@azure/msal-browser 4.7.0 → 4.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (132) hide show
  1. package/dist/app/IPublicClientApplication.mjs +1 -1
  2. package/dist/app/PublicClientApplication.mjs +1 -1
  3. package/dist/app/PublicClientNext.mjs +1 -1
  4. package/dist/broker/nativeBroker/NativeMessageHandler.mjs +1 -1
  5. package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
  6. package/dist/cache/AccountManager.mjs +1 -1
  7. package/dist/cache/AsyncMemoryStorage.mjs +1 -1
  8. package/dist/cache/BrowserCacheManager.mjs +1 -1
  9. package/dist/cache/CacheHelpers.mjs +1 -1
  10. package/dist/cache/CookieStorage.mjs +1 -1
  11. package/dist/cache/DatabaseStorage.mjs +1 -1
  12. package/dist/cache/LocalStorage.mjs +1 -1
  13. package/dist/cache/MemoryStorage.mjs +1 -1
  14. package/dist/cache/SessionStorage.mjs +1 -1
  15. package/dist/cache/TokenCache.mjs +1 -1
  16. package/dist/config/Configuration.mjs +1 -1
  17. package/dist/controllers/ControllerFactory.mjs +1 -1
  18. package/dist/controllers/NestedAppAuthController.mjs +1 -1
  19. package/dist/controllers/StandardController.mjs +1 -1
  20. package/dist/controllers/UnknownOperatingContextController.mjs +1 -1
  21. package/dist/crypto/BrowserCrypto.mjs +1 -1
  22. package/dist/crypto/CryptoOps.mjs +1 -1
  23. package/dist/crypto/PkceGenerator.mjs +1 -1
  24. package/dist/crypto/SignedHttpRequest.mjs +1 -1
  25. package/dist/encode/Base64Decode.mjs +1 -1
  26. package/dist/encode/Base64Encode.mjs +1 -1
  27. package/dist/error/BrowserAuthError.mjs +1 -1
  28. package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
  29. package/dist/error/BrowserConfigurationAuthError.mjs +1 -1
  30. package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
  31. package/dist/error/NativeAuthError.mjs +1 -1
  32. package/dist/error/NativeAuthErrorCodes.mjs +1 -1
  33. package/dist/error/NestedAppAuthError.mjs +1 -1
  34. package/dist/event/EventHandler.mjs +1 -1
  35. package/dist/event/EventMessage.mjs +1 -1
  36. package/dist/event/EventType.mjs +1 -1
  37. package/dist/index.mjs +1 -1
  38. package/dist/interaction_client/BaseInteractionClient.mjs +1 -1
  39. package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
  40. package/dist/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  41. package/dist/interaction_client/NativeInteractionClient.mjs +9 -2
  42. package/dist/interaction_client/NativeInteractionClient.mjs.map +1 -1
  43. package/dist/interaction_client/PopupClient.d.ts.map +1 -1
  44. package/dist/interaction_client/PopupClient.mjs +16 -8
  45. package/dist/interaction_client/PopupClient.mjs.map +1 -1
  46. package/dist/interaction_client/RedirectClient.d.ts +3 -3
  47. package/dist/interaction_client/RedirectClient.d.ts.map +1 -1
  48. package/dist/interaction_client/RedirectClient.mjs +12 -5
  49. package/dist/interaction_client/RedirectClient.mjs.map +1 -1
  50. package/dist/interaction_client/SilentAuthCodeClient.mjs +1 -1
  51. package/dist/interaction_client/SilentCacheClient.mjs +1 -1
  52. package/dist/interaction_client/SilentIframeClient.d.ts +1 -1
  53. package/dist/interaction_client/SilentIframeClient.d.ts.map +1 -1
  54. package/dist/interaction_client/SilentIframeClient.mjs +19 -9
  55. package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
  56. package/dist/interaction_client/SilentRefreshClient.mjs +1 -1
  57. package/dist/interaction_client/StandardInteractionClient.d.ts +1 -7
  58. package/dist/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  59. package/dist/interaction_client/StandardInteractionClient.mjs +2 -22
  60. package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
  61. package/dist/interaction_handler/InteractionHandler.d.ts +2 -2
  62. package/dist/interaction_handler/InteractionHandler.d.ts.map +1 -1
  63. package/dist/interaction_handler/InteractionHandler.mjs +3 -3
  64. package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
  65. package/dist/interaction_handler/RedirectHandler.d.ts +2 -2
  66. package/dist/interaction_handler/RedirectHandler.d.ts.map +1 -1
  67. package/dist/interaction_handler/RedirectHandler.mjs +3 -3
  68. package/dist/interaction_handler/RedirectHandler.mjs.map +1 -1
  69. package/dist/interaction_handler/SilentHandler.mjs +1 -1
  70. package/dist/naa/BridgeError.mjs +1 -1
  71. package/dist/naa/BridgeProxy.mjs +1 -1
  72. package/dist/naa/BridgeStatusCode.mjs +1 -1
  73. package/dist/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  74. package/dist/naa/mapping/NestedAppAuthAdapter.mjs +2 -3
  75. package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
  76. package/dist/navigation/NavigationClient.mjs +1 -1
  77. package/dist/network/FetchClient.mjs +1 -1
  78. package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
  79. package/dist/operatingcontext/NestedAppOperatingContext.mjs +1 -1
  80. package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
  81. package/dist/operatingcontext/UnknownOperatingContext.mjs +1 -1
  82. package/dist/packageMetadata.d.ts +1 -1
  83. package/dist/packageMetadata.mjs +2 -2
  84. package/dist/protocol/Authorize.d.ts +13 -0
  85. package/dist/protocol/Authorize.d.ts.map +1 -0
  86. package/dist/protocol/Authorize.mjs +74 -0
  87. package/dist/protocol/Authorize.mjs.map +1 -0
  88. package/dist/request/RequestHelpers.mjs +1 -1
  89. package/dist/response/ResponseHandler.d.ts +3 -3
  90. package/dist/response/ResponseHandler.d.ts.map +1 -1
  91. package/dist/response/ResponseHandler.mjs +1 -1
  92. package/dist/response/ResponseHandler.mjs.map +1 -1
  93. package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
  94. package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
  95. package/dist/utils/BrowserConstants.mjs +1 -1
  96. package/dist/utils/BrowserProtocolUtils.mjs +1 -1
  97. package/dist/utils/BrowserUtils.mjs +1 -1
  98. package/lib/msal-browser.cjs +949 -973
  99. package/lib/msal-browser.cjs.map +1 -1
  100. package/lib/msal-browser.js +949 -973
  101. package/lib/msal-browser.js.map +1 -1
  102. package/lib/msal-browser.min.js +67 -66
  103. package/lib/types/interaction_client/NativeInteractionClient.d.ts.map +1 -1
  104. package/lib/types/interaction_client/PopupClient.d.ts.map +1 -1
  105. package/lib/types/interaction_client/RedirectClient.d.ts +3 -3
  106. package/lib/types/interaction_client/RedirectClient.d.ts.map +1 -1
  107. package/lib/types/interaction_client/SilentIframeClient.d.ts +1 -1
  108. package/lib/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
  109. package/lib/types/interaction_client/StandardInteractionClient.d.ts +1 -7
  110. package/lib/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
  111. package/lib/types/interaction_handler/InteractionHandler.d.ts +2 -2
  112. package/lib/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
  113. package/lib/types/interaction_handler/RedirectHandler.d.ts +2 -2
  114. package/lib/types/interaction_handler/RedirectHandler.d.ts.map +1 -1
  115. package/lib/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
  116. package/lib/types/packageMetadata.d.ts +1 -1
  117. package/lib/types/protocol/Authorize.d.ts +13 -0
  118. package/lib/types/protocol/Authorize.d.ts.map +1 -0
  119. package/lib/types/response/ResponseHandler.d.ts +3 -3
  120. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  121. package/package.json +2 -2
  122. package/src/interaction_client/NativeInteractionClient.ts +11 -0
  123. package/src/interaction_client/PopupClient.ts +40 -21
  124. package/src/interaction_client/RedirectClient.ts +41 -22
  125. package/src/interaction_client/SilentIframeClient.ts +42 -29
  126. package/src/interaction_client/StandardInteractionClient.ts +0 -40
  127. package/src/interaction_handler/InteractionHandler.ts +4 -3
  128. package/src/interaction_handler/RedirectHandler.ts +4 -3
  129. package/src/naa/mapping/NestedAppAuthAdapter.ts +1 -2
  130. package/src/packageMetadata.ts +1 -1
  131. package/src/protocol/Authorize.ts +136 -0
  132. package/src/response/ResponseHandler.ts +3 -3
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-browser v4.7.0 2025-03-11 */
1
+ /*! @azure/msal-browser v4.8.0 2025-03-20 */
2
2
  'use strict';
3
3
  (function (global, factory) {
4
4
  typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
@@ -6,7 +6,7 @@
6
6
  (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msal = {}));
7
7
  })(this, (function (exports) { 'use strict';
8
8
 
9
- /*! @azure/msal-common v15.2.1 2025-03-11 */
9
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
10
10
  /*
11
11
  * Copyright (c) Microsoft Corporation. All rights reserved.
12
12
  * Licensed under the MIT License.
@@ -254,13 +254,6 @@
254
254
  INVALID_GRANT_ERROR: "invalid_grant",
255
255
  CLIENT_MISMATCH_ERROR: "client_mismatch",
256
256
  };
257
- /**
258
- * Password grant parameters
259
- */
260
- const PasswordGrantConstants = {
261
- username: "username",
262
- password: "password",
263
- };
264
257
  /**
265
258
  * Response codes
266
259
  */
@@ -310,7 +303,7 @@
310
303
  // Token renewal offset default in seconds
311
304
  const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
312
305
 
313
- /*! @azure/msal-common v15.2.1 2025-03-11 */
306
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
314
307
  /*
315
308
  * Copyright (c) Microsoft Corporation. All rights reserved.
316
309
  * Licensed under the MIT License.
@@ -327,7 +320,7 @@
327
320
  unexpectedError: unexpectedError
328
321
  });
329
322
 
330
- /*! @azure/msal-common v15.2.1 2025-03-11 */
323
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
331
324
 
332
325
  /*
333
326
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -376,7 +369,7 @@
376
369
  : AuthErrorMessages[code]);
377
370
  }
378
371
 
379
- /*! @azure/msal-common v15.2.1 2025-03-11 */
372
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
380
373
  /*
381
374
  * Copyright (c) Microsoft Corporation. All rights reserved.
382
375
  * Licensed under the MIT License.
@@ -474,7 +467,7 @@
474
467
  userTimeoutReached: userTimeoutReached
475
468
  });
476
469
 
477
- /*! @azure/msal-common v15.2.1 2025-03-11 */
470
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
478
471
 
479
472
  /*
480
473
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -726,7 +719,7 @@
726
719
  return new ClientAuthError(errorCode, additionalMessage);
727
720
  }
728
721
 
729
- /*! @azure/msal-common v15.2.1 2025-03-11 */
722
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
730
723
 
731
724
  /*
732
725
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -765,7 +758,7 @@
765
758
  },
766
759
  };
767
760
 
768
- /*! @azure/msal-common v15.2.1 2025-03-11 */
761
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
769
762
 
770
763
  /*
771
764
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -956,12 +949,12 @@
956
949
  }
957
950
  }
958
951
 
959
- /*! @azure/msal-common v15.2.1 2025-03-11 */
952
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
960
953
  /* eslint-disable header/header */
961
954
  const name$1 = "@azure/msal-common";
962
- const version$1 = "15.2.1";
955
+ const version$1 = "15.3.0";
963
956
 
964
- /*! @azure/msal-common v15.2.1 2025-03-11 */
957
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
965
958
  /*
966
959
  * Copyright (c) Microsoft Corporation. All rights reserved.
967
960
  * Licensed under the MIT License.
@@ -981,7 +974,7 @@
981
974
  AzureUsGovernment: "https://login.microsoftonline.us",
982
975
  };
983
976
 
984
- /*! @azure/msal-common v15.2.1 2025-03-11 */
977
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
985
978
 
986
979
  /*
987
980
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1042,7 +1035,7 @@
1042
1035
  }
1043
1036
  }
1044
1037
 
1045
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1038
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1046
1039
  /*
1047
1040
  * Copyright (c) Microsoft Corporation. All rights reserved.
1048
1041
  * Licensed under the MIT License.
@@ -1097,7 +1090,7 @@
1097
1090
  return cachedAtSec > nowSeconds();
1098
1091
  }
1099
1092
 
1100
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1093
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1101
1094
 
1102
1095
  /*
1103
1096
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1424,7 +1417,7 @@
1424
1417
  return metadata.expiresAt <= nowSeconds();
1425
1418
  }
1426
1419
 
1427
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1420
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1428
1421
  /*
1429
1422
  * Copyright (c) Microsoft Corporation. All rights reserved.
1430
1423
  * Licensed under the MIT License.
@@ -1478,7 +1471,7 @@
1478
1471
  urlParseError: urlParseError
1479
1472
  });
1480
1473
 
1481
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1474
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1482
1475
 
1483
1476
  /*
1484
1477
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1616,7 +1609,7 @@
1616
1609
  return new ClientConfigurationError(errorCode);
1617
1610
  }
1618
1611
 
1619
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1612
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1620
1613
  /*
1621
1614
  * Copyright (c) Microsoft Corporation. All rights reserved.
1622
1615
  * Licensed under the MIT License.
@@ -1713,7 +1706,7 @@
1713
1706
  }
1714
1707
  }
1715
1708
 
1716
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1709
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1717
1710
 
1718
1711
  /*
1719
1712
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1904,7 +1897,7 @@
1904
1897
  }
1905
1898
  }
1906
1899
 
1907
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1900
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1908
1901
 
1909
1902
  /*
1910
1903
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -1944,7 +1937,7 @@
1944
1937
  };
1945
1938
  }
1946
1939
 
1947
- /*! @azure/msal-common v15.2.1 2025-03-11 */
1940
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
1948
1941
  /*
1949
1942
  * Copyright (c) Microsoft Corporation. All rights reserved.
1950
1943
  * Licensed under the MIT License.
@@ -2023,7 +2016,7 @@
2023
2016
  return updatedAccountInfo;
2024
2017
  }
2025
2018
 
2026
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2019
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2027
2020
  /*
2028
2021
  * Copyright (c) Microsoft Corporation. All rights reserved.
2029
2022
  * Licensed under the MIT License.
@@ -2038,7 +2031,7 @@
2038
2031
  Ciam: 3,
2039
2032
  };
2040
2033
 
2041
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2034
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2042
2035
  /*
2043
2036
  * Copyright (c) Microsoft Corporation. All rights reserved.
2044
2037
  * Licensed under the MIT License.
@@ -2060,7 +2053,7 @@
2060
2053
  return null;
2061
2054
  }
2062
2055
 
2063
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2056
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2064
2057
  /*
2065
2058
  * Copyright (c) Microsoft Corporation. All rights reserved.
2066
2059
  * Licensed under the MIT License.
@@ -2073,7 +2066,7 @@
2073
2066
  OIDC: "OIDC",
2074
2067
  };
2075
2068
 
2076
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2069
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2077
2070
 
2078
2071
  /*
2079
2072
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2316,7 +2309,7 @@
2316
2309
  }
2317
2310
  }
2318
2311
 
2319
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2312
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2320
2313
 
2321
2314
  /*
2322
2315
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2361,9 +2354,19 @@
2361
2354
  throw createClientAuthError(hashNotDeserialized);
2362
2355
  }
2363
2356
  return null;
2357
+ }
2358
+ /**
2359
+ * Utility to create a URL from the params map
2360
+ */
2361
+ function mapToQueryString(parameters) {
2362
+ const queryParameterArray = new Array();
2363
+ parameters.forEach((value, key) => {
2364
+ queryParameterArray.push(`${key}=${encodeURIComponent(value)}`);
2365
+ });
2366
+ return queryParameterArray.join("&");
2364
2367
  }
2365
2368
 
2366
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2369
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2367
2370
 
2368
2371
  /*
2369
2372
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2527,7 +2530,7 @@
2527
2530
  }
2528
2531
  }
2529
2532
 
2530
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2533
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2531
2534
 
2532
2535
  /*
2533
2536
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2667,7 +2670,7 @@
2667
2670
  return null;
2668
2671
  }
2669
2672
 
2670
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2673
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2671
2674
  /*
2672
2675
  * Copyright (c) Microsoft Corporation. All rights reserved.
2673
2676
  * Licensed under the MIT License.
@@ -2675,7 +2678,7 @@
2675
2678
  const cacheQuotaExceededErrorCode = "cache_quota_exceeded";
2676
2679
  const cacheUnknownErrorCode = "cache_error_unknown";
2677
2680
 
2678
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2681
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2679
2682
 
2680
2683
  /*
2681
2684
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -2702,7 +2705,7 @@
2702
2705
  }
2703
2706
  }
2704
2707
 
2705
- /*! @azure/msal-common v15.2.1 2025-03-11 */
2708
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
2706
2709
 
2707
2710
  /*
2708
2711
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3887,7 +3890,7 @@
3887
3890
  }
3888
3891
  }
3889
3892
 
3890
- /*! @azure/msal-common v15.2.1 2025-03-11 */
3893
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3891
3894
 
3892
3895
  /*
3893
3896
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -3986,7 +3989,7 @@
3986
3989
  return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
3987
3990
  }
3988
3991
 
3989
- /*! @azure/msal-common v15.2.1 2025-03-11 */
3992
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
3990
3993
  /*
3991
3994
  * Copyright (c) Microsoft Corporation. All rights reserved.
3992
3995
  * Licensed under the MIT License.
@@ -3996,7 +3999,7 @@
3996
3999
  UPN: "UPN",
3997
4000
  };
3998
4001
 
3999
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4002
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4000
4003
  /*
4001
4004
  * Copyright (c) Microsoft Corporation. All rights reserved.
4002
4005
  * Licensed under the MIT License.
@@ -4028,14 +4031,11 @@
4028
4031
  const X_APP_VER = "x-app-ver";
4029
4032
  const POST_LOGOUT_URI = "post_logout_redirect_uri";
4030
4033
  const ID_TOKEN_HINT = "id_token_hint";
4031
- const DEVICE_CODE = "device_code";
4032
4034
  const CLIENT_SECRET = "client_secret";
4033
4035
  const CLIENT_ASSERTION = "client_assertion";
4034
4036
  const CLIENT_ASSERTION_TYPE = "client_assertion_type";
4035
4037
  const TOKEN_TYPE = "token_type";
4036
4038
  const REQ_CNF = "req_cnf";
4037
- const OBO_ASSERTION = "assertion";
4038
- const REQUESTED_TOKEN_USE = "requested_token_use";
4039
4039
  const RETURN_SPA_CODE = "return_spa_code";
4040
4040
  const NATIVE_BROKER = "nativebroker";
4041
4041
  const LOGOUT_HINT = "logout_hint";
@@ -4044,76 +4044,10 @@
4044
4044
  const DOMAIN_HINT = "domain_hint";
4045
4045
  const X_CLIENT_EXTRA_SKU = "x-client-xtra-sku";
4046
4046
  const BROKER_CLIENT_ID = "brk_client_id";
4047
- const BROKER_REDIRECT_URI = "brk_redirect_uri";
4048
-
4049
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4050
-
4051
- /*
4052
- * Copyright (c) Microsoft Corporation. All rights reserved.
4053
- * Licensed under the MIT License.
4054
- */
4055
- /**
4056
- * Validates server consumable params from the "request" objects
4057
- */
4058
- class RequestValidator {
4059
- /**
4060
- * Utility to check if the `redirectUri` in the request is a non-null value
4061
- * @param redirectUri
4062
- */
4063
- static validateRedirectUri(redirectUri) {
4064
- if (!redirectUri) {
4065
- throw createClientConfigurationError(redirectUriEmpty);
4066
- }
4067
- }
4068
- /**
4069
- * Utility to validate prompt sent by the user in the request
4070
- * @param prompt
4071
- */
4072
- static validatePrompt(prompt) {
4073
- const promptValues = [];
4074
- for (const value in PromptValue) {
4075
- promptValues.push(PromptValue[value]);
4076
- }
4077
- if (promptValues.indexOf(prompt) < 0) {
4078
- throw createClientConfigurationError(invalidPromptValue);
4079
- }
4080
- }
4081
- static validateClaims(claims) {
4082
- try {
4083
- JSON.parse(claims);
4084
- }
4085
- catch (e) {
4086
- throw createClientConfigurationError(invalidClaims);
4087
- }
4088
- }
4089
- /**
4090
- * Utility to validate code_challenge and code_challenge_method
4091
- * @param codeChallenge
4092
- * @param codeChallengeMethod
4093
- */
4094
- static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4095
- if (!codeChallenge || !codeChallengeMethod) {
4096
- throw createClientConfigurationError(pkceParamsMissing);
4097
- }
4098
- else {
4099
- this.validateCodeChallengeMethod(codeChallengeMethod);
4100
- }
4101
- }
4102
- /**
4103
- * Utility to validate code_challenge_method
4104
- * @param codeChallengeMethod
4105
- */
4106
- static validateCodeChallengeMethod(codeChallengeMethod) {
4107
- if ([
4108
- CodeChallengeMethodValues.PLAIN,
4109
- CodeChallengeMethodValues.S256,
4110
- ].indexOf(codeChallengeMethod) < 0) {
4111
- throw createClientConfigurationError(invalidCodeChallengeMethod);
4112
- }
4113
- }
4114
- }
4047
+ const BROKER_REDIRECT_URI = "brk_redirect_uri";
4048
+ const INSTANCE_AWARE = "instance_aware";
4115
4049
 
4116
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4050
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4117
4051
 
4118
4052
  /*
4119
4053
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4131,397 +4065,344 @@
4131
4065
  }, correlationId);
4132
4066
  }
4133
4067
  }
4134
- /** @internal */
4135
- class RequestParameterBuilder {
4136
- constructor(correlationId, performanceClient) {
4137
- this.parameters = new Map();
4138
- this.performanceClient = performanceClient;
4139
- this.correlationId = correlationId;
4140
- }
4141
- /**
4142
- * add response_type = code
4143
- */
4144
- addResponseTypeCode() {
4145
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(Constants.CODE_RESPONSE_TYPE));
4146
- }
4147
- /**
4148
- * add response_type = token id_token
4149
- */
4150
- addResponseTypeForTokenAndIdToken() {
4151
- this.parameters.set(RESPONSE_TYPE, encodeURIComponent(`${Constants.TOKEN_RESPONSE_TYPE} ${Constants.ID_TOKEN_RESPONSE_TYPE}`));
4152
- }
4153
- /**
4154
- * add response_mode. defaults to query.
4155
- * @param responseMode
4156
- */
4157
- addResponseMode(responseMode) {
4158
- this.parameters.set(RESPONSE_MODE, encodeURIComponent(responseMode ? responseMode : ResponseMode.QUERY));
4159
- }
4160
- /**
4161
- * Add flag to indicate STS should attempt to use WAM if available
4162
- */
4163
- addNativeBroker() {
4164
- this.parameters.set(NATIVE_BROKER, encodeURIComponent("1"));
4165
- }
4166
- /**
4167
- * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4168
- * @param scopeSet
4169
- * @param addOidcScopes
4170
- */
4171
- addScopes(scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4172
- // Always add openid to the scopes when adding OIDC scopes
4173
- if (addOidcScopes &&
4174
- !defaultScopes.includes("openid") &&
4175
- !scopes.includes("openid")) {
4176
- defaultScopes.push("openid");
4177
- }
4178
- const requestScopes = addOidcScopes
4179
- ? [...(scopes || []), ...defaultScopes]
4180
- : scopes || [];
4181
- const scopeSet = new ScopeSet(requestScopes);
4182
- this.parameters.set(SCOPE, encodeURIComponent(scopeSet.printScopes()));
4068
+ /**
4069
+ * add response_type = code
4070
+ */
4071
+ function addResponseTypeCode(parameters) {
4072
+ parameters.set(RESPONSE_TYPE, Constants.CODE_RESPONSE_TYPE);
4073
+ }
4074
+ /**
4075
+ * add response_mode. defaults to query.
4076
+ * @param responseMode
4077
+ */
4078
+ function addResponseMode(parameters, responseMode) {
4079
+ parameters.set(RESPONSE_MODE, responseMode ? responseMode : ResponseMode.QUERY);
4080
+ }
4081
+ /**
4082
+ * Add flag to indicate STS should attempt to use WAM if available
4083
+ */
4084
+ function addNativeBroker(parameters) {
4085
+ parameters.set(NATIVE_BROKER, "1");
4086
+ }
4087
+ /**
4088
+ * add scopes. set addOidcScopes to false to prevent default scopes in non-user scenarios
4089
+ * @param scopeSet
4090
+ * @param addOidcScopes
4091
+ */
4092
+ function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
4093
+ // Always add openid to the scopes when adding OIDC scopes
4094
+ if (addOidcScopes &&
4095
+ !defaultScopes.includes("openid") &&
4096
+ !scopes.includes("openid")) {
4097
+ defaultScopes.push("openid");
4098
+ }
4099
+ const requestScopes = addOidcScopes
4100
+ ? [...(scopes || []), ...defaultScopes]
4101
+ : scopes || [];
4102
+ const scopeSet = new ScopeSet(requestScopes);
4103
+ parameters.set(SCOPE, scopeSet.printScopes());
4104
+ }
4105
+ /**
4106
+ * add clientId
4107
+ * @param clientId
4108
+ */
4109
+ function addClientId(parameters, clientId) {
4110
+ parameters.set(CLIENT_ID, clientId);
4111
+ }
4112
+ /**
4113
+ * add redirect_uri
4114
+ * @param redirectUri
4115
+ */
4116
+ function addRedirectUri(parameters, redirectUri) {
4117
+ parameters.set(REDIRECT_URI, redirectUri);
4118
+ }
4119
+ /**
4120
+ * add post logout redirectUri
4121
+ * @param redirectUri
4122
+ */
4123
+ function addPostLogoutRedirectUri(parameters, redirectUri) {
4124
+ parameters.set(POST_LOGOUT_URI, redirectUri);
4125
+ }
4126
+ /**
4127
+ * add id_token_hint to logout request
4128
+ * @param idTokenHint
4129
+ */
4130
+ function addIdTokenHint(parameters, idTokenHint) {
4131
+ parameters.set(ID_TOKEN_HINT, idTokenHint);
4132
+ }
4133
+ /**
4134
+ * add domain_hint
4135
+ * @param domainHint
4136
+ */
4137
+ function addDomainHint(parameters, domainHint) {
4138
+ parameters.set(DOMAIN_HINT, domainHint);
4139
+ }
4140
+ /**
4141
+ * add login_hint
4142
+ * @param loginHint
4143
+ */
4144
+ function addLoginHint(parameters, loginHint) {
4145
+ parameters.set(LOGIN_HINT, loginHint);
4146
+ }
4147
+ /**
4148
+ * Adds the CCS (Cache Credential Service) query parameter for login_hint
4149
+ * @param loginHint
4150
+ */
4151
+ function addCcsUpn(parameters, loginHint) {
4152
+ parameters.set(HeaderNames.CCS_HEADER, `UPN:${loginHint}`);
4153
+ }
4154
+ /**
4155
+ * Adds the CCS (Cache Credential Service) query parameter for account object
4156
+ * @param loginHint
4157
+ */
4158
+ function addCcsOid(parameters, clientInfo) {
4159
+ parameters.set(HeaderNames.CCS_HEADER, `Oid:${clientInfo.uid}@${clientInfo.utid}`);
4160
+ }
4161
+ /**
4162
+ * add sid
4163
+ * @param sid
4164
+ */
4165
+ function addSid(parameters, sid) {
4166
+ parameters.set(SID, sid);
4167
+ }
4168
+ /**
4169
+ * add claims
4170
+ * @param claims
4171
+ */
4172
+ function addClaims(parameters, claims, clientCapabilities) {
4173
+ const mergedClaims = addClientCapabilitiesToClaims(claims, clientCapabilities);
4174
+ try {
4175
+ JSON.parse(mergedClaims);
4183
4176
  }
4184
- /**
4185
- * add clientId
4186
- * @param clientId
4187
- */
4188
- addClientId(clientId) {
4189
- this.parameters.set(CLIENT_ID, encodeURIComponent(clientId));
4177
+ catch (e) {
4178
+ throw createClientConfigurationError(invalidClaims);
4190
4179
  }
4191
- /**
4192
- * add redirect_uri
4193
- * @param redirectUri
4194
- */
4195
- addRedirectUri(redirectUri) {
4196
- RequestValidator.validateRedirectUri(redirectUri);
4197
- this.parameters.set(REDIRECT_URI, encodeURIComponent(redirectUri));
4180
+ parameters.set(CLAIMS, mergedClaims);
4181
+ }
4182
+ /**
4183
+ * add correlationId
4184
+ * @param correlationId
4185
+ */
4186
+ function addCorrelationId(parameters, correlationId) {
4187
+ parameters.set(CLIENT_REQUEST_ID, correlationId);
4188
+ }
4189
+ /**
4190
+ * add library info query params
4191
+ * @param libraryInfo
4192
+ */
4193
+ function addLibraryInfo(parameters, libraryInfo) {
4194
+ // Telemetry Info
4195
+ parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4196
+ parameters.set(X_CLIENT_VER, libraryInfo.version);
4197
+ if (libraryInfo.os) {
4198
+ parameters.set(X_CLIENT_OS, libraryInfo.os);
4198
4199
  }
4199
- /**
4200
- * add post logout redirectUri
4201
- * @param redirectUri
4202
- */
4203
- addPostLogoutRedirectUri(redirectUri) {
4204
- RequestValidator.validateRedirectUri(redirectUri);
4205
- this.parameters.set(POST_LOGOUT_URI, encodeURIComponent(redirectUri));
4200
+ if (libraryInfo.cpu) {
4201
+ parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4206
4202
  }
4207
- /**
4208
- * add id_token_hint to logout request
4209
- * @param idTokenHint
4210
- */
4211
- addIdTokenHint(idTokenHint) {
4212
- this.parameters.set(ID_TOKEN_HINT, encodeURIComponent(idTokenHint));
4203
+ }
4204
+ /**
4205
+ * Add client telemetry parameters
4206
+ * @param appTelemetry
4207
+ */
4208
+ function addApplicationTelemetry(parameters, appTelemetry) {
4209
+ if (appTelemetry?.appName) {
4210
+ parameters.set(X_APP_NAME, appTelemetry.appName);
4213
4211
  }
4214
- /**
4215
- * add domain_hint
4216
- * @param domainHint
4217
- */
4218
- addDomainHint(domainHint) {
4219
- this.parameters.set(DOMAIN_HINT, encodeURIComponent(domainHint));
4212
+ if (appTelemetry?.appVersion) {
4213
+ parameters.set(X_APP_VER, appTelemetry.appVersion);
4220
4214
  }
4221
- /**
4222
- * add login_hint
4223
- * @param loginHint
4224
- */
4225
- addLoginHint(loginHint) {
4226
- this.parameters.set(LOGIN_HINT, encodeURIComponent(loginHint));
4215
+ }
4216
+ /**
4217
+ * add prompt
4218
+ * @param prompt
4219
+ */
4220
+ function addPrompt(parameters, prompt) {
4221
+ parameters.set(PROMPT, prompt);
4222
+ }
4223
+ /**
4224
+ * add state
4225
+ * @param state
4226
+ */
4227
+ function addState(parameters, state) {
4228
+ if (state) {
4229
+ parameters.set(STATE, state);
4227
4230
  }
4228
- /**
4229
- * Adds the CCS (Cache Credential Service) query parameter for login_hint
4230
- * @param loginHint
4231
- */
4232
- addCcsUpn(loginHint) {
4233
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`UPN:${loginHint}`));
4231
+ }
4232
+ /**
4233
+ * add nonce
4234
+ * @param nonce
4235
+ */
4236
+ function addNonce(parameters, nonce) {
4237
+ parameters.set(NONCE, nonce);
4238
+ }
4239
+ /**
4240
+ * add code_challenge and code_challenge_method
4241
+ * - throw if either of them are not passed
4242
+ * @param codeChallenge
4243
+ * @param codeChallengeMethod
4244
+ */
4245
+ function addCodeChallengeParams(parameters, codeChallenge, codeChallengeMethod) {
4246
+ if (codeChallenge && codeChallengeMethod) {
4247
+ parameters.set(CODE_CHALLENGE, codeChallenge);
4248
+ parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
4234
4249
  }
4235
- /**
4236
- * Adds the CCS (Cache Credential Service) query parameter for account object
4237
- * @param loginHint
4238
- */
4239
- addCcsOid(clientInfo) {
4240
- this.parameters.set(HeaderNames.CCS_HEADER, encodeURIComponent(`Oid:${clientInfo.uid}@${clientInfo.utid}`));
4250
+ else {
4251
+ throw createClientConfigurationError(pkceParamsMissing);
4241
4252
  }
4242
- /**
4243
- * add sid
4244
- * @param sid
4245
- */
4246
- addSid(sid) {
4247
- this.parameters.set(SID, encodeURIComponent(sid));
4253
+ }
4254
+ /**
4255
+ * add the `authorization_code` passed by the user to exchange for a token
4256
+ * @param code
4257
+ */
4258
+ function addAuthorizationCode(parameters, code) {
4259
+ parameters.set(CODE, code);
4260
+ }
4261
+ /**
4262
+ * add the `refreshToken` passed by the user
4263
+ * @param refreshToken
4264
+ */
4265
+ function addRefreshToken(parameters, refreshToken) {
4266
+ parameters.set(REFRESH_TOKEN, refreshToken);
4267
+ }
4268
+ /**
4269
+ * add the `code_verifier` passed by the user to exchange for a token
4270
+ * @param codeVerifier
4271
+ */
4272
+ function addCodeVerifier(parameters, codeVerifier) {
4273
+ parameters.set(CODE_VERIFIER, codeVerifier);
4274
+ }
4275
+ /**
4276
+ * add client_secret
4277
+ * @param clientSecret
4278
+ */
4279
+ function addClientSecret(parameters, clientSecret) {
4280
+ parameters.set(CLIENT_SECRET, clientSecret);
4281
+ }
4282
+ /**
4283
+ * add clientAssertion for confidential client flows
4284
+ * @param clientAssertion
4285
+ */
4286
+ function addClientAssertion(parameters, clientAssertion) {
4287
+ if (clientAssertion) {
4288
+ parameters.set(CLIENT_ASSERTION, clientAssertion);
4248
4289
  }
4249
- /**
4250
- * add claims
4251
- * @param claims
4252
- */
4253
- addClaims(claims, clientCapabilities) {
4254
- const mergedClaims = this.addClientCapabilitiesToClaims(claims, clientCapabilities);
4255
- RequestValidator.validateClaims(mergedClaims);
4256
- this.parameters.set(CLAIMS, encodeURIComponent(mergedClaims));
4290
+ }
4291
+ /**
4292
+ * add clientAssertionType for confidential client flows
4293
+ * @param clientAssertionType
4294
+ */
4295
+ function addClientAssertionType(parameters, clientAssertionType) {
4296
+ if (clientAssertionType) {
4297
+ parameters.set(CLIENT_ASSERTION_TYPE, clientAssertionType);
4257
4298
  }
4258
- /**
4259
- * add correlationId
4260
- * @param correlationId
4261
- */
4262
- addCorrelationId(correlationId) {
4263
- this.parameters.set(CLIENT_REQUEST_ID, encodeURIComponent(correlationId));
4299
+ }
4300
+ /**
4301
+ * add grant type
4302
+ * @param grantType
4303
+ */
4304
+ function addGrantType(parameters, grantType) {
4305
+ parameters.set(GRANT_TYPE, grantType);
4306
+ }
4307
+ /**
4308
+ * add client info
4309
+ *
4310
+ */
4311
+ function addClientInfo(parameters) {
4312
+ parameters.set(CLIENT_INFO, "1");
4313
+ }
4314
+ function addInstanceAware(parameters) {
4315
+ if (!parameters.has(INSTANCE_AWARE)) {
4316
+ parameters.set(INSTANCE_AWARE, "true");
4264
4317
  }
4265
- /**
4266
- * add library info query params
4267
- * @param libraryInfo
4268
- */
4269
- addLibraryInfo(libraryInfo) {
4270
- // Telemetry Info
4271
- this.parameters.set(X_CLIENT_SKU, libraryInfo.sku);
4272
- this.parameters.set(X_CLIENT_VER, libraryInfo.version);
4273
- if (libraryInfo.os) {
4274
- this.parameters.set(X_CLIENT_OS, libraryInfo.os);
4275
- }
4276
- if (libraryInfo.cpu) {
4277
- this.parameters.set(X_CLIENT_CPU, libraryInfo.cpu);
4318
+ }
4319
+ /**
4320
+ * add extraQueryParams
4321
+ * @param eQParams
4322
+ */
4323
+ function addExtraQueryParameters(parameters, eQParams) {
4324
+ Object.entries(eQParams).forEach(([key, value]) => {
4325
+ if (!parameters.has(key) && value) {
4326
+ parameters.set(key, value);
4278
4327
  }
4328
+ });
4329
+ }
4330
+ function addClientCapabilitiesToClaims(claims, clientCapabilities) {
4331
+ let mergedClaims;
4332
+ // Parse provided claims into JSON object or initialize empty object
4333
+ if (!claims) {
4334
+ mergedClaims = {};
4279
4335
  }
4280
- /**
4281
- * Add client telemetry parameters
4282
- * @param appTelemetry
4283
- */
4284
- addApplicationTelemetry(appTelemetry) {
4285
- if (appTelemetry?.appName) {
4286
- this.parameters.set(X_APP_NAME, appTelemetry.appName);
4336
+ else {
4337
+ try {
4338
+ mergedClaims = JSON.parse(claims);
4287
4339
  }
4288
- if (appTelemetry?.appVersion) {
4289
- this.parameters.set(X_APP_VER, appTelemetry.appVersion);
4340
+ catch (e) {
4341
+ throw createClientConfigurationError(invalidClaims);
4290
4342
  }
4291
4343
  }
4292
- /**
4293
- * add prompt
4294
- * @param prompt
4295
- */
4296
- addPrompt(prompt) {
4297
- RequestValidator.validatePrompt(prompt);
4298
- this.parameters.set(`${PROMPT}`, encodeURIComponent(prompt));
4299
- }
4300
- /**
4301
- * add state
4302
- * @param state
4303
- */
4304
- addState(state) {
4305
- if (state) {
4306
- this.parameters.set(STATE, encodeURIComponent(state));
4344
+ if (clientCapabilities && clientCapabilities.length > 0) {
4345
+ if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4346
+ // Add access_token key to claims object
4347
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4307
4348
  }
4349
+ // Add xms_cc claim with provided clientCapabilities to access_token key
4350
+ mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] =
4351
+ {
4352
+ values: clientCapabilities,
4353
+ };
4308
4354
  }
4309
- /**
4310
- * add nonce
4311
- * @param nonce
4312
- */
4313
- addNonce(nonce) {
4314
- this.parameters.set(NONCE, encodeURIComponent(nonce));
4355
+ return JSON.stringify(mergedClaims);
4356
+ }
4357
+ /**
4358
+ * add pop_jwk to query params
4359
+ * @param cnfString
4360
+ */
4361
+ function addPopToken(parameters, cnfString) {
4362
+ if (cnfString) {
4363
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4364
+ parameters.set(REQ_CNF, cnfString);
4315
4365
  }
4316
- /**
4317
- * add code_challenge and code_challenge_method
4318
- * - throw if either of them are not passed
4319
- * @param codeChallenge
4320
- * @param codeChallengeMethod
4321
- */
4322
- addCodeChallengeParams(codeChallenge, codeChallengeMethod) {
4323
- RequestValidator.validateCodeChallengeParams(codeChallenge, codeChallengeMethod);
4324
- if (codeChallenge && codeChallengeMethod) {
4325
- this.parameters.set(CODE_CHALLENGE, encodeURIComponent(codeChallenge));
4326
- this.parameters.set(CODE_CHALLENGE_METHOD, encodeURIComponent(codeChallengeMethod));
4327
- }
4328
- else {
4329
- throw createClientConfigurationError(pkceParamsMissing);
4330
- }
4331
- }
4332
- /**
4333
- * add the `authorization_code` passed by the user to exchange for a token
4334
- * @param code
4335
- */
4336
- addAuthorizationCode(code) {
4337
- this.parameters.set(CODE, encodeURIComponent(code));
4338
- }
4339
- /**
4340
- * add the `authorization_code` passed by the user to exchange for a token
4341
- * @param code
4342
- */
4343
- addDeviceCode(code) {
4344
- this.parameters.set(DEVICE_CODE, encodeURIComponent(code));
4345
- }
4346
- /**
4347
- * add the `refreshToken` passed by the user
4348
- * @param refreshToken
4349
- */
4350
- addRefreshToken(refreshToken) {
4351
- this.parameters.set(REFRESH_TOKEN, encodeURIComponent(refreshToken));
4352
- }
4353
- /**
4354
- * add the `code_verifier` passed by the user to exchange for a token
4355
- * @param codeVerifier
4356
- */
4357
- addCodeVerifier(codeVerifier) {
4358
- this.parameters.set(CODE_VERIFIER, encodeURIComponent(codeVerifier));
4359
- }
4360
- /**
4361
- * add client_secret
4362
- * @param clientSecret
4363
- */
4364
- addClientSecret(clientSecret) {
4365
- this.parameters.set(CLIENT_SECRET, encodeURIComponent(clientSecret));
4366
- }
4367
- /**
4368
- * add clientAssertion for confidential client flows
4369
- * @param clientAssertion
4370
- */
4371
- addClientAssertion(clientAssertion) {
4372
- if (clientAssertion) {
4373
- this.parameters.set(CLIENT_ASSERTION, encodeURIComponent(clientAssertion));
4374
- }
4375
- }
4376
- /**
4377
- * add clientAssertionType for confidential client flows
4378
- * @param clientAssertionType
4379
- */
4380
- addClientAssertionType(clientAssertionType) {
4381
- if (clientAssertionType) {
4382
- this.parameters.set(CLIENT_ASSERTION_TYPE, encodeURIComponent(clientAssertionType));
4383
- }
4384
- }
4385
- /**
4386
- * add OBO assertion for confidential client flows
4387
- * @param clientAssertion
4388
- */
4389
- addOboAssertion(oboAssertion) {
4390
- this.parameters.set(OBO_ASSERTION, encodeURIComponent(oboAssertion));
4391
- }
4392
- /**
4393
- * add grant type
4394
- * @param grantType
4395
- */
4396
- addRequestTokenUse(tokenUse) {
4397
- this.parameters.set(REQUESTED_TOKEN_USE, encodeURIComponent(tokenUse));
4398
- }
4399
- /**
4400
- * add grant type
4401
- * @param grantType
4402
- */
4403
- addGrantType(grantType) {
4404
- this.parameters.set(GRANT_TYPE, encodeURIComponent(grantType));
4405
- }
4406
- /**
4407
- * add client info
4408
- *
4409
- */
4410
- addClientInfo() {
4411
- this.parameters.set(CLIENT_INFO, "1");
4412
- }
4413
- /**
4414
- * add extraQueryParams
4415
- * @param eQParams
4416
- */
4417
- addExtraQueryParameters(eQParams) {
4418
- Object.entries(eQParams).forEach(([key, value]) => {
4419
- if (!this.parameters.has(key) && value) {
4420
- this.parameters.set(key, value);
4421
- }
4422
- });
4423
- }
4424
- addClientCapabilitiesToClaims(claims, clientCapabilities) {
4425
- let mergedClaims;
4426
- // Parse provided claims into JSON object or initialize empty object
4427
- if (!claims) {
4428
- mergedClaims = {};
4429
- }
4430
- else {
4431
- try {
4432
- mergedClaims = JSON.parse(claims);
4433
- }
4434
- catch (e) {
4435
- throw createClientConfigurationError(invalidClaims);
4436
- }
4437
- }
4438
- if (clientCapabilities && clientCapabilities.length > 0) {
4439
- if (!mergedClaims.hasOwnProperty(ClaimsRequestKeys.ACCESS_TOKEN)) {
4440
- // Add access_token key to claims object
4441
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
4442
- }
4443
- // Add xms_cc claim with provided clientCapabilities to access_token key
4444
- mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN][ClaimsRequestKeys.XMS_CC] = {
4445
- values: clientCapabilities,
4446
- };
4447
- }
4448
- return JSON.stringify(mergedClaims);
4449
- }
4450
- /**
4451
- * adds `username` for Password Grant flow
4452
- * @param username
4453
- */
4454
- addUsername(username) {
4455
- this.parameters.set(PasswordGrantConstants.username, encodeURIComponent(username));
4456
- }
4457
- /**
4458
- * adds `password` for Password Grant flow
4459
- * @param password
4460
- */
4461
- addPassword(password) {
4462
- this.parameters.set(PasswordGrantConstants.password, encodeURIComponent(password));
4463
- }
4464
- /**
4465
- * add pop_jwk to query params
4466
- * @param cnfString
4467
- */
4468
- addPopToken(cnfString) {
4469
- if (cnfString) {
4470
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.POP);
4471
- this.parameters.set(REQ_CNF, encodeURIComponent(cnfString));
4472
- }
4473
- }
4474
- /**
4475
- * add SSH JWK and key ID to query params
4476
- */
4477
- addSshJwk(sshJwkString) {
4478
- if (sshJwkString) {
4479
- this.parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4480
- this.parameters.set(REQ_CNF, encodeURIComponent(sshJwkString));
4481
- }
4482
- }
4483
- /**
4484
- * add server telemetry fields
4485
- * @param serverTelemetryManager
4486
- */
4487
- addServerTelemetry(serverTelemetryManager) {
4488
- this.parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4489
- this.parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4490
- }
4491
- /**
4492
- * Adds parameter that indicates to the server that throttling is supported
4493
- */
4494
- addThrottling() {
4495
- this.parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4496
- }
4497
- /**
4498
- * Adds logout_hint parameter for "silent" logout which prevent server account picker
4499
- */
4500
- addLogoutHint(logoutHint) {
4501
- this.parameters.set(LOGOUT_HINT, encodeURIComponent(logoutHint));
4366
+ }
4367
+ /**
4368
+ * add SSH JWK and key ID to query params
4369
+ */
4370
+ function addSshJwk(parameters, sshJwkString) {
4371
+ if (sshJwkString) {
4372
+ parameters.set(TOKEN_TYPE, AuthenticationScheme.SSH);
4373
+ parameters.set(REQ_CNF, sshJwkString);
4502
4374
  }
4503
- addBrokerParameters(params) {
4504
- const brokerParams = {};
4505
- brokerParams[BROKER_CLIENT_ID] =
4506
- params.brokerClientId;
4507
- brokerParams[BROKER_REDIRECT_URI] =
4508
- params.brokerRedirectUri;
4509
- this.addExtraQueryParameters(brokerParams);
4375
+ }
4376
+ /**
4377
+ * add server telemetry fields
4378
+ * @param serverTelemetryManager
4379
+ */
4380
+ function addServerTelemetry(parameters, serverTelemetryManager) {
4381
+ parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
4382
+ parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
4383
+ }
4384
+ /**
4385
+ * Adds parameter that indicates to the server that throttling is supported
4386
+ */
4387
+ function addThrottling(parameters) {
4388
+ parameters.set(X_MS_LIB_CAPABILITY, ThrottlingConstants.X_MS_LIB_CAPABILITY_VALUE);
4389
+ }
4390
+ /**
4391
+ * Adds logout_hint parameter for "silent" logout which prevent server account picker
4392
+ */
4393
+ function addLogoutHint(parameters, logoutHint) {
4394
+ parameters.set(LOGOUT_HINT, logoutHint);
4395
+ }
4396
+ function addBrokerParameters(parameters, brokerClientId, brokerRedirectUri) {
4397
+ if (!parameters.has(BROKER_CLIENT_ID)) {
4398
+ parameters.set(BROKER_CLIENT_ID, brokerClientId);
4510
4399
  }
4511
- /**
4512
- * Utility to create a URL from the params map
4513
- */
4514
- createQueryString() {
4515
- const queryParameterArray = new Array();
4516
- this.parameters.forEach((value, key) => {
4517
- queryParameterArray.push(`${key}=${value}`);
4518
- });
4519
- instrumentBrokerParams(this.parameters, this.correlationId, this.performanceClient);
4520
- return queryParameterArray.join("&");
4400
+ if (!parameters.has(BROKER_REDIRECT_URI)) {
4401
+ parameters.set(BROKER_REDIRECT_URI, brokerRedirectUri);
4521
4402
  }
4522
4403
  }
4523
4404
 
4524
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4405
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4525
4406
  /*
4526
4407
  * Copyright (c) Microsoft Corporation. All rights reserved.
4527
4408
  * Licensed under the MIT License.
@@ -4533,7 +4414,7 @@
4533
4414
  response.hasOwnProperty("jwks_uri"));
4534
4415
  }
4535
4416
 
4536
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4417
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4537
4418
  /*
4538
4419
  * Copyright (c) Microsoft Corporation. All rights reserved.
4539
4420
  * Licensed under the MIT License.
@@ -4543,7 +4424,7 @@
4543
4424
  response.hasOwnProperty("metadata"));
4544
4425
  }
4545
4426
 
4546
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4427
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4547
4428
  /*
4548
4429
  * Copyright (c) Microsoft Corporation. All rights reserved.
4549
4430
  * Licensed under the MIT License.
@@ -4553,7 +4434,7 @@
4553
4434
  response.hasOwnProperty("error_description"));
4554
4435
  }
4555
4436
 
4556
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4437
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
4557
4438
  /*
4558
4439
  * Copyright (c) Microsoft Corporation. All rights reserved.
4559
4440
  * Licensed under the MIT License.
@@ -4729,11 +4610,11 @@
4729
4610
  StandardInteractionClientCreateAuthCodeClient: "standardInteractionClientCreateAuthCodeClient",
4730
4611
  StandardInteractionClientGetClientConfiguration: "standardInteractionClientGetClientConfiguration",
4731
4612
  StandardInteractionClientInitializeAuthorizationRequest: "standardInteractionClientInitializeAuthorizationRequest",
4732
- StandardInteractionClientInitializeAuthorizationCodeRequest: "standardInteractionClientInitializeAuthorizationCodeRequest",
4733
4613
  /**
4734
4614
  * getAuthCodeUrl API (msal-browser and msal-node).
4735
4615
  */
4736
4616
  GetAuthCodeUrl: "getAuthCodeUrl",
4617
+ GetStandardParams: "getStandardParams",
4737
4618
  /**
4738
4619
  * Functions from InteractionHandler (msal-browser)
4739
4620
  */
@@ -4746,7 +4627,6 @@
4746
4627
  AuthClientAcquireToken: "authClientAcquireToken",
4747
4628
  AuthClientExecuteTokenRequest: "authClientExecuteTokenRequest",
4748
4629
  AuthClientCreateTokenRequestBody: "authClientCreateTokenRequestBody",
4749
- AuthClientCreateQueryString: "authClientCreateQueryString",
4750
4630
  /**
4751
4631
  * Generate functions in PopTokenGenerator (msal-common)
4752
4632
  */
@@ -4917,10 +4797,6 @@
4917
4797
  PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest,
4918
4798
  "StdIntClientInitAuthReq",
4919
4799
  ],
4920
- [
4921
- PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest,
4922
- "StdIntClientInitAuthCodeReq",
4923
- ],
4924
4800
  [PerformanceEvents.GetAuthCodeUrl, "GetAuthCodeUrl"],
4925
4801
  [
4926
4802
  PerformanceEvents.HandleCodeResponseFromServer,
@@ -4934,10 +4810,6 @@
4934
4810
  PerformanceEvents.AuthClientCreateTokenRequestBody,
4935
4811
  "AuthClientCreateTReqBody",
4936
4812
  ],
4937
- [
4938
- PerformanceEvents.AuthClientCreateQueryString,
4939
- "AuthClientCreateQueryStr",
4940
- ],
4941
4813
  [PerformanceEvents.PopTokenGenerateCnf, "PopTGenCnf"],
4942
4814
  [PerformanceEvents.PopTokenGenerateKid, "PopTGenKid"],
4943
4815
  [PerformanceEvents.HandleServerTokenResponse, "HandleServerTRes"],
@@ -5062,7 +4934,7 @@
5062
4934
  "encryptedCacheExpiredCount",
5063
4935
  ]);
5064
4936
 
5065
- /*! @azure/msal-common v15.2.1 2025-03-11 */
4937
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5066
4938
  /*
5067
4939
  * Copyright (c) Microsoft Corporation. All rights reserved.
5068
4940
  * Licensed under the MIT License.
@@ -5158,7 +5030,7 @@
5158
5030
  };
5159
5031
  };
5160
5032
 
5161
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5033
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5162
5034
 
5163
5035
  /*
5164
5036
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -5267,7 +5139,7 @@
5267
5139
  },
5268
5140
  };
5269
5141
 
5270
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5142
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
5271
5143
 
5272
5144
  /*
5273
5145
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6106,7 +5978,7 @@
6106
5978
  };
6107
5979
  }
6108
5980
 
6109
- /*! @azure/msal-common v15.2.1 2025-03-11 */
5981
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6110
5982
 
6111
5983
  /*
6112
5984
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6137,7 +6009,7 @@
6137
6009
  }
6138
6010
  }
6139
6011
 
6140
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6012
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6141
6013
 
6142
6014
  /*
6143
6015
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6156,7 +6028,7 @@
6156
6028
  }
6157
6029
  }
6158
6030
 
6159
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6031
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6160
6032
  /*
6161
6033
  * Copyright (c) Microsoft Corporation. All rights reserved.
6162
6034
  * Licensed under the MIT License.
@@ -6177,7 +6049,7 @@
6177
6049
  };
6178
6050
  }
6179
6051
 
6180
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6052
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6181
6053
 
6182
6054
  /*
6183
6055
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6264,7 +6136,7 @@
6264
6136
  }
6265
6137
  }
6266
6138
 
6267
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6139
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6268
6140
 
6269
6141
  /*
6270
6142
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6294,7 +6166,7 @@
6294
6166
  return new NetworkError(error, httpStatus, responseHeaders);
6295
6167
  }
6296
6168
 
6297
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6169
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6298
6170
 
6299
6171
  /*
6300
6172
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6429,22 +6301,20 @@
6429
6301
  * @param request
6430
6302
  */
6431
6303
  createTokenQueryParameters(request) {
6432
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
6304
+ const parameters = new Map();
6433
6305
  if (request.embeddedClientId) {
6434
- parameterBuilder.addBrokerParameters({
6435
- brokerClientId: this.config.authOptions.clientId,
6436
- brokerRedirectUri: this.config.authOptions.redirectUri,
6437
- });
6306
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
6438
6307
  }
6439
6308
  if (request.tokenQueryParameters) {
6440
- parameterBuilder.addExtraQueryParameters(request.tokenQueryParameters);
6309
+ addExtraQueryParameters(parameters, request.tokenQueryParameters);
6441
6310
  }
6442
- parameterBuilder.addCorrelationId(request.correlationId);
6443
- return parameterBuilder.createQueryString();
6311
+ addCorrelationId(parameters, request.correlationId);
6312
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
6313
+ return mapToQueryString(parameters);
6444
6314
  }
6445
6315
  }
6446
6316
 
6447
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6317
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6448
6318
  /*
6449
6319
  * Copyright (c) Microsoft Corporation. All rights reserved.
6450
6320
  * Licensed under the MIT License.
@@ -6470,7 +6340,7 @@
6470
6340
  refreshTokenExpired: refreshTokenExpired
6471
6341
  });
6472
6342
 
6473
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6343
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6474
6344
 
6475
6345
  /*
6476
6346
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6558,7 +6428,7 @@
6558
6428
  return new InteractionRequiredAuthError(errorCode, InteractionRequiredAuthErrorMessages[errorCode]);
6559
6429
  }
6560
6430
 
6561
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6431
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6562
6432
 
6563
6433
  /*
6564
6434
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6630,7 +6500,7 @@
6630
6500
  }
6631
6501
  }
6632
6502
 
6633
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6503
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6634
6504
 
6635
6505
  /*
6636
6506
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -6714,7 +6584,7 @@
6714
6584
  }
6715
6585
  }
6716
6586
 
6717
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6587
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6718
6588
  /*
6719
6589
  * Copyright (c) Microsoft Corporation. All rights reserved.
6720
6590
  * Licensed under the MIT License.
@@ -6741,19 +6611,12 @@
6741
6611
  }
6742
6612
  }
6743
6613
 
6744
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6614
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6745
6615
 
6746
6616
  /*
6747
6617
  * Copyright (c) Microsoft Corporation. All rights reserved.
6748
6618
  * Licensed under the MIT License.
6749
6619
  */
6750
- function parseServerErrorNo(serverResponse) {
6751
- const errorCodePrefix = "code=";
6752
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
6753
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
6754
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
6755
- : undefined;
6756
- }
6757
6620
  /**
6758
6621
  * Class that handles response parsing.
6759
6622
  * @internal
@@ -6768,46 +6631,6 @@
6768
6631
  this.persistencePlugin = persistencePlugin;
6769
6632
  this.performanceClient = performanceClient;
6770
6633
  }
6771
- /**
6772
- * Function which validates server authorization code response.
6773
- * @param serverResponseHash
6774
- * @param requestState
6775
- * @param cryptoObj
6776
- */
6777
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
6778
- if (!serverResponse.state || !requestState) {
6779
- throw serverResponse.state
6780
- ? createClientAuthError(stateNotFound, "Cached State")
6781
- : createClientAuthError(stateNotFound, "Server State");
6782
- }
6783
- let decodedServerResponseState;
6784
- let decodedRequestState;
6785
- try {
6786
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
6787
- }
6788
- catch (e) {
6789
- throw createClientAuthError(invalidState, serverResponse.state);
6790
- }
6791
- try {
6792
- decodedRequestState = decodeURIComponent(requestState);
6793
- }
6794
- catch (e) {
6795
- throw createClientAuthError(invalidState, serverResponse.state);
6796
- }
6797
- if (decodedServerResponseState !== decodedRequestState) {
6798
- throw createClientAuthError(stateMismatch);
6799
- }
6800
- // Check for error
6801
- if (serverResponse.error ||
6802
- serverResponse.error_description ||
6803
- serverResponse.suberror) {
6804
- const serverErrorNo = parseServerErrorNo(serverResponse);
6805
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
6806
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
6807
- }
6808
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
6809
- }
6810
- }
6811
6634
  /**
6812
6635
  * Function which validates server authorization token response.
6813
6636
  * @param serverResponse
@@ -7119,7 +6942,74 @@
7119
6942
  return baseAccount;
7120
6943
  }
7121
6944
 
7122
- /*! @azure/msal-common v15.2.1 2025-03-11 */
6945
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
6946
+
6947
+ /*
6948
+ * Copyright (c) Microsoft Corporation. All rights reserved.
6949
+ * Licensed under the MIT License.
6950
+ */
6951
+ /**
6952
+ * Validates server consumable params from the "request" objects
6953
+ */
6954
+ class RequestValidator {
6955
+ /**
6956
+ * Utility to check if the `redirectUri` in the request is a non-null value
6957
+ * @param redirectUri
6958
+ */
6959
+ static validateRedirectUri(redirectUri) {
6960
+ if (!redirectUri) {
6961
+ throw createClientConfigurationError(redirectUriEmpty);
6962
+ }
6963
+ }
6964
+ /**
6965
+ * Utility to validate prompt sent by the user in the request
6966
+ * @param prompt
6967
+ */
6968
+ static validatePrompt(prompt) {
6969
+ const promptValues = [];
6970
+ for (const value in PromptValue) {
6971
+ promptValues.push(PromptValue[value]);
6972
+ }
6973
+ if (promptValues.indexOf(prompt) < 0) {
6974
+ throw createClientConfigurationError(invalidPromptValue);
6975
+ }
6976
+ }
6977
+ static validateClaims(claims) {
6978
+ try {
6979
+ JSON.parse(claims);
6980
+ }
6981
+ catch (e) {
6982
+ throw createClientConfigurationError(invalidClaims);
6983
+ }
6984
+ }
6985
+ /**
6986
+ * Utility to validate code_challenge and code_challenge_method
6987
+ * @param codeChallenge
6988
+ * @param codeChallengeMethod
6989
+ */
6990
+ static validateCodeChallengeParams(codeChallenge, codeChallengeMethod) {
6991
+ if (!codeChallenge || !codeChallengeMethod) {
6992
+ throw createClientConfigurationError(pkceParamsMissing);
6993
+ }
6994
+ else {
6995
+ this.validateCodeChallengeMethod(codeChallengeMethod);
6996
+ }
6997
+ }
6998
+ /**
6999
+ * Utility to validate code_challenge_method
7000
+ * @param codeChallengeMethod
7001
+ */
7002
+ static validateCodeChallengeMethod(codeChallengeMethod) {
7003
+ if ([
7004
+ CodeChallengeMethodValues.PLAIN,
7005
+ CodeChallengeMethodValues.S256,
7006
+ ].indexOf(codeChallengeMethod) < 0) {
7007
+ throw createClientConfigurationError(invalidCodeChallengeMethod);
7008
+ }
7009
+ }
7010
+ }
7011
+
7012
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7123
7013
  /*
7124
7014
  * Copyright (c) Microsoft Corporation. All rights reserved.
7125
7015
  * Licensed under the MIT License.
@@ -7137,7 +7027,7 @@
7137
7027
  }
7138
7028
  }
7139
7029
 
7140
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7030
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7141
7031
 
7142
7032
  /*
7143
7033
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7155,21 +7045,6 @@
7155
7045
  this.oidcDefaultScopes =
7156
7046
  this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
7157
7047
  }
7158
- /**
7159
- * Creates the URL of the authorization request letting the user input credentials and consent to the
7160
- * application. The URL target the /authorize endpoint of the authority configured in the
7161
- * application object.
7162
- *
7163
- * Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
7164
- * sent in the request and should contain an authorization code, which can then be used to acquire tokens via
7165
- * acquireToken(AuthorizationCodeRequest)
7166
- * @param request
7167
- */
7168
- async getAuthCodeUrl(request) {
7169
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
7170
- const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
7171
- return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
7172
- }
7173
7048
  /**
7174
7049
  * API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
7175
7050
  * authorization_code_grant
@@ -7189,22 +7064,6 @@
7189
7064
  responseHandler.validateTokenResponse(response.body);
7190
7065
  return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
7191
7066
  }
7192
- /**
7193
- * Handles the hash fragment response from public client code request. Returns a code response used by
7194
- * the client to exchange for a token in acquireToken.
7195
- * @param hashFragment
7196
- */
7197
- handleFragmentResponse(serverParams, cachedState) {
7198
- // Handle responses.
7199
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
7200
- // Get code response
7201
- responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
7202
- // throw when there is no auth code in the response
7203
- if (!serverParams.code) {
7204
- throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7205
- }
7206
- return serverParams;
7207
- }
7208
7067
  /**
7209
7068
  * Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
7210
7069
  * Default behaviour is to redirect the user to `window.location.href`.
@@ -7252,8 +7111,8 @@
7252
7111
  */
7253
7112
  async createTokenRequestBody(request) {
7254
7113
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
7255
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7256
- parameterBuilder.addClientId(request.embeddedClientId ||
7114
+ const parameters = new Map();
7115
+ addClientId(parameters, request.embeddedClientId ||
7257
7116
  request.tokenBodyParameters?.[CLIENT_ID] ||
7258
7117
  this.config.authOptions.clientId);
7259
7118
  /*
@@ -7266,33 +7125,33 @@
7266
7125
  }
7267
7126
  else {
7268
7127
  // Validate and include redirect uri
7269
- parameterBuilder.addRedirectUri(request.redirectUri);
7128
+ addRedirectUri(parameters, request.redirectUri);
7270
7129
  }
7271
7130
  // Add scope array, parameter builder will add default scopes and dedupe
7272
- parameterBuilder.addScopes(request.scopes, true, this.oidcDefaultScopes);
7131
+ addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
7273
7132
  // add code: user set, not validated
7274
- parameterBuilder.addAuthorizationCode(request.code);
7133
+ addAuthorizationCode(parameters, request.code);
7275
7134
  // Add library metadata
7276
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7277
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7278
- parameterBuilder.addThrottling();
7135
+ addLibraryInfo(parameters, this.config.libraryInfo);
7136
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7137
+ addThrottling(parameters);
7279
7138
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7280
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7139
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7281
7140
  }
7282
7141
  // add code_verifier if passed
7283
7142
  if (request.codeVerifier) {
7284
- parameterBuilder.addCodeVerifier(request.codeVerifier);
7143
+ addCodeVerifier(parameters, request.codeVerifier);
7285
7144
  }
7286
7145
  if (this.config.clientCredentials.clientSecret) {
7287
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7146
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7288
7147
  }
7289
7148
  if (this.config.clientCredentials.clientAssertion) {
7290
7149
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7291
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7292
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7150
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7151
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7293
7152
  }
7294
- parameterBuilder.addGrantType(GrantType.AUTHORIZATION_CODE_GRANT);
7295
- parameterBuilder.addClientInfo();
7153
+ addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
7154
+ addClientInfo(parameters);
7296
7155
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7297
7156
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
7298
7157
  let reqCnfData;
@@ -7304,11 +7163,11 @@
7304
7163
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7305
7164
  }
7306
7165
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7307
- parameterBuilder.addPopToken(reqCnfData);
7166
+ addPopToken(parameters, reqCnfData);
7308
7167
  }
7309
7168
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7310
7169
  if (request.sshJwk) {
7311
- parameterBuilder.addSshJwk(request.sshJwk);
7170
+ addSshJwk(parameters, request.sshJwk);
7312
7171
  }
7313
7172
  else {
7314
7173
  throw createClientConfigurationError(missingSshJwk);
@@ -7317,7 +7176,7 @@
7317
7176
  if (!StringUtils.isEmptyObj(request.claims) ||
7318
7177
  (this.config.authOptions.clientCapabilities &&
7319
7178
  this.config.authOptions.clientCapabilities.length > 0)) {
7320
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7179
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7321
7180
  }
7322
7181
  let ccsCred = undefined;
7323
7182
  if (request.clientInfo) {
@@ -7341,7 +7200,7 @@
7341
7200
  case CcsCredentialType.HOME_ACCOUNT_ID:
7342
7201
  try {
7343
7202
  const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
7344
- parameterBuilder.addCcsOid(clientInfo);
7203
+ addCcsOid(parameters, clientInfo);
7345
7204
  }
7346
7205
  catch (e) {
7347
7206
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7349,234 +7208,59 @@
7349
7208
  }
7350
7209
  break;
7351
7210
  case CcsCredentialType.UPN:
7352
- parameterBuilder.addCcsUpn(ccsCred.credential);
7211
+ addCcsUpn(parameters, ccsCred.credential);
7353
7212
  break;
7354
7213
  }
7355
7214
  }
7356
7215
  if (request.embeddedClientId) {
7357
- parameterBuilder.addBrokerParameters({
7358
- brokerClientId: this.config.authOptions.clientId,
7359
- brokerRedirectUri: this.config.authOptions.redirectUri,
7360
- });
7216
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7361
7217
  }
7362
7218
  if (request.tokenBodyParameters) {
7363
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7219
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7364
7220
  }
7365
7221
  // Add hybrid spa parameters if not already provided
7366
7222
  if (request.enableSpaAuthorizationCode &&
7367
7223
  (!request.tokenBodyParameters ||
7368
7224
  !request.tokenBodyParameters[RETURN_SPA_CODE])) {
7369
- parameterBuilder.addExtraQueryParameters({
7225
+ addExtraQueryParameters(parameters, {
7370
7226
  [RETURN_SPA_CODE]: "1",
7371
7227
  });
7372
7228
  }
7373
- return parameterBuilder.createQueryString();
7374
- }
7375
- /**
7376
- * This API validates the `AuthorizationCodeUrlRequest` and creates a URL
7377
- * @param request
7378
- */
7379
- async createAuthCodeUrlQueryString(request) {
7380
- // generate the correlationId if not set by the user and add
7381
- const correlationId = request.correlationId ||
7382
- this.config.cryptoInterface.createNewGuid();
7383
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
7384
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7385
- parameterBuilder.addClientId(request.embeddedClientId ||
7386
- request.extraQueryParameters?.[CLIENT_ID] ||
7387
- this.config.authOptions.clientId);
7388
- const requestScopes = [
7389
- ...(request.scopes || []),
7390
- ...(request.extraScopesToConsent || []),
7391
- ];
7392
- parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
7393
- // validate the redirectUri (to be a non null value)
7394
- parameterBuilder.addRedirectUri(request.redirectUri);
7395
- parameterBuilder.addCorrelationId(correlationId);
7396
- // add response_mode. If not passed in it defaults to query.
7397
- parameterBuilder.addResponseMode(request.responseMode);
7398
- // add response_type = code
7399
- parameterBuilder.addResponseTypeCode();
7400
- // add library info parameters
7401
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7402
- if (!isOidcProtocolMode(this.config)) {
7403
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7404
- }
7405
- // add client_info=1
7406
- parameterBuilder.addClientInfo();
7407
- if (request.codeChallenge && request.codeChallengeMethod) {
7408
- parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
7409
- }
7410
- if (request.prompt) {
7411
- parameterBuilder.addPrompt(request.prompt);
7412
- }
7413
- if (request.domainHint) {
7414
- parameterBuilder.addDomainHint(request.domainHint);
7415
- this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7416
- }
7417
- this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7418
- // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7419
- if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7420
- // AAD will throw if prompt=select_account is passed with an account hint
7421
- if (request.sid && request.prompt === PromptValue.NONE) {
7422
- // SessionID is only used in silent calls
7423
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7424
- parameterBuilder.addSid(request.sid);
7425
- this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7426
- }
7427
- else if (request.account) {
7428
- const accountSid = this.extractAccountSid(request.account);
7429
- let accountLoginHintClaim = this.extractLoginHint(request.account);
7430
- if (accountLoginHintClaim && request.domainHint) {
7431
- this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7432
- accountLoginHintClaim = null;
7433
- }
7434
- // If login_hint claim is present, use it over sid/username
7435
- if (accountLoginHintClaim) {
7436
- this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7437
- parameterBuilder.addLoginHint(accountLoginHintClaim);
7438
- this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7439
- try {
7440
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7441
- parameterBuilder.addCcsOid(clientInfo);
7442
- }
7443
- catch (e) {
7444
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7445
- }
7446
- }
7447
- else if (accountSid && request.prompt === PromptValue.NONE) {
7448
- /*
7449
- * If account and loginHint are provided, we will check account first for sid before adding loginHint
7450
- * SessionId is only used in silent calls
7451
- */
7452
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7453
- parameterBuilder.addSid(accountSid);
7454
- this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7455
- try {
7456
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7457
- parameterBuilder.addCcsOid(clientInfo);
7458
- }
7459
- catch (e) {
7460
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7461
- }
7462
- }
7463
- else if (request.loginHint) {
7464
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7465
- parameterBuilder.addLoginHint(request.loginHint);
7466
- parameterBuilder.addCcsUpn(request.loginHint);
7467
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7468
- }
7469
- else if (request.account.username) {
7470
- // Fallback to account username if provided
7471
- this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7472
- parameterBuilder.addLoginHint(request.account.username);
7473
- this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7474
- try {
7475
- const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7476
- parameterBuilder.addCcsOid(clientInfo);
7477
- }
7478
- catch (e) {
7479
- this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7480
- }
7481
- }
7482
- }
7483
- else if (request.loginHint) {
7484
- this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7485
- parameterBuilder.addLoginHint(request.loginHint);
7486
- parameterBuilder.addCcsUpn(request.loginHint);
7487
- this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7488
- }
7489
- }
7490
- else {
7491
- this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7492
- }
7493
- if (request.nonce) {
7494
- parameterBuilder.addNonce(request.nonce);
7495
- }
7496
- if (request.state) {
7497
- parameterBuilder.addState(request.state);
7498
- }
7499
- if (request.claims ||
7500
- (this.config.authOptions.clientCapabilities &&
7501
- this.config.authOptions.clientCapabilities.length > 0)) {
7502
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7503
- }
7504
- if (request.embeddedClientId) {
7505
- parameterBuilder.addBrokerParameters({
7506
- brokerClientId: this.config.authOptions.clientId,
7507
- brokerRedirectUri: this.config.authOptions.redirectUri,
7508
- });
7509
- }
7510
- this.addExtraQueryParams(request, parameterBuilder);
7511
- if (request.platformBroker) {
7512
- // signal ests that this is a WAM call
7513
- parameterBuilder.addNativeBroker();
7514
- // pass the req_cnf for POP
7515
- if (request.authenticationScheme === AuthenticationScheme.POP) {
7516
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
7517
- // req_cnf is always sent as a string for SPAs
7518
- let reqCnfData;
7519
- if (!request.popKid) {
7520
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
7521
- reqCnfData = generatedReqCnfData.reqCnfString;
7522
- }
7523
- else {
7524
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7525
- }
7526
- parameterBuilder.addPopToken(reqCnfData);
7527
- }
7528
- }
7529
- return parameterBuilder.createQueryString();
7229
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7230
+ return mapToQueryString(parameters);
7530
7231
  }
7531
7232
  /**
7532
7233
  * This API validates the `EndSessionRequest` and creates a URL
7533
7234
  * @param request
7534
7235
  */
7535
7236
  createLogoutUrlQueryString(request) {
7536
- const parameterBuilder = new RequestParameterBuilder(request.correlationId, this.performanceClient);
7237
+ const parameters = new Map();
7537
7238
  if (request.postLogoutRedirectUri) {
7538
- parameterBuilder.addPostLogoutRedirectUri(request.postLogoutRedirectUri);
7239
+ addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
7539
7240
  }
7540
7241
  if (request.correlationId) {
7541
- parameterBuilder.addCorrelationId(request.correlationId);
7242
+ addCorrelationId(parameters, request.correlationId);
7542
7243
  }
7543
7244
  if (request.idTokenHint) {
7544
- parameterBuilder.addIdTokenHint(request.idTokenHint);
7245
+ addIdTokenHint(parameters, request.idTokenHint);
7545
7246
  }
7546
7247
  if (request.state) {
7547
- parameterBuilder.addState(request.state);
7248
+ addState(parameters, request.state);
7548
7249
  }
7549
7250
  if (request.logoutHint) {
7550
- parameterBuilder.addLogoutHint(request.logoutHint);
7551
- }
7552
- this.addExtraQueryParams(request, parameterBuilder);
7553
- return parameterBuilder.createQueryString();
7554
- }
7555
- addExtraQueryParams(request, parameterBuilder) {
7556
- const hasRequestInstanceAware = request.extraQueryParameters &&
7557
- request.extraQueryParameters.hasOwnProperty("instance_aware");
7558
- // Set instance_aware flag if config auth param is set
7559
- if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
7560
- request.extraQueryParameters = request.extraQueryParameters || {};
7561
- request.extraQueryParameters["instance_aware"] = "true";
7251
+ addLogoutHint(parameters, request.logoutHint);
7562
7252
  }
7563
7253
  if (request.extraQueryParameters) {
7564
- parameterBuilder.addExtraQueryParameters(request.extraQueryParameters);
7254
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7565
7255
  }
7566
- }
7567
- /**
7568
- * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7569
- * @param account
7570
- */
7571
- extractAccountSid(account) {
7572
- return account.idTokenClaims?.sid || null;
7573
- }
7574
- extractLoginHint(account) {
7575
- return account.idTokenClaims?.login_hint || null;
7256
+ if (this.config.authOptions.instanceAware) {
7257
+ addInstanceAware(parameters);
7258
+ }
7259
+ return mapToQueryString(parameters);
7576
7260
  }
7577
7261
  }
7578
7262
 
7579
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7263
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7580
7264
 
7581
7265
  /*
7582
7266
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7705,31 +7389,30 @@
7705
7389
  */
7706
7390
  async createTokenRequestBody(request) {
7707
7391
  this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
7708
- const correlationId = request.correlationId;
7709
- const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
7710
- parameterBuilder.addClientId(request.embeddedClientId ||
7392
+ const parameters = new Map();
7393
+ addClientId(parameters, request.embeddedClientId ||
7711
7394
  request.tokenBodyParameters?.[CLIENT_ID] ||
7712
7395
  this.config.authOptions.clientId);
7713
7396
  if (request.redirectUri) {
7714
- parameterBuilder.addRedirectUri(request.redirectUri);
7715
- }
7716
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7717
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
7718
- parameterBuilder.addClientInfo();
7719
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
7720
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
7721
- parameterBuilder.addThrottling();
7397
+ addRedirectUri(parameters, request.redirectUri);
7398
+ }
7399
+ addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
7400
+ addGrantType(parameters, GrantType.REFRESH_TOKEN_GRANT);
7401
+ addClientInfo(parameters);
7402
+ addLibraryInfo(parameters, this.config.libraryInfo);
7403
+ addApplicationTelemetry(parameters, this.config.telemetry.application);
7404
+ addThrottling(parameters);
7722
7405
  if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
7723
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
7406
+ addServerTelemetry(parameters, this.serverTelemetryManager);
7724
7407
  }
7725
- parameterBuilder.addRefreshToken(request.refreshToken);
7408
+ addRefreshToken(parameters, request.refreshToken);
7726
7409
  if (this.config.clientCredentials.clientSecret) {
7727
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
7410
+ addClientSecret(parameters, this.config.clientCredentials.clientSecret);
7728
7411
  }
7729
7412
  if (this.config.clientCredentials.clientAssertion) {
7730
7413
  const clientAssertion = this.config.clientCredentials.clientAssertion;
7731
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7732
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
7414
+ addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
7415
+ addClientAssertionType(parameters, clientAssertion.assertionType);
7733
7416
  }
7734
7417
  if (request.authenticationScheme === AuthenticationScheme.POP) {
7735
7418
  const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
@@ -7742,11 +7425,11 @@
7742
7425
  reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
7743
7426
  }
7744
7427
  // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
7745
- parameterBuilder.addPopToken(reqCnfData);
7428
+ addPopToken(parameters, reqCnfData);
7746
7429
  }
7747
7430
  else if (request.authenticationScheme === AuthenticationScheme.SSH) {
7748
7431
  if (request.sshJwk) {
7749
- parameterBuilder.addSshJwk(request.sshJwk);
7432
+ addSshJwk(parameters, request.sshJwk);
7750
7433
  }
7751
7434
  else {
7752
7435
  throw createClientConfigurationError(missingSshJwk);
@@ -7755,7 +7438,7 @@
7755
7438
  if (!StringUtils.isEmptyObj(request.claims) ||
7756
7439
  (this.config.authOptions.clientCapabilities &&
7757
7440
  this.config.authOptions.clientCapabilities.length > 0)) {
7758
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
7441
+ addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
7759
7442
  }
7760
7443
  if (this.config.systemOptions.preventCorsPreflight &&
7761
7444
  request.ccsCredential) {
@@ -7763,7 +7446,7 @@
7763
7446
  case CcsCredentialType.HOME_ACCOUNT_ID:
7764
7447
  try {
7765
7448
  const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
7766
- parameterBuilder.addCcsOid(clientInfo);
7449
+ addCcsOid(parameters, clientInfo);
7767
7450
  }
7768
7451
  catch (e) {
7769
7452
  this.logger.verbose("Could not parse home account ID for CCS Header: " +
@@ -7771,24 +7454,22 @@
7771
7454
  }
7772
7455
  break;
7773
7456
  case CcsCredentialType.UPN:
7774
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
7457
+ addCcsUpn(parameters, request.ccsCredential.credential);
7775
7458
  break;
7776
7459
  }
7777
7460
  }
7778
7461
  if (request.embeddedClientId) {
7779
- parameterBuilder.addBrokerParameters({
7780
- brokerClientId: this.config.authOptions.clientId,
7781
- brokerRedirectUri: this.config.authOptions.redirectUri,
7782
- });
7462
+ addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
7783
7463
  }
7784
7464
  if (request.tokenBodyParameters) {
7785
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
7465
+ addExtraQueryParameters(parameters, request.tokenBodyParameters);
7786
7466
  }
7787
- return parameterBuilder.createQueryString();
7467
+ instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
7468
+ return mapToQueryString(parameters);
7788
7469
  }
7789
7470
  }
7790
7471
 
7791
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7472
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7792
7473
 
7793
7474
  /*
7794
7475
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7863,45 +7544,269 @@
7863
7544
  if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
7864
7545
  this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
7865
7546
  }
7866
- }
7867
- /**
7868
- * Helper function to build response object from the CacheRecord
7869
- * @param cacheRecord
7870
- */
7871
- async generateResultFromCacheRecord(cacheRecord, request) {
7872
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
7873
- let idTokenClaims;
7874
- if (cacheRecord.idToken) {
7875
- idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
7547
+ }
7548
+ /**
7549
+ * Helper function to build response object from the CacheRecord
7550
+ * @param cacheRecord
7551
+ */
7552
+ async generateResultFromCacheRecord(cacheRecord, request) {
7553
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
7554
+ let idTokenClaims;
7555
+ if (cacheRecord.idToken) {
7556
+ idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
7557
+ }
7558
+ // token max_age check
7559
+ if (request.maxAge || request.maxAge === 0) {
7560
+ const authTime = idTokenClaims?.auth_time;
7561
+ if (!authTime) {
7562
+ throw createClientAuthError(authTimeNotFound);
7563
+ }
7564
+ checkMaxAge(authTime, request.maxAge);
7565
+ }
7566
+ return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7567
+ }
7568
+ }
7569
+
7570
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7571
+
7572
+ /*
7573
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7574
+ * Licensed under the MIT License.
7575
+ */
7576
+ const StubbedNetworkModule = {
7577
+ sendGetRequestAsync: () => {
7578
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7579
+ },
7580
+ sendPostRequestAsync: () => {
7581
+ return Promise.reject(createClientAuthError(methodNotImplemented));
7582
+ },
7583
+ };
7584
+
7585
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7586
+
7587
+ /*
7588
+ * Copyright (c) Microsoft Corporation. All rights reserved.
7589
+ * Licensed under the MIT License.
7590
+ */
7591
+ /**
7592
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
7593
+ * @param config
7594
+ * @param request
7595
+ * @param logger
7596
+ * @param performanceClient
7597
+ * @returns
7598
+ */
7599
+ function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
7600
+ // generate the correlationId if not set by the user and add
7601
+ const correlationId = request.correlationId;
7602
+ const parameters = new Map();
7603
+ addClientId(parameters, request.embeddedClientId ||
7604
+ request.extraQueryParameters?.[CLIENT_ID] ||
7605
+ authOptions.clientId);
7606
+ const requestScopes = [
7607
+ ...(request.scopes || []),
7608
+ ...(request.extraScopesToConsent || []),
7609
+ ];
7610
+ addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
7611
+ addRedirectUri(parameters, request.redirectUri);
7612
+ addCorrelationId(parameters, correlationId);
7613
+ // add response_mode. If not passed in it defaults to query.
7614
+ addResponseMode(parameters, request.responseMode);
7615
+ // add client_info=1
7616
+ addClientInfo(parameters);
7617
+ if (request.prompt) {
7618
+ addPrompt(parameters, request.prompt);
7619
+ performanceClient?.addFields({ prompt: request.prompt }, correlationId);
7620
+ }
7621
+ if (request.domainHint) {
7622
+ addDomainHint(parameters, request.domainHint);
7623
+ performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
7624
+ }
7625
+ // Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
7626
+ if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
7627
+ // AAD will throw if prompt=select_account is passed with an account hint
7628
+ if (request.sid && request.prompt === PromptValue.NONE) {
7629
+ // SessionID is only used in silent calls
7630
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
7631
+ addSid(parameters, request.sid);
7632
+ performanceClient?.addFields({ sidFromRequest: true }, correlationId);
7633
+ }
7634
+ else if (request.account) {
7635
+ const accountSid = extractAccountSid(request.account);
7636
+ let accountLoginHintClaim = extractLoginHint(request.account);
7637
+ if (accountLoginHintClaim && request.domainHint) {
7638
+ logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
7639
+ accountLoginHintClaim = null;
7640
+ }
7641
+ // If login_hint claim is present, use it over sid/username
7642
+ if (accountLoginHintClaim) {
7643
+ logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
7644
+ addLoginHint(parameters, accountLoginHintClaim);
7645
+ performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
7646
+ try {
7647
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7648
+ addCcsOid(parameters, clientInfo);
7649
+ }
7650
+ catch (e) {
7651
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7652
+ }
7653
+ }
7654
+ else if (accountSid && request.prompt === PromptValue.NONE) {
7655
+ /*
7656
+ * If account and loginHint are provided, we will check account first for sid before adding loginHint
7657
+ * SessionId is only used in silent calls
7658
+ */
7659
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
7660
+ addSid(parameters, accountSid);
7661
+ performanceClient?.addFields({ sidFromClaim: true }, correlationId);
7662
+ try {
7663
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7664
+ addCcsOid(parameters, clientInfo);
7665
+ }
7666
+ catch (e) {
7667
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7668
+ }
7669
+ }
7670
+ else if (request.loginHint) {
7671
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
7672
+ addLoginHint(parameters, request.loginHint);
7673
+ addCcsUpn(parameters, request.loginHint);
7674
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7675
+ }
7676
+ else if (request.account.username) {
7677
+ // Fallback to account username if provided
7678
+ logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
7679
+ addLoginHint(parameters, request.account.username);
7680
+ performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
7681
+ try {
7682
+ const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
7683
+ addCcsOid(parameters, clientInfo);
7684
+ }
7685
+ catch (e) {
7686
+ logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
7687
+ }
7688
+ }
7689
+ }
7690
+ else if (request.loginHint) {
7691
+ logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
7692
+ addLoginHint(parameters, request.loginHint);
7693
+ addCcsUpn(parameters, request.loginHint);
7694
+ performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
7876
7695
  }
7877
- // token max_age check
7878
- if (request.maxAge || request.maxAge === 0) {
7879
- const authTime = idTokenClaims?.auth_time;
7880
- if (!authTime) {
7881
- throw createClientAuthError(authTimeNotFound);
7882
- }
7883
- checkMaxAge(authTime, request.maxAge);
7696
+ }
7697
+ else {
7698
+ logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
7699
+ }
7700
+ if (request.nonce) {
7701
+ addNonce(parameters, request.nonce);
7702
+ }
7703
+ if (request.state) {
7704
+ addState(parameters, request.state);
7705
+ }
7706
+ if (request.claims ||
7707
+ (authOptions.clientCapabilities &&
7708
+ authOptions.clientCapabilities.length > 0)) {
7709
+ addClaims(parameters, request.claims, authOptions.clientCapabilities);
7710
+ }
7711
+ if (request.embeddedClientId) {
7712
+ addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
7713
+ }
7714
+ if (request.extraQueryParameters) {
7715
+ addExtraQueryParameters(parameters, request.extraQueryParameters);
7716
+ }
7717
+ if (authOptions.instanceAware) {
7718
+ addInstanceAware(parameters);
7719
+ }
7720
+ return parameters;
7721
+ }
7722
+ /**
7723
+ * Returns authorize endpoint with given request parameters in the query string
7724
+ * @param authority
7725
+ * @param requestParameters
7726
+ * @returns
7727
+ */
7728
+ function getAuthorizeUrl(authority, requestParameters) {
7729
+ const queryString = mapToQueryString(requestParameters);
7730
+ return UrlString.appendQueryString(authority.authorizationEndpoint, queryString);
7731
+ }
7732
+ /**
7733
+ * Handles the hash fragment response from public client code request. Returns a code response used by
7734
+ * the client to exchange for a token in acquireToken.
7735
+ * @param serverParams
7736
+ * @param cachedState
7737
+ */
7738
+ function getAuthorizationCodePayload(serverParams, cachedState) {
7739
+ // Get code response
7740
+ validateAuthorizationResponse(serverParams, cachedState);
7741
+ // throw when there is no auth code in the response
7742
+ if (!serverParams.code) {
7743
+ throw createClientAuthError(authorizationCodeMissingFromServerResponse);
7744
+ }
7745
+ return serverParams;
7746
+ }
7747
+ /**
7748
+ * Function which validates server authorization code response.
7749
+ * @param serverResponseHash
7750
+ * @param requestState
7751
+ */
7752
+ function validateAuthorizationResponse(serverResponse, requestState) {
7753
+ if (!serverResponse.state || !requestState) {
7754
+ throw serverResponse.state
7755
+ ? createClientAuthError(stateNotFound, "Cached State")
7756
+ : createClientAuthError(stateNotFound, "Server State");
7757
+ }
7758
+ let decodedServerResponseState;
7759
+ let decodedRequestState;
7760
+ try {
7761
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
7762
+ }
7763
+ catch (e) {
7764
+ throw createClientAuthError(invalidState, serverResponse.state);
7765
+ }
7766
+ try {
7767
+ decodedRequestState = decodeURIComponent(requestState);
7768
+ }
7769
+ catch (e) {
7770
+ throw createClientAuthError(invalidState, serverResponse.state);
7771
+ }
7772
+ if (decodedServerResponseState !== decodedRequestState) {
7773
+ throw createClientAuthError(stateMismatch);
7774
+ }
7775
+ // Check for error
7776
+ if (serverResponse.error ||
7777
+ serverResponse.error_description ||
7778
+ serverResponse.suberror) {
7779
+ const serverErrorNo = parseServerErrorNo(serverResponse);
7780
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
7781
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
7884
7782
  }
7885
- return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
7783
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
7886
7784
  }
7887
- }
7888
-
7889
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7890
-
7891
- /*
7892
- * Copyright (c) Microsoft Corporation. All rights reserved.
7893
- * Licensed under the MIT License.
7785
+ }
7786
+ /**
7787
+ * Get server error No from the error_uri
7788
+ * @param serverResponse
7789
+ * @returns
7894
7790
  */
7895
- const StubbedNetworkModule = {
7896
- sendGetRequestAsync: () => {
7897
- return Promise.reject(createClientAuthError(methodNotImplemented));
7898
- },
7899
- sendPostRequestAsync: () => {
7900
- return Promise.reject(createClientAuthError(methodNotImplemented));
7901
- },
7902
- };
7791
+ function parseServerErrorNo(serverResponse) {
7792
+ const errorCodePrefix = "code=";
7793
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
7794
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
7795
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
7796
+ : undefined;
7797
+ }
7798
+ /**
7799
+ * Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
7800
+ * @param account
7801
+ */
7802
+ function extractAccountSid(account) {
7803
+ return account.idTokenClaims?.sid || null;
7804
+ }
7805
+ function extractLoginHint(account) {
7806
+ return account.idTokenClaims?.login_hint || null;
7807
+ }
7903
7808
 
7904
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7809
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7905
7810
 
7906
7811
  /*
7907
7812
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -7959,7 +7864,7 @@
7959
7864
  }
7960
7865
  }
7961
7866
 
7962
- /*! @azure/msal-common v15.2.1 2025-03-11 */
7867
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
7963
7868
 
7964
7869
  /*
7965
7870
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8222,7 +8127,7 @@
8222
8127
  }
8223
8128
  }
8224
8129
 
8225
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8130
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8226
8131
  /*
8227
8132
  * Copyright (c) Microsoft Corporation. All rights reserved.
8228
8133
  * Licensed under the MIT License.
@@ -8230,7 +8135,7 @@
8230
8135
  const missingKidError = "missing_kid_error";
8231
8136
  const missingAlgError = "missing_alg_error";
8232
8137
 
8233
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8138
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8234
8139
 
8235
8140
  /*
8236
8141
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8255,7 +8160,7 @@
8255
8160
  return new JoseHeaderError(code, JoseHeaderErrorMessages[code]);
8256
8161
  }
8257
8162
 
8258
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8163
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8259
8164
 
8260
8165
  /*
8261
8166
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8295,7 +8200,7 @@
8295
8200
  }
8296
8201
  }
8297
8202
 
8298
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8203
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8299
8204
 
8300
8205
  /*
8301
8206
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -8374,7 +8279,7 @@
8374
8279
  }
8375
8280
  }
8376
8281
 
8377
- /*! @azure/msal-common v15.2.1 2025-03-11 */
8282
+ /*! @azure/msal-common v15.3.0 2025-03-20 */
8378
8283
 
8379
8284
  /*
8380
8285
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -10411,7 +10316,7 @@
10411
10316
 
10412
10317
  /* eslint-disable header/header */
10413
10318
  const name = "@azure/msal-browser";
10414
- const version = "4.7.0";
10319
+ const version = "4.8.0";
10415
10320
 
10416
10321
  /*
10417
10322
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -13115,61 +13020,6 @@
13115
13020
  }
13116
13021
  }
13117
13022
 
13118
- /*
13119
- * Copyright (c) Microsoft Corporation. All rights reserved.
13120
- * Licensed under the MIT License.
13121
- */
13122
- // Constant byte array length
13123
- const RANDOM_BYTE_ARR_LENGTH = 32;
13124
- /**
13125
- * This file defines APIs to generate PKCE codes and code verifiers.
13126
- */
13127
- /**
13128
- * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
13129
- */
13130
- async function generatePkceCodes(performanceClient, logger, correlationId) {
13131
- performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
13132
- const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
13133
- const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
13134
- return {
13135
- verifier: codeVerifier,
13136
- challenge: codeChallenge,
13137
- };
13138
- }
13139
- /**
13140
- * Generates a random 32 byte buffer and returns the base64
13141
- * encoded string to be used as a PKCE Code Verifier
13142
- */
13143
- function generateCodeVerifier(performanceClient, logger, correlationId) {
13144
- try {
13145
- // Generate random values as utf-8
13146
- const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
13147
- invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
13148
- // encode verifier as base64
13149
- const pkceCodeVerifierB64 = urlEncodeArr(buffer);
13150
- return pkceCodeVerifierB64;
13151
- }
13152
- catch (e) {
13153
- throw createBrowserAuthError(pkceNotCreated);
13154
- }
13155
- }
13156
- /**
13157
- * Creates a base64 encoded PKCE Code Challenge string from the
13158
- * hash created from the PKCE Code Verifier supplied
13159
- */
13160
- async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
13161
- performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
13162
- try {
13163
- // hashed verifier
13164
- const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
13165
- // encode hash as base64
13166
- return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
13167
- }
13168
- catch (e) {
13169
- throw createBrowserAuthError(pkceNotCreated);
13170
- }
13171
- }
13172
-
13173
13023
  /*
13174
13024
  * Copyright (c) Microsoft Corporation. All rights reserved.
13175
13025
  * Licensed under the MIT License.
@@ -13232,25 +13082,6 @@
13232
13082
  * Defines the class structure and helper functions used by the "standard", non-brokered auth flows (popup, redirect, silent (RT), silent (iframe))
13233
13083
  */
13234
13084
  class StandardInteractionClient extends BaseInteractionClient {
13235
- /**
13236
- * Generates an auth code request tied to the url request.
13237
- * @param request
13238
- * @param pkceCodes
13239
- */
13240
- async initializeAuthorizationCodeRequest(request, pkceCodes) {
13241
- this.performanceClient.addQueueMeasurement(PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.correlationId);
13242
- const generatedPkceParams = pkceCodes ||
13243
- (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
13244
- const authCodeRequest = {
13245
- ...request,
13246
- redirectUri: request.redirectUri,
13247
- code: Constants.EMPTY_STRING,
13248
- codeVerifier: generatedPkceParams.verifier,
13249
- };
13250
- request.codeChallenge = generatedPkceParams.challenge;
13251
- request.codeChallengeMethod = Constants.S256_CODE_CHALLENGE_METHOD;
13252
- return authCodeRequest;
13253
- }
13254
13085
  /**
13255
13086
  * Initializer for the logout request.
13256
13087
  * @param logoutRequest
@@ -13829,7 +13660,12 @@
13829
13660
  const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
13830
13661
  nativeAccountId: request.accountId,
13831
13662
  })?.homeAccountId;
13832
- if (homeAccountIdentifier !== cachedhomeAccountId &&
13663
+ // add exception for double brokering, please note this is temporary and will be fortified in future
13664
+ if (request.extraParameters?.child_client_id &&
13665
+ response.account.id !== request.accountId) {
13666
+ this.logger.info("handleNativeServerResponse: Double broker flow detected, ignoring accountId mismatch");
13667
+ }
13668
+ else if (homeAccountIdentifier !== cachedhomeAccountId &&
13833
13669
  response.account.id !== request.accountId) {
13834
13670
  // User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
13835
13671
  throw createNativeAuthError(userSwitch);
@@ -13841,6 +13677,8 @@
13841
13677
  const baseAccount = buildAccountToCache(this.browserStorage, authority, homeAccountIdentifier, base64Decode, idTokenClaims, response.client_info, undefined, // environment
13842
13678
  idTokenClaims.tid, undefined, // auth code payload
13843
13679
  response.account.id, this.logger);
13680
+ // Ensure expires_in is in number format
13681
+ response.expires_in = Number(response.expires_in);
13844
13682
  // generate authenticationResult
13845
13683
  const result = await this.generateAuthenticationResult(response, request, idTokenClaims, baseAccount, authority.canonicalAuthority, reqTimestamp);
13846
13684
  // cache accounts and tokens in the appropriate storage
@@ -14488,7 +14326,7 @@
14488
14326
  this.performanceClient.addQueueMeasurement(PerformanceEvents.HandleCodeResponse, request.correlationId);
14489
14327
  let authCodeResponse;
14490
14328
  try {
14491
- authCodeResponse = this.authModule.handleFragmentResponse(response, request.state);
14329
+ authCodeResponse = getAuthorizationCodePayload(response, request.state);
14492
14330
  }
14493
14331
  catch (e) {
14494
14332
  if (e instanceof ServerError &&
@@ -14596,6 +14434,126 @@
14596
14434
  }
14597
14435
  }
14598
14436
 
14437
+ /*
14438
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14439
+ * Licensed under the MIT License.
14440
+ */
14441
+ /**
14442
+ * Returns map of parameters that are applicable to all calls to /authorize whether using PKCE or EAR
14443
+ * @param config
14444
+ * @param authority
14445
+ * @param request
14446
+ * @param logger
14447
+ * @param performanceClient
14448
+ * @returns
14449
+ */
14450
+ async function getStandardParameters(config, authority, request, logger, performanceClient) {
14451
+ const parameters = getStandardAuthorizeRequestParameters({ ...config.auth, authority: authority }, request, logger, performanceClient);
14452
+ addLibraryInfo(parameters, {
14453
+ sku: BrowserConstants.MSAL_SKU,
14454
+ version: version,
14455
+ os: "",
14456
+ cpu: "",
14457
+ });
14458
+ if (config.auth.protocolMode !== ProtocolMode.OIDC) {
14459
+ addApplicationTelemetry(parameters, config.telemetry.application);
14460
+ }
14461
+ if (request.platformBroker) {
14462
+ // signal ests that this is a WAM call
14463
+ addNativeBroker(parameters);
14464
+ // pass the req_cnf for POP
14465
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
14466
+ const cryptoOps = new CryptoOps(logger, performanceClient);
14467
+ const popTokenGenerator = new PopTokenGenerator(cryptoOps);
14468
+ // req_cnf is always sent as a string for SPAs
14469
+ let reqCnfData;
14470
+ if (!request.popKid) {
14471
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, logger, performanceClient, request.correlationId)(request, logger);
14472
+ reqCnfData = generatedReqCnfData.reqCnfString;
14473
+ }
14474
+ else {
14475
+ reqCnfData = cryptoOps.encodeKid(request.popKid);
14476
+ }
14477
+ addPopToken(parameters, reqCnfData);
14478
+ }
14479
+ }
14480
+ instrumentBrokerParams(parameters, request.correlationId, performanceClient);
14481
+ return parameters;
14482
+ }
14483
+ /**
14484
+ * Gets the full /authorize URL with request parameters when using Auth Code + PKCE
14485
+ * @param config
14486
+ * @param authority
14487
+ * @param request
14488
+ * @param logger
14489
+ * @param performanceClient
14490
+ * @returns
14491
+ */
14492
+ async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
14493
+ if (!request.codeChallenge) {
14494
+ throw createClientConfigurationError(pkceParamsMissing);
14495
+ }
14496
+ const parameters = await invokeAsync(getStandardParameters, PerformanceEvents.GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
14497
+ addResponseTypeCode(parameters);
14498
+ addCodeChallengeParams(parameters, request.codeChallenge, Constants.S256_CODE_CHALLENGE_METHOD);
14499
+ return getAuthorizeUrl(authority, parameters);
14500
+ }
14501
+
14502
+ /*
14503
+ * Copyright (c) Microsoft Corporation. All rights reserved.
14504
+ * Licensed under the MIT License.
14505
+ */
14506
+ // Constant byte array length
14507
+ const RANDOM_BYTE_ARR_LENGTH = 32;
14508
+ /**
14509
+ * This file defines APIs to generate PKCE codes and code verifiers.
14510
+ */
14511
+ /**
14512
+ * Generates PKCE Codes. See the RFC for more information: https://tools.ietf.org/html/rfc7636
14513
+ */
14514
+ async function generatePkceCodes(performanceClient, logger, correlationId) {
14515
+ performanceClient.addQueueMeasurement(PerformanceEvents.GeneratePkceCodes, correlationId);
14516
+ const codeVerifier = invoke(generateCodeVerifier, PerformanceEvents.GenerateCodeVerifier, logger, performanceClient, correlationId)(performanceClient, logger, correlationId);
14517
+ const codeChallenge = await invokeAsync(generateCodeChallengeFromVerifier, PerformanceEvents.GenerateCodeChallengeFromVerifier, logger, performanceClient, correlationId)(codeVerifier, performanceClient, logger, correlationId);
14518
+ return {
14519
+ verifier: codeVerifier,
14520
+ challenge: codeChallenge,
14521
+ };
14522
+ }
14523
+ /**
14524
+ * Generates a random 32 byte buffer and returns the base64
14525
+ * encoded string to be used as a PKCE Code Verifier
14526
+ */
14527
+ function generateCodeVerifier(performanceClient, logger, correlationId) {
14528
+ try {
14529
+ // Generate random values as utf-8
14530
+ const buffer = new Uint8Array(RANDOM_BYTE_ARR_LENGTH);
14531
+ invoke(getRandomValues, PerformanceEvents.GetRandomValues, logger, performanceClient, correlationId)(buffer);
14532
+ // encode verifier as base64
14533
+ const pkceCodeVerifierB64 = urlEncodeArr(buffer);
14534
+ return pkceCodeVerifierB64;
14535
+ }
14536
+ catch (e) {
14537
+ throw createBrowserAuthError(pkceNotCreated);
14538
+ }
14539
+ }
14540
+ /**
14541
+ * Creates a base64 encoded PKCE Code Challenge string from the
14542
+ * hash created from the PKCE Code Verifier supplied
14543
+ */
14544
+ async function generateCodeChallengeFromVerifier(pkceCodeVerifier, performanceClient, logger, correlationId) {
14545
+ performanceClient.addQueueMeasurement(PerformanceEvents.GenerateCodeChallengeFromVerifier, correlationId);
14546
+ try {
14547
+ // hashed verifier
14548
+ const pkceHashedCodeVerifier = await invokeAsync(sha256Digest, PerformanceEvents.Sha256Digest, logger, performanceClient, correlationId)(pkceCodeVerifier, performanceClient, correlationId);
14549
+ // encode hash as base64
14550
+ return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
14551
+ }
14552
+ catch (e) {
14553
+ throw createBrowserAuthError(pkceNotCreated);
14554
+ }
14555
+ }
14556
+
14599
14557
  /*
14600
14558
  * Copyright (c) Microsoft Corporation. All rights reserved.
14601
14559
  * Licensed under the MIT License.
@@ -14683,6 +14641,9 @@
14683
14641
  this.logger.verbose("acquireTokenPopupAsync called");
14684
14642
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenPopup);
14685
14643
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Popup);
14644
+ const pkce = pkceCodes ||
14645
+ (await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId));
14646
+ validRequest.codeChallenge = pkce.challenge;
14686
14647
  /*
14687
14648
  * Skip pre-connect for async popups to reduce time between user interaction and popup window creation to avoid
14688
14649
  * popup from being blocked by browsers with shorter popup timers
@@ -14691,8 +14652,6 @@
14691
14652
  preconnect(validRequest.authority);
14692
14653
  }
14693
14654
  try {
14694
- // Create auth code request and generate PKCE params
14695
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest, pkceCodes);
14696
14655
  // Initialize the client
14697
14656
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
14698
14657
  serverTelemetryManager,
@@ -14709,12 +14668,10 @@
14709
14668
  this.performanceClient.startMeasurement(PerformanceEvents.FetchAccountIdWithNativeBroker, request.correlationId);
14710
14669
  }
14711
14670
  // Create acquire token url.
14712
- const navigateUrl = await authClient.getAuthCodeUrl({
14671
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
14713
14672
  ...validRequest,
14714
14673
  platformBroker: isPlatformBroker,
14715
- });
14716
- // Create popup interaction handler.
14717
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14674
+ }, this.logger, this.performanceClient);
14718
14675
  // Show the UI once the url has been created. Get the window handle for the popup.
14719
14676
  const popupWindow = this.initiateAuthRequest(navigateUrl, popupParams);
14720
14677
  this.eventHandler.emitEvent(EventType.POPUP_OPENED, exports.InteractionType.Popup, { popupWindow }, null);
@@ -14722,7 +14679,7 @@
14722
14679
  const responseString = await this.monitorPopupForHash(popupWindow, popupParams.popupWindowParent);
14723
14680
  const serverParams = invoke(deserializeResponse, PerformanceEvents.DeserializeResponse, this.logger, this.performanceClient, this.correlationId)(responseString, this.config.auth.OIDCOptions.serverResponseType, this.logger);
14724
14681
  // Remove throttle if it exists
14725
- ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, authCodeRequest);
14682
+ ThrottlingUtils.removeThrottle(this.browserStorage, this.config.auth.clientId, validRequest);
14726
14683
  if (serverParams.accountId) {
14727
14684
  this.logger.verbose("Account id found in hash, calling WAM for token");
14728
14685
  // end measurement for server call with native brokering enabled
@@ -14743,6 +14700,13 @@
14743
14700
  prompt: undefined, // Server should handle the prompt, ideally native broker can do this part silently
14744
14701
  });
14745
14702
  }
14703
+ const authCodeRequest = {
14704
+ ...validRequest,
14705
+ code: serverParams.code || "",
14706
+ codeVerifier: pkce.verifier,
14707
+ };
14708
+ // Create popup interaction handler.
14709
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
14746
14710
  // Handle response from hash string.
14747
14711
  const result = await interactionHandler.handleCodeResponse(serverParams, validRequest);
14748
14712
  return result;
@@ -15118,7 +15082,7 @@
15118
15082
  }
15119
15083
  let authCodeResponse;
15120
15084
  try {
15121
- authCodeResponse = this.authModule.handleFragmentResponse(response, requestState);
15085
+ authCodeResponse = getAuthorizationCodePayload(response, requestState);
15122
15086
  }
15123
15087
  catch (e) {
15124
15088
  if (e instanceof ServerError &&
@@ -15202,6 +15166,8 @@
15202
15166
  */
15203
15167
  async acquireToken(request) {
15204
15168
  const validRequest = await invokeAsync(this.initializeAuthorizationRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, exports.InteractionType.Redirect);
15169
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15170
+ validRequest.codeChallenge = pkceCodes.challenge;
15205
15171
  this.browserStorage.updateCacheEntries(validRequest.state, validRequest.nonce, validRequest.authority, validRequest.loginHint || "", validRequest.account || null);
15206
15172
  const serverTelemetryManager = this.initializeServerTelemetryManager(ApiId.acquireTokenRedirect);
15207
15173
  const handleBackButton = (event) => {
@@ -15213,8 +15179,6 @@
15213
15179
  }
15214
15180
  };
15215
15181
  try {
15216
- // Create auth code request and generate PKCE params
15217
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, this.correlationId)(validRequest);
15218
15182
  // Initialize the client
15219
15183
  const authClient = await invokeAsync(this.createAuthCodeClient.bind(this), PerformanceEvents.StandardInteractionClientCreateAuthCodeClient, this.logger, this.performanceClient, this.correlationId)({
15220
15184
  serverTelemetryManager,
@@ -15223,13 +15187,18 @@
15223
15187
  requestExtraQueryParameters: validRequest.extraQueryParameters,
15224
15188
  account: validRequest.account,
15225
15189
  });
15190
+ const authCodeRequest = {
15191
+ ...validRequest,
15192
+ code: "",
15193
+ codeVerifier: pkceCodes.verifier,
15194
+ };
15226
15195
  // Create redirect interaction handler.
15227
15196
  const interactionHandler = new RedirectHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15228
15197
  // Create acquire token url.
15229
- const navigateUrl = await authClient.getAuthCodeUrl({
15198
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, validRequest.correlationId)(this.config, authClient.authority, {
15230
15199
  ...validRequest,
15231
15200
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, request.authenticationScheme),
15232
- });
15201
+ }, this.logger, this.performanceClient);
15233
15202
  const redirectStartPage = this.getRedirectStartPage(request.redirectStartPage);
15234
15203
  this.logger.verbosePii(`Redirect start page: ${redirectStartPage}`);
15235
15204
  // Clear temporary cache if the back button is clicked during the redirect flow.
@@ -15734,18 +15703,19 @@
15734
15703
  * @param navigateUrl
15735
15704
  * @param userRequestScopes
15736
15705
  */
15737
- async silentTokenHelper(authClient, silentRequest) {
15738
- const correlationId = silentRequest.correlationId;
15706
+ async silentTokenHelper(authClient, request) {
15707
+ const correlationId = request.correlationId;
15739
15708
  this.performanceClient.addQueueMeasurement(PerformanceEvents.SilentIframeClientTokenHelper, correlationId);
15740
- // Create auth code request and generate PKCE params
15741
- const authCodeRequest = await invokeAsync(this.initializeAuthorizationCodeRequest.bind(this), PerformanceEvents.StandardInteractionClientInitializeAuthorizationCodeRequest, this.logger, this.performanceClient, correlationId)(silentRequest);
15709
+ const pkceCodes = await invokeAsync(generatePkceCodes, PerformanceEvents.GeneratePkceCodes, this.logger, this.performanceClient, this.correlationId)(this.performanceClient, this.logger, this.correlationId);
15710
+ const silentRequest = {
15711
+ ...request,
15712
+ codeChallenge: pkceCodes.challenge,
15713
+ };
15742
15714
  // Create authorize request url
15743
- const navigateUrl = await invokeAsync(authClient.getAuthCodeUrl.bind(authClient), PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)({
15715
+ const navigateUrl = await invokeAsync(getAuthCodeRequestUrl, PerformanceEvents.GetAuthCodeUrl, this.logger, this.performanceClient, correlationId)(this.config, authClient.authority, {
15744
15716
  ...silentRequest,
15745
15717
  platformBroker: NativeMessageHandler.isPlatformBrokerAvailable(this.config, this.logger, this.nativeMessageHandler, silentRequest.authenticationScheme),
15746
- });
15747
- // Create silent handler
15748
- const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15718
+ }, this.logger, this.performanceClient);
15749
15719
  // Get the frame handle for the silent request
15750
15720
  const msalFrame = await invokeAsync(initiateAuthRequest, PerformanceEvents.SilentHandlerInitiateAuthRequest, this.logger, this.performanceClient, correlationId)(navigateUrl, this.performanceClient, this.logger, correlationId, this.config.system.navigateFrameWait);
15751
15721
  const responseType = this.config.auth.OIDCOptions.serverResponseType;
@@ -15765,6 +15735,13 @@
15765
15735
  prompt: silentRequest.prompt || PromptValue.NONE,
15766
15736
  });
15767
15737
  }
15738
+ const authCodeRequest = {
15739
+ ...silentRequest,
15740
+ code: serverParams.code || "",
15741
+ codeVerifier: pkceCodes.verifier,
15742
+ };
15743
+ // Create silent handler
15744
+ const interactionHandler = new InteractionHandler(authClient, this.browserStorage, authCodeRequest, this.logger, this.performanceClient);
15768
15745
  // Handle response from hash string
15769
15746
  return invokeAsync(interactionHandler.handleCodeResponse.bind(interactionHandler), PerformanceEvents.HandleCodeResponse, this.logger, this.performanceClient, correlationId)(serverParams, silentRequest);
15770
15747
  }
@@ -17518,8 +17495,7 @@
17518
17495
  extraParams = new Map(Object.entries(request.extraQueryParameters));
17519
17496
  }
17520
17497
  const correlationId = request.correlationId || this.crypto.createNewGuid();
17521
- const requestBuilder = new RequestParameterBuilder(correlationId);
17522
- const claims = requestBuilder.addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17498
+ const claims = addClientCapabilitiesToClaims(request.claims, this.clientCapabilities);
17523
17499
  const scopes = request.scopes || OIDC_DEFAULT_SCOPES;
17524
17500
  const tokenRequest = {
17525
17501
  platformBrokerId: request.account?.homeAccountId,