
4400
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
4401
- }
4402
- /**
4403
- * add client info
4404
- *
4405
- */
4406
- addClientInfo() {
4407
- this.parameters.set(CLIENT_INFO, "1");
4408
- }
4409
- /**
4410
- * add extraQueryParams
4411
- * @param eQParams
4412
- */
4413
- addExtraQueryParameters(eQParams) {
4414
- Object.entries(eQParams).forEach(([key, value]) => {
4415
- if (!this.parameters.has(key) && value) {
4416
- this.parameters.set(key, value);
4417
- }
4418
- });
4419
- }
4420
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
4421
- let mergedClaims;
4422
- // Parse provided claims into JSON object or initialize empty object
4423
- if (!claims) {
4424
- mergedClaims = {};
4425
- }
4426
- else {
4427
- try {
4428
- mergedClaims = JSON.parse(claims);
4429
- }
4430
- catch (e) {
4431
- throw createClientConfigurationError(invalidClaims);
4432
- }
4433
- }
4434
- if (clientCapabilities && clientCapabilities.length > 0) {
4435
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4436
- // Add access_token key to claims object
4437
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4438
- }
4439
- // Add xms_cc claim with provided clientCapabilities to access_token key
4440
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
4441
- values: clientCapabilities,
4442
- };
4443
- }
4444
- return JSON.stringify(mergedClaims);
4445
- }
4446
- /**
4447
- * adds `username` for Password Grant flow
4448
- * @param username
4449
- */
4450
- addUsername(username) {
4451
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
4452
- }
4453
- /**
4454
- * adds `password` for Password Grant flow
4455
- * @param password
4456
- */
4457
- addPassword(password) {
4458
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
4459
- }
4460
- /**
4461
- * add pop_jwk to query params
4462
- * @param cnfString
4463
- */
4464
- addPopToken(cnfString) {
4465
- if (cnfString) {
4466
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4467
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
4468
- }
4469
- }
4470
- /**
4471
- * add SSH JWK and key ID to query params
4472
- */
4473
- addSshJwk(sshJwkString) {
4474
- if (sshJwkString) {
4475
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4476
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
4477
- }
4478
- }
4479
- /**
4480
- * add server telemetry fields
4481
- * @param serverTelemetryManager
4482
- */
4483
- addServerTelemetry(serverTelemetryManager) {
4484
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4485
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4486
- }
4487
- /**
4488
- * Adds parameter that indicates to the server that throttling is supported
4489
- */
4490
- addThrottling() {
4491
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4492
- }
4493
- /**
4494
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
4495
- */
4496
- addLogoutHint(logoutHint) {
4497
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
4362
+ }
4363
+ /**
4364
+ * add SSH JWK and key ID to query params
4365
+ */
4366
+ function addSshJwk(parameters, sshJwkString) {
4367
+ if (sshJwkString) {
4368
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4369
+ parameters.set(REQ_CNF, sshJwkString);
4498
4370
  }
4499
- addBrokerParameters(params) {
4500
- const brokerParams = {};
4501
- brokerParams[BROKER_CLIENT_ID] =
4502
- params.brokerClientId;
4503
- brokerParams[BROKER_REDIRECT_URI] =
4504
- params.brokerRedirectUri;
4505
- this.addExtraQueryParameters(brokerParams);
4371
+ }
4372
+ /**
4373
+ * add server telemetry fields
4374
+ * @param serverTelemetryManager
4375
+ */
4376
+ function addServerTelemetry(parameters, serverTelemetryManager) {
4377
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4378
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4379
+ }
4380
+ /**
4381
+ * Adds parameter that indicates to the server that throttling is supported
4382
+ */
4383
+ function addThrottling(parameters) {
4384
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4385
+ }
4386
+ /**
4387
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
4388
+ */
4389
+ function addLogoutHint(parameters, logoutHint) {
4390
+ parameters.set(LOGOUT_HINT, logoutHint);
4391
+ }
4392
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
4393
+ if (!parameters.has(BROKER_CLIENT_ID)) {
4394
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
4506
4395
  }
4507
- /**
4508
- * Utility to create a URL from the params map
4509
- */
4510
- createQueryString() {
4511
- const queryParameterArray = new Array();
4512
- this.parameters.forEach((value, key) => {
4513
- queryParameterArray.push(`${key}=${value}`);
4514
- });
4515
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
4516
- return queryParameterArray.join("&");
4396
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
4397
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
4517
4398
  }
4518
4399
  }
4519
4400
 
4520
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4401
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4521
4402
  /*
4522
4403
  * Copyright (c) Microsoft Corporation. All rights reserved.
4523
4404
  * Licensed under the MIT License.
@@ -4529,7 +4410,7 @@ function isOpenIdConfigResponse(response) {
4529
4410
  response.hasOwnProperty("jwks_uri"));
4530
4411
  }
4531
4412
 
4532
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4413
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4533
4414
  /*
4534
4415
  * Copyright (c) Microsoft Corporation. All rights reserved.
4535
4416
  * Licensed under the MIT License.
@@ -4539,7 +4420,7 @@ function isCloudInstanceDiscoveryResponse(response) {
4539
4420
  response.hasOwnProperty("metadata"));
4540
4421
  }
4541
4422
 
4542
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4423
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4543
4424
  /*
4544
4425
  * Copyright (c) Microsoft Corporation. All rights reserved.
4545
4426
  * Licensed under the MIT License.
@@ -4549,7 +4430,7 @@ function isCloudInstanceDiscoveryErrorResponse(response) {
4549
4430
  response.hasOwnProperty("error_description"));
4550
4431
  }
4551
4432
 
4552
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4433
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4553
4434
  /*
4554
4435
  * Copyright (c) Microsoft Corporation. All rights reserved.
4555
4436
  * Licensed under the MIT License.
@@ -4725,11 +4606,11 @@ const PerformanceEvents = {
4725
4606
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
4726
4607
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
4727
4608
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
4728
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
4729
4609
  /**
4730
4610
  * getAuthCodeUrl API (msal-browser and msal-node).
4731
4611
  */
4732
4612
  GetAuthCodeUrl: "getAuthCodeUrl",
4613
+ GetStandardParams: "getStandardParams",
4733
4614
  /**
4734
4615
  * Functions from InteractionHandler (msal-browser)
4735
4616
  */
@@ -4742,7 +4623,6 @@ const PerformanceEvents = {
4742
4623
  AuthClientAcquireToken: "authClientAcquireToken",
4743
4624
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
4744
4625
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
4745
- AuthClientCreateQueryString: "authClientCreateQueryString",
4746
4626
  /**
4747
4627
  * Generate functions in PopTokenGenerator (msal-common)
4748
4628
  */
@@ -4913,10 +4793,6 @@ const PerformanceEventAbbreviations = new Map([
4913
4793
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
4914
4794
  "StdIntClientInitAuthReq",
4915
4795
  ],
4916
- [
4917
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
4918
- "StdIntClientInitAuthCodeReq",
4919
- ],
4920
4796
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
4921
4797
  [
4922
4798
  PerformanceEvents.HandleCodeResponseFromServer,
@@ -4930,10 +4806,6 @@ const PerformanceEventAbbreviations = new Map([
4930
4806
  PerformanceEvents.AuthClientCreateTokenRequestBody,
4931
4807
  "AuthClientCreateTReqBody",
4932
4808
  ],
4933
- [
4934
- PerformanceEvents.AuthClientCreateQueryString,
4935
- "AuthClientCreateQueryStr",
4936
- ],
4937
4809
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
4938
4810
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
4939
4811
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -5058,7 +4930,7 @@ const IntFields = new Set([
5058
4930
  "encryptedCacheExpiredCount",
5059
4931
  ]);
5060
4932
 
5061
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4933
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5062
4934
  /*
5063
4935
  * Copyright (c) Microsoft Corporation. All rights reserved.
5064
4936
  * Licensed under the MIT License.
@@ -5154,7 +5026,7 @@ const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId
5154
5026
  };
5155
5027
  };
5156
5028
 
5157
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5029
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5158
5030
 
5159
5031
  /*
5160
5032
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5263,7 +5135,7 @@ RegionDiscovery.IMDS_OPTIONS = {
5263
5135
  },
5264
5136
  };
5265
5137
 
5266
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5138
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5267
5139
 
5268
5140
  /*
5269
5141
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6102,7 +5974,7 @@ function buildStaticAuthorityOptions(authOptions) {
6102
5974
  };
6103
5975
  }
6104
5976
 
6105
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5977
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6106
5978
 
6107
5979
  /*
6108
5980
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6133,7 +6005,7 @@ async function createDiscoveredInstance(authorityUri, networkClient, cacheManage
6133
6005
  }
6134
6006
  }
6135
6007
 
6136
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6008
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6137
6009
 
6138
6010
  /*
6139
6011
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6152,7 +6024,7 @@ class ServerError extends AuthError {
6152
6024
  }
6153
6025
  }
6154
6026
 
6155
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6027
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6156
6028
  /*
6157
6029
  * Copyright (c) Microsoft Corporation. All rights reserved.
6158
6030
  * Licensed under the MIT License.
@@ -6173,7 +6045,7 @@ function getRequestThumbprint(clientId, request, homeAccountId) {
6173
6045
  };
6174
6046
  }
6175
6047
 
6176
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6048
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6177
6049
 
6178
6050
  /*
6179
6051
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6260,7 +6132,7 @@ class ThrottlingUtils {
6260
6132
  }
6261
6133
  }
6262
6134
 
6263
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6135
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6264
6136
 
6265
6137
  /*
6266
6138
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6290,7 +6162,7 @@ function createNetworkError(error, httpStatus, responseHeaders) {
6290
6162
  return new NetworkError(error, httpStatus, responseHeaders);
6291
6163
  }
6292
6164
 
6293
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6165
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6294
6166
 
6295
6167
  /*
6296
6168
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6425,22 +6297,20 @@ class BaseClient {
6425
6297
  * @param request
6426
6298
  */
6427
6299
  createTokenQueryParameters(request) {
6428
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6300
+ const parameters = new Map();
6429
6301
  if (request.embeddedClientId) {
6430
- parameterBuilder.addBrokerParameters({
6431
- brokerClientId: this.config.authOptions.clientId,
6432
- brokerRedirectUri: this.config.authOptions.redirectUri,
6433
- });
6302
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6434
6303
  }
6435
6304
  if (request.tokenQueryParameters) {
6436
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6305
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6437
6306
  }
6438
- parameterBuilder.addCorrelationId(request.correlationId);
6439
- return parameterBuilder.createQueryString();
6307
+ addCorrelationId(parameters, request.correlationId);
6308
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6309
+ return mapToQueryString(parameters);
6440
6310
  }
6441
6311
  }
6442
6312
 
6443
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6313
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6444
6314
  /*
6445
6315
  * Copyright (c) Microsoft Corporation. All rights reserved.
6446
6316
  * Licensed under the MIT License.
@@ -6466,7 +6336,7 @@ var InteractionRequiredAuthErrorCodes = /*#__PURE__*/Object.freeze({
6466
6336
  refreshTokenExpired: refreshTokenExpired
6467
6337
  });
6468
6338
 
6469
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6339
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6470
6340
 
6471
6341
  /*
6472
6342
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6554,7 +6424,7 @@ function createInteractionRequiredAuthError(errorCode) {
6554
6424
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6555
6425
  }
6556
6426
 
6557
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6427
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6558
6428
 
6559
6429
  /*
6560
6430
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6626,7 +6496,7 @@ class ProtocolUtils {
6626
6496
  }
6627
6497
  }
6628
6498
 
6629
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6499
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6630
6500
 
6631
6501
  /*
6632
6502
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6710,7 +6580,7 @@ class PopTokenGenerator {
6710
6580
  }
6711
6581
  }
6712
6582
 
6713
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6583
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6714
6584
  /*
6715
6585
  * Copyright (c) Microsoft Corporation. All rights reserved.
6716
6586
  * Licensed under the MIT License.
@@ -6737,19 +6607,12 @@ class PopTokenGenerator {
6737
6607
  }
6738
6608
  }
6739
6609
 
6740
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6610
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6741
6611
 
6742
6612
  /*
6743
6613
  * Copyright (c) Microsoft Corporation. All rights reserved.
6744
6614
  * Licensed under the MIT License.
6745
6615
  */
6746
- function parseServerErrorNo(serverResponse) {
6747
- const errorCodePrefix = "code=";
6748
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6749
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6750
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6751
- : undefined;
6752
- }
6753
6616
  /**
6754
6617
  * Class that handles response parsing.
6755
6618
  * @internal
@@ -6764,46 +6627,6 @@ class ResponseHandler {
6764
6627
  this.persistencePlugin = persistencePlugin;
6765
6628
  this.performanceClient = performanceClient;
6766
6629
  }
6767
- /**
6768
- * Function which validates server authorization code response.
6769
- * @param serverResponseHash
6770
- * @param requestState
6771
- * @param cryptoObj
6772
- */
6773
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6774
- if (!serverResponse.state || !requestState) {
6775
- throw serverResponse.state
6776
- ? createClientAuthError(stateNotFound, "Cached State")
6777
- : createClientAuthError(stateNotFound, "Server State");
6778
- }
6779
- let decodedServerResponseState;
6780
- let decodedRequestState;
6781
- try {
6782
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6783
- }
6784
- catch (e) {
6785
- throw createClientAuthError(invalidState, serverResponse.state);
6786
- }
6787
- try {
6788
- decodedRequestState = decodeURIComponent(requestState);
6789
- }
6790
- catch (e) {
6791
- throw createClientAuthError(invalidState, serverResponse.state);
6792
- }
6793
- if (decodedServerResponseState !== decodedRequestState) {
6794
- throw createClientAuthError(stateMismatch);
6795
- }
6796
- // Check for error
6797
- if (serverResponse.error ||
6798
- serverResponse.error_description ||
6799
- serverResponse.suberror) {
6800
- const serverErrorNo = parseServerErrorNo(serverResponse);
6801
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6802
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6803
- }
6804
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6805
- }
6806
- }
6807
6630
  /**
6808
6631
  * Function which validates server authorization token response.
6809
6632
  * @param serverResponse
@@ -7115,7 +6938,74 @@ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decod
7115
6938
  return baseAccount;
7116
6939
  }
7117
6940
 
7118
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6941
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6942
+
6943
+ /*
6944
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6945
+ * Licensed under the MIT License.
6946
+ */
6947
+ /**
6948
+ * Validates server consumable params from the "request" objects
6949
+ */
6950
+ class RequestValidator {
6951
+ /**
6952
+ * Utility to check if the `redirectUri` in the request is a non-null value
6953
+ * @param redirectUri
6954
+ */
6955
+ static validateRedirectUri(redirectUri) {
6956
+ if (!redirectUri) {
6957
+ throw createClientConfigurationError(redirectUriEmpty);
6958
+ }
6959
+ }
6960
+ /**
6961
+ * Utility to validate prompt sent by the user in the request
6962
+ * @param prompt
6963
+ */
6964
+ static validatePrompt(prompt) {
6965
+ const promptValues = [];
6966
+ for (const value in PromptValue) {
6967
+ promptValues.push(PromptValue[value]);
6968
+ }
6969
+ if (promptValues.indexOf(prompt) < 0) {
6970
+ throw createClientConfigurationError(invalidPromptValue);
6971
+ }
6972
+ }
6973
+ static validateClaims(claims) {
6974
+ try {
6975
+ JSON.parse(claims);
6976
+ }
6977
+ catch (e) {
6978
+ throw createClientConfigurationError(invalidClaims);
6979
+ }
6980
+ }
6981
+ /**
6982
+ * Utility to validate code_challenge and code_challenge_method
6983
+ * @param codeChallenge
6984
+ * @param codeChallengeMethod
6985
+ */
6986
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6987
+ if (!codeChallenge || !codeChallengeMethod) {
6988
+ throw createClientConfigurationError(pkceParamsMissing);
6989
+ }
6990
+ else {
6991
+ this.validateCodeChallengeMethod(codeChallengeMethod);
6992
+ }
6993
+ }
6994
+ /**
6995
+ * Utility to validate code_challenge_method
6996
+ * @param codeChallengeMethod
6997
+ */
6998
+ static validateCodeChallengeMethod(codeChallengeMethod) {
6999
+ if ([
7000
+ CodeChallengeMethodValues.PLAIN,
7001
+ CodeChallengeMethodValues.S256,
7002
+ ].indexOf(codeChallengeMethod) < 0) {
7003
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7004
+ }
7005
+ }
7006
+ }
7007
+
7008
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7119
7009
  /*
7120
7010
  * Copyright (c) Microsoft Corporation. All rights reserved.
7121
7011
  * Licensed under the MIT License.
@@ -7133,7 +7023,7 @@ async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
7133
7023
  }
7134
7024
  }
7135
7025
 
7136
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7026
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7137
7027
 
7138
7028
  /*
7139
7029
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7151,21 +7041,6 @@ class AuthorizationCodeClient extends BaseClient {
7151
7041
  this.oidcDefaultScopes =
7152
7042
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7153
7043
  }
7154
- /**
7155
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7156
- * application. The URL target the /authorize endpoint of the authority configured in the
7157
- * application object.
7158
- *
7159
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7160
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7161
- * acquireToken(AuthorizationCodeRequest)
7162
- * @param request
7163
- */
7164
- async getAuthCodeUrl(request) {
7165
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7166
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7167
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7168
- }
7169
7044
  /**
7170
7045
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7171
7046
  * authorization_code_grant
@@ -7185,22 +7060,6 @@ class AuthorizationCodeClient extends BaseClient {
7185
7060
  responseHandler.validateTokenResponse(response.body);
7186
7061
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7187
7062
  }
7188
- /**
7189
- * Handles the hash fragment response from public client code request. Returns a code response used by
7190
- * the client to exchange for a token in acquireToken.
7191
- * @param hashFragment
7192
- */
7193
- handleFragmentResponse(serverParams, cachedState) {
7194
- // Handle responses.
7195
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7196
- // Get code response
7197
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7198
- // throw when there is no auth code in the response
7199
- if (!serverParams.code) {
7200
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7201
- }
7202
- return serverParams;
7203
- }
7204
7063
  /**
7205
7064
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7206
7065
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7248,8 +7107,8 @@ class AuthorizationCodeClient extends BaseClient {
7248
7107
  */
7249
7108
  async createTokenRequestBody(request) {
7250
7109
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7251
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7252
- parameterBuilder.addClientId(request.embeddedClientId ||
7110
+ const parameters = new Map();
7111
+ addClientId(parameters, request.embeddedClientId ||
7253
7112
  request.tokenBodyParameters?.[CLIENT_ID] ||
7254
7113
  this.config.authOptions.clientId);
7255
7114
  /*
@@ -7262,33 +7121,33 @@ class AuthorizationCodeClient extends BaseClient {
7262
7121
  }
7263
7122
  else {
7264
7123
  // Validate and include redirect uri
7265
- parameterBuilder.addRedirectUri(request.redirectUri);
7124
+ addRedirectUri(parameters, request.redirectUri);
7266
7125
  }
7267
7126
  // Add scope array, parameter builder will add default scopes and dedupe
7268
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7127
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7269
7128
  // add code: user set, not validated
7270
- parameterBuilder.addAuthorizationCode(request.code);
7129
+ addAuthorizationCode(parameters, request.code);
7271
7130
  // Add library metadata
7272
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7273
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7274
- parameterBuilder.addThrottling();
7131
+ addLibraryInfo(parameters, this.config.libraryInfo);
7132
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7133
+ addThrottling(parameters);
7275
7134
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7276
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7135
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7277
7136
  }
7278
7137
  // add code_verifier if passed
7279
7138
  if (request.codeVerifier) {
7280
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7139
+ addCodeVerifier(parameters, request.codeVerifier);
7281
7140
  }
7282
7141
  if (this.config.clientCredentials.clientSecret) {
7283
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7142
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7284
7143
  }
7285
7144
  if (this.config.clientCredentials.clientAssertion) {
7286
7145
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7287
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7288
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7146
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7147
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7289
7148
  }
7290
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7291
- parameterBuilder.addClientInfo();
7149
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7150
+ addClientInfo(parameters);
7292
7151
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7293
7152
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7294
7153
  let reqCnfData;
@@ -7300,11 +7159,11 @@ class AuthorizationCodeClient extends BaseClient {
7300
7159
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7301
7160
  }
7302
7161
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7303
- parameterBuilder.addPopToken(reqCnfData);
7162
+ addPopToken(parameters, reqCnfData);
7304
7163
  }
7305
7164
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7306
7165
  if (request.sshJwk) {
7307
- parameterBuilder.addSshJwk(request.sshJwk);
7166
+ addSshJwk(parameters, request.sshJwk);
7308
7167
  }
7309
7168
  else {
7310
7169
  throw createClientConfigurationError(missingSshJwk);
@@ -7313,7 +7172,7 @@ class AuthorizationCodeClient extends BaseClient {
7313
7172
  if (!StringUtils.isEmptyObj(request.claims) ||
7314
7173
  (this.config.authOptions.clientCapabilities &&
7315
7174
  this.config.authOptions.clientCapabilities.length > 0)) {
7316
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7175
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7317
7176
  }
7318
7177
  let ccsCred = undefined;
7319
7178
  if (request.clientInfo) {
@@ -7337,7 +7196,7 @@ class AuthorizationCodeClient extends BaseClient {
7337
7196
  case CcsCredentialType.HOME_ACCOUNT_ID:
7338
7197
  try {
7339
7198
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7340
- parameterBuilder.addCcsOid(clientInfo);
7199
+ addCcsOid(parameters, clientInfo);
7341
7200
  }
7342
7201
  catch (e) {
7343
7202
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7345,234 +7204,59 @@ class AuthorizationCodeClient extends BaseClient {
7345
7204
  }
7346
7205
  break;
7347
7206
  case CcsCredentialType.UPN:
7348
- parameterBuilder.addCcsUpn(ccsCred.credential);
7207
+ addCcsUpn(parameters, ccsCred.credential);
7349
7208
  break;
7350
7209
  }
7351
7210
  }
7352
7211
  if (request.embeddedClientId) {
7353
- parameterBuilder.addBrokerParameters({
7354
- brokerClientId: this.config.authOptions.clientId,
7355
- brokerRedirectUri: this.config.authOptions.redirectUri,
7356
- });
7212
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7357
7213
  }
7358
7214
  if (request.tokenBodyParameters) {
7359
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7215
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7360
7216
  }
7361
7217
  // Add hybrid spa parameters if not already provided
7362
7218
  if (request.enableSpaAuthorizationCode &&
7363
7219
  (!request.tokenBodyParameters ||
7364
7220
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7365
- parameterBuilder.addExtraQueryParameters({
7221
+ addExtraQueryParameters(parameters, {
7366
7222
  [RETURN_SPA_CODE]: "1",
7367
7223
  });
7368
7224
  }
7369
- return parameterBuilder.createQueryString();
7370
- }
7371
- /**
7372
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7373
- * @param request
7374
- */
7375
- async createAuthCodeUrlQueryString(request) {
7376
- // generate the correlationId if not set by the user and add
7377
- const correlationId = request.correlationId ||
7378
- this.config.cryptoInterface.createNewGuid();
7379
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7380
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7381
- parameterBuilder.addClientId(request.embeddedClientId ||
7382
- request.extraQueryParameters?.[CLIENT_ID] ||
7383
- this.config.authOptions.clientId);
7384
- const requestScopes = [
7385
- ...(request.scopes || []),
7386
- ...(request.extraScopesToConsent || []),
7387
- ];
7388
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7389
- // validate the redirectUri (to be a non null value)
7390
- parameterBuilder.addRedirectUri(request.redirectUri);
7391
- parameterBuilder.addCorrelationId(correlationId);
7392
- // add response_mode. If not passed in it defaults to query.
7393
- parameterBuilder.addResponseMode(request.responseMode);
7394
- // add response_type = code
7395
- parameterBuilder.addResponseTypeCode();
7396
- // add library info parameters
7397
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7398
- if (!isOidcProtocolMode(this.config)) {
7399
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7400
- }
7401
- // add client_info=1
7402
- parameterBuilder.addClientInfo();
7403
- if (request.codeChallenge && request.codeChallengeMethod) {
7404
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7405
- }
7406
- if (request.prompt) {
7407
- parameterBuilder.addPrompt(request.prompt);
7408
- }
7409
- if (request.domainHint) {
7410
- parameterBuilder.addDomainHint(request.domainHint);
7411
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7412
- }
7413
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7414
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7415
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7416
- // AAD will throw if prompt=select_account is passed with an account hint
7417
- if (request.sid && request.prompt === PromptValue.NONE) {
7418
- // SessionID is only used in silent calls
7419
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7420
- parameterBuilder.addSid(request.sid);
7421
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7422
- }
7423
- else if (request.account) {
7424
- const accountSid = this.extractAccountSid(request.account);
7425
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7426
- if (accountLoginHintClaim && request.domainHint) {
7427
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7428
- accountLoginHintClaim = null;
7429
- }
7430
- // If login_hint claim is present, use it over sid/username
7431
- if (accountLoginHintClaim) {
7432
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7433
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7434
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7435
- try {
7436
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7437
- parameterBuilder.addCcsOid(clientInfo);
7438
- }
7439
- catch (e) {
7440
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7441
- }
7442
- }
7443
- else if (accountSid && request.prompt === PromptValue.NONE) {
7444
- /*
7445
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7446
- * SessionId is only used in silent calls
7447
- */
7448
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7449
- parameterBuilder.addSid(accountSid);
7450
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7451
- try {
7452
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7453
- parameterBuilder.addCcsOid(clientInfo);
7454
- }
7455
- catch (e) {
7456
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7457
- }
7458
- }
7459
- else if (request.loginHint) {
7460
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7461
- parameterBuilder.addLoginHint(request.loginHint);
7462
- parameterBuilder.addCcsUpn(request.loginHint);
7463
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7464
- }
7465
- else if (request.account.username) {
7466
- // Fallback to account username if provided
7467
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7468
- parameterBuilder.addLoginHint(request.account.username);
7469
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7470
- try {
7471
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7472
- parameterBuilder.addCcsOid(clientInfo);
7473
- }
7474
- catch (e) {
7475
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7476
- }
7477
- }
7478
- }
7479
- else if (request.loginHint) {
7480
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7481
- parameterBuilder.addLoginHint(request.loginHint);
7482
- parameterBuilder.addCcsUpn(request.loginHint);
7483
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7484
- }
7485
- }
7486
- else {
7487
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7488
- }
7489
- if (request.nonce) {
7490
- parameterBuilder.addNonce(request.nonce);
7491
- }
7492
- if (request.state) {
7493
- parameterBuilder.addState(request.state);
7494
- }
7495
- if (request.claims ||
7496
- (this.config.authOptions.clientCapabilities &&
7497
- this.config.authOptions.clientCapabilities.length > 0)) {
7498
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7499
- }
7500
- if (request.embeddedClientId) {
7501
- parameterBuilder.addBrokerParameters({
7502
- brokerClientId: this.config.authOptions.clientId,
7503
- brokerRedirectUri: this.config.authOptions.redirectUri,
7504
- });
7505
- }
7506
- this.addExtraQueryParams(request, parameterBuilder);
7507
- if (request.platformBroker) {
7508
- // signal ests that this is a WAM call
7509
- parameterBuilder.addNativeBroker();
7510
- // pass the req_cnf for POP
7511
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7512
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7513
- // req_cnf is always sent as a string for SPAs
7514
- let reqCnfData;
7515
- if (!request.popKid) {
7516
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7517
- reqCnfData = generatedReqCnfData.reqCnfString;
7518
- }
7519
- else {
7520
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7521
- }
7522
- parameterBuilder.addPopToken(reqCnfData);
7523
- }
7524
- }
7525
- return parameterBuilder.createQueryString();
7225
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7226
+ return mapToQueryString(parameters);
7526
7227
  }
7527
7228
  /**
7528
7229
  * This API validates the `EndSessionRequest` and creates a URL
7529
7230
  * @param request
7530
7231
  */
7531
7232
  createLogoutUrlQueryString(request) {
7532
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7233
+ const parameters = new Map();
7533
7234
  if (request.postLogoutRedirectUri) {
7534
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7235
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7535
7236
  }
7536
7237
  if (request.correlationId) {
7537
- parameterBuilder.addCorrelationId(request.correlationId);
7238
+ addCorrelationId(parameters, request.correlationId);
7538
7239
  }
7539
7240
  if (request.idTokenHint) {
7540
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7241
+ addIdTokenHint(parameters, request.idTokenHint);
7541
7242
  }
7542
7243
  if (request.state) {
7543
- parameterBuilder.addState(request.state);
7244
+ addState(parameters, request.state);
7544
7245
  }
7545
7246
  if (request.logoutHint) {
7546
- parameterBuilder.addLogoutHint(request.logoutHint);
7547
- }
7548
- this.addExtraQueryParams(request, parameterBuilder);
7549
- return parameterBuilder.createQueryString();
7550
- }
7551
- addExtraQueryParams(request, parameterBuilder) {
7552
- const hasRequestInstanceAware = request.extraQueryParameters &&
7553
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7554
- // Set instance_aware flag if config auth param is set
7555
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7556
- request.extraQueryParameters = request.extraQueryParameters || {};
7557
- request.extraQueryParameters["instance_aware"] = "true";
7247
+ addLogoutHint(parameters, request.logoutHint);
7558
7248
  }
7559
7249
  if (request.extraQueryParameters) {
7560
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7250
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7561
7251
  }
7562
- }
7563
- /**
7564
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7565
- * @param account
7566
- */
7567
- extractAccountSid(account) {
7568
- return account.idTokenClaims?.sid || null;
7569
- }
7570
- extractLoginHint(account) {
7571
- return account.idTokenClaims?.login_hint || null;
7252
+ if (this.config.authOptions.instanceAware) {
7253
+ addInstanceAware(parameters);
7254
+ }
7255
+ return mapToQueryString(parameters);
7572
7256
  }
7573
7257
  }
7574
7258
 
7575
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7259
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7576
7260
 
7577
7261
  /*
7578
7262
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7701,31 +7385,30 @@ class RefreshTokenClient extends BaseClient {
7701
7385
  */
7702
7386
  async createTokenRequestBody(request) {
7703
7387
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7704
- const correlationId = request.correlationId;
7705
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7706
- parameterBuilder.addClientId(request.embeddedClientId ||
7388
+ const parameters = new Map();
7389
+ addClientId(parameters, request.embeddedClientId ||
7707
7390
  request.tokenBodyParameters?.[CLIENT_ID] ||
7708
7391
  this.config.authOptions.clientId);
7709
7392
  if (request.redirectUri) {
7710
- parameterBuilder.addRedirectUri(request.redirectUri);
7711
- }
7712
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7713
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7714
- parameterBuilder.addClientInfo();
7715
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7716
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7717
- parameterBuilder.addThrottling();
7393
+ addRedirectUri(parameters, request.redirectUri);
7394
+ }
7395
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7396
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7397
+ addClientInfo(parameters);
7398
+ addLibraryInfo(parameters, this.config.libraryInfo);
7399
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7400
+ addThrottling(parameters);
7718
7401
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7719
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7402
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7720
7403
  }
7721
- parameterBuilder.addRefreshToken(request.refreshToken);
7404
+ addRefreshToken(parameters, request.refreshToken);
7722
7405
  if (this.config.clientCredentials.clientSecret) {
7723
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7406
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7724
7407
  }
7725
7408
  if (this.config.clientCredentials.clientAssertion) {
7726
7409
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7727
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7728
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7410
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7411
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7729
7412
  }
7730
7413
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7731
7414
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7738,11 +7421,11 @@ class RefreshTokenClient extends BaseClient {
7738
7421
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7739
7422
  }
7740
7423
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7741
- parameterBuilder.addPopToken(reqCnfData);
7424
+ addPopToken(parameters, reqCnfData);
7742
7425
  }
7743
7426
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7744
7427
  if (request.sshJwk) {
7745
- parameterBuilder.addSshJwk(request.sshJwk);
7428
+ addSshJwk(parameters, request.sshJwk);
7746
7429
  }
7747
7430
  else {
7748
7431
  throw createClientConfigurationError(missingSshJwk);
@@ -7751,7 +7434,7 @@ class RefreshTokenClient extends BaseClient {
7751
7434
  if (!StringUtils.isEmptyObj(request.claims) ||
7752
7435
  (this.config.authOptions.clientCapabilities &&
7753
7436
  this.config.authOptions.clientCapabilities.length > 0)) {
7754
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7437
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7755
7438
  }
7756
7439
  if (this.config.systemOptions.preventCorsPreflight &&
7757
7440
  request.ccsCredential) {
@@ -7759,7 +7442,7 @@ class RefreshTokenClient extends BaseClient {
7759
7442
  case CcsCredentialType.HOME_ACCOUNT_ID:
7760
7443
  try {
7761
7444
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7762
- parameterBuilder.addCcsOid(clientInfo);
7445
+ addCcsOid(parameters, clientInfo);
7763
7446
  }
7764
7447
  catch (e) {
7765
7448
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7767,24 +7450,22 @@ class RefreshTokenClient extends BaseClient {
7767
7450
  }
7768
7451
  break;
7769
7452
  case CcsCredentialType.UPN:
7770
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7453
+ addCcsUpn(parameters, request.ccsCredential.credential);
7771
7454
  break;
7772
7455
  }
7773
7456
  }
7774
7457
  if (request.embeddedClientId) {
7775
- parameterBuilder.addBrokerParameters({
7776
- brokerClientId: this.config.authOptions.clientId,
7777
- brokerRedirectUri: this.config.authOptions.redirectUri,
7778
- });
7458
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7779
7459
  }
7780
7460
  if (request.tokenBodyParameters) {
7781
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7461
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7782
7462
  }
7783
- return parameterBuilder.createQueryString();
7463
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7464
+ return mapToQueryString(parameters);
7784
7465
  }
7785
7466
  }
7786
7467
 
7787
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7468
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7788
7469
 
7789
7470
  /*
7790
7471
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7859,45 +7540,269 @@ class SilentFlowClient extends BaseClient {
7859
7540
  if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
7860
7541
  this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
7861
7542
  }
7862
- }
7863
- /**
7864
- * Helper function to build response object from the CacheRecord
7865
- * @param cacheRecord
7866
- */
7867
- async generateResultFromCacheRecord(cacheRecord, request) {
7868
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
7869
- let idTokenClaims;
7870
- if (cacheRecord.idToken) {
7871
- idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
7543
+ }
7544
+ /**
7545
+ * Helper function to build response object from the CacheRecord
7546
+ * @param cacheRecord
7547
+ */
7548
+ async generateResultFromCacheRecord(cacheRecord, request) {
7549
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
7550
+ let idTokenClaims;
7551
+ if (cacheRecord.idToken) {
7552
+ idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
7553
+ }
7554
+ // token max_age check
7555
+ if (request.maxAge || request.maxAge === 0) {
7556
+ const authTime = idTokenClaims?.auth_time;
7557
+ if (!authTime) {
7558
+ throw createClientAuthError(authTimeNotFound);
7559
+ }
7560
+ checkMaxAge(authTime, request.maxAge);
7561
+ }
7562
+ return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7563
+ }
7564
+ }
7565
+
7566
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7567
+
7568
+ /*
7569
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7570
+ * Licensed under the MIT License.
7571
+ */
7572
+ const StubbedNetworkModule = {
7573
+ sendGetRequestAsync: () => {
7574
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7575
+ },
7576
+ sendPostRequestAsync: () => {
7577
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7578
+ },
7579
+ };
7580
+
7581
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7582
+
7583
+ /*
7584
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7585
+ * Licensed under the MIT License.
7586
+ */
7587
+ /**
7588
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7589
+ * @param config
7590
+ * @param request
7591
+ * @param logger
7592
+ * @param performanceClient
7593
+ * @returns
7594
+ */
7595
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7596
+ // generate the correlationId if not set by the user and add
7597
+ const correlationId = request.correlationId;
7598
+ const parameters = new Map();
7599
+ addClientId(parameters, request.embeddedClientId ||
7600
+ request.extraQueryParameters?.[CLIENT_ID] ||
7601
+ authOptions.clientId);
7602
+ const requestScopes = [
7603
+ ...(request.scopes || []),
7604
+ ...(request.extraScopesToConsent || []),
7605
+ ];
7606
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7607
+ addRedirectUri(parameters, request.redirectUri);
7608
+ addCorrelationId(parameters, correlationId);
7609
+ // add response_mode. If not passed in it defaults to query.
7610
+ addResponseMode(parameters, request.responseMode);
7611
+ // add client_info=1
7612
+ addClientInfo(parameters);
7613
+ if (request.prompt) {
7614
+ addPrompt(parameters, request.prompt);
7615
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7616
+ }
7617
+ if (request.domainHint) {
7618
+ addDomainHint(parameters, request.domainHint);
7619
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7620
+ }
7621
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7622
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7623
+ // AAD will throw if prompt=select_account is passed with an account hint
7624
+ if (request.sid && request.prompt === PromptValue.NONE) {
7625
+ // SessionID is only used in silent calls
7626
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7627
+ addSid(parameters, request.sid);
7628
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7629
+ }
7630
+ else if (request.account) {
7631
+ const accountSid = extractAccountSid(request.account);
7632
+ let accountLoginHintClaim = extractLoginHint(request.account);
7633
+ if (accountLoginHintClaim && request.domainHint) {
7634
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7635
+ accountLoginHintClaim = null;
7636
+ }
7637
+ // If login_hint claim is present, use it over sid/username
7638
+ if (accountLoginHintClaim) {
7639
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7640
+ addLoginHint(parameters, accountLoginHintClaim);
7641
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7642
+ try {
7643
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7644
+ addCcsOid(parameters, clientInfo);
7645
+ }
7646
+ catch (e) {
7647
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7648
+ }
7649
+ }
7650
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7651
+ /*
7652
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7653
+ * SessionId is only used in silent calls
7654
+ */
7655
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7656
+ addSid(parameters, accountSid);
7657
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7658
+ try {
7659
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7660
+ addCcsOid(parameters, clientInfo);
7661
+ }
7662
+ catch (e) {
7663
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7664
+ }
7665
+ }
7666
+ else if (request.loginHint) {
7667
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7668
+ addLoginHint(parameters, request.loginHint);
7669
+ addCcsUpn(parameters, request.loginHint);
7670
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7671
+ }
7672
+ else if (request.account.username) {
7673
+ // Fallback to account username if provided
7674
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7675
+ addLoginHint(parameters, request.account.username);
7676
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7677
+ try {
7678
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7679
+ addCcsOid(parameters, clientInfo);
7680
+ }
7681
+ catch (e) {
7682
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7683
+ }
7684
+ }
7685
+ }
7686
+ else if (request.loginHint) {
7687
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7688
+ addLoginHint(parameters, request.loginHint);
7689
+ addCcsUpn(parameters, request.loginHint);
7690
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7872
7691
  }
7873
- // token max_age check
7874
- if (request.maxAge || request.maxAge === 0) {
7875
- const authTime = idTokenClaims?.auth_time;
7876
- if (!authTime) {
7877
- throw createClientAuthError(authTimeNotFound);
7878
- }
7879
- checkMaxAge(authTime, request.maxAge);
7692
+ }
7693
+ else {
7694
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7695
+ }
7696
+ if (request.nonce) {
7697
+ addNonce(parameters, request.nonce);
7698
+ }
7699
+ if (request.state) {
7700
+ addState(parameters, request.state);
7701
+ }
7702
+ if (request.claims ||
7703
+ (authOptions.clientCapabilities &&
7704
+ authOptions.clientCapabilities.length > 0)) {
7705
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7706
+ }
7707
+ if (request.embeddedClientId) {
7708
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7709
+ }
7710
+ if (request.extraQueryParameters) {
7711
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7712
+ }
7713
+ if (authOptions.instanceAware) {
7714
+ addInstanceAware(parameters);
7715
+ }
7716
+ return parameters;
7717
+ }
7718
+ /**
7719
+ * Returns authorize endpoint with given request parameters in the query string
7720
+ * @param authority
7721
+ * @param requestParameters
7722
+ * @returns
7723
+ */
7724
+ function getAuthorizeUrl(authority, requestParameters) {
7725
+ const queryString = mapToQueryString(requestParameters);
7726
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7727
+ }
7728
+ /**
7729
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7730
+ * the client to exchange for a token in acquireToken.
7731
+ * @param serverParams
7732
+ * @param cachedState
7733
+ */
7734
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7735
+ // Get code response
7736
+ validateAuthorizationResponse(serverParams, cachedState);
7737
+ // throw when there is no auth code in the response
7738
+ if (!serverParams.code) {
7739
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7740
+ }
7741
+ return serverParams;
7742
+ }
7743
+ /**
7744
+ * Function which validates server authorization code response.
7745
+ * @param serverResponseHash
7746
+ * @param requestState
7747
+ */
7748
+ function validateAuthorizationResponse(serverResponse, requestState) {
7749
+ if (!serverResponse.state || !requestState) {
7750
+ throw serverResponse.state
7751
+ ? createClientAuthError(stateNotFound, "Cached State")
7752
+ : createClientAuthError(stateNotFound, "Server State");
7753
+ }
7754
+ let decodedServerResponseState;
7755
+ let decodedRequestState;
7756
+ try {
7757
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7758
+ }
7759
+ catch (e) {
7760
+ throw createClientAuthError(invalidState, serverResponse.state);
7761
+ }
7762
+ try {
7763
+ decodedRequestState = decodeURIComponent(requestState);
7764
+ }
7765
+ catch (e) {
7766
+ throw createClientAuthError(invalidState, serverResponse.state);
7767
+ }
7768
+ if (decodedServerResponseState !== decodedRequestState) {
7769
+ throw createClientAuthError(stateMismatch);
7770
+ }
7771
+ // Check for error
7772
+ if (serverResponse.error ||
7773
+ serverResponse.error_description ||
7774
+ serverResponse.suberror) {
7775
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7776
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7777
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7880
7778
  }
7881
- return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7779
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7882
7780
  }
7883
- }
7884
-
7885
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7886
-
7887
- /*
7888
- * Copyright (c) Microsoft Corporation. All rights reserved.
7889
- * Licensed under the MIT License.
7781
+ }
7782
+ /**
7783
+ * Get server error No from the error_uri
7784
+ * @param serverResponse
7785
+ * @returns
7890
7786
  */
7891
- const StubbedNetworkModule = {
7892
- sendGetRequestAsync: () => {
7893
- return Promise.reject(createClientAuthError(methodNotImplemented));
7894
- },
7895
- sendPostRequestAsync: () => {
7896
- return Promise.reject(createClientAuthError(methodNotImplemented));
7897
- },
7898
- };
7787
+ function parseServerErrorNo(serverResponse) {
7788
+ const errorCodePrefix = "code=";
7789
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7790
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7791
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7792
+ : undefined;
7793
+ }
7794
+ /**
7795
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7796
+ * @param account
7797
+ */
7798
+ function extractAccountSid(account) {
7799
+ return account.idTokenClaims?.sid || null;
7800
+ }
7801
+ function extractLoginHint(account) {
7802
+ return account.idTokenClaims?.login_hint || null;
7803
+ }
7899
7804
 
7900
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7805
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7901
7806
 
7902
7807
  /*
7903
7808
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7955,7 +7860,7 @@ class AuthenticationHeaderParser {
7955
7860
  }
7956
7861
  }
7957
7862
 
7958
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7863
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7959
7864
 
7960
7865
  /*
7961
7866
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8218,7 +8123,7 @@ class ServerTelemetryManager {
8218
8123
  }
8219
8124
  }
8220
8125
 
8221
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8126
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8222
8127
  /*
8223
8128
  * Copyright (c) Microsoft Corporation. All rights reserved.
8224
8129
  * Licensed under the MIT License.
@@ -8226,7 +8131,7 @@ class ServerTelemetryManager {
8226
8131
  const missingKidError = "missing_kid_error";
8227
8132
  const missingAlgError = "missing_alg_error";
8228
8133
 
8229
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8134
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8230
8135
 
8231
8136
  /*
8232
8137
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8251,7 +8156,7 @@ function createJoseHeaderError(code) {
8251
8156
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8252
8157
  }
8253
8158
 
8254
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8159
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8255
8160
 
8256
8161
  /*
8257
8162
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8291,7 +8196,7 @@ class JoseHeader {
8291
8196
  }
8292
8197
  }
8293
8198
 
8294
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8199
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8295
8200
 
8296
8201
  /*
8297
8202
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8370,7 +8275,7 @@ class StubPerformanceClient {
8370
8275
  }
8371
8276
  }
8372
8277
 
8373
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8278
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8374
8279
 
8375
8280
  /*
8376
8281
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10407,7 +10312,7 @@ function buildConfiguration({ auth: userInputAuth, cache: userInputCache, system
10407
10312
 
10408
10313
  /* eslint-disable header/header */
10409
10314
  const name = "@azure/msal-browser";
10410
- const version = "4.7.0";
10315
+ const version = "4.8.0";
10411
10316
 
10412
10317
  /*
10413
10318
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -13111,61 +13016,6 @@ class BaseInteractionClient {
13111
13016
  }
13112
13017
  }
13113
13018
 
13114
- /*
13115
- * Copyright (c) Microsoft Corporation. All rights reserved.
13116
- * Licensed under the MIT License.
13117
- */
13118
- // Constant byte array length
13119
- const RANDOM_BYTE_ARR_LENGTH = 32;
13120
- /**
13121
- * This file defines APIs to generate PKCE codes and code verifiers.
13122
- */
13123
- /**
13124
- * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
13125
- */
13126
- async function generatePkceCodes(performanceClient, logger, correlationId) {
13127
- performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
13128
- const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
13129
- const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
13130
- return {
13131
- verifier: codeVerifier,
13132
- challenge: codeChallenge,
13133
- };
13134
- }
13135
- /**
13136
- * Generates a random 32 byte buffer and returns the base64
13137
- * encoded string to be used as a PKCE Code Verifier
13138
- */
13139
- function generateCodeVerifier(performanceClient, logger, correlationId) {
13140
- try {
13141
- // Generate random values as utf-8
13142
- const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
13143
- invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
13144
- // encode verifier as base64
13145
- const pkceCodeVerifierB64 = urlEncodeArr(buffer);
13146
- return pkceCodeVerifierB64;
13147
- }
13148
- catch (e) {
13149
- throw createBrowserAuthError(pkceNotCreated);
13150
- }
13151
- }
13152
- /**
13153
- * Creates a base64 encoded PKCE Code Challenge string from the
13154
- * hash created from the PKCE Code Verifier supplied
13155
- */
13156
- async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
13157
- performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
13158
- try {
13159
- // hashed verifier
13160
- const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
13161
- // encode hash as base64
13162
- return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
13163
- }
13164
- catch (e) {
13165
- throw createBrowserAuthError(pkceNotCreated);
13166
- }
13167
- }
13168
-
13169
13019
  /*
13170
13020
  * Copyright (c) Microsoft Corporation. All rights reserved.
13171
13021
  * Licensed under the MIT License.
@@ -13228,25 +13078,6 @@ async function initializeSilentRequest(request, account, config, performanceClie
13228
13078
  * Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
13229
13079
  */
13230
13080
  class StandardInteractionClient extends BaseInteractionClient {
13231
- /**
13232
- * Generates an auth code request tied to the url request.
13233
- * @param request
13234
- * @param pkceCodes
13235
- */
13236
- async initializeAuthorizationCodeRequest(request, pkceCodes) {
13237
- this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
13238
- const generatedPkceParams = pkceCodes ||
13239
- (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
13240
- const authCodeRequest = {
13241
- ...request,
13242
- redirectUri: request.redirectUri,
13243
- code: Constants.EMPTY_STRING,
13244
- codeVerifier: generatedPkceParams.verifier,
13245
- };
13246
- request.codeChallenge = generatedPkceParams.challenge;
13247
- request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
13248
- return authCodeRequest;
13249
- }
13250
13081
  /**
13251
13082
  * Initializer for the logout request.
13252
13083
  * @param logoutRequest
@@ -13825,7 +13656,12 @@ class NativeInteractionClient extends BaseInteractionClient {
13825
13656
  const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
13826
13657
  nativeAccountId: request.accountId,
13827
13658
  })?.homeAccountId;
13828
- if (homeAccountIdentifier !== cachedhomeAccountId &&
13659
+ // add exception for double brokering, please note this is temporary and will be fortified in future
13660
+ if (request.extraParameters?.child_client_id &&
13661
+ response.account.id !== request.accountId) {
13662
+ this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
13663
+ }
13664
+ else if (homeAccountIdentifier !== cachedhomeAccountId &&
13829
13665
  response.account.id !== request.accountId) {
13830
13666
  // User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
13831
13667
  throw createNativeAuthError(userSwitch);
@@ -13837,6 +13673,8 @@ class NativeInteractionClient extends BaseInteractionClient {
13837
13673
  const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
13838
13674
  idTokenClaims.tid, undefined, // auth code payload
13839
13675
  response.account.id, this.logger);
13676
+ // Ensure expires_in is in number format
13677
+ response.expires_in = Number(response.expires_in);
13840
13678
  // generate authenticationResult
13841
13679
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
13842
13680
  // cache accounts and tokens in the appropriate storage
@@ -14484,7 +14322,7 @@ class InteractionHandler {
14484
14322
  this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
14485
14323
  let authCodeResponse;
14486
14324
  try {
14487
- authCodeResponse = this.authModule.handleFragmentResponse(response, request.state);
14325
+ authCodeResponse = getAuthorizationCodePayload(response, request.state);
14488
14326
  }
14489
14327
  catch (e) {
14490
14328
  if (e instanceof ServerError &&
@@ -14592,6 +14430,126 @@ function validateInteractionType(response, browserCrypto, interactionType) {
14592
14430
  }
14593
14431
  }
14594
14432
 
14433
+ /*
14434
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14435
+ * Licensed under the MIT License.
14436
+ */
14437
+ /**
14438
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
14439
+ * @param config
14440
+ * @param authority
14441
+ * @param request
14442
+ * @param logger
14443
+ * @param performanceClient
14444
+ * @returns
14445
+ */
14446
+ async function getStandardParameters(config, authority, request, logger, performanceClient) {
14447
+ const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
14448
+ addLibraryInfo(parameters, {
14449
+ sku: BrowserConstants.MSAL_SKU,
14450
+ version: version,
14451
+ os: "",
14452
+ cpu: "",
14453
+ });
14454
+ if (config.auth.protocolMode !== ProtocolMode.OIDC) {
14455
+ addApplicationTelemetry(parameters, config.telemetry.application);
14456
+ }
14457
+ if (request.platformBroker) {
14458
+ // signal ests that this is a WAM call
14459
+ addNativeBroker(parameters);
14460
+ // pass the req_cnf for POP
14461
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
14462
+ const cryptoOps = new CryptoOps(logger, performanceClient);
14463
+ const popTokenGenerator = new PopTokenGenerator(cryptoOps);
14464
+ // req_cnf is always sent as a string for SPAs
14465
+ let reqCnfData;
14466
+ if (!request.popKid) {
14467
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
14468
+ reqCnfData = generatedReqCnfData.reqCnfString;
14469
+ }
14470
+ else {
14471
+ reqCnfData = cryptoOps.encodeKid(request.popKid);
14472
+ }
14473
+ addPopToken(parameters, reqCnfData);
14474
+ }
14475
+ }
14476
+ instrumentBrokerParams(parameters, request.correlationId, performanceClient);
14477
+ return parameters;
14478
+ }
14479
+ /**
14480
+ * Gets the full /authorize URL with request parameters when using Auth Code + PKCE
14481
+ * @param config
14482
+ * @param authority
14483
+ * @param request
14484
+ * @param logger
14485
+ * @param performanceClient
14486
+ * @returns
14487
+ */
14488
+ async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
14489
+ if (!request.codeChallenge) {
14490
+ throw createClientConfigurationError(pkceParamsMissing);
14491
+ }
14492
+ const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
14493
+ addResponseTypeCode(parameters);
14494
+ addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
14495
+ return getAuthorizeUrl(authority, parameters);
14496
+ }
14497
+
14498
+ /*
14499
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14500
+ * Licensed under the MIT License.
14501
+ */
14502
+ // Constant byte array length
14503
+ const RANDOM_BYTE_ARR_LENGTH = 32;
14504
+ /**
14505
+ * This file defines APIs to generate PKCE codes and code verifiers.
14506
+ */
14507
+ /**
14508
+ * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
14509
+ */
14510
+ async function generatePkceCodes(performanceClient, logger, correlationId) {
14511
+ performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
14512
+ const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
14513
+ const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
14514
+ return {
14515
+ verifier: codeVerifier,
14516
+ challenge: codeChallenge,
14517
+ };
14518
+ }
14519
+ /**
14520
+ * Generates a random 32 byte buffer and returns the base64
14521
+ * encoded string to be used as a PKCE Code Verifier
14522
+ */
14523
+ function generateCodeVerifier(performanceClient, logger, correlationId) {
14524
+ try {
14525
+ // Generate random values as utf-8
14526
+ const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
14527
+ invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
14528
+ // encode verifier as base64
14529
+ const pkceCodeVerifierB64 = urlEncodeArr(buffer);
14530
+ return pkceCodeVerifierB64;
14531
+ }
14532
+ catch (e) {
14533
+ throw createBrowserAuthError(pkceNotCreated);
14534
+ }
14535
+ }
14536
+ /**
14537
+ * Creates a base64 encoded PKCE Code Challenge string from the
14538
+ * hash created from the PKCE Code Verifier supplied
14539
+ */
14540
+ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
14541
+ performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
14542
+ try {
14543
+ // hashed verifier
14544
+ const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
14545
+ // encode hash as base64
14546
+ return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
14547
+ }
14548
+ catch (e) {
14549
+ throw createBrowserAuthError(pkceNotCreated);
14550
+ }
14551
+ }
14552
+
14595
14553
  /*
14596
14554
  * Copyright (c) Microsoft Corporation. All rights reserved.
14597
14555
  * Licensed under the MIT License.
@@ -14679,6 +14637,9 @@ class PopupClient extends StandardInteractionClient {
14679
14637
  this.logger.verbose("acquireTokenPopupAsync called");
14680
14638
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
14681
14639
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
14640
+ const pkce = pkceCodes ||
14641
+ (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
14642
+ validRequest.codeChallenge = pkce.challenge;
14682
14643
  /*
14683
14644
  * Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
14684
14645
  * popup from being blocked by browsers with shorter popup timers
@@ -14687,8 +14648,6 @@ class PopupClient extends StandardInteractionClient {
14687
14648
  preconnect(validRequest.authority);
14688
14649
  }
14689
14650
  try {
14690
- // Create auth code request and generate PKCE params
14691
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
14692
14651
  // Initialize the client
14693
14652
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
14694
14653
  serverTelemetryManager,
@@ -14705,12 +14664,10 @@ class PopupClient extends StandardInteractionClient {
14705
14664
  this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
14706
14665
  }
14707
14666
  // Create acquire token url.
14708
- const navigateUrl = await authClient.getAuthCodeUrl({
14667
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
14709
14668
  ...validRequest,
14710
14669
  platformBroker: isPlatformBroker,
14711
- });
14712
- // Create popup interaction handler.
14713
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14670
+ }, this.logger, this.performanceClient);
14714
14671
  // Show the UI once the url has been created. Get the window handle for the popup.
14715
14672
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14716
14673
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
@@ -14718,7 +14675,7 @@ class PopupClient extends StandardInteractionClient {
14718
14675
  const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
14719
14676
  const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
14720
14677
  // Remove throttle if it exists
14721
- ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, authCodeRequest);
14678
+ ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
14722
14679
  if (serverParams.accountId) {
14723
14680
  this.logger.verbose("Account id found in hash, calling WAM for token");
14724
14681
  // end measurement for server call with native brokering enabled
@@ -14739,6 +14696,13 @@ class PopupClient extends StandardInteractionClient {
14739
14696
  prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
14740
14697
  });
14741
14698
  }
14699
+ const authCodeRequest = {
14700
+ ...validRequest,
14701
+ code: serverParams.code || "",
14702
+ codeVerifier: pkce.verifier,
14703
+ };
14704
+ // Create popup interaction handler.
14705
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14742
14706
  // Handle response from hash string.
14743
14707
  const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
14744
14708
  return result;
@@ -15114,7 +15078,7 @@ class RedirectHandler {
15114
15078
  }
15115
15079
  let authCodeResponse;
15116
15080
  try {
15117
- authCodeResponse = this.authModule.handleFragmentResponse(response, requestState);
15081
+ authCodeResponse = getAuthorizationCodePayload(response, requestState);
15118
15082
  }
15119
15083
  catch (e) {
15120
15084
  if (e instanceof ServerError &&
@@ -15198,6 +15162,8 @@ class RedirectClient extends StandardInteractionClient {
15198
15162
  */
15199
15163
  async acquireToken(request) {
15200
15164
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
15165
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15166
+ validRequest.codeChallenge = pkceCodes.challenge;
15201
15167
  this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
15202
15168
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
15203
15169
  const handleBackButton = (event) => {
@@ -15209,8 +15175,6 @@ class RedirectClient extends StandardInteractionClient {
15209
15175
  }
15210
15176
  };
15211
15177
  try {
15212
- // Create auth code request and generate PKCE params
15213
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
15214
15178
  // Initialize the client
15215
15179
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15216
15180
  serverTelemetryManager,
@@ -15219,13 +15183,18 @@ class RedirectClient extends StandardInteractionClient {
15219
15183
  requestExtraQueryParameters: validRequest.extraQueryParameters,
15220
15184
  account: validRequest.account,
15221
15185
  });
15186
+ const authCodeRequest = {
15187
+ ...validRequest,
15188
+ code: "",
15189
+ codeVerifier: pkceCodes.verifier,
15190
+ };
15222
15191
  // Create redirect interaction handler.
15223
15192
  const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15224
15193
  // Create acquire token url.
15225
- const navigateUrl = await authClient.getAuthCodeUrl({
15194
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
15226
15195
  ...validRequest,
15227
15196
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
15228
- });
15197
+ }, this.logger, this.performanceClient);
15229
15198
  const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
15230
15199
  this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
15231
15200
  // Clear temporary cache if the back button is clicked during the redirect flow.
@@ -15730,18 +15699,19 @@ class SilentIframeClient extends StandardInteractionClient {
15730
15699
  * @param navigateUrl
15731
15700
  * @param userRequestScopes
15732
15701
  */
15733
- async silentTokenHelper(authClient, silentRequest) {
15734
- const correlationId = silentRequest.correlationId;
15702
+ async silentTokenHelper(authClient, request) {
15703
+ const correlationId = request.correlationId;
15735
15704
  this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
15736
- // Create auth code request and generate PKCE params
15737
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, correlationId)(silentRequest);
15705
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15706
+ const silentRequest = {
15707
+ ...request,
15708
+ codeChallenge: pkceCodes.challenge,
15709
+ };
15738
15710
  // Create authorize request url
15739
- const navigateUrl = await invokeAsync(authClient.getAuthCodeUrl.bind(authClient), PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)({
15711
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
15740
15712
  ...silentRequest,
15741
15713
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
15742
- });
15743
- // Create silent handler
15744
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15714
+ }, this.logger, this.performanceClient);
15745
15715
  // Get the frame handle for the silent request
15746
15716
  const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
15747
15717
  const responseType = this.config.auth.OIDCOptions.serverResponseType;
@@ -15761,6 +15731,13 @@ class SilentIframeClient extends StandardInteractionClient {
15761
15731
  prompt: silentRequest.prompt || PromptValue.NONE,
15762
15732
  });
15763
15733
  }
15734
+ const authCodeRequest = {
15735
+ ...silentRequest,
15736
+ code: serverParams.code || "",
15737
+ codeVerifier: pkceCodes.verifier,
15738
+ };
15739
+ // Create silent handler
15740
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15764
15741
  // Handle response from hash string
15765
15742
  return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
15766
15743
  }
@@ -17514,8 +17491,7 @@ class NestedAppAuthAdapter {
17514
17491
  extraParams = new Map(Object.entries(request.extraQueryParameters));
17515
17492
  }
17516
17493
  const correlationId = request.correlationId || this.crypto.createNewGuid();
17517
- const requestBuilder = new RequestParameterBuilder(correlationId);
17518
- const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17494
+ const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17519
17495
  const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
17520
17496
  const tokenRequest = {
17521
17497
  platformBrokerId: request.account?.homeAccountId,