@azure/msal-browser 5.13.0 → 5.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/app/IPublicClientApplication.mjs +16 -16
- package/dist/app/IPublicClientApplication.mjs.map +1 -1
- package/dist/app/PublicClientApplication.mjs +1 -1
- package/dist/broker/nativeBroker/NativeStatusCodes.mjs +1 -1
- package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs +11 -11
- package/dist/broker/nativeBroker/PlatformAuthDOMHandler.mjs.map +1 -1
- package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs +21 -21
- package/dist/broker/nativeBroker/PlatformAuthExtensionHandler.mjs.map +1 -1
- package/dist/broker/nativeBroker/PlatformAuthProvider.mjs +3 -3
- package/dist/broker/nativeBroker/PlatformAuthProvider.mjs.map +1 -1
- package/dist/cache/AccountManager.mjs +1 -1
- package/dist/cache/AsyncMemoryStorage.mjs +1 -1
- package/dist/cache/BrowserCacheManager.mjs +18 -18
- package/dist/cache/BrowserCacheManager.mjs.map +1 -1
- package/dist/cache/CacheHelpers.mjs +1 -1
- package/dist/cache/CacheKeys.mjs +1 -1
- package/dist/cache/CookieStorage.mjs +4 -4
- package/dist/cache/CookieStorage.mjs.map +1 -1
- package/dist/cache/DatabaseStorage.mjs +7 -7
- package/dist/cache/DatabaseStorage.mjs.map +1 -1
- package/dist/cache/EncryptedData.mjs +1 -1
- package/dist/cache/LocalStorage.mjs +6 -6
- package/dist/cache/LocalStorage.mjs.map +1 -1
- package/dist/cache/MemoryStorage.mjs +1 -1
- package/dist/cache/SessionStorage.mjs +2 -2
- package/dist/cache/SessionStorage.mjs.map +1 -1
- package/dist/cache/TokenCache.mjs +10 -8
- package/dist/cache/TokenCache.mjs.map +1 -1
- package/dist/config/Configuration.mjs +5 -4
- package/dist/config/Configuration.mjs.map +1 -1
- package/dist/controllers/NestedAppAuthController.mjs +16 -17
- package/dist/controllers/NestedAppAuthController.mjs.map +1 -1
- package/dist/controllers/StandardController.mjs +24 -24
- package/dist/controllers/StandardController.mjs.map +1 -1
- package/dist/crypto/BrowserCrypto.mjs +7 -7
- package/dist/crypto/BrowserCrypto.mjs.map +1 -1
- package/dist/crypto/CryptoOps.mjs +4 -4
- package/dist/crypto/CryptoOps.mjs.map +1 -1
- package/dist/crypto/PkceGenerator.mjs +3 -3
- package/dist/crypto/PkceGenerator.mjs.map +1 -1
- package/dist/crypto/SignedHttpRequest.mjs +1 -1
- package/dist/custom_auth/CustomAuthConstants.mjs +1 -1
- package/dist/custom_auth/CustomAuthPublicClientApplication.mjs +1 -1
- package/dist/custom_auth/controller/CustomAuthStandardController.mjs +13 -8
- package/dist/custom_auth/controller/CustomAuthStandardController.mjs.map +1 -1
- package/dist/custom_auth/core/CustomAuthAuthority.mjs +2 -2
- package/dist/custom_auth/core/CustomAuthAuthority.mjs.map +1 -1
- package/dist/custom_auth/core/auth_flow/AuthFlowErrorBase.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/AuthFlowResultBase.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/AuthFlowState.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/AuthFlowStateTypes.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/error_type/AuthMethodRegistrationError.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationChallengeMethodResult.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/result/AuthMethodRegistrationSubmitChallengeResult.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationCompletedState.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationFailedState.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs +4 -4
- package/dist/custom_auth/core/auth_flow/jit/state/AuthMethodRegistrationState.mjs.map +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/error_type/MfaError.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/result/MfaRequestChallengeResult.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/result/MfaSubmitChallengeResult.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/state/MfaCompletedState.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/state/MfaFailedState.mjs +1 -1
- package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs +4 -4
- package/dist/custom_auth/core/auth_flow/mfa/state/MfaState.mjs.map +1 -1
- package/dist/custom_auth/core/error/CustomAuthApiError.mjs +1 -1
- package/dist/custom_auth/core/error/CustomAuthError.mjs +1 -1
- package/dist/custom_auth/core/error/HttpError.mjs +1 -1
- package/dist/custom_auth/core/error/HttpErrorCodes.mjs +1 -1
- package/dist/custom_auth/core/error/InvalidArgumentError.mjs +1 -1
- package/dist/custom_auth/core/error/InvalidConfigurationError.mjs +1 -1
- package/dist/custom_auth/core/error/InvalidConfigurationErrorCodes.mjs +1 -1
- package/dist/custom_auth/core/error/MethodNotImplementedError.mjs +1 -1
- package/dist/custom_auth/core/error/MsalCustomAuthError.mjs +1 -1
- package/dist/custom_auth/core/error/NoCachedAccountFoundError.mjs +1 -1
- package/dist/custom_auth/core/error/ParsedUrlError.mjs +1 -1
- package/dist/custom_auth/core/error/ParsedUrlErrorCodes.mjs +1 -1
- package/dist/custom_auth/core/error/UnexpectedError.mjs +1 -1
- package/dist/custom_auth/core/error/UnsupportedEnvironmentError.mjs +1 -1
- package/dist/custom_auth/core/error/UserAccountAttributeError.mjs +1 -1
- package/dist/custom_auth/core/error/UserAlreadySignedInError.mjs +1 -1
- package/dist/custom_auth/core/interaction_client/CustomAuthInteractionClientBase.mjs +1 -1
- package/dist/custom_auth/core/interaction_client/CustomAuthInterationClientFactory.mjs +1 -1
- package/dist/custom_auth/core/interaction_client/jit/JitClient.mjs +1 -1
- package/dist/custom_auth/core/interaction_client/jit/result/JitActionResult.mjs +1 -1
- package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs +2 -2
- package/dist/custom_auth/core/interaction_client/mfa/MfaClient.mjs.map +1 -1
- package/dist/custom_auth/core/interaction_client/mfa/result/MfaActionResult.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs +2 -2
- package/dist/custom_auth/core/network_client/custom_auth_api/BaseApiClient.mjs.map +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiClient.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/CustomAuthApiEndpoint.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/RegisterApiClient.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/ResetPasswordApiClient.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/SignInApiClient.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/SignupApiClient.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiErrorCodes.mjs +1 -1
- package/dist/custom_auth/core/network_client/custom_auth_api/types/ApiSuberrors.mjs +1 -1
- package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs +4 -4
- package/dist/custom_auth/core/network_client/http_client/FetchHttpClient.mjs.map +1 -1
- package/dist/custom_auth/core/network_client/http_client/IHttpClient.mjs +1 -1
- package/dist/custom_auth/core/telemetry/PublicApiId.mjs +1 -1
- package/dist/custom_auth/core/utils/ArgumentValidator.mjs +1 -1
- package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs +3 -3
- package/dist/custom_auth/core/utils/CustomHeaderUtils.mjs.map +1 -1
- package/dist/custom_auth/core/utils/UrlUtils.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs +2 -2
- package/dist/custom_auth/get_account/auth_flow/CustomAuthAccountData.mjs.map +1 -1
- package/dist/custom_auth/get_account/auth_flow/error_type/GetAccountError.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/result/GetAccessTokenResult.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/result/GetAccountResult.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/result/SignOutResult.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/state/GetAccessTokenState.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/state/GetAccountState.mjs +1 -1
- package/dist/custom_auth/get_account/auth_flow/state/SignOutState.mjs +1 -1
- package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs +2 -2
- package/dist/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.mjs.map +1 -1
- package/dist/custom_auth/index.mjs +1 -1
- package/dist/custom_auth/operating_context/CustomAuthOperatingContext.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/error_type/ResetPasswordError.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordResendCodeResult.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordStartResult.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitCodeResult.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/result/ResetPasswordSubmitPasswordResult.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs +3 -3
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCodeRequiredState.mjs.map +1 -1
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordCompletedState.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordFailedState.mjs +1 -1
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs +2 -2
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordPasswordRequiredState.mjs.map +1 -1
- package/dist/custom_auth/reset_password/auth_flow/state/ResetPasswordState.mjs +1 -1
- package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs +3 -3
- package/dist/custom_auth/reset_password/interaction_client/ResetPasswordClient.mjs.map +1 -1
- package/dist/custom_auth/sign_in/auth_flow/SignInScenario.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/error_type/SignInError.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/result/SignInResendCodeResult.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/result/SignInResult.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitCodeResult.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/result/SignInSubmitPasswordResult.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs +2 -2
- package/dist/custom_auth/sign_in/auth_flow/state/SignInCodeRequiredState.mjs.map +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInCompletedState.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs +2 -2
- package/dist/custom_auth/sign_in/auth_flow/state/SignInContinuationState.mjs.map +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInFailedState.mjs +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs +2 -2
- package/dist/custom_auth/sign_in/auth_flow/state/SignInPasswordRequiredState.mjs.map +1 -1
- package/dist/custom_auth/sign_in/auth_flow/state/SignInState.mjs +1 -1
- package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs +2 -2
- package/dist/custom_auth/sign_in/interaction_client/SignInClient.mjs.map +1 -1
- package/dist/custom_auth/sign_in/interaction_client/result/SignInActionResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/error_type/SignUpError.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/result/SignUpResendCodeResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/result/SignUpResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitAttributesResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitCodeResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/result/SignUpSubmitPasswordResult.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs +2 -2
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpAttributesRequiredState.mjs.map +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs +3 -3
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpCodeRequiredState.mjs.map +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpCompletedState.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpFailedState.mjs +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs +2 -2
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpPasswordRequiredState.mjs.map +1 -1
- package/dist/custom_auth/sign_up/auth_flow/state/SignUpState.mjs +1 -1
- package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs +5 -5
- package/dist/custom_auth/sign_up/interaction_client/SignUpClient.mjs.map +1 -1
- package/dist/custom_auth/sign_up/interaction_client/result/SignUpActionResult.mjs +1 -1
- package/dist/encode/Base64Decode.mjs +2 -2
- package/dist/encode/Base64Decode.mjs.map +1 -1
- package/dist/encode/Base64Encode.mjs +1 -1
- package/dist/error/BrowserAuthError.mjs +5 -5
- package/dist/error/BrowserAuthError.mjs.map +1 -1
- package/dist/error/BrowserAuthErrorCodes.mjs +1 -1
- package/dist/error/BrowserConfigurationAuthError.mjs +5 -5
- package/dist/error/BrowserConfigurationAuthError.mjs.map +1 -1
- package/dist/error/BrowserConfigurationAuthErrorCodes.mjs +1 -1
- package/dist/error/NativeAuthError.mjs +20 -10
- package/dist/error/NativeAuthError.mjs.map +1 -1
- package/dist/error/NativeAuthErrorCodes.mjs +1 -1
- package/dist/error/NestedAppAuthError.mjs +9 -5
- package/dist/error/NestedAppAuthError.mjs.map +1 -1
- package/dist/event/EventHandler.mjs +7 -6
- package/dist/event/EventHandler.mjs.map +1 -1
- package/dist/event/EventMessage.mjs +1 -1
- package/dist/event/EventType.mjs +1 -1
- package/dist/index.mjs +1 -1
- package/dist/interaction_client/BaseInteractionClient.mjs +6 -7
- package/dist/interaction_client/BaseInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/HybridSpaAuthorizationCodeClient.mjs +1 -1
- package/dist/interaction_client/PlatformAuthInteractionClient.mjs +24 -20
- package/dist/interaction_client/PlatformAuthInteractionClient.mjs.map +1 -1
- package/dist/interaction_client/PopupClient.mjs +14 -14
- package/dist/interaction_client/PopupClient.mjs.map +1 -1
- package/dist/interaction_client/RedirectClient.mjs +17 -17
- package/dist/interaction_client/RedirectClient.mjs.map +1 -1
- package/dist/interaction_client/SilentAuthCodeClient.mjs +4 -4
- package/dist/interaction_client/SilentAuthCodeClient.mjs.map +1 -1
- package/dist/interaction_client/SilentCacheClient.mjs +1 -1
- package/dist/interaction_client/SilentIframeClient.mjs +5 -5
- package/dist/interaction_client/SilentIframeClient.mjs.map +1 -1
- package/dist/interaction_client/SilentRefreshClient.mjs +3 -3
- package/dist/interaction_client/SilentRefreshClient.mjs.map +1 -1
- package/dist/interaction_client/StandardInteractionClient.mjs +6 -6
- package/dist/interaction_client/StandardInteractionClient.mjs.map +1 -1
- package/dist/interaction_handler/InteractionHandler.mjs +3 -3
- package/dist/interaction_handler/InteractionHandler.mjs.map +1 -1
- package/dist/interaction_handler/SilentHandler.mjs +2 -2
- package/dist/interaction_handler/SilentHandler.mjs.map +1 -1
- package/dist/log-strings-mapping.json +1200 -1200
- package/dist/naa/BridgeError.mjs +1 -1
- package/dist/naa/BridgeProxy.mjs +1 -1
- package/dist/naa/BridgeStatusCode.mjs +1 -1
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs +18 -17
- package/dist/naa/mapping/NestedAppAuthAdapter.mjs.map +1 -1
- package/dist/navigation/NavigationClient.mjs +2 -2
- package/dist/navigation/NavigationClient.mjs.map +1 -1
- package/dist/network/FetchClient.mjs +7 -7
- package/dist/network/FetchClient.mjs.map +1 -1
- package/dist/operatingcontext/BaseOperatingContext.mjs +1 -1
- package/dist/operatingcontext/NestedAppOperatingContext.mjs +3 -3
- package/dist/operatingcontext/NestedAppOperatingContext.mjs.map +1 -1
- package/dist/operatingcontext/StandardOperatingContext.mjs +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.mjs +8 -8
- package/dist/protocol/Authorize.mjs.map +1 -1
- package/dist/redirect_bridge/index.mjs +1 -1
- package/dist/request/RequestHelpers.mjs +5 -5
- package/dist/request/RequestHelpers.mjs.map +1 -1
- package/dist/response/ResponseHandler.mjs +11 -11
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/BrowserPerformanceClient.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceEvents.mjs +1 -1
- package/dist/telemetry/BrowserPerformanceMeasurement.mjs +1 -1
- package/dist/telemetry/BrowserRootPerformanceEvents.mjs +1 -1
- package/dist/utils/BrowserConstants.mjs +1 -1
- package/dist/utils/BrowserProtocolUtils.mjs +4 -4
- package/dist/utils/BrowserProtocolUtils.mjs.map +1 -1
- package/dist/utils/BrowserUtils.mjs +26 -20
- package/dist/utils/BrowserUtils.mjs.map +1 -1
- package/dist/utils/Helpers.mjs +1 -1
- package/dist/utils/MsalFrameStatsUtils.mjs +1 -1
- package/lib/custom-auth-path/log-strings-mapping.json +2 -2
- package/lib/custom-auth-path/msal-custom-auth.cjs +969 -866
- package/lib/custom-auth-path/msal-custom-auth.cjs.map +1 -1
- package/lib/custom-auth-path/msal-custom-auth.js +860 -761
- package/lib/custom-auth-path/msal-custom-auth.js.map +1 -1
- package/lib/log-strings-mapping.json +2 -2
- package/lib/msal-browser.cjs +898 -796
- package/lib/msal-browser.cjs.map +1 -1
- package/lib/msal-browser.js +898 -796
- package/lib/msal-browser.js.map +1 -1
- package/lib/msal-browser.min.js +2 -2
- package/lib/redirect-bridge/msal-redirect-bridge.cjs +55 -51
- package/lib/redirect-bridge/msal-redirect-bridge.cjs.map +1 -1
- package/lib/redirect-bridge/msal-redirect-bridge.js +55 -51
- package/lib/redirect-bridge/msal-redirect-bridge.js.map +1 -1
- package/lib/redirect-bridge/msal-redirect-bridge.min.js +2 -2
- package/package.json +5 -6
- package/src/app/IPublicClientApplication.ts +30 -15
- package/src/broker/nativeBroker/PlatformAuthDOMHandler.ts +2 -0
- package/src/broker/nativeBroker/PlatformAuthExtensionHandler.ts +8 -2
- package/src/broker/nativeBroker/PlatformAuthProvider.ts +2 -1
- package/src/cache/BrowserCacheManager.ts +19 -7
- package/src/cache/CookieStorage.ts +13 -3
- package/src/cache/DatabaseStorage.ts +12 -6
- package/src/cache/LocalStorage.ts +8 -4
- package/src/cache/SessionStorage.ts +2 -1
- package/src/cache/TokenCache.ts +22 -7
- package/src/config/Configuration.ts +15 -4
- package/src/controllers/NestedAppAuthController.ts +19 -11
- package/src/controllers/StandardController.ts +20 -9
- package/src/crypto/BrowserCrypto.ts +10 -2
- package/src/crypto/CryptoOps.ts +4 -2
- package/src/crypto/PkceGenerator.ts +8 -2
- package/src/custom_auth/controller/CustomAuthStandardController.ts +2 -4
- package/src/custom_auth/core/CustomAuthAuthority.ts +4 -2
- package/src/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.ts +2 -1
- package/src/encode/Base64Decode.ts +2 -1
- package/src/error/BrowserAuthError.ts +9 -3
- package/src/error/BrowserConfigurationAuthError.ts +9 -3
- package/src/error/NativeAuthError.ts +44 -11
- package/src/error/NestedAppAuthError.ts +14 -4
- package/src/event/EventHandler.ts +2 -1
- package/src/interaction_client/BaseInteractionClient.ts +10 -6
- package/src/interaction_client/PlatformAuthInteractionClient.ts +49 -21
- package/src/interaction_client/PopupClient.ts +14 -8
- package/src/interaction_client/RedirectClient.ts +21 -10
- package/src/interaction_client/SilentAuthCodeClient.ts +5 -3
- package/src/interaction_client/SilentIframeClient.ts +5 -3
- package/src/interaction_client/SilentRefreshClient.ts +3 -2
- package/src/interaction_client/StandardInteractionClient.ts +8 -4
- package/src/interaction_handler/InteractionHandler.ts +4 -2
- package/src/interaction_handler/SilentHandler.ts +4 -1
- package/src/naa/mapping/NestedAppAuthAdapter.ts +43 -14
- package/src/navigation/NavigationClient.ts +1 -0
- package/src/network/FetchClient.ts +14 -6
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +23 -7
- package/src/request/RequestHelpers.ts +6 -3
- package/src/response/ResponseHandler.ts +20 -7
- package/src/utils/BrowserProtocolUtils.ts +11 -3
- package/src/utils/BrowserUtils.ts +44 -17
- package/types/app/IPublicClientApplication.d.ts.map +1 -1
- package/types/broker/nativeBroker/PlatformAuthDOMHandler.d.ts.map +1 -1
- package/types/broker/nativeBroker/PlatformAuthExtensionHandler.d.ts.map +1 -1
- package/types/broker/nativeBroker/PlatformAuthProvider.d.ts.map +1 -1
- package/types/cache/BrowserCacheManager.d.ts.map +1 -1
- package/types/cache/CookieStorage.d.ts +1 -1
- package/types/cache/CookieStorage.d.ts.map +1 -1
- package/types/cache/DatabaseStorage.d.ts.map +1 -1
- package/types/cache/LocalStorage.d.ts.map +1 -1
- package/types/cache/SessionStorage.d.ts.map +1 -1
- package/types/cache/TokenCache.d.ts.map +1 -1
- package/types/config/Configuration.d.ts +5 -1
- package/types/config/Configuration.d.ts.map +1 -1
- package/types/controllers/NestedAppAuthController.d.ts.map +1 -1
- package/types/controllers/StandardController.d.ts.map +1 -1
- package/types/crypto/BrowserCrypto.d.ts.map +1 -1
- package/types/crypto/CryptoOps.d.ts.map +1 -1
- package/types/custom_auth/CustomAuthConstants.d.ts +1 -1
- package/types/custom_auth/controller/CustomAuthStandardController.d.ts.map +1 -1
- package/types/custom_auth/core/CustomAuthAuthority.d.ts.map +1 -1
- package/types/custom_auth/get_account/interaction_client/CustomAuthSilentCacheClient.d.ts.map +1 -1
- package/types/encode/Base64Decode.d.ts.map +1 -1
- package/types/error/BrowserAuthError.d.ts +2 -2
- package/types/error/BrowserAuthError.d.ts.map +1 -1
- package/types/error/BrowserConfigurationAuthError.d.ts +2 -2
- package/types/error/BrowserConfigurationAuthError.d.ts.map +1 -1
- package/types/error/NativeAuthError.d.ts +2 -2
- package/types/error/NativeAuthError.d.ts.map +1 -1
- package/types/error/NestedAppAuthError.d.ts +2 -2
- package/types/error/NestedAppAuthError.d.ts.map +1 -1
- package/types/event/EventHandler.d.ts.map +1 -1
- package/types/interaction_client/BaseInteractionClient.d.ts.map +1 -1
- package/types/interaction_client/PlatformAuthInteractionClient.d.ts.map +1 -1
- package/types/interaction_client/PopupClient.d.ts.map +1 -1
- package/types/interaction_client/RedirectClient.d.ts.map +1 -1
- package/types/interaction_client/SilentAuthCodeClient.d.ts.map +1 -1
- package/types/interaction_client/SilentIframeClient.d.ts.map +1 -1
- package/types/interaction_client/SilentRefreshClient.d.ts.map +1 -1
- package/types/interaction_client/StandardInteractionClient.d.ts.map +1 -1
- package/types/interaction_handler/InteractionHandler.d.ts.map +1 -1
- package/types/interaction_handler/SilentHandler.d.ts.map +1 -1
- package/types/naa/mapping/NestedAppAuthAdapter.d.ts.map +1 -1
- package/types/navigation/NavigationClient.d.ts.map +1 -1
- package/types/network/FetchClient.d.ts.map +1 -1
- package/types/packageMetadata.d.ts +1 -1
- package/types/protocol/Authorize.d.ts.map +1 -1
- package/types/request/RequestHelpers.d.ts.map +1 -1
- package/types/response/ResponseHandler.d.ts +1 -1
- package/types/response/ResponseHandler.d.ts.map +1 -1
- package/types/utils/BrowserProtocolUtils.d.ts +1 -1
- package/types/utils/BrowserProtocolUtils.d.ts.map +1 -1
- package/types/utils/BrowserUtils.d.ts +5 -3
- package/types/utils/BrowserUtils.d.ts.map +1 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-browser v5.
|
|
1
|
+
/*! @azure/msal-browser v5.15.0 2026-06-23 */
|
|
2
2
|
'use strict';
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) :
|
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
(global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global.msalCustomAuth = {}));
|
|
7
7
|
})(this, (function (exports) { 'use strict';
|
|
8
8
|
|
|
9
|
-
/*! @azure/msal-common v16.
|
|
9
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
10
10
|
/*
|
|
11
11
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
12
12
|
* Licensed under the MIT License.
|
|
@@ -33,10 +33,11 @@
|
|
|
33
33
|
const EMAIL_SCOPE = "email";
|
|
34
34
|
const S256_CODE_CHALLENGE_METHOD = "S256";
|
|
35
35
|
const URL_FORM_CONTENT_TYPE = "application/x-www-form-urlencoded;charset=utf-8";
|
|
36
|
+
const NOT_APPLICABLE = "N/A";
|
|
36
37
|
const NOT_AVAILABLE = "Not Available";
|
|
37
38
|
const FORWARD_SLASH = "/";
|
|
38
|
-
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute
|
|
39
|
-
const IMDS_VERSION = "
|
|
39
|
+
const IMDS_ENDPOINT = "http://169.254.169.254/metadata/instance/compute";
|
|
40
|
+
const IMDS_VERSION = "2021-02-01";
|
|
40
41
|
const IMDS_TIMEOUT = 2000;
|
|
41
42
|
const AZURE_REGION_AUTO_DISCOVER_FLAG = "TryAutoDetect";
|
|
42
43
|
const REGIONAL_AUTH_PUBLIC_CLOUD_SUFFIX = "login.microsoft.com";
|
|
@@ -97,6 +98,9 @@
|
|
|
97
98
|
const ClaimsRequestKeys = {
|
|
98
99
|
ACCESS_TOKEN: "access_token",
|
|
99
100
|
XMS_CC: "xms_cc",
|
|
101
|
+
ID_TOKEN: "id_token",
|
|
102
|
+
SIGNIN_STATE: "signin_state",
|
|
103
|
+
LOGIN_HINT: "login_hint",
|
|
100
104
|
};
|
|
101
105
|
/**
|
|
102
106
|
* we considered making this "enum" in the request instead of string, however it looks like the allowed list of
|
|
@@ -233,7 +237,7 @@
|
|
|
233
237
|
// Token renewal offset default in seconds
|
|
234
238
|
const DEFAULT_TOKEN_RENEWAL_OFFSET_SEC = 300;
|
|
235
239
|
|
|
236
|
-
/*! @azure/msal-common v16.
|
|
240
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
237
241
|
/*
|
|
238
242
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
239
243
|
* Licensed under the MIT License.
|
|
@@ -285,7 +289,7 @@
|
|
|
285
289
|
const RESOURCE = "resource";
|
|
286
290
|
const CLI_DATA = "clidata";
|
|
287
291
|
|
|
288
|
-
/*! @azure/msal-common v16.
|
|
292
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
289
293
|
/*
|
|
290
294
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
291
295
|
* Licensed under the MIT License.
|
|
@@ -297,7 +301,7 @@
|
|
|
297
301
|
* General error class thrown by the MSAL.js library.
|
|
298
302
|
*/
|
|
299
303
|
class AuthError extends Error {
|
|
300
|
-
constructor(errorCode, errorMessage, suberror) {
|
|
304
|
+
constructor(errorCode, correlationId, errorMessage, suberror) {
|
|
301
305
|
const message = errorMessage ||
|
|
302
306
|
(errorCode ? getDefaultErrorMessage$1(errorCode) : "");
|
|
303
307
|
const errorString = message ? `${errorCode}: ${message}` : errorCode;
|
|
@@ -306,17 +310,15 @@
|
|
|
306
310
|
this.errorCode = errorCode || "";
|
|
307
311
|
this.errorMessage = message || "";
|
|
308
312
|
this.subError = suberror || "";
|
|
309
|
-
this.name = "AuthError";
|
|
310
|
-
}
|
|
311
|
-
setCorrelationId(correlationId) {
|
|
312
313
|
this.correlationId = correlationId;
|
|
314
|
+
this.name = "AuthError";
|
|
313
315
|
}
|
|
314
316
|
}
|
|
315
|
-
function createAuthError(code, additionalMessage) {
|
|
316
|
-
return new AuthError(code, additionalMessage || getDefaultErrorMessage$1(code));
|
|
317
|
+
function createAuthError(code, correlationId, additionalMessage) {
|
|
318
|
+
return new AuthError(code, correlationId, additionalMessage || getDefaultErrorMessage$1(code));
|
|
317
319
|
}
|
|
318
320
|
|
|
319
|
-
/*! @azure/msal-common v16.
|
|
321
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
320
322
|
|
|
321
323
|
/*
|
|
322
324
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -326,17 +328,17 @@
|
|
|
326
328
|
* Error thrown when there is an error in configuration of the MSAL.js library.
|
|
327
329
|
*/
|
|
328
330
|
class ClientConfigurationError extends AuthError {
|
|
329
|
-
constructor(errorCode) {
|
|
330
|
-
super(errorCode);
|
|
331
|
+
constructor(errorCode, correlationId) {
|
|
332
|
+
super(errorCode, correlationId);
|
|
331
333
|
this.name = "ClientConfigurationError";
|
|
332
334
|
Object.setPrototypeOf(this, ClientConfigurationError.prototype);
|
|
333
335
|
}
|
|
334
336
|
}
|
|
335
|
-
function createClientConfigurationError(errorCode) {
|
|
336
|
-
return new ClientConfigurationError(errorCode);
|
|
337
|
+
function createClientConfigurationError(errorCode, correlationId) {
|
|
338
|
+
return new ClientConfigurationError(errorCode, correlationId);
|
|
337
339
|
}
|
|
338
340
|
|
|
339
|
-
/*! @azure/msal-common v16.
|
|
341
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
340
342
|
/*
|
|
341
343
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
342
344
|
* Licensed under the MIT License.
|
|
@@ -416,7 +418,7 @@
|
|
|
416
418
|
}
|
|
417
419
|
}
|
|
418
420
|
|
|
419
|
-
/*! @azure/msal-common v16.
|
|
421
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
420
422
|
|
|
421
423
|
/*
|
|
422
424
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -429,17 +431,17 @@
|
|
|
429
431
|
* Error thrown when there is an error in the client code running on the browser.
|
|
430
432
|
*/
|
|
431
433
|
class ClientAuthError extends AuthError {
|
|
432
|
-
constructor(errorCode, additionalMessage) {
|
|
433
|
-
super(errorCode, additionalMessage);
|
|
434
|
+
constructor(errorCode, correlationId, additionalMessage) {
|
|
435
|
+
super(errorCode, correlationId, additionalMessage);
|
|
434
436
|
this.name = "ClientAuthError";
|
|
435
437
|
Object.setPrototypeOf(this, ClientAuthError.prototype);
|
|
436
438
|
}
|
|
437
439
|
}
|
|
438
|
-
function createClientAuthError(errorCode, additionalMessage) {
|
|
439
|
-
return new ClientAuthError(errorCode, additionalMessage);
|
|
440
|
+
function createClientAuthError(errorCode, correlationId, additionalMessage) {
|
|
441
|
+
return new ClientAuthError(errorCode, correlationId, additionalMessage);
|
|
440
442
|
}
|
|
441
443
|
|
|
442
|
-
/*! @azure/msal-common v16.
|
|
444
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
443
445
|
/*
|
|
444
446
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
445
447
|
* Licensed under the MIT License.
|
|
@@ -465,7 +467,7 @@
|
|
|
465
467
|
const invalidPlatformBrokerConfiguration = "invalid_platform_broker_configuration";
|
|
466
468
|
const issuerValidationFailed = "issuer_validation_failed";
|
|
467
469
|
|
|
468
|
-
/*! @azure/msal-common v16.
|
|
470
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
469
471
|
/*
|
|
470
472
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
471
473
|
* Licensed under the MIT License.
|
|
@@ -482,8 +484,6 @@
|
|
|
482
484
|
const stateMismatch = "state_mismatch";
|
|
483
485
|
const stateNotFound = "state_not_found";
|
|
484
486
|
const nonceMismatch = "nonce_mismatch";
|
|
485
|
-
const authTimeNotFound = "auth_time_not_found";
|
|
486
|
-
const maxAgeTranspired = "max_age_transpired";
|
|
487
487
|
const multipleMatchingAppMetadata = "multiple_matching_appMetadata";
|
|
488
488
|
const requestCannotBeMade = "request_cannot_be_made";
|
|
489
489
|
const cannotRemoveEmptyScope = "cannot_remove_empty_scope";
|
|
@@ -504,7 +504,7 @@
|
|
|
504
504
|
const resourceParameterRequired = "resource_parameter_required";
|
|
505
505
|
const misplacedResourceParam = "misplaced_resource_parameter";
|
|
506
506
|
|
|
507
|
-
/*! @azure/msal-common v16.
|
|
507
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
508
508
|
|
|
509
509
|
/*
|
|
510
510
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -516,7 +516,8 @@
|
|
|
516
516
|
* to ensure uniqueness of strings.
|
|
517
517
|
*/
|
|
518
518
|
class ScopeSet {
|
|
519
|
-
constructor(inputScopes) {
|
|
519
|
+
constructor(inputScopes, correlationId) {
|
|
520
|
+
this.correlationId = correlationId;
|
|
520
521
|
// Filter empty string and null/undefined array items
|
|
521
522
|
const scopeArr = inputScopes
|
|
522
523
|
? StringUtils.trimArrayEntries([...inputScopes])
|
|
@@ -526,7 +527,7 @@
|
|
|
526
527
|
: [];
|
|
527
528
|
// Check if scopes array has at least one member
|
|
528
529
|
if (!filteredInput || !filteredInput.length) {
|
|
529
|
-
throw createClientConfigurationError(emptyInputScopesError);
|
|
530
|
+
throw createClientConfigurationError(emptyInputScopesError, correlationId);
|
|
530
531
|
}
|
|
531
532
|
this.scopes = new Set(); // Iterator in constructor not supported by IE11
|
|
532
533
|
filteredInput.forEach((scope) => this.scopes.add(scope));
|
|
@@ -537,22 +538,22 @@
|
|
|
537
538
|
* @param appClientId
|
|
538
539
|
* @param scopesRequired
|
|
539
540
|
*/
|
|
540
|
-
static fromString(inputScopeString) {
|
|
541
|
+
static fromString(inputScopeString, correlationId) {
|
|
541
542
|
const scopeString = inputScopeString || "";
|
|
542
543
|
const inputScopes = scopeString.split(" ");
|
|
543
|
-
return new ScopeSet(inputScopes);
|
|
544
|
+
return new ScopeSet(inputScopes, correlationId);
|
|
544
545
|
}
|
|
545
546
|
/**
|
|
546
547
|
* Creates the set of scopes to search for in cache lookups
|
|
547
548
|
* @param inputScopeString
|
|
548
549
|
* @returns
|
|
549
550
|
*/
|
|
550
|
-
static createSearchScopes(inputScopeString) {
|
|
551
|
+
static createSearchScopes(inputScopeString, correlationId) {
|
|
551
552
|
// Handle empty scopes by using default OIDC scopes for cache lookup
|
|
552
553
|
const scopesToUse = inputScopeString && inputScopeString.length > 0
|
|
553
554
|
? inputScopeString
|
|
554
555
|
: [...OIDC_DEFAULT_SCOPES];
|
|
555
|
-
const scopeSet = new ScopeSet(scopesToUse);
|
|
556
|
+
const scopeSet = new ScopeSet(scopesToUse, correlationId);
|
|
556
557
|
if (!scopeSet.containsOnlyOIDCScopes()) {
|
|
557
558
|
scopeSet.removeOIDCScopes();
|
|
558
559
|
}
|
|
@@ -567,7 +568,7 @@
|
|
|
567
568
|
*/
|
|
568
569
|
containsScope(scope) {
|
|
569
570
|
const lowerCaseScopes = this.printScopesLowerCase().split(" ");
|
|
570
|
-
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes);
|
|
571
|
+
const lowerCaseScopesSet = new ScopeSet(lowerCaseScopes, this.correlationId);
|
|
571
572
|
// compare lowercase scopes
|
|
572
573
|
return scope
|
|
573
574
|
? lowerCaseScopesSet.scopes.has(scope.toLowerCase())
|
|
@@ -614,7 +615,7 @@
|
|
|
614
615
|
newScopes.forEach((newScope) => this.appendScope(newScope));
|
|
615
616
|
}
|
|
616
617
|
catch (e) {
|
|
617
|
-
throw createClientAuthError(cannotAppendScopeSet);
|
|
618
|
+
throw createClientAuthError(cannotAppendScopeSet, this.correlationId);
|
|
618
619
|
}
|
|
619
620
|
}
|
|
620
621
|
/**
|
|
@@ -623,7 +624,7 @@
|
|
|
623
624
|
*/
|
|
624
625
|
removeScope(scope) {
|
|
625
626
|
if (!scope) {
|
|
626
|
-
throw createClientAuthError(cannotRemoveEmptyScope);
|
|
627
|
+
throw createClientAuthError(cannotRemoveEmptyScope, this.correlationId);
|
|
627
628
|
}
|
|
628
629
|
this.scopes.delete(scope.trim());
|
|
629
630
|
}
|
|
@@ -642,7 +643,7 @@
|
|
|
642
643
|
*/
|
|
643
644
|
unionScopeSets(otherScopes) {
|
|
644
645
|
if (!otherScopes) {
|
|
645
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
646
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
646
647
|
}
|
|
647
648
|
const unionScopes = new Set(); // Iterator in constructor not supported in IE11
|
|
648
649
|
otherScopes.scopes.forEach((scope) => unionScopes.add(scope.toLowerCase()));
|
|
@@ -655,7 +656,7 @@
|
|
|
655
656
|
*/
|
|
656
657
|
intersectingScopeSets(otherScopes) {
|
|
657
658
|
if (!otherScopes) {
|
|
658
|
-
throw createClientAuthError(emptyInputScopeSet);
|
|
659
|
+
throw createClientAuthError(emptyInputScopeSet, this.correlationId);
|
|
659
660
|
}
|
|
660
661
|
// Do not allow OIDC scopes to be the only intersecting scopes
|
|
661
662
|
if (!otherScopes.containsOnlyOIDCScopes()) {
|
|
@@ -699,7 +700,7 @@
|
|
|
699
700
|
}
|
|
700
701
|
}
|
|
701
702
|
|
|
702
|
-
/*! @azure/msal-common v16.
|
|
703
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
703
704
|
|
|
704
705
|
/*
|
|
705
706
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -743,7 +744,7 @@
|
|
|
743
744
|
* @param scopeSet
|
|
744
745
|
* @param addOidcScopes
|
|
745
746
|
*/
|
|
746
|
-
function addScopes(parameters, scopes, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
747
|
+
function addScopes(parameters, scopes, correlationId, addOidcScopes = true, defaultScopes = OIDC_DEFAULT_SCOPES) {
|
|
747
748
|
// Always add openid to the scopes when adding OIDC scopes
|
|
748
749
|
if (addOidcScopes &&
|
|
749
750
|
!defaultScopes.includes("openid") &&
|
|
@@ -753,7 +754,7 @@
|
|
|
753
754
|
const requestScopes = addOidcScopes
|
|
754
755
|
? [...(scopes || []), ...defaultScopes]
|
|
755
756
|
: scopes || [];
|
|
756
|
-
const scopeSet = new ScopeSet(requestScopes);
|
|
757
|
+
const scopeSet = new ScopeSet(requestScopes, correlationId);
|
|
757
758
|
parameters.set(SCOPE, scopeSet.printScopes());
|
|
758
759
|
}
|
|
759
760
|
/**
|
|
@@ -823,26 +824,18 @@
|
|
|
823
824
|
* Adds claims to request parameters, conditionally excluding clientCapabilities
|
|
824
825
|
* when skipBrokerClaims is true and a brokered flow is in effect.
|
|
825
826
|
* @param parameters - The request parameters map
|
|
827
|
+
* @param correlationId - The request correlation id
|
|
826
828
|
* @param claims - The claims string from the request
|
|
827
829
|
* @param clientCapabilities - The client capabilities from configuration
|
|
828
830
|
* @param skipBrokerClaims - When true and BROKER_CLIENT_ID is present, excludes clientCapabilities from claims
|
|
829
831
|
*/
|
|
830
|
-
function addClaims(parameters, claims, clientCapabilities, skipBrokerClaims) {
|
|
832
|
+
function addClaims(parameters, correlationId, claims, clientCapabilities, skipBrokerClaims) {
|
|
831
833
|
// Skip clientCapabilities if skipBrokerClaims is set to true and this is a brokered authentication flow
|
|
832
834
|
const configClaims = skipBrokerClaims && parameters.has(BROKER_CLIENT_ID)
|
|
833
835
|
? undefined
|
|
834
836
|
: clientCapabilities;
|
|
835
|
-
|
|
836
|
-
|
|
837
|
-
const mergedClaims = addClientCapabilitiesToClaims(claims, configClaims);
|
|
838
|
-
try {
|
|
839
|
-
JSON.parse(mergedClaims);
|
|
840
|
-
}
|
|
841
|
-
catch (e) {
|
|
842
|
-
throw createClientConfigurationError(invalidClaims);
|
|
843
|
-
}
|
|
844
|
-
parameters.set(CLAIMS, mergedClaims);
|
|
845
|
-
}
|
|
837
|
+
const mergedClaims = buildMergedClaims(claims, configClaims, correlationId);
|
|
838
|
+
parameters.set(CLAIMS, mergedClaims);
|
|
846
839
|
}
|
|
847
840
|
/**
|
|
848
841
|
* add correlationId
|
|
@@ -913,7 +906,7 @@
|
|
|
913
906
|
parameters.set(CODE_CHALLENGE_METHOD, codeChallengeMethod);
|
|
914
907
|
}
|
|
915
908
|
else {
|
|
916
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
909
|
+
throw createClientConfigurationError(pkceParamsMissing, "");
|
|
917
910
|
}
|
|
918
911
|
}
|
|
919
912
|
/**
|
|
@@ -998,7 +991,23 @@
|
|
|
998
991
|
}
|
|
999
992
|
});
|
|
1000
993
|
}
|
|
1001
|
-
|
|
994
|
+
/**
|
|
995
|
+
* Default optional idToken claims requested on all auth requests.
|
|
996
|
+
* signin_state enables KMSI detection; login_hint enables login hint propagation.
|
|
997
|
+
*/
|
|
998
|
+
const DEFAULT_ID_TOKEN_CLAIMS = {
|
|
999
|
+
[ClaimsRequestKeys.SIGNIN_STATE]: { essential: false },
|
|
1000
|
+
[ClaimsRequestKeys.LOGIN_HINT]: { essential: false },
|
|
1001
|
+
};
|
|
1002
|
+
/**
|
|
1003
|
+
* Parses claims JSON, merges default optional idToken claims (signin_state, login_hint),
|
|
1004
|
+
* and appends client capabilities (xms_cc) to the access_token section.
|
|
1005
|
+
* Does not overwrite idToken claims already specified by the caller.
|
|
1006
|
+
* @param claims - Existing claims JSON string from the request (may be undefined)
|
|
1007
|
+
* @param clientCapabilities - Client capabilities array from configuration
|
|
1008
|
+
* @returns Merged claims JSON string
|
|
1009
|
+
*/
|
|
1010
|
+
function buildMergedClaims(claims, clientCapabilities, correlationId = "") {
|
|
1002
1011
|
let mergedClaims;
|
|
1003
1012
|
// Parse provided claims into JSON object or initialize empty object
|
|
1004
1013
|
if (!claims) {
|
|
@@ -1006,14 +1015,31 @@
|
|
|
1006
1015
|
}
|
|
1007
1016
|
else {
|
|
1008
1017
|
try {
|
|
1009
|
-
|
|
1018
|
+
const parsed = JSON.parse(claims);
|
|
1019
|
+
if (typeof parsed !== "object" ||
|
|
1020
|
+
parsed === null ||
|
|
1021
|
+
Array.isArray(parsed)) {
|
|
1022
|
+
throw new Error("Claims must be a JSON object");
|
|
1023
|
+
}
|
|
1024
|
+
mergedClaims = parsed;
|
|
1010
1025
|
}
|
|
1011
1026
|
catch (e) {
|
|
1012
|
-
throw createClientConfigurationError(invalidClaims);
|
|
1027
|
+
throw createClientConfigurationError(invalidClaims, correlationId);
|
|
1028
|
+
}
|
|
1029
|
+
}
|
|
1030
|
+
// Add default optional idToken claims
|
|
1031
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ID_TOKEN)) {
|
|
1032
|
+
mergedClaims[ClaimsRequestKeys.ID_TOKEN] = {};
|
|
1033
|
+
}
|
|
1034
|
+
const idTokenClaims = mergedClaims[ClaimsRequestKeys.ID_TOKEN];
|
|
1035
|
+
for (const [key, value] of Object.entries(DEFAULT_ID_TOKEN_CLAIMS)) {
|
|
1036
|
+
if (!(key in idTokenClaims)) {
|
|
1037
|
+
idTokenClaims[key] = value;
|
|
1013
1038
|
}
|
|
1014
1039
|
}
|
|
1040
|
+
// Add client capabilities
|
|
1015
1041
|
if (clientCapabilities && clientCapabilities.length > 0) {
|
|
1016
|
-
if (!
|
|
1042
|
+
if (!Object.prototype.hasOwnProperty.call(mergedClaims, ClaimsRequestKeys.ACCESS_TOKEN)) {
|
|
1017
1043
|
// Add access_token key to claims object
|
|
1018
1044
|
mergedClaims[ClaimsRequestKeys.ACCESS_TOKEN] = {};
|
|
1019
1045
|
}
|
|
@@ -1046,16 +1072,11 @@
|
|
|
1046
1072
|
/**
|
|
1047
1073
|
* add server telemetry fields
|
|
1048
1074
|
* @param serverTelemetryManager
|
|
1075
|
+
* @internal
|
|
1049
1076
|
*/
|
|
1050
1077
|
function addServerTelemetry(parameters, serverTelemetryManager) {
|
|
1051
|
-
|
|
1052
|
-
|
|
1053
|
-
if (currentTelemetryHeader) {
|
|
1054
|
-
parameters.set(X_CLIENT_CURR_TELEM, currentTelemetryHeader);
|
|
1055
|
-
}
|
|
1056
|
-
if (lastTelemetryHeader) {
|
|
1057
|
-
parameters.set(X_CLIENT_LAST_TELEM, lastTelemetryHeader);
|
|
1058
|
-
}
|
|
1078
|
+
parameters.set(X_CLIENT_CURR_TELEM, serverTelemetryManager.generateCurrentRequestHeaderValue());
|
|
1079
|
+
parameters.set(X_CLIENT_LAST_TELEM, serverTelemetryManager.generateLastRequestHeaderValue());
|
|
1059
1080
|
}
|
|
1060
1081
|
/**
|
|
1061
1082
|
* Adds parameter that indicates to the server that throttling is supported
|
|
@@ -1094,7 +1115,7 @@
|
|
|
1094
1115
|
}
|
|
1095
1116
|
}
|
|
1096
1117
|
|
|
1097
|
-
/*! @azure/msal-common v16.
|
|
1118
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1098
1119
|
|
|
1099
1120
|
/*
|
|
1100
1121
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1137,7 +1158,7 @@
|
|
|
1137
1158
|
}
|
|
1138
1159
|
}
|
|
1139
1160
|
catch (e) {
|
|
1140
|
-
throw createClientAuthError(hashNotDeserialized);
|
|
1161
|
+
throw createClientAuthError(hashNotDeserialized, "");
|
|
1141
1162
|
}
|
|
1142
1163
|
return null;
|
|
1143
1164
|
}
|
|
@@ -1193,8 +1214,8 @@
|
|
|
1193
1214
|
return urlObj.href;
|
|
1194
1215
|
}
|
|
1195
1216
|
catch (e) {
|
|
1196
|
-
logger?.error(
|
|
1197
|
-
throw createClientConfigurationError(urlParseError);
|
|
1217
|
+
logger?.error(`15apdm ${e}`, correlationId || "");
|
|
1218
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
1198
1219
|
}
|
|
1199
1220
|
}
|
|
1200
1221
|
/**
|
|
@@ -1211,12 +1232,12 @@
|
|
|
1211
1232
|
new URL(url);
|
|
1212
1233
|
}
|
|
1213
1234
|
catch (e) {
|
|
1214
|
-
logger?.error(
|
|
1215
|
-
throw createClientConfigurationError(urlParseError);
|
|
1235
|
+
logger?.error(`1lrjz7 ${e}`, correlationId || "");
|
|
1236
|
+
throw createClientConfigurationError(urlParseError, correlationId || "");
|
|
1216
1237
|
}
|
|
1217
1238
|
}
|
|
1218
1239
|
|
|
1219
|
-
/*! @azure/msal-common v16.
|
|
1240
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1220
1241
|
|
|
1221
1242
|
/*
|
|
1222
1243
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1224,38 +1245,38 @@
|
|
|
1224
1245
|
*/
|
|
1225
1246
|
const DEFAULT_CRYPTO_IMPLEMENTATION = {
|
|
1226
1247
|
createNewGuid: () => {
|
|
1227
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1248
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1228
1249
|
},
|
|
1229
1250
|
base64Decode: () => {
|
|
1230
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1251
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1231
1252
|
},
|
|
1232
1253
|
base64Encode: () => {
|
|
1233
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1254
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1234
1255
|
},
|
|
1235
1256
|
base64UrlEncode: () => {
|
|
1236
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1257
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1237
1258
|
},
|
|
1238
1259
|
encodeKid: () => {
|
|
1239
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1260
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1240
1261
|
},
|
|
1241
1262
|
async getPublicKeyThumbprint() {
|
|
1242
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1263
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1243
1264
|
},
|
|
1244
1265
|
async removeTokenBindingKey() {
|
|
1245
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1266
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1246
1267
|
},
|
|
1247
1268
|
async clearKeystore() {
|
|
1248
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1269
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1249
1270
|
},
|
|
1250
1271
|
async signJwt() {
|
|
1251
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1272
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1252
1273
|
},
|
|
1253
1274
|
async hashString() {
|
|
1254
|
-
throw createClientAuthError(methodNotImplemented);
|
|
1275
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
1255
1276
|
},
|
|
1256
1277
|
};
|
|
1257
1278
|
|
|
1258
|
-
/*! @azure/msal-common v16.
|
|
1279
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1259
1280
|
/*
|
|
1260
1281
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1261
1282
|
* Licensed under the MIT License.
|
|
@@ -1318,22 +1339,36 @@
|
|
|
1318
1339
|
}
|
|
1319
1340
|
}
|
|
1320
1341
|
/**
|
|
1321
|
-
*
|
|
1322
|
-
|
|
1323
|
-
|
|
1324
|
-
|
|
1325
|
-
|
|
1342
|
+
* Extracts the leading minification hash from a log message, if present.
|
|
1343
|
+
*
|
|
1344
|
+
* Minified messages are produced by the logger-minify rollup plugin and are
|
|
1345
|
+
* either a bare 6-character alphanumeric hash, or that hash followed by a space
|
|
1346
|
+
* and runtime variables appended for local (console) logging, e.g.
|
|
1347
|
+
* "abc123 user-1 popup". Only the leading hash is returned so that telemetry
|
|
1348
|
+
* never captures the appended variables. Returns null when the message is not
|
|
1349
|
+
* a minified message.
|
|
1350
|
+
*/
|
|
1351
|
+
function getMessageHash(str) {
|
|
1352
|
+
if (str.length < 6) {
|
|
1353
|
+
return null;
|
|
1326
1354
|
}
|
|
1327
|
-
|
|
1355
|
+
/*
|
|
1356
|
+
* If the message is longer than the hash, the hash must be delimited by a
|
|
1357
|
+
* space (the separator the plugin inserts before appended variables).
|
|
1358
|
+
*/
|
|
1359
|
+
if (str.length > 6 && str[6] !== " ") {
|
|
1360
|
+
return null;
|
|
1361
|
+
}
|
|
1362
|
+
for (let i = 0; i < 6; i++) {
|
|
1328
1363
|
const char = str[i];
|
|
1329
1364
|
const isAlphaNumeric = (char >= "a" && char <= "z") ||
|
|
1330
1365
|
(char >= "A" && char <= "Z") ||
|
|
1331
1366
|
(char >= "0" && char <= "9");
|
|
1332
1367
|
if (!isAlphaNumeric) {
|
|
1333
|
-
return
|
|
1368
|
+
return null;
|
|
1334
1369
|
}
|
|
1335
1370
|
}
|
|
1336
|
-
return
|
|
1371
|
+
return str.substring(0, 6);
|
|
1337
1372
|
}
|
|
1338
1373
|
/**
|
|
1339
1374
|
* Class which facilitates logging of messages to a specific place.
|
|
@@ -1380,10 +1415,10 @@
|
|
|
1380
1415
|
*/
|
|
1381
1416
|
logMessage(logMessage, options) {
|
|
1382
1417
|
const correlationId = options.correlationId;
|
|
1383
|
-
const
|
|
1384
|
-
if (
|
|
1418
|
+
const messageHash = getMessageHash(logMessage);
|
|
1419
|
+
if (messageHash) {
|
|
1385
1420
|
const loggedMessage = {
|
|
1386
|
-
hash:
|
|
1421
|
+
hash: messageHash,
|
|
1387
1422
|
level: options.logLevel,
|
|
1388
1423
|
containsPii: options.containsPii || false,
|
|
1389
1424
|
milliseconds: 0, // Will be calculated in addLogToCache
|
|
@@ -1516,12 +1551,12 @@
|
|
|
1516
1551
|
}
|
|
1517
1552
|
}
|
|
1518
1553
|
|
|
1519
|
-
/*! @azure/msal-common v16.
|
|
1554
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1520
1555
|
/* eslint-disable header/header */
|
|
1521
1556
|
const name$1 = "@azure/msal-common";
|
|
1522
|
-
const version$1 = "16.
|
|
1557
|
+
const version$1 = "16.10.0";
|
|
1523
1558
|
|
|
1524
|
-
/*! @azure/msal-common v16.
|
|
1559
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1525
1560
|
/*
|
|
1526
1561
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1527
1562
|
* Licensed under the MIT License.
|
|
@@ -1530,7 +1565,74 @@
|
|
|
1530
1565
|
// AzureCloudInstance is not specified.
|
|
1531
1566
|
None: "none"};
|
|
1532
1567
|
|
|
1533
|
-
/*! @azure/msal-common v16.
|
|
1568
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1569
|
+
|
|
1570
|
+
/*
|
|
1571
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1572
|
+
* Licensed under the MIT License.
|
|
1573
|
+
*/
|
|
1574
|
+
/**
|
|
1575
|
+
* Extract token by decoding the rawToken
|
|
1576
|
+
*
|
|
1577
|
+
* @param encodedToken
|
|
1578
|
+
*/
|
|
1579
|
+
function extractTokenClaims(encodedToken, base64Decode, correlationId) {
|
|
1580
|
+
const jswPayload = getJWSPayload(encodedToken, correlationId);
|
|
1581
|
+
// token will be decoded to get the username
|
|
1582
|
+
try {
|
|
1583
|
+
// base64Decode() should throw an error if there is an issue
|
|
1584
|
+
const base64Decoded = base64Decode(jswPayload);
|
|
1585
|
+
return JSON.parse(base64Decoded);
|
|
1586
|
+
}
|
|
1587
|
+
catch (err) {
|
|
1588
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
1589
|
+
}
|
|
1590
|
+
}
|
|
1591
|
+
/**
|
|
1592
|
+
* Check if the signin_state claim contains "kmsi"
|
|
1593
|
+
* @param idTokenClaims
|
|
1594
|
+
* @returns
|
|
1595
|
+
*/
|
|
1596
|
+
function isKmsi(idTokenClaims) {
|
|
1597
|
+
if (!idTokenClaims.signin_state) {
|
|
1598
|
+
return false;
|
|
1599
|
+
}
|
|
1600
|
+
/**
|
|
1601
|
+
* Signin_state claim known values:
|
|
1602
|
+
* dvc_mngd - device is managed
|
|
1603
|
+
* dvc_dmjd - device is domain joined
|
|
1604
|
+
* kmsi - user opted to "keep me signed in"
|
|
1605
|
+
* inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
|
|
1606
|
+
*/
|
|
1607
|
+
const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
|
|
1608
|
+
return idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
|
|
1609
|
+
}
|
|
1610
|
+
/**
|
|
1611
|
+
* decode a JWT
|
|
1612
|
+
*
|
|
1613
|
+
* @param authToken
|
|
1614
|
+
*/
|
|
1615
|
+
function getJWSPayload(authToken, correlationId) {
|
|
1616
|
+
if (!authToken) {
|
|
1617
|
+
throw createClientAuthError(nullOrEmptyToken, correlationId);
|
|
1618
|
+
}
|
|
1619
|
+
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
|
|
1620
|
+
const matches = tokenPartsRegex.exec(authToken);
|
|
1621
|
+
if (!matches || matches.length < 4) {
|
|
1622
|
+
throw createClientAuthError(tokenParsingError, correlationId);
|
|
1623
|
+
}
|
|
1624
|
+
/**
|
|
1625
|
+
* const crackedToken = {
|
|
1626
|
+
* header: matches[1],
|
|
1627
|
+
* JWSPayload: matches[2],
|
|
1628
|
+
* JWSSig: matches[3],
|
|
1629
|
+
* };
|
|
1630
|
+
*/
|
|
1631
|
+
return matches[2];
|
|
1632
|
+
}
|
|
1633
|
+
|
|
1634
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1635
|
+
|
|
1534
1636
|
/*
|
|
1535
1637
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1536
1638
|
* Licensed under the MIT License.
|
|
@@ -1551,10 +1653,11 @@
|
|
|
1551
1653
|
* @param homeAccountId - Home account identifier for this account object
|
|
1552
1654
|
* @param localAccountId - Local account identifer for this account object
|
|
1553
1655
|
* @param tenantId - Full tenant or organizational id that this account belongs to
|
|
1656
|
+
* @param nativeAccountId - Native account identifier for this tenant
|
|
1554
1657
|
* @param idTokenClaims - Claims from the ID token
|
|
1555
1658
|
* @returns
|
|
1556
1659
|
*/
|
|
1557
|
-
function buildTenantProfile(homeAccountId, localAccountId, tenantId, idTokenClaims) {
|
|
1660
|
+
function buildTenantProfile(homeAccountId, localAccountId, tenantId, nativeAccountId, idTokenClaims) {
|
|
1558
1661
|
if (idTokenClaims) {
|
|
1559
1662
|
const { oid, sub, tid, name, tfp, acr, preferred_username, upn, login_hint, } = idTokenClaims;
|
|
1560
1663
|
/**
|
|
@@ -1572,6 +1675,7 @@
|
|
|
1572
1675
|
loginHint: login_hint,
|
|
1573
1676
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
1574
1677
|
upn: upn,
|
|
1678
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
1575
1679
|
};
|
|
1576
1680
|
}
|
|
1577
1681
|
else {
|
|
@@ -1580,6 +1684,7 @@
|
|
|
1580
1684
|
localAccountId,
|
|
1581
1685
|
username: "",
|
|
1582
1686
|
isHomeTenant: tenantIdMatchesHomeTenant(tenantId, homeAccountId),
|
|
1687
|
+
...(nativeAccountId && { nativeAccountId }),
|
|
1583
1688
|
};
|
|
1584
1689
|
}
|
|
1585
1690
|
}
|
|
@@ -1601,99 +1706,20 @@
|
|
|
1601
1706
|
if (idTokenClaims) {
|
|
1602
1707
|
// Ignore isHomeTenant which is a utility property of tenant profile but not required in base account info
|
|
1603
1708
|
// eslint-disable-next-line @typescript-eslint/no-unused-vars
|
|
1604
|
-
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, idTokenClaims);
|
|
1709
|
+
const { isHomeTenant, ...claimsSourcedTenantProfile } = buildTenantProfile(baseAccountInfo.homeAccountId, baseAccountInfo.localAccountId, baseAccountInfo.tenantId, updatedAccountInfo.nativeAccountId, idTokenClaims);
|
|
1605
1710
|
updatedAccountInfo = {
|
|
1606
1711
|
...updatedAccountInfo,
|
|
1607
1712
|
...claimsSourcedTenantProfile,
|
|
1608
1713
|
idTokenClaims: idTokenClaims,
|
|
1609
1714
|
idToken: idTokenSecret,
|
|
1715
|
+
kmsi: isKmsi(idTokenClaims),
|
|
1610
1716
|
};
|
|
1611
1717
|
return updatedAccountInfo;
|
|
1612
1718
|
}
|
|
1613
1719
|
return updatedAccountInfo;
|
|
1614
1720
|
}
|
|
1615
1721
|
|
|
1616
|
-
/*! @azure/msal-common v16.
|
|
1617
|
-
|
|
1618
|
-
/*
|
|
1619
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
1620
|
-
* Licensed under the MIT License.
|
|
1621
|
-
*/
|
|
1622
|
-
/**
|
|
1623
|
-
* Extract token by decoding the rawToken
|
|
1624
|
-
*
|
|
1625
|
-
* @param encodedToken
|
|
1626
|
-
*/
|
|
1627
|
-
function extractTokenClaims(encodedToken, base64Decode) {
|
|
1628
|
-
const jswPayload = getJWSPayload(encodedToken);
|
|
1629
|
-
// token will be decoded to get the username
|
|
1630
|
-
try {
|
|
1631
|
-
// base64Decode() should throw an error if there is an issue
|
|
1632
|
-
const base64Decoded = base64Decode(jswPayload);
|
|
1633
|
-
return JSON.parse(base64Decoded);
|
|
1634
|
-
}
|
|
1635
|
-
catch (err) {
|
|
1636
|
-
throw createClientAuthError(tokenParsingError);
|
|
1637
|
-
}
|
|
1638
|
-
}
|
|
1639
|
-
/**
|
|
1640
|
-
* Check if the signin_state claim contains "kmsi"
|
|
1641
|
-
* @param idTokenClaims
|
|
1642
|
-
* @returns
|
|
1643
|
-
*/
|
|
1644
|
-
function isKmsi(idTokenClaims) {
|
|
1645
|
-
if (!idTokenClaims.signin_state) {
|
|
1646
|
-
return false;
|
|
1647
|
-
}
|
|
1648
|
-
/**
|
|
1649
|
-
* Signin_state claim known values:
|
|
1650
|
-
* dvc_mngd - device is managed
|
|
1651
|
-
* dvc_dmjd - device is domain joined
|
|
1652
|
-
* kmsi - user opted to "keep me signed in"
|
|
1653
|
-
* inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
|
|
1654
|
-
*/
|
|
1655
|
-
const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
|
|
1656
|
-
return idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
|
|
1657
|
-
}
|
|
1658
|
-
/**
|
|
1659
|
-
* decode a JWT
|
|
1660
|
-
*
|
|
1661
|
-
* @param authToken
|
|
1662
|
-
*/
|
|
1663
|
-
function getJWSPayload(authToken) {
|
|
1664
|
-
if (!authToken) {
|
|
1665
|
-
throw createClientAuthError(nullOrEmptyToken);
|
|
1666
|
-
}
|
|
1667
|
-
const tokenPartsRegex = /^([^\.\s]*)\.([^\.\s]+)\.([^\.\s]*)$/;
|
|
1668
|
-
const matches = tokenPartsRegex.exec(authToken);
|
|
1669
|
-
if (!matches || matches.length < 4) {
|
|
1670
|
-
throw createClientAuthError(tokenParsingError);
|
|
1671
|
-
}
|
|
1672
|
-
/**
|
|
1673
|
-
* const crackedToken = {
|
|
1674
|
-
* header: matches[1],
|
|
1675
|
-
* JWSPayload: matches[2],
|
|
1676
|
-
* JWSSig: matches[3],
|
|
1677
|
-
* };
|
|
1678
|
-
*/
|
|
1679
|
-
return matches[2];
|
|
1680
|
-
}
|
|
1681
|
-
/**
|
|
1682
|
-
* Determine if the token's max_age has transpired
|
|
1683
|
-
*/
|
|
1684
|
-
function checkMaxAge(authTime, maxAge) {
|
|
1685
|
-
/*
|
|
1686
|
-
* per https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
|
|
1687
|
-
* To force an immediate re-authentication: If an app requires that a user re-authenticate prior to access,
|
|
1688
|
-
* provide a value of 0 for the max_age parameter and the AS will force a fresh login.
|
|
1689
|
-
*/
|
|
1690
|
-
const fiveMinuteSkew = 300000; // five minutes in milliseconds
|
|
1691
|
-
if (maxAge === 0 || Date.now() - fiveMinuteSkew > authTime + maxAge) {
|
|
1692
|
-
throw createClientAuthError(maxAgeTranspired);
|
|
1693
|
-
}
|
|
1694
|
-
}
|
|
1695
|
-
|
|
1696
|
-
/*! @azure/msal-common v16.8.0 2026-06-10 */
|
|
1722
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1697
1723
|
|
|
1698
1724
|
/*
|
|
1699
1725
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1706,11 +1732,12 @@
|
|
|
1706
1732
|
get urlString() {
|
|
1707
1733
|
return this._urlString;
|
|
1708
1734
|
}
|
|
1709
|
-
constructor(url) {
|
|
1735
|
+
constructor(url, correlationId) {
|
|
1710
1736
|
this._urlString = url;
|
|
1737
|
+
this.correlationId = correlationId;
|
|
1711
1738
|
if (!this._urlString) {
|
|
1712
1739
|
// Throws error if url is empty
|
|
1713
|
-
throw createClientConfigurationError(urlEmptyError);
|
|
1740
|
+
throw createClientConfigurationError(urlEmptyError, correlationId);
|
|
1714
1741
|
}
|
|
1715
1742
|
if (!url.includes("#")) {
|
|
1716
1743
|
this._urlString = UrlString.canonicalizeUri(url);
|
|
@@ -1746,16 +1773,16 @@
|
|
|
1746
1773
|
components = this.getUrlComponents();
|
|
1747
1774
|
}
|
|
1748
1775
|
catch (e) {
|
|
1749
|
-
throw createClientConfigurationError(urlParseError);
|
|
1776
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
1750
1777
|
}
|
|
1751
1778
|
// Throw error if URI or path segments are not parseable.
|
|
1752
1779
|
if (!components.HostNameAndPort || !components.PathSegments) {
|
|
1753
|
-
throw createClientConfigurationError(urlParseError);
|
|
1780
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
1754
1781
|
}
|
|
1755
1782
|
// Throw error if uri is insecure.
|
|
1756
1783
|
if (!components.Protocol ||
|
|
1757
1784
|
components.Protocol.toLowerCase() !== "https:") {
|
|
1758
|
-
throw createClientConfigurationError(authorityUriInsecure);
|
|
1785
|
+
throw createClientConfigurationError(authorityUriInsecure, this.correlationId);
|
|
1759
1786
|
}
|
|
1760
1787
|
}
|
|
1761
1788
|
/**
|
|
@@ -1792,7 +1819,7 @@
|
|
|
1792
1819
|
pathArray[0] === AADAuthority.ORGANIZATIONS)) {
|
|
1793
1820
|
pathArray[0] = tenantId;
|
|
1794
1821
|
}
|
|
1795
|
-
return UrlString.constructAuthorityUriFromObject(urlObject);
|
|
1822
|
+
return UrlString.constructAuthorityUriFromObject(urlObject, this.correlationId);
|
|
1796
1823
|
}
|
|
1797
1824
|
/**
|
|
1798
1825
|
* Parses out the components from a url string.
|
|
@@ -1804,7 +1831,7 @@
|
|
|
1804
1831
|
// If url string does not match regEx, we throw an error
|
|
1805
1832
|
const match = this.urlString.match(regEx);
|
|
1806
1833
|
if (!match) {
|
|
1807
|
-
throw createClientConfigurationError(urlParseError);
|
|
1834
|
+
throw createClientConfigurationError(urlParseError, this.correlationId);
|
|
1808
1835
|
}
|
|
1809
1836
|
// Url component object
|
|
1810
1837
|
const urlComponents = {
|
|
@@ -1822,17 +1849,17 @@
|
|
|
1822
1849
|
}
|
|
1823
1850
|
return urlComponents;
|
|
1824
1851
|
}
|
|
1825
|
-
static getDomainFromUrl(url) {
|
|
1852
|
+
static getDomainFromUrl(url, correlationId) {
|
|
1826
1853
|
const regEx = RegExp("^([^:/?#]+://)?([^/?#]*)");
|
|
1827
1854
|
const match = url.match(regEx);
|
|
1828
1855
|
if (!match) {
|
|
1829
|
-
throw createClientConfigurationError(urlParseError);
|
|
1856
|
+
throw createClientConfigurationError(urlParseError, correlationId);
|
|
1830
1857
|
}
|
|
1831
1858
|
return match[2];
|
|
1832
1859
|
}
|
|
1833
|
-
static getAbsoluteUrl(relativeUrl, baseUrl) {
|
|
1860
|
+
static getAbsoluteUrl(relativeUrl, baseUrl, correlationId) {
|
|
1834
1861
|
if (relativeUrl[0] === FORWARD_SLASH) {
|
|
1835
|
-
const url = new UrlString(baseUrl);
|
|
1862
|
+
const url = new UrlString(baseUrl, correlationId);
|
|
1836
1863
|
const baseComponents = url.getUrlComponents();
|
|
1837
1864
|
return (baseComponents.Protocol +
|
|
1838
1865
|
"//" +
|
|
@@ -1841,16 +1868,16 @@
|
|
|
1841
1868
|
}
|
|
1842
1869
|
return relativeUrl;
|
|
1843
1870
|
}
|
|
1844
|
-
static constructAuthorityUriFromObject(urlObject) {
|
|
1871
|
+
static constructAuthorityUriFromObject(urlObject, correlationId) {
|
|
1845
1872
|
return new UrlString(urlObject.Protocol +
|
|
1846
1873
|
"//" +
|
|
1847
1874
|
urlObject.HostNameAndPort +
|
|
1848
1875
|
"/" +
|
|
1849
|
-
urlObject.PathSegments.join("/"));
|
|
1876
|
+
urlObject.PathSegments.join("/"), correlationId);
|
|
1850
1877
|
}
|
|
1851
1878
|
}
|
|
1852
1879
|
|
|
1853
|
-
/*! @azure/msal-common v16.
|
|
1880
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
1854
1881
|
|
|
1855
1882
|
/*
|
|
1856
1883
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -1966,10 +1993,10 @@
|
|
|
1966
1993
|
let staticAliases;
|
|
1967
1994
|
const canonicalAuthority = staticAuthorityOptions.canonicalAuthority;
|
|
1968
1995
|
if (canonicalAuthority) {
|
|
1969
|
-
const authorityHost = new UrlString(canonicalAuthority).getUrlComponents().HostNameAndPort;
|
|
1996
|
+
const authorityHost = new UrlString(canonicalAuthority, correlationId).getUrlComponents().HostNameAndPort;
|
|
1970
1997
|
staticAliases =
|
|
1971
|
-
getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata) ||
|
|
1972
|
-
getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata) ||
|
|
1998
|
+
getAliasesFromMetadata(logger, correlationId, authorityHost, staticAuthorityOptions.cloudDiscoveryMetadata?.metadata, AuthorityMetadataSource.CONFIG) ||
|
|
1999
|
+
getAliasesFromMetadata(logger, correlationId, authorityHost, InstanceDiscoveryMetadata.metadata, AuthorityMetadataSource.HARDCODED_VALUES) ||
|
|
1973
2000
|
staticAuthorityOptions.knownAuthorities;
|
|
1974
2001
|
}
|
|
1975
2002
|
return staticAliases || [];
|
|
@@ -1981,15 +2008,15 @@
|
|
|
1981
2008
|
* @returns
|
|
1982
2009
|
*/
|
|
1983
2010
|
function getAliasesFromMetadata(logger, correlationId, authorityHost, cloudDiscoveryMetadata, source) {
|
|
1984
|
-
logger.trace(
|
|
2011
|
+
logger.trace(`1bmquz ${source}`, correlationId);
|
|
1985
2012
|
if (authorityHost && cloudDiscoveryMetadata) {
|
|
1986
2013
|
const metadata = getCloudDiscoveryMetadataFromNetworkResponse(cloudDiscoveryMetadata, authorityHost);
|
|
1987
2014
|
if (metadata) {
|
|
1988
|
-
logger.trace(
|
|
2015
|
+
logger.trace(`1fotbt ${source}`, correlationId);
|
|
1989
2016
|
return metadata.aliases;
|
|
1990
2017
|
}
|
|
1991
2018
|
else {
|
|
1992
|
-
logger.trace(
|
|
2019
|
+
logger.trace(`14avvj ${source}`, correlationId);
|
|
1993
2020
|
}
|
|
1994
2021
|
}
|
|
1995
2022
|
return null;
|
|
@@ -2016,7 +2043,7 @@
|
|
|
2016
2043
|
return null;
|
|
2017
2044
|
}
|
|
2018
2045
|
|
|
2019
|
-
/*! @azure/msal-common v16.
|
|
2046
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2020
2047
|
/*
|
|
2021
2048
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2022
2049
|
* Licensed under the MIT License.
|
|
@@ -2024,7 +2051,7 @@
|
|
|
2024
2051
|
const cacheQuotaExceeded = "cache_quota_exceeded";
|
|
2025
2052
|
const cacheErrorUnknown = "cache_error_unknown";
|
|
2026
2053
|
|
|
2027
|
-
/*! @azure/msal-common v16.
|
|
2054
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2028
2055
|
|
|
2029
2056
|
/*
|
|
2030
2057
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2062,7 +2089,7 @@
|
|
|
2062
2089
|
}
|
|
2063
2090
|
}
|
|
2064
2091
|
|
|
2065
|
-
/*! @azure/msal-common v16.
|
|
2092
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2066
2093
|
|
|
2067
2094
|
/*
|
|
2068
2095
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2075,14 +2102,14 @@
|
|
|
2075
2102
|
*/
|
|
2076
2103
|
function buildClientInfo(rawClientInfo, base64Decode) {
|
|
2077
2104
|
if (!rawClientInfo) {
|
|
2078
|
-
throw createClientAuthError(clientInfoEmptyError);
|
|
2105
|
+
throw createClientAuthError(clientInfoEmptyError, "");
|
|
2079
2106
|
}
|
|
2080
2107
|
try {
|
|
2081
2108
|
const decodedClientInfo = base64Decode(rawClientInfo);
|
|
2082
2109
|
return JSON.parse(decodedClientInfo);
|
|
2083
2110
|
}
|
|
2084
2111
|
catch (e) {
|
|
2085
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
2112
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
2086
2113
|
}
|
|
2087
2114
|
}
|
|
2088
2115
|
/**
|
|
@@ -2091,7 +2118,7 @@
|
|
|
2091
2118
|
*/
|
|
2092
2119
|
function buildClientInfoFromHomeAccountId(homeAccountId) {
|
|
2093
2120
|
if (!homeAccountId) {
|
|
2094
|
-
throw createClientAuthError(clientInfoDecodingError);
|
|
2121
|
+
throw createClientAuthError(clientInfoDecodingError, "");
|
|
2095
2122
|
}
|
|
2096
2123
|
const clientInfoParts = homeAccountId.split(CLIENT_INFO_SEPARATOR, 2);
|
|
2097
2124
|
return {
|
|
@@ -2100,7 +2127,7 @@
|
|
|
2100
2127
|
};
|
|
2101
2128
|
}
|
|
2102
2129
|
|
|
2103
|
-
/*! @azure/msal-common v16.
|
|
2130
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2104
2131
|
/*
|
|
2105
2132
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2106
2133
|
* Licensed under the MIT License.
|
|
@@ -2115,7 +2142,7 @@
|
|
|
2115
2142
|
Ciam: 3,
|
|
2116
2143
|
};
|
|
2117
2144
|
|
|
2118
|
-
/*! @azure/msal-common v16.
|
|
2145
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2119
2146
|
/*
|
|
2120
2147
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2121
2148
|
* Licensed under the MIT License.
|
|
@@ -2137,7 +2164,7 @@
|
|
|
2137
2164
|
return null;
|
|
2138
2165
|
}
|
|
2139
2166
|
|
|
2140
|
-
/*! @azure/msal-common v16.
|
|
2167
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2141
2168
|
/*
|
|
2142
2169
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
2143
2170
|
* Licensed under the MIT License.
|
|
@@ -2161,9 +2188,10 @@
|
|
|
2161
2188
|
EAR: "EAR",
|
|
2162
2189
|
};
|
|
2163
2190
|
|
|
2164
|
-
/*! @azure/msal-common v16.
|
|
2191
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2165
2192
|
/**
|
|
2166
2193
|
* Returns the AccountInfo interface for this account.
|
|
2194
|
+
* @internal
|
|
2167
2195
|
*/
|
|
2168
2196
|
function getAccountInfo(accountEntity) {
|
|
2169
2197
|
const tenantProfiles = accountEntity.tenantProfiles || [];
|
|
@@ -2171,8 +2199,11 @@
|
|
|
2171
2199
|
if (tenantProfiles.length === 0 &&
|
|
2172
2200
|
accountEntity.realm &&
|
|
2173
2201
|
accountEntity.localAccountId) {
|
|
2174
|
-
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm));
|
|
2202
|
+
tenantProfiles.push(buildTenantProfile(accountEntity.homeAccountId, accountEntity.localAccountId, accountEntity.realm, accountEntity.nativeAccountId));
|
|
2175
2203
|
}
|
|
2204
|
+
// Resolve nativeAccountId from the home tenant profile first, fall back to top-level (deprecated) for old cache entries
|
|
2205
|
+
const homeTenantProfile = tenantProfiles.find((tp) => tp.tenantId === accountEntity.realm);
|
|
2206
|
+
const nativeAccountId = homeTenantProfile?.nativeAccountId || accountEntity.nativeAccountId;
|
|
2176
2207
|
return {
|
|
2177
2208
|
homeAccountId: accountEntity.homeAccountId,
|
|
2178
2209
|
environment: accountEntity.environment,
|
|
@@ -2181,7 +2212,7 @@
|
|
|
2181
2212
|
localAccountId: accountEntity.localAccountId,
|
|
2182
2213
|
loginHint: accountEntity.loginHint,
|
|
2183
2214
|
name: accountEntity.name,
|
|
2184
|
-
nativeAccountId:
|
|
2215
|
+
nativeAccountId: nativeAccountId,
|
|
2185
2216
|
authorityType: accountEntity.authorityType,
|
|
2186
2217
|
// Deserialize tenant profiles array into a Map
|
|
2187
2218
|
tenantProfiles: new Map(tenantProfiles.map((tenantProfile) => {
|
|
@@ -2193,8 +2224,9 @@
|
|
|
2193
2224
|
/**
|
|
2194
2225
|
* Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
|
|
2195
2226
|
* @param accountDetails
|
|
2227
|
+
* @internal
|
|
2196
2228
|
*/
|
|
2197
|
-
function createAccountEntity(accountDetails, authority, base64Decode) {
|
|
2229
|
+
function createAccountEntity(accountDetails, authority, correlationId, base64Decode) {
|
|
2198
2230
|
let authorityType;
|
|
2199
2231
|
if (authority.authorityType === AuthorityType.Adfs) {
|
|
2200
2232
|
authorityType = CACHE_ACCOUNT_TYPE_ADFS;
|
|
@@ -2216,7 +2248,7 @@
|
|
|
2216
2248
|
const env = accountDetails.environment ||
|
|
2217
2249
|
(authority && authority.getPreferredCache());
|
|
2218
2250
|
if (!env) {
|
|
2219
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
2251
|
+
throw createClientAuthError(invalidCacheEnvironment, correlationId);
|
|
2220
2252
|
}
|
|
2221
2253
|
/*
|
|
2222
2254
|
* In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
|
|
@@ -2243,7 +2275,7 @@
|
|
|
2243
2275
|
tenantProfiles = accountDetails.tenantProfiles;
|
|
2244
2276
|
}
|
|
2245
2277
|
else {
|
|
2246
|
-
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.idTokenClaims);
|
|
2278
|
+
const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, localAccountId, realm, accountDetails.nativeAccountId, accountDetails.idTokenClaims);
|
|
2247
2279
|
tenantProfiles = [tenantProfile];
|
|
2248
2280
|
}
|
|
2249
2281
|
return {
|
|
@@ -2271,6 +2303,7 @@
|
|
|
2271
2303
|
* @param cloudGraphHostName
|
|
2272
2304
|
* @param msGraphHost
|
|
2273
2305
|
* @returns
|
|
2306
|
+
* @internal
|
|
2274
2307
|
*/
|
|
2275
2308
|
function createAccountEntityFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
|
|
2276
2309
|
// Serialize tenant profiles map into an array
|
|
@@ -2279,7 +2312,14 @@
|
|
|
2279
2312
|
if (tenantProfiles.length === 0 &&
|
|
2280
2313
|
accountInfo.tenantId &&
|
|
2281
2314
|
accountInfo.localAccountId) {
|
|
2282
|
-
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.idTokenClaims));
|
|
2315
|
+
tenantProfiles.push(buildTenantProfile(accountInfo.homeAccountId, accountInfo.localAccountId, accountInfo.tenantId, accountInfo.nativeAccountId, accountInfo.idTokenClaims));
|
|
2316
|
+
}
|
|
2317
|
+
else if (accountInfo.nativeAccountId) {
|
|
2318
|
+
// Ensure nativeAccountId is set on the matching tenant profile
|
|
2319
|
+
const matchingProfile = tenantProfiles.find((tp) => tp.tenantId === accountInfo.tenantId);
|
|
2320
|
+
if (matchingProfile && !matchingProfile.nativeAccountId) {
|
|
2321
|
+
matchingProfile.nativeAccountId = accountInfo.nativeAccountId;
|
|
2322
|
+
}
|
|
2283
2323
|
}
|
|
2284
2324
|
return {
|
|
2285
2325
|
authorityType: accountInfo.authorityType || CACHE_ACCOUNT_TYPE_GENERIC,
|
|
@@ -2323,6 +2363,7 @@
|
|
|
2323
2363
|
/**
|
|
2324
2364
|
* Validates an entity: checks for all expected params
|
|
2325
2365
|
* @param entity
|
|
2366
|
+
* @internal
|
|
2326
2367
|
*/
|
|
2327
2368
|
function isAccountEntity(entity) {
|
|
2328
2369
|
if (!entity) {
|
|
@@ -2336,7 +2377,7 @@
|
|
|
2336
2377
|
entity.hasOwnProperty("authorityType"));
|
|
2337
2378
|
}
|
|
2338
2379
|
|
|
2339
|
-
/*! @azure/msal-common v16.
|
|
2380
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
2340
2381
|
|
|
2341
2382
|
/*
|
|
2342
2383
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -2425,7 +2466,7 @@
|
|
|
2425
2466
|
}
|
|
2426
2467
|
const idToken = this.getIdToken(accountInfo, correlationId, tokenKeys, tenantProfile.tenantId);
|
|
2427
2468
|
if (idToken) {
|
|
2428
|
-
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode);
|
|
2469
|
+
idTokenClaims = extractTokenClaims(idToken.secret, this.cryptoImpl.base64Decode, correlationId);
|
|
2429
2470
|
if (!this.idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter)) {
|
|
2430
2471
|
// ID token sourced claims don't match so this tenant profile is not a match
|
|
2431
2472
|
return null;
|
|
@@ -2488,6 +2529,11 @@
|
|
|
2488
2529
|
!(tenantProfile.upn === tenantProfileFilter.upn)) {
|
|
2489
2530
|
return false;
|
|
2490
2531
|
}
|
|
2532
|
+
if (!!tenantProfileFilter.nativeAccountId &&
|
|
2533
|
+
tenantProfile.nativeAccountId !==
|
|
2534
|
+
tenantProfileFilter.nativeAccountId) {
|
|
2535
|
+
return false;
|
|
2536
|
+
}
|
|
2491
2537
|
return true;
|
|
2492
2538
|
}
|
|
2493
2539
|
idTokenClaimsMatchTenantProfileFilter(idTokenClaims, tenantProfileFilter) {
|
|
@@ -2525,7 +2571,7 @@
|
|
|
2525
2571
|
*/
|
|
2526
2572
|
async saveCacheRecord(cacheRecord, correlationId, kmsi, apiId, storeInCache) {
|
|
2527
2573
|
if (!cacheRecord) {
|
|
2528
|
-
throw createClientAuthError(invalidCacheRecord);
|
|
2574
|
+
throw createClientAuthError(invalidCacheRecord, correlationId);
|
|
2529
2575
|
}
|
|
2530
2576
|
try {
|
|
2531
2577
|
if (!!cacheRecord.account) {
|
|
@@ -2570,7 +2616,7 @@
|
|
|
2570
2616
|
tokenType: credential.tokenType,
|
|
2571
2617
|
};
|
|
2572
2618
|
const tokenKeys = this.getTokenKeys();
|
|
2573
|
-
const currentScopes = ScopeSet.fromString(credential.target);
|
|
2619
|
+
const currentScopes = ScopeSet.fromString(credential.target, correlationId);
|
|
2574
2620
|
tokenKeys.accessToken.forEach((key) => {
|
|
2575
2621
|
if (!this.accessTokenKeyMatchesFilter(key, accessTokenFilter, false)) {
|
|
2576
2622
|
return;
|
|
@@ -2578,7 +2624,7 @@
|
|
|
2578
2624
|
const tokenEntity = this.getAccessTokenCredential(key, correlationId);
|
|
2579
2625
|
if (tokenEntity &&
|
|
2580
2626
|
this.credentialMatchesFilter(tokenEntity, accessTokenFilter, correlationId)) {
|
|
2581
|
-
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target);
|
|
2627
|
+
const tokenScopeSet = ScopeSet.fromString(tokenEntity.target, correlationId);
|
|
2582
2628
|
if (tokenScopeSet.intersectingScopeSets(currentScopes)) {
|
|
2583
2629
|
this.removeAccessToken(key, correlationId);
|
|
2584
2630
|
}
|
|
@@ -2612,10 +2658,6 @@
|
|
|
2612
2658
|
!this.matchRealm(entity, accountFilter.realm)) {
|
|
2613
2659
|
return;
|
|
2614
2660
|
}
|
|
2615
|
-
if (!!accountFilter.nativeAccountId &&
|
|
2616
|
-
!this.matchNativeAccountId(entity, accountFilter.nativeAccountId)) {
|
|
2617
|
-
return;
|
|
2618
|
-
}
|
|
2619
2661
|
if (!!accountFilter.authorityType &&
|
|
2620
2662
|
!this.matchAuthorityType(entity, accountFilter.authorityType)) {
|
|
2621
2663
|
return;
|
|
@@ -2627,6 +2669,7 @@
|
|
|
2627
2669
|
username: accountFilter?.username,
|
|
2628
2670
|
loginHint: accountFilter?.loginHint,
|
|
2629
2671
|
upn: accountFilter?.upn,
|
|
2672
|
+
nativeAccountId: accountFilter?.nativeAccountId,
|
|
2630
2673
|
};
|
|
2631
2674
|
const matchingTenantProfiles = entity.tenantProfiles?.filter((tenantProfile) => {
|
|
2632
2675
|
return this.tenantProfileMatchesFilter(tenantProfile, tenantProfileFilter);
|
|
@@ -2680,7 +2723,8 @@
|
|
|
2680
2723
|
* idTokens do not have "target", target specific refreshTokens do exist for some types of authentication
|
|
2681
2724
|
* Resource specific refresh tokens case will be added when the support is deemed necessary
|
|
2682
2725
|
*/
|
|
2683
|
-
if (!!filter.target &&
|
|
2726
|
+
if (!!filter.target &&
|
|
2727
|
+
!this.matchTarget(entity, filter.target, correlationId)) {
|
|
2684
2728
|
return false;
|
|
2685
2729
|
}
|
|
2686
2730
|
// Access Token with Auth Scheme specific matching
|
|
@@ -2697,6 +2741,28 @@
|
|
|
2697
2741
|
}
|
|
2698
2742
|
}
|
|
2699
2743
|
}
|
|
2744
|
+
// Additional cache key components matching (bidirectional isolation)
|
|
2745
|
+
const entityComponents = entity.additionalCacheKeyComponents;
|
|
2746
|
+
const filterComponents = filter.additionalCacheKeyComponents;
|
|
2747
|
+
const entityHasComponents = !!entityComponents && Object.keys(entityComponents).length > 0;
|
|
2748
|
+
const filterHasComponents = !!filterComponents && Object.keys(filterComponents).length > 0;
|
|
2749
|
+
if (entityHasComponents !== filterHasComponents) {
|
|
2750
|
+
return false;
|
|
2751
|
+
}
|
|
2752
|
+
if (entityHasComponents && filterHasComponents) {
|
|
2753
|
+
const entityKeys = Object.keys(entityComponents).sort();
|
|
2754
|
+
const filterKeys = Object.keys(filterComponents).sort();
|
|
2755
|
+
if (entityKeys.length !== filterKeys.length) {
|
|
2756
|
+
return false;
|
|
2757
|
+
}
|
|
2758
|
+
for (let i = 0; i < entityKeys.length; i++) {
|
|
2759
|
+
if (entityKeys[i] !== filterKeys[i] ||
|
|
2760
|
+
entityComponents[entityKeys[i]] !==
|
|
2761
|
+
filterComponents[filterKeys[i]]) {
|
|
2762
|
+
return false;
|
|
2763
|
+
}
|
|
2764
|
+
}
|
|
2765
|
+
}
|
|
2700
2766
|
return true;
|
|
2701
2767
|
}
|
|
2702
2768
|
/**
|
|
@@ -2822,7 +2888,7 @@
|
|
|
2822
2888
|
void this.cryptoImpl
|
|
2823
2889
|
.removeTokenBindingKey(kid, correlationId)
|
|
2824
2890
|
.catch(() => {
|
|
2825
|
-
this.commonLogger.error(
|
|
2891
|
+
this.commonLogger.error(`0cx291 ${kid}`, correlationId);
|
|
2826
2892
|
this.performanceClient?.incrementFields({ removeTokenBindingKeyFailure: 1 }, correlationId);
|
|
2827
2893
|
});
|
|
2828
2894
|
}
|
|
@@ -2964,7 +3030,7 @@
|
|
|
2964
3030
|
getAccessToken(account, request, tokenKeys, targetRealm) {
|
|
2965
3031
|
const correlationId = request.correlationId;
|
|
2966
3032
|
this.commonLogger.trace("1t7hz1", correlationId);
|
|
2967
|
-
const scopes = ScopeSet.createSearchScopes(request.scopes);
|
|
3033
|
+
const scopes = ScopeSet.createSearchScopes(request.scopes, correlationId);
|
|
2968
3034
|
const authScheme = request.authenticationScheme ||
|
|
2969
3035
|
AuthenticationScheme.BEARER;
|
|
2970
3036
|
/*
|
|
@@ -3154,7 +3220,7 @@
|
|
|
3154
3220
|
return null;
|
|
3155
3221
|
}
|
|
3156
3222
|
else if (numAppMetadata > 1) {
|
|
3157
|
-
throw createClientAuthError(multipleMatchingAppMetadata);
|
|
3223
|
+
throw createClientAuthError(multipleMatchingAppMetadata, correlationId);
|
|
3158
3224
|
}
|
|
3159
3225
|
return appMetadataEntries[0];
|
|
3160
3226
|
}
|
|
@@ -3284,15 +3350,6 @@
|
|
|
3284
3350
|
matchRealm(entity, realm) {
|
|
3285
3351
|
return !!(entity.realm?.toLowerCase() === realm.toLowerCase());
|
|
3286
3352
|
}
|
|
3287
|
-
/**
|
|
3288
|
-
* helper to match nativeAccountId
|
|
3289
|
-
* @param entity
|
|
3290
|
-
* @param nativeAccountId
|
|
3291
|
-
* @returns boolean indicating the match result
|
|
3292
|
-
*/
|
|
3293
|
-
matchNativeAccountId(entity, nativeAccountId) {
|
|
3294
|
-
return !!(entity.nativeAccountId && nativeAccountId === entity.nativeAccountId);
|
|
3295
|
-
}
|
|
3296
3353
|
/**
|
|
3297
3354
|
* helper to match loginHint which can be either:
|
|
3298
3355
|
* 1. login_hint ID token claim
|
|
@@ -3336,14 +3393,14 @@
|
|
|
3336
3393
|
* @param entity
|
|
3337
3394
|
* @param target
|
|
3338
3395
|
*/
|
|
3339
|
-
matchTarget(entity, target) {
|
|
3396
|
+
matchTarget(entity, target, correlationId) {
|
|
3340
3397
|
const isNotAccessTokenCredential = entity.credentialType !== CredentialType.ACCESS_TOKEN &&
|
|
3341
3398
|
entity.credentialType !==
|
|
3342
3399
|
CredentialType.ACCESS_TOKEN_WITH_AUTH_SCHEME;
|
|
3343
3400
|
if (isNotAccessTokenCredential || !entity.target) {
|
|
3344
3401
|
return false;
|
|
3345
3402
|
}
|
|
3346
|
-
const entityScopeSet = ScopeSet.fromString(entity.target);
|
|
3403
|
+
const entityScopeSet = ScopeSet.fromString(entity.target, correlationId);
|
|
3347
3404
|
return entityScopeSet.containsScopeSet(target);
|
|
3348
3405
|
}
|
|
3349
3406
|
/**
|
|
@@ -3397,77 +3454,77 @@
|
|
|
3397
3454
|
/** @internal */
|
|
3398
3455
|
class DefaultStorageClass extends CacheManager {
|
|
3399
3456
|
async setAccount() {
|
|
3400
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3457
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3401
3458
|
}
|
|
3402
3459
|
getAccount() {
|
|
3403
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3460
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3404
3461
|
}
|
|
3405
3462
|
async setIdTokenCredential() {
|
|
3406
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3463
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3407
3464
|
}
|
|
3408
3465
|
getIdTokenCredential() {
|
|
3409
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3466
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3410
3467
|
}
|
|
3411
3468
|
async setAccessTokenCredential() {
|
|
3412
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3469
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3413
3470
|
}
|
|
3414
3471
|
getAccessTokenCredential() {
|
|
3415
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3472
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3416
3473
|
}
|
|
3417
3474
|
async setRefreshTokenCredential() {
|
|
3418
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3475
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3419
3476
|
}
|
|
3420
3477
|
getRefreshTokenCredential() {
|
|
3421
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3478
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3422
3479
|
}
|
|
3423
3480
|
setAppMetadata() {
|
|
3424
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3481
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3425
3482
|
}
|
|
3426
3483
|
getAppMetadata() {
|
|
3427
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3484
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3428
3485
|
}
|
|
3429
3486
|
setServerTelemetry() {
|
|
3430
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3487
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3431
3488
|
}
|
|
3432
3489
|
getServerTelemetry() {
|
|
3433
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3490
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3434
3491
|
}
|
|
3435
3492
|
setAuthorityMetadata() {
|
|
3436
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3493
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3437
3494
|
}
|
|
3438
3495
|
getAuthorityMetadata() {
|
|
3439
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3496
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3440
3497
|
}
|
|
3441
3498
|
getAuthorityMetadataKeys() {
|
|
3442
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3499
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3443
3500
|
}
|
|
3444
3501
|
setThrottlingCache() {
|
|
3445
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3502
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3446
3503
|
}
|
|
3447
3504
|
getThrottlingCache() {
|
|
3448
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3505
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3449
3506
|
}
|
|
3450
3507
|
removeItem() {
|
|
3451
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3508
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3452
3509
|
}
|
|
3453
3510
|
getKeys() {
|
|
3454
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3511
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3455
3512
|
}
|
|
3456
3513
|
getAccountKeys() {
|
|
3457
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3514
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3458
3515
|
}
|
|
3459
3516
|
getTokenKeys() {
|
|
3460
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3517
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3461
3518
|
}
|
|
3462
3519
|
generateCredentialKey() {
|
|
3463
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3520
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3464
3521
|
}
|
|
3465
3522
|
generateAccountKey() {
|
|
3466
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3523
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3467
3524
|
}
|
|
3468
3525
|
}
|
|
3469
3526
|
|
|
3470
|
-
/*! @azure/msal-common v16.
|
|
3527
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3471
3528
|
/*
|
|
3472
3529
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3473
3530
|
* Licensed under the MIT License.
|
|
@@ -3481,7 +3538,7 @@
|
|
|
3481
3538
|
const PerformanceEventStatus = {
|
|
3482
3539
|
InProgress: 1};
|
|
3483
3540
|
|
|
3484
|
-
/*! @azure/msal-common v16.
|
|
3541
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3485
3542
|
|
|
3486
3543
|
/*
|
|
3487
3544
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3536,7 +3593,7 @@
|
|
|
3536
3593
|
}
|
|
3537
3594
|
}
|
|
3538
3595
|
|
|
3539
|
-
/*! @azure/msal-common v16.
|
|
3596
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3540
3597
|
|
|
3541
3598
|
/*
|
|
3542
3599
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3556,10 +3613,10 @@
|
|
|
3556
3613
|
};
|
|
3557
3614
|
const DEFAULT_NETWORK_IMPLEMENTATION = {
|
|
3558
3615
|
async sendGetRequestAsync() {
|
|
3559
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3616
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3560
3617
|
},
|
|
3561
3618
|
async sendPostRequestAsync() {
|
|
3562
|
-
throw createClientAuthError(methodNotImplemented);
|
|
3619
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
3563
3620
|
},
|
|
3564
3621
|
};
|
|
3565
3622
|
const DEFAULT_LIBRARY_INFO = {
|
|
@@ -3588,6 +3645,7 @@
|
|
|
3588
3645
|
* @param Configuration
|
|
3589
3646
|
*
|
|
3590
3647
|
* @returns Configuration
|
|
3648
|
+
* @internal
|
|
3591
3649
|
*/
|
|
3592
3650
|
function buildClientConfiguration({ authOptions: userAuthOptions, systemOptions: userSystemOptions, loggerOptions: userLoggerOption, storageInterface: storageImplementation, networkInterface: networkImplementation, cryptoInterface: cryptoImplementation, clientCredentials: clientCredentials, libraryInfo: libraryInfo, telemetry: telemetry, serverTelemetryManager: serverTelemetryManager, persistencePlugin: persistencePlugin, serializableCache: serializableCache, }) {
|
|
3593
3651
|
const loggerOptions = {
|
|
@@ -3599,7 +3657,7 @@
|
|
|
3599
3657
|
systemOptions: { ...DEFAULT_SYSTEM_OPTIONS, ...userSystemOptions },
|
|
3600
3658
|
loggerOptions: loggerOptions,
|
|
3601
3659
|
storageInterface: storageImplementation ||
|
|
3602
|
-
new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions), new StubPerformanceClient()),
|
|
3660
|
+
new DefaultStorageClass(userAuthOptions.clientId, DEFAULT_CRYPTO_IMPLEMENTATION, new Logger(loggerOptions, name$1, version$1), new StubPerformanceClient()),
|
|
3603
3661
|
networkInterface: networkImplementation || DEFAULT_NETWORK_IMPLEMENTATION,
|
|
3604
3662
|
cryptoInterface: cryptoImplementation || DEFAULT_CRYPTO_IMPLEMENTATION,
|
|
3605
3663
|
clientCredentials: clientCredentials || DEFAULT_CLIENT_CREDENTIALS,
|
|
@@ -3631,7 +3689,7 @@
|
|
|
3631
3689
|
return (config.authOptions.authority.options.protocolMode === ProtocolMode.OIDC);
|
|
3632
3690
|
}
|
|
3633
3691
|
|
|
3634
|
-
/*! @azure/msal-common v16.
|
|
3692
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3635
3693
|
/*
|
|
3636
3694
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3637
3695
|
* Licensed under the MIT License.
|
|
@@ -3658,7 +3716,7 @@
|
|
|
3658
3716
|
}
|
|
3659
3717
|
}
|
|
3660
3718
|
|
|
3661
|
-
/*! @azure/msal-common v16.
|
|
3719
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3662
3720
|
/*
|
|
3663
3721
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3664
3722
|
* Licensed under the MIT License.
|
|
@@ -3723,7 +3781,7 @@
|
|
|
3723
3781
|
return cachedAtSec > nowSeconds();
|
|
3724
3782
|
}
|
|
3725
3783
|
|
|
3726
|
-
/*! @azure/msal-common v16.
|
|
3784
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3727
3785
|
|
|
3728
3786
|
/*
|
|
3729
3787
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -3759,7 +3817,7 @@
|
|
|
3759
3817
|
* @param expiresOn
|
|
3760
3818
|
* @param extExpiresOn
|
|
3761
3819
|
*/
|
|
3762
|
-
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, refreshOn, tokenType, userAssertionHash, keyId) {
|
|
3820
|
+
function createAccessTokenEntity(homeAccountId, environment, accessToken, clientId, tenantId, scopes, expiresOn, extExpiresOn, base64Decode, correlationId, refreshOn, tokenType, userAssertionHash, keyId, additionalCacheKeyComponents) {
|
|
3763
3821
|
const atEntity = {
|
|
3764
3822
|
homeAccountId: homeAccountId,
|
|
3765
3823
|
credentialType: CredentialType.ACCESS_TOKEN,
|
|
@@ -3791,9 +3849,9 @@
|
|
|
3791
3849
|
switch (atEntity.tokenType) {
|
|
3792
3850
|
case AuthenticationScheme.POP:
|
|
3793
3851
|
// Make sure keyId is present and add it to credential
|
|
3794
|
-
const tokenClaims = extractTokenClaims(accessToken, base64Decode);
|
|
3852
|
+
const tokenClaims = extractTokenClaims(accessToken, base64Decode, correlationId);
|
|
3795
3853
|
if (!tokenClaims?.cnf?.kid) {
|
|
3796
|
-
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt);
|
|
3854
|
+
throw createClientAuthError(tokenClaimsCnfRequiredForSignedJwt, correlationId);
|
|
3797
3855
|
}
|
|
3798
3856
|
atEntity.keyId = tokenClaims.cnf.kid;
|
|
3799
3857
|
break;
|
|
@@ -3801,6 +3859,11 @@
|
|
|
3801
3859
|
atEntity.keyId = keyId;
|
|
3802
3860
|
}
|
|
3803
3861
|
}
|
|
3862
|
+
/* Additional cache key components for cache isolation (e.g., FMI path) */
|
|
3863
|
+
if (additionalCacheKeyComponents &&
|
|
3864
|
+
Object.keys(additionalCacheKeyComponents).length > 0) {
|
|
3865
|
+
atEntity.additionalCacheKeyComponents = additionalCacheKeyComponents;
|
|
3866
|
+
}
|
|
3804
3867
|
return atEntity;
|
|
3805
3868
|
}
|
|
3806
3869
|
/**
|
|
@@ -3960,6 +4023,7 @@
|
|
|
3960
4023
|
return (nowSeconds() +
|
|
3961
4024
|
AUTHORITY_METADATA_REFRESH_TIME_SECONDS);
|
|
3962
4025
|
}
|
|
4026
|
+
/** @internal */
|
|
3963
4027
|
function updateAuthorityEndpointMetadata(authorityMetadata, updatedValues, fromNetwork) {
|
|
3964
4028
|
authorityMetadata.authorization_endpoint =
|
|
3965
4029
|
updatedValues.authorization_endpoint;
|
|
@@ -3969,6 +4033,7 @@
|
|
|
3969
4033
|
authorityMetadata.endpointsFromNetwork = fromNetwork;
|
|
3970
4034
|
authorityMetadata.jwks_uri = updatedValues.jwks_uri;
|
|
3971
4035
|
}
|
|
4036
|
+
/** @internal */
|
|
3972
4037
|
function updateCloudDiscoveryMetadata(authorityMetadata, updatedValues, fromNetwork) {
|
|
3973
4038
|
authorityMetadata.aliases = updatedValues.aliases;
|
|
3974
4039
|
authorityMetadata.preferred_cache = updatedValues.preferred_cache;
|
|
@@ -3977,12 +4042,13 @@
|
|
|
3977
4042
|
}
|
|
3978
4043
|
/**
|
|
3979
4044
|
* Returns whether or not the data needs to be refreshed
|
|
4045
|
+
* @internal
|
|
3980
4046
|
*/
|
|
3981
4047
|
function isAuthorityMetadataExpired(metadata) {
|
|
3982
4048
|
return metadata.expiresAt <= nowSeconds();
|
|
3983
4049
|
}
|
|
3984
4050
|
|
|
3985
|
-
/*! @azure/msal-common v16.
|
|
4051
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
3986
4052
|
/*
|
|
3987
4053
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
3988
4054
|
* Licensed under the MIT License.
|
|
@@ -4053,7 +4119,7 @@
|
|
|
4053
4119
|
const CacheManagerGetRefreshToken = "cacheManagerGetRefreshToken";
|
|
4054
4120
|
const SetUserData = "setUserData";
|
|
4055
4121
|
|
|
4056
|
-
/*! @azure/msal-common v16.
|
|
4122
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4057
4123
|
/*
|
|
4058
4124
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4059
4125
|
* Licensed under the MIT License.
|
|
@@ -4072,7 +4138,7 @@
|
|
|
4072
4138
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
4073
4139
|
const invoke = (callback, eventName, logger, telemetryClient, correlationId) => {
|
|
4074
4140
|
return (...args) => {
|
|
4075
|
-
logger.trace(
|
|
4141
|
+
logger.trace(`1plfzx ${eventName}`, correlationId);
|
|
4076
4142
|
const inProgressEvent = telemetryClient.startMeasurement(eventName, correlationId);
|
|
4077
4143
|
if (correlationId) {
|
|
4078
4144
|
// Track number of times this API is called in a single request
|
|
@@ -4083,11 +4149,11 @@
|
|
|
4083
4149
|
inProgressEvent.end({
|
|
4084
4150
|
success: true,
|
|
4085
4151
|
});
|
|
4086
|
-
logger.trace(
|
|
4152
|
+
logger.trace(`1g8n6a ${eventName}`, correlationId);
|
|
4087
4153
|
return result;
|
|
4088
4154
|
}
|
|
4089
4155
|
catch (e) {
|
|
4090
|
-
logger.trace(
|
|
4156
|
+
logger.trace(`0cfd8i ${eventName}`, correlationId);
|
|
4091
4157
|
try {
|
|
4092
4158
|
logger.trace(JSON.stringify(e), correlationId);
|
|
4093
4159
|
}
|
|
@@ -4116,7 +4182,7 @@
|
|
|
4116
4182
|
// eslint-disable-next-line @typescript-eslint/no-explicit-any
|
|
4117
4183
|
const invokeAsync = (callback, eventName, logger, telemetryClient, correlationId) => {
|
|
4118
4184
|
return (...args) => {
|
|
4119
|
-
logger.trace(
|
|
4185
|
+
logger.trace(`1plfzx ${eventName}`, correlationId);
|
|
4120
4186
|
const inProgressEvent = telemetryClient.startMeasurement(eventName, correlationId);
|
|
4121
4187
|
if (correlationId) {
|
|
4122
4188
|
// Track number of times this API is called in a single request
|
|
@@ -4124,14 +4190,14 @@
|
|
|
4124
4190
|
}
|
|
4125
4191
|
return callback(...args)
|
|
4126
4192
|
.then((response) => {
|
|
4127
|
-
logger.trace(
|
|
4193
|
+
logger.trace(`1g8n6a ${eventName}`, correlationId);
|
|
4128
4194
|
inProgressEvent.end({
|
|
4129
4195
|
success: true,
|
|
4130
4196
|
});
|
|
4131
4197
|
return response;
|
|
4132
4198
|
})
|
|
4133
4199
|
.catch((e) => {
|
|
4134
|
-
logger.trace(
|
|
4200
|
+
logger.trace(`0cfd8i ${eventName}`, correlationId);
|
|
4135
4201
|
try {
|
|
4136
4202
|
logger.trace(JSON.stringify(e), correlationId);
|
|
4137
4203
|
}
|
|
@@ -4146,7 +4212,7 @@
|
|
|
4146
4212
|
};
|
|
4147
4213
|
};
|
|
4148
4214
|
|
|
4149
|
-
/*! @azure/msal-common v16.
|
|
4215
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4150
4216
|
|
|
4151
4217
|
/*
|
|
4152
4218
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4207,7 +4273,7 @@
|
|
|
4207
4273
|
// Deconstruct request to extract SHR parameters
|
|
4208
4274
|
const { resourceRequestMethod, resourceRequestUri, shrClaims, shrNonce, shrOptions, } = request;
|
|
4209
4275
|
const resourceUrlString = resourceRequestUri
|
|
4210
|
-
? new UrlString(resourceRequestUri)
|
|
4276
|
+
? new UrlString(resourceRequestUri, request.correlationId)
|
|
4211
4277
|
: undefined;
|
|
4212
4278
|
const resourceUrlComponents = resourceUrlString?.getUrlComponents();
|
|
4213
4279
|
return this.cryptoUtils.signJwt({
|
|
@@ -4226,7 +4292,7 @@
|
|
|
4226
4292
|
}
|
|
4227
4293
|
}
|
|
4228
4294
|
|
|
4229
|
-
/*! @azure/msal-common v16.
|
|
4295
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4230
4296
|
/*
|
|
4231
4297
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4232
4298
|
* Licensed under the MIT License.
|
|
@@ -4277,7 +4343,7 @@
|
|
|
4277
4343
|
*/
|
|
4278
4344
|
const interruptedUser = "interrupted_user";
|
|
4279
4345
|
|
|
4280
|
-
/*! @azure/msal-common v16.
|
|
4346
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4281
4347
|
|
|
4282
4348
|
/*
|
|
4283
4349
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4308,12 +4374,11 @@
|
|
|
4308
4374
|
* Error thrown when user interaction is required.
|
|
4309
4375
|
*/
|
|
4310
4376
|
class InteractionRequiredAuthError extends AuthError {
|
|
4311
|
-
constructor(errorCode, errorMessage, subError, timestamp, traceId,
|
|
4312
|
-
super(errorCode, errorMessage, subError);
|
|
4377
|
+
constructor(errorCode, correlationId, errorMessage, subError, timestamp, traceId, claims, errorNo) {
|
|
4378
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
4313
4379
|
Object.setPrototypeOf(this, InteractionRequiredAuthError.prototype);
|
|
4314
4380
|
this.timestamp = timestamp || "";
|
|
4315
4381
|
this.traceId = traceId || "";
|
|
4316
|
-
this.correlationId = correlationId || "";
|
|
4317
4382
|
this.claims = claims || "";
|
|
4318
4383
|
this.name = "InteractionRequiredAuthError";
|
|
4319
4384
|
this.errorNo = errorNo;
|
|
@@ -4341,11 +4406,11 @@
|
|
|
4341
4406
|
/**
|
|
4342
4407
|
* Creates an InteractionRequiredAuthError
|
|
4343
4408
|
*/
|
|
4344
|
-
function createInteractionRequiredAuthError(errorCode, errorMessage) {
|
|
4345
|
-
return new InteractionRequiredAuthError(errorCode, errorMessage);
|
|
4409
|
+
function createInteractionRequiredAuthError(errorCode, correlationId, errorMessage) {
|
|
4410
|
+
return new InteractionRequiredAuthError(errorCode, correlationId, errorMessage);
|
|
4346
4411
|
}
|
|
4347
4412
|
|
|
4348
|
-
/*! @azure/msal-common v16.
|
|
4413
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4349
4414
|
|
|
4350
4415
|
/*
|
|
4351
4416
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4355,8 +4420,8 @@
|
|
|
4355
4420
|
* Error thrown when there is an error with the server code, for example, unavailability.
|
|
4356
4421
|
*/
|
|
4357
4422
|
class ServerError extends AuthError {
|
|
4358
|
-
constructor(errorCode, errorMessage, subError, errorNo, status) {
|
|
4359
|
-
super(errorCode, errorMessage, subError);
|
|
4423
|
+
constructor(errorCode, correlationId, errorMessage, subError, errorNo, status) {
|
|
4424
|
+
super(errorCode, correlationId, errorMessage, subError);
|
|
4360
4425
|
this.name = "ServerError";
|
|
4361
4426
|
this.errorNo = errorNo;
|
|
4362
4427
|
this.status = status;
|
|
@@ -4364,7 +4429,7 @@
|
|
|
4364
4429
|
}
|
|
4365
4430
|
}
|
|
4366
4431
|
|
|
4367
|
-
/*! @azure/msal-common v16.
|
|
4432
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4368
4433
|
|
|
4369
4434
|
/*
|
|
4370
4435
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4375,9 +4440,10 @@
|
|
|
4375
4440
|
* @param cryptoObj
|
|
4376
4441
|
* @param userState
|
|
4377
4442
|
* @param meta
|
|
4443
|
+
* @param correlationId
|
|
4378
4444
|
*/
|
|
4379
|
-
function setRequestState(cryptoObj, userState, meta) {
|
|
4380
|
-
const libraryState = generateLibraryState(cryptoObj, meta);
|
|
4445
|
+
function setRequestState(cryptoObj, userState, meta, correlationId) {
|
|
4446
|
+
const libraryState = generateLibraryState(cryptoObj, correlationId, meta);
|
|
4381
4447
|
return userState
|
|
4382
4448
|
? `${libraryState}${RESOURCE_DELIM}${userState}`
|
|
4383
4449
|
: libraryState;
|
|
@@ -4385,11 +4451,12 @@
|
|
|
4385
4451
|
/**
|
|
4386
4452
|
* Generates the state value used by the common library.
|
|
4387
4453
|
* @param cryptoObj
|
|
4454
|
+
* @param correlationId
|
|
4388
4455
|
* @param meta
|
|
4389
4456
|
*/
|
|
4390
|
-
function generateLibraryState(cryptoObj, meta) {
|
|
4457
|
+
function generateLibraryState(cryptoObj, correlationId, meta) {
|
|
4391
4458
|
if (!cryptoObj) {
|
|
4392
|
-
throw createClientAuthError(noCryptoObject);
|
|
4459
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
4393
4460
|
}
|
|
4394
4461
|
// Create a state object containing a unique id and the timestamp of the request creation
|
|
4395
4462
|
const stateObj = {
|
|
@@ -4405,13 +4472,14 @@
|
|
|
4405
4472
|
* Parses the state into the RequestStateObject, which contains the LibraryState info and the state passed by the user.
|
|
4406
4473
|
* @param base64Decode
|
|
4407
4474
|
* @param state
|
|
4475
|
+
* @param correlationId
|
|
4408
4476
|
*/
|
|
4409
|
-
function parseRequestState(base64Decode, state) {
|
|
4477
|
+
function parseRequestState(base64Decode, state, correlationId) {
|
|
4410
4478
|
if (!base64Decode) {
|
|
4411
|
-
throw createClientAuthError(noCryptoObject);
|
|
4479
|
+
throw createClientAuthError(noCryptoObject, correlationId);
|
|
4412
4480
|
}
|
|
4413
4481
|
if (!state) {
|
|
4414
|
-
throw createClientAuthError(invalidState);
|
|
4482
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
4415
4483
|
}
|
|
4416
4484
|
try {
|
|
4417
4485
|
// Split the state between library state and user passed state and decode them separately
|
|
@@ -4428,11 +4496,11 @@
|
|
|
4428
4496
|
};
|
|
4429
4497
|
}
|
|
4430
4498
|
catch (e) {
|
|
4431
|
-
throw createClientAuthError(invalidState);
|
|
4499
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
4432
4500
|
}
|
|
4433
4501
|
}
|
|
4434
4502
|
|
|
4435
|
-
/*! @azure/msal-common v16.
|
|
4503
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4436
4504
|
|
|
4437
4505
|
/*
|
|
4438
4506
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4467,14 +4535,14 @@
|
|
|
4467
4535
|
const serverErrorNo = serverResponse.error_codes?.length
|
|
4468
4536
|
? serverResponse.error_codes[0]
|
|
4469
4537
|
: undefined;
|
|
4470
|
-
const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
4538
|
+
const serverError = new ServerError(serverResponse.error || "", serverResponse.correlation_id || "", errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
4471
4539
|
// check if 500 error
|
|
4472
4540
|
if (refreshAccessToken &&
|
|
4473
4541
|
serverResponse.status &&
|
|
4474
4542
|
serverResponse.status >=
|
|
4475
4543
|
HTTP_SERVER_ERROR_RANGE_START &&
|
|
4476
4544
|
serverResponse.status <= HTTP_SERVER_ERROR_RANGE_END) {
|
|
4477
|
-
this.logger.warning(
|
|
4545
|
+
this.logger.warning(`16ks7j ${serverError}`, correlationId);
|
|
4478
4546
|
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
4479
4547
|
return;
|
|
4480
4548
|
// check if 400 error
|
|
@@ -4484,12 +4552,12 @@
|
|
|
4484
4552
|
serverResponse.status >=
|
|
4485
4553
|
HTTP_CLIENT_ERROR_RANGE_START &&
|
|
4486
4554
|
serverResponse.status <= HTTP_CLIENT_ERROR_RANGE_END) {
|
|
4487
|
-
this.logger.warning(
|
|
4555
|
+
this.logger.warning(`0g61x3 ${serverError}`, correlationId);
|
|
4488
4556
|
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
4489
4557
|
return;
|
|
4490
4558
|
}
|
|
4491
4559
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
4492
|
-
throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
4560
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
4493
4561
|
}
|
|
4494
4562
|
throw serverError;
|
|
4495
4563
|
}
|
|
@@ -4499,24 +4567,16 @@
|
|
|
4499
4567
|
* @param serverTokenResponse
|
|
4500
4568
|
* @param authority
|
|
4501
4569
|
*/
|
|
4502
|
-
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
|
|
4570
|
+
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, apiId, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId, additionalCacheKeyComponents) {
|
|
4503
4571
|
// create an idToken object (not entity)
|
|
4504
4572
|
let idTokenClaims;
|
|
4505
4573
|
if (serverTokenResponse.id_token) {
|
|
4506
|
-
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode);
|
|
4574
|
+
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || "", this.cryptoObj.base64Decode, request.correlationId);
|
|
4507
4575
|
// token nonce check (TODO: Add a warning if no nonce is given?)
|
|
4508
4576
|
if (authCodePayload && authCodePayload.nonce) {
|
|
4509
4577
|
if (idTokenClaims.nonce !== authCodePayload.nonce) {
|
|
4510
|
-
throw createClientAuthError(nonceMismatch);
|
|
4511
|
-
}
|
|
4512
|
-
}
|
|
4513
|
-
// token max_age check
|
|
4514
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
4515
|
-
const authTime = idTokenClaims.auth_time;
|
|
4516
|
-
if (!authTime) {
|
|
4517
|
-
throw createClientAuthError(authTimeNotFound);
|
|
4578
|
+
throw createClientAuthError(nonceMismatch, request.correlationId);
|
|
4518
4579
|
}
|
|
4519
|
-
checkMaxAge(authTime, request.maxAge);
|
|
4520
4580
|
}
|
|
4521
4581
|
}
|
|
4522
4582
|
// generate homeAccountId
|
|
@@ -4524,12 +4584,12 @@
|
|
|
4524
4584
|
// save the response tokens
|
|
4525
4585
|
let requestStateObj;
|
|
4526
4586
|
if (!!authCodePayload && !!authCodePayload.state) {
|
|
4527
|
-
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state);
|
|
4587
|
+
requestStateObj = parseRequestState(this.cryptoObj.base64Decode, authCodePayload.state, request.correlationId);
|
|
4528
4588
|
}
|
|
4529
4589
|
// Add keyId from request to serverTokenResponse if defined
|
|
4530
4590
|
serverTokenResponse.key_id =
|
|
4531
4591
|
serverTokenResponse.key_id || request.sshKid || undefined;
|
|
4532
|
-
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
|
|
4592
|
+
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents);
|
|
4533
4593
|
let cacheContext;
|
|
4534
4594
|
try {
|
|
4535
4595
|
if (this.persistencePlugin && this.serializableCache) {
|
|
@@ -4576,10 +4636,10 @@
|
|
|
4576
4636
|
* @param idTokenObj
|
|
4577
4637
|
* @param authority
|
|
4578
4638
|
*/
|
|
4579
|
-
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
|
|
4639
|
+
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload, additionalCacheKeyComponents) {
|
|
4580
4640
|
const env = authority.getPreferredCache();
|
|
4581
4641
|
if (!env) {
|
|
4582
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
4642
|
+
throw createClientAuthError(invalidCacheEnvironment, request.correlationId);
|
|
4583
4643
|
}
|
|
4584
4644
|
const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
|
|
4585
4645
|
// IdToken: non AAD scenarios can have empty realm
|
|
@@ -4595,8 +4655,8 @@
|
|
|
4595
4655
|
if (serverTokenResponse.access_token) {
|
|
4596
4656
|
// If scopes not returned in server response, use request scopes
|
|
4597
4657
|
const responseScopes = serverTokenResponse.scope
|
|
4598
|
-
? ScopeSet.fromString(serverTokenResponse.scope)
|
|
4599
|
-
: new ScopeSet(request.scopes || []);
|
|
4658
|
+
? ScopeSet.fromString(serverTokenResponse.scope, request.correlationId)
|
|
4659
|
+
: new ScopeSet(request.scopes || [], request.correlationId);
|
|
4600
4660
|
/*
|
|
4601
4661
|
* Use timestamp calculated before request
|
|
4602
4662
|
* Server may return timestamps as strings, parse to numbers if so.
|
|
@@ -4616,7 +4676,7 @@
|
|
|
4616
4676
|
? reqTimestamp + refreshIn
|
|
4617
4677
|
: undefined;
|
|
4618
4678
|
// non AAD scenarios can have empty realm
|
|
4619
|
-
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id);
|
|
4679
|
+
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, request.correlationId, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, additionalCacheKeyComponents);
|
|
4620
4680
|
// Set resource (to be used for MCP scenarios)
|
|
4621
4681
|
const resource = request.resource || null;
|
|
4622
4682
|
if (resource) {
|
|
@@ -4682,14 +4742,14 @@
|
|
|
4682
4742
|
const popTokenGenerator = new PopTokenGenerator(cryptoObj, performanceClient);
|
|
4683
4743
|
const { secret, keyId } = cacheRecord.accessToken;
|
|
4684
4744
|
if (!keyId) {
|
|
4685
|
-
throw createClientAuthError(keyIdMissing);
|
|
4745
|
+
throw createClientAuthError(keyIdMissing, request.correlationId);
|
|
4686
4746
|
}
|
|
4687
4747
|
accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
|
|
4688
4748
|
}
|
|
4689
4749
|
else {
|
|
4690
4750
|
accessToken = cacheRecord.accessToken.secret;
|
|
4691
4751
|
}
|
|
4692
|
-
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
4752
|
+
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target, request.correlationId).asArray();
|
|
4693
4753
|
// Access token expiresOn cached in seconds, converting to Date for AuthenticationResult
|
|
4694
4754
|
expiresOn = toDateFromSeconds(cacheRecord.accessToken.expiresOn);
|
|
4695
4755
|
extExpiresOn = toDateFromSeconds(cacheRecord.accessToken.extendedExpiresOn);
|
|
@@ -4707,8 +4767,18 @@
|
|
|
4707
4767
|
const tid = idTokenClaims?.tid || "";
|
|
4708
4768
|
// for hybrid + native bridge enablement, send back the native account Id
|
|
4709
4769
|
if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
|
|
4770
|
+
// Set on deprecated top-level for downgrade compat
|
|
4710
4771
|
cacheRecord.account.nativeAccountId =
|
|
4711
4772
|
serverTokenResponse?.spa_accountid;
|
|
4773
|
+
// Set on the matching tenant profile (source of truth)
|
|
4774
|
+
const targetTenantId = tid || cacheRecord.account.realm;
|
|
4775
|
+
if (cacheRecord.account.tenantProfiles) {
|
|
4776
|
+
const matchingProfile = cacheRecord.account.tenantProfiles.find((tp) => tp.tenantId === targetTenantId);
|
|
4777
|
+
if (matchingProfile) {
|
|
4778
|
+
matchingProfile.nativeAccountId =
|
|
4779
|
+
serverTokenResponse.spa_accountid;
|
|
4780
|
+
}
|
|
4781
|
+
}
|
|
4712
4782
|
}
|
|
4713
4783
|
const accountInfo = cacheRecord.account
|
|
4714
4784
|
? updateAccountTenantProfileData(getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
|
|
@@ -4739,6 +4809,7 @@
|
|
|
4739
4809
|
};
|
|
4740
4810
|
}
|
|
4741
4811
|
}
|
|
4812
|
+
/** @internal */
|
|
4742
4813
|
function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, correlationId, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger, performanceClient) {
|
|
4743
4814
|
logger?.verbose("09jz0t", correlationId);
|
|
4744
4815
|
/*
|
|
@@ -4766,21 +4837,21 @@
|
|
|
4766
4837
|
cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
|
|
4767
4838
|
msGraphHost: authCodePayload?.msgraph_host,
|
|
4768
4839
|
nativeAccountId: nativeAccountId,
|
|
4769
|
-
}, authority, base64Decode);
|
|
4840
|
+
}, authority, correlationId, base64Decode);
|
|
4770
4841
|
const tenantProfiles = baseAccount.tenantProfiles || [];
|
|
4771
4842
|
const tenantId = claimsTenantId || baseAccount.realm;
|
|
4772
4843
|
if (tenantId &&
|
|
4773
4844
|
!tenantProfiles.find((tenantProfile) => {
|
|
4774
4845
|
return tenantProfile.tenantId === tenantId;
|
|
4775
4846
|
})) {
|
|
4776
|
-
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
|
|
4847
|
+
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, nativeAccountId, idTokenClaims);
|
|
4777
4848
|
tenantProfiles.push(newTenantProfile);
|
|
4778
4849
|
}
|
|
4779
4850
|
baseAccount.tenantProfiles = tenantProfiles;
|
|
4780
4851
|
return baseAccount;
|
|
4781
4852
|
}
|
|
4782
4853
|
|
|
4783
|
-
/*! @azure/msal-common v16.
|
|
4854
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4784
4855
|
/*
|
|
4785
4856
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4786
4857
|
* Licensed under the MIT License.
|
|
@@ -4790,12 +4861,12 @@
|
|
|
4790
4861
|
UPN: "UPN",
|
|
4791
4862
|
};
|
|
4792
4863
|
|
|
4793
|
-
/*! @azure/msal-common v16.
|
|
4864
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4794
4865
|
/*
|
|
4795
4866
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4796
4867
|
* Licensed under the MIT License.
|
|
4797
4868
|
*/
|
|
4798
|
-
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint) {
|
|
4869
|
+
async function getClientAssertion(clientAssertion, clientId, tokenEndpoint, fmiPath) {
|
|
4799
4870
|
if (typeof clientAssertion === "string") {
|
|
4800
4871
|
return clientAssertion;
|
|
4801
4872
|
}
|
|
@@ -4803,12 +4874,13 @@
|
|
|
4803
4874
|
const config = {
|
|
4804
4875
|
clientId: clientId,
|
|
4805
4876
|
tokenEndpoint: tokenEndpoint,
|
|
4877
|
+
fmiPath: fmiPath,
|
|
4806
4878
|
};
|
|
4807
4879
|
return clientAssertion(config);
|
|
4808
4880
|
}
|
|
4809
4881
|
}
|
|
4810
4882
|
|
|
4811
|
-
/*! @azure/msal-common v16.
|
|
4883
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4812
4884
|
/*
|
|
4813
4885
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
4814
4886
|
* Licensed under the MIT License.
|
|
@@ -4829,7 +4901,7 @@
|
|
|
4829
4901
|
};
|
|
4830
4902
|
}
|
|
4831
4903
|
|
|
4832
|
-
/*! @azure/msal-common v16.
|
|
4904
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4833
4905
|
|
|
4834
4906
|
/*
|
|
4835
4907
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4857,7 +4929,7 @@
|
|
|
4857
4929
|
cacheManager.removeItem(key, correlationId);
|
|
4858
4930
|
return;
|
|
4859
4931
|
}
|
|
4860
|
-
throw new ServerError(value.errorCodes?.join(" ") || "", value.errorMessage, value.subError);
|
|
4932
|
+
throw new ServerError(value.errorCodes?.join(" ") || "", correlationId, value.errorMessage, value.subError);
|
|
4861
4933
|
}
|
|
4862
4934
|
}
|
|
4863
4935
|
/**
|
|
@@ -4915,7 +4987,7 @@
|
|
|
4915
4987
|
}
|
|
4916
4988
|
}
|
|
4917
4989
|
|
|
4918
|
-
/*! @azure/msal-common v16.
|
|
4990
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4919
4991
|
|
|
4920
4992
|
/*
|
|
4921
4993
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4926,7 +4998,7 @@
|
|
|
4926
4998
|
*/
|
|
4927
4999
|
class NetworkError extends AuthError {
|
|
4928
5000
|
constructor(error, httpStatus, responseHeaders) {
|
|
4929
|
-
super(error.errorCode, error.errorMessage, error.subError);
|
|
5001
|
+
super(error.errorCode, error.correlationId, error.errorMessage, error.subError);
|
|
4930
5002
|
Object.setPrototypeOf(this, NetworkError.prototype);
|
|
4931
5003
|
this.name = "NetworkError";
|
|
4932
5004
|
this.error = error;
|
|
@@ -4946,7 +5018,7 @@
|
|
|
4946
5018
|
return new NetworkError(error, httpStatus, responseHeaders);
|
|
4947
5019
|
}
|
|
4948
5020
|
|
|
4949
|
-
/*! @azure/msal-common v16.
|
|
5021
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
4950
5022
|
|
|
4951
5023
|
/*
|
|
4952
5024
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -4966,7 +5038,7 @@
|
|
|
4966
5038
|
headers[HeaderNames.CCS_HEADER] = `Oid:${clientInfo.uid}@${clientInfo.utid}`;
|
|
4967
5039
|
}
|
|
4968
5040
|
catch (e) {
|
|
4969
|
-
logger.verbose(
|
|
5041
|
+
logger.verbose(`1qhtee ${e}`, "");
|
|
4970
5042
|
}
|
|
4971
5043
|
break;
|
|
4972
5044
|
case CcsCredentialType.UPN:
|
|
@@ -4998,6 +5070,7 @@
|
|
|
4998
5070
|
* @param queryString
|
|
4999
5071
|
* @param headers
|
|
5000
5072
|
* @param thumbprint
|
|
5073
|
+
* @internal
|
|
5001
5074
|
*/
|
|
5002
5075
|
async function executePostToTokenEndpoint(tokenEndpoint, queryString, headers, thumbprint, correlationId, cacheManager, networkClient, logger, performanceClient, serverTelemetryManager) {
|
|
5003
5076
|
const response = await sendPostRequest(thumbprint, tokenEndpoint, { body: queryString, headers: headers }, correlationId, cacheManager, networkClient, logger, performanceClient);
|
|
@@ -5019,6 +5092,7 @@
|
|
|
5019
5092
|
* @param networkClient - Network module instance
|
|
5020
5093
|
* @param logger - Logger instance
|
|
5021
5094
|
* @param performanceClient - Performance client instance
|
|
5095
|
+
* @internal
|
|
5022
5096
|
*/
|
|
5023
5097
|
async function sendPostRequest(thumbprint, tokenEndpoint, options, correlationId, cacheManager, networkClient, logger, performanceClient) {
|
|
5024
5098
|
ThrottlingUtils.preProcess(cacheManager, thumbprint, correlationId);
|
|
@@ -5053,14 +5127,14 @@
|
|
|
5053
5127
|
throw e;
|
|
5054
5128
|
}
|
|
5055
5129
|
else {
|
|
5056
|
-
throw createClientAuthError(networkError);
|
|
5130
|
+
throw createClientAuthError(networkError, correlationId);
|
|
5057
5131
|
}
|
|
5058
5132
|
}
|
|
5059
5133
|
ThrottlingUtils.postProcess(cacheManager, thumbprint, response, correlationId);
|
|
5060
5134
|
return response;
|
|
5061
5135
|
}
|
|
5062
5136
|
|
|
5063
|
-
/*! @azure/msal-common v16.
|
|
5137
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
5064
5138
|
/*
|
|
5065
5139
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5066
5140
|
* Licensed under the MIT License.
|
|
@@ -5072,7 +5146,7 @@
|
|
|
5072
5146
|
response.hasOwnProperty("jwks_uri"));
|
|
5073
5147
|
}
|
|
5074
5148
|
|
|
5075
|
-
/*! @azure/msal-common v16.
|
|
5149
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
5076
5150
|
/*
|
|
5077
5151
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5078
5152
|
* Licensed under the MIT License.
|
|
@@ -5082,7 +5156,7 @@
|
|
|
5082
5156
|
response.hasOwnProperty("metadata"));
|
|
5083
5157
|
}
|
|
5084
5158
|
|
|
5085
|
-
/*! @azure/msal-common v16.
|
|
5159
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
5086
5160
|
/*
|
|
5087
5161
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
5088
5162
|
* Licensed under the MIT License.
|
|
@@ -5092,7 +5166,7 @@
|
|
|
5092
5166
|
response.hasOwnProperty("error_description"));
|
|
5093
5167
|
}
|
|
5094
5168
|
|
|
5095
|
-
/*! @azure/msal-common v16.
|
|
5169
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
5096
5170
|
|
|
5097
5171
|
/*
|
|
5098
5172
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5119,9 +5193,12 @@
|
|
|
5119
5193
|
try {
|
|
5120
5194
|
const localIMDSVersionResponse = await invokeAsync(this.getRegionFromIMDS.bind(this), RegionDiscoveryGetRegionFromIMDS, this.logger, this.performanceClient, this.correlationId)(IMDS_VERSION, options);
|
|
5121
5195
|
if (localIMDSVersionResponse.status === HTTP_SUCCESS) {
|
|
5122
|
-
autodetectedRegionName =
|
|
5123
|
-
|
|
5124
|
-
|
|
5196
|
+
autodetectedRegionName =
|
|
5197
|
+
localIMDSVersionResponse.body?.location;
|
|
5198
|
+
if (autodetectedRegionName) {
|
|
5199
|
+
regionDiscoveryMetadata.region_source =
|
|
5200
|
+
RegionDiscoverySources.IMDS;
|
|
5201
|
+
}
|
|
5125
5202
|
}
|
|
5126
5203
|
// If the response using the local IMDS version failed, try to fetch the current version of IMDS and retry.
|
|
5127
5204
|
if (localIMDSVersionResponse.status ===
|
|
@@ -5136,9 +5213,11 @@
|
|
|
5136
5213
|
if (currentIMDSVersionResponse.status ===
|
|
5137
5214
|
HTTP_SUCCESS) {
|
|
5138
5215
|
autodetectedRegionName =
|
|
5139
|
-
currentIMDSVersionResponse.body;
|
|
5140
|
-
|
|
5141
|
-
|
|
5216
|
+
currentIMDSVersionResponse.body?.location;
|
|
5217
|
+
if (autodetectedRegionName) {
|
|
5218
|
+
regionDiscoveryMetadata.region_source =
|
|
5219
|
+
RegionDiscoverySources.IMDS;
|
|
5220
|
+
}
|
|
5142
5221
|
}
|
|
5143
5222
|
}
|
|
5144
5223
|
}
|
|
@@ -5162,11 +5241,12 @@
|
|
|
5162
5241
|
/**
|
|
5163
5242
|
* Make the call to the IMDS endpoint
|
|
5164
5243
|
*
|
|
5165
|
-
* @param
|
|
5166
|
-
* @
|
|
5244
|
+
* @param version
|
|
5245
|
+
* @param options
|
|
5246
|
+
* @returns Promise<NetworkResponse<ImdsComputeResponse>>
|
|
5167
5247
|
*/
|
|
5168
5248
|
async getRegionFromIMDS(version, options) {
|
|
5169
|
-
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}
|
|
5249
|
+
return this.networkInterface.sendGetRequestAsync(`${IMDS_ENDPOINT}?api-version=${version}`, options, IMDS_TIMEOUT);
|
|
5170
5250
|
}
|
|
5171
5251
|
/**
|
|
5172
5252
|
* Get the most recent version of the IMDS endpoint available
|
|
@@ -5197,7 +5277,7 @@
|
|
|
5197
5277
|
},
|
|
5198
5278
|
};
|
|
5199
5279
|
|
|
5200
|
-
/*! @azure/msal-common v16.
|
|
5280
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
5201
5281
|
|
|
5202
5282
|
/*
|
|
5203
5283
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -5227,7 +5307,7 @@
|
|
|
5227
5307
|
this.regionDiscovery = new RegionDiscovery(networkInterface, this.logger, this.performanceClient, this.correlationId);
|
|
5228
5308
|
}
|
|
5229
5309
|
/**
|
|
5230
|
-
* Get {@link AuthorityType}
|
|
5310
|
+
* Get {@link AuthorityType:type}
|
|
5231
5311
|
* @param authorityUri {@link IUri}
|
|
5232
5312
|
* @private
|
|
5233
5313
|
*/
|
|
@@ -5273,7 +5353,7 @@
|
|
|
5273
5353
|
* Sets canonical authority.
|
|
5274
5354
|
*/
|
|
5275
5355
|
set canonicalAuthority(url) {
|
|
5276
|
-
this._canonicalAuthority = new UrlString(url);
|
|
5356
|
+
this._canonicalAuthority = new UrlString(url, this.correlationId);
|
|
5277
5357
|
this._canonicalAuthority.validateAsUri();
|
|
5278
5358
|
this._canonicalAuthorityUrlComponents = null;
|
|
5279
5359
|
}
|
|
@@ -5307,7 +5387,7 @@
|
|
|
5307
5387
|
return this.replacePath(this.metadata.authorization_endpoint);
|
|
5308
5388
|
}
|
|
5309
5389
|
else {
|
|
5310
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5390
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5311
5391
|
}
|
|
5312
5392
|
}
|
|
5313
5393
|
/**
|
|
@@ -5318,7 +5398,7 @@
|
|
|
5318
5398
|
return this.replacePath(this.metadata.token_endpoint);
|
|
5319
5399
|
}
|
|
5320
5400
|
else {
|
|
5321
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5401
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5322
5402
|
}
|
|
5323
5403
|
}
|
|
5324
5404
|
get deviceCodeEndpoint() {
|
|
@@ -5326,7 +5406,7 @@
|
|
|
5326
5406
|
return this.replacePath(this.metadata.token_endpoint.replace("/token", "/devicecode"));
|
|
5327
5407
|
}
|
|
5328
5408
|
else {
|
|
5329
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5409
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5330
5410
|
}
|
|
5331
5411
|
}
|
|
5332
5412
|
/**
|
|
@@ -5336,12 +5416,12 @@
|
|
|
5336
5416
|
if (this.discoveryComplete()) {
|
|
5337
5417
|
// ROPC policies may not have end_session_endpoint set
|
|
5338
5418
|
if (!this.metadata.end_session_endpoint) {
|
|
5339
|
-
throw createClientAuthError(endSessionEndpointNotSupported);
|
|
5419
|
+
throw createClientAuthError(endSessionEndpointNotSupported, this.correlationId);
|
|
5340
5420
|
}
|
|
5341
5421
|
return this.replacePath(this.metadata.end_session_endpoint);
|
|
5342
5422
|
}
|
|
5343
5423
|
else {
|
|
5344
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5424
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5345
5425
|
}
|
|
5346
5426
|
}
|
|
5347
5427
|
/**
|
|
@@ -5352,7 +5432,7 @@
|
|
|
5352
5432
|
return this.replacePath(this.metadata.issuer);
|
|
5353
5433
|
}
|
|
5354
5434
|
else {
|
|
5355
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5435
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5356
5436
|
}
|
|
5357
5437
|
}
|
|
5358
5438
|
/**
|
|
@@ -5363,7 +5443,7 @@
|
|
|
5363
5443
|
return this.replacePath(this.metadata.jwks_uri);
|
|
5364
5444
|
}
|
|
5365
5445
|
else {
|
|
5366
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5446
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5367
5447
|
}
|
|
5368
5448
|
}
|
|
5369
5449
|
/**
|
|
@@ -5390,7 +5470,7 @@
|
|
|
5390
5470
|
*/
|
|
5391
5471
|
replacePath(urlString) {
|
|
5392
5472
|
let endpoint = urlString;
|
|
5393
|
-
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority);
|
|
5473
|
+
const cachedAuthorityUrl = new UrlString(this.metadata.canonical_authority, this.correlationId);
|
|
5394
5474
|
const cachedAuthorityUrlComponents = cachedAuthorityUrl.getUrlComponents();
|
|
5395
5475
|
const cachedAuthorityParts = cachedAuthorityUrlComponents.PathSegments;
|
|
5396
5476
|
const currentAuthorityParts = this.canonicalAuthorityUrlComponents.PathSegments;
|
|
@@ -5398,14 +5478,14 @@
|
|
|
5398
5478
|
let cachedPart = cachedAuthorityParts[index];
|
|
5399
5479
|
if (index === 0 &&
|
|
5400
5480
|
this.canReplaceTenant(cachedAuthorityUrlComponents)) {
|
|
5401
|
-
const tenantId = new UrlString(this.metadata.authorization_endpoint).getUrlComponents().PathSegments[0];
|
|
5481
|
+
const tenantId = new UrlString(this.metadata.authorization_endpoint, this.correlationId).getUrlComponents().PathSegments[0];
|
|
5402
5482
|
/**
|
|
5403
5483
|
* Check if AAD canonical authority contains tenant domain name, for example "testdomain.onmicrosoft.com",
|
|
5404
5484
|
* by comparing its first path segment to the corresponding authorization endpoint path segment, which is
|
|
5405
5485
|
* always resolved with tenant id by OIDC.
|
|
5406
5486
|
*/
|
|
5407
5487
|
if (cachedPart !== tenantId) {
|
|
5408
|
-
this.logger.verbose(
|
|
5488
|
+
this.logger.verbose(`1q3g2x ${cachedPart} ${tenantId}`, this.correlationId);
|
|
5409
5489
|
cachedPart = tenantId;
|
|
5410
5490
|
}
|
|
5411
5491
|
}
|
|
@@ -5532,7 +5612,7 @@
|
|
|
5532
5612
|
}
|
|
5533
5613
|
else {
|
|
5534
5614
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
5535
|
-
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint);
|
|
5615
|
+
throw createClientAuthError(openIdConfigError, this.defaultOpenIdConfigurationEndpoint, this.correlationId);
|
|
5536
5616
|
}
|
|
5537
5617
|
}
|
|
5538
5618
|
/**
|
|
@@ -5584,7 +5664,7 @@
|
|
|
5584
5664
|
* @param metadataEntity
|
|
5585
5665
|
*/
|
|
5586
5666
|
isAuthoritySameType(metadataEntity) {
|
|
5587
|
-
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority);
|
|
5667
|
+
const cachedAuthorityUrl = new UrlString(metadataEntity.canonical_authority, this.correlationId);
|
|
5588
5668
|
const cachedParts = cachedAuthorityUrl.getUrlComponents().PathSegments;
|
|
5589
5669
|
return (cachedParts.length ===
|
|
5590
5670
|
this.canonicalAuthorityUrlComponents.PathSegments.length);
|
|
@@ -5598,7 +5678,7 @@
|
|
|
5598
5678
|
return JSON.parse(this.authorityOptions.authorityMetadata);
|
|
5599
5679
|
}
|
|
5600
5680
|
catch (e) {
|
|
5601
|
-
throw createClientConfigurationError(invalidAuthorityMetadata);
|
|
5681
|
+
throw createClientConfigurationError(invalidAuthorityMetadata, this.correlationId);
|
|
5602
5682
|
}
|
|
5603
5683
|
}
|
|
5604
5684
|
return null;
|
|
@@ -5615,7 +5695,7 @@
|
|
|
5615
5695
|
* hardcoded list of metadata
|
|
5616
5696
|
*/
|
|
5617
5697
|
const openIdConfigurationEndpoint = this.defaultOpenIdConfigurationEndpoint;
|
|
5618
|
-
this.logger.verbose(
|
|
5698
|
+
this.logger.verbose(`1y65x6 ${openIdConfigurationEndpoint}`, this.correlationId);
|
|
5619
5699
|
try {
|
|
5620
5700
|
const response = await this.networkInterface.sendGetRequestAsync(openIdConfigurationEndpoint, options);
|
|
5621
5701
|
const isValidResponse = isOpenIdConfigResponse(response.body);
|
|
@@ -5628,7 +5708,7 @@
|
|
|
5628
5708
|
}
|
|
5629
5709
|
}
|
|
5630
5710
|
catch (e) {
|
|
5631
|
-
this.logger.verbose(
|
|
5711
|
+
this.logger.verbose(`0a9wik ${e}`, this.correlationId);
|
|
5632
5712
|
return null;
|
|
5633
5713
|
}
|
|
5634
5714
|
}
|
|
@@ -5654,7 +5734,7 @@
|
|
|
5654
5734
|
RegionDiscoveryOutcomes.CONFIGURED_NO_AUTO_DETECTION;
|
|
5655
5735
|
this.regionDiscoveryMetadata.region_used =
|
|
5656
5736
|
userConfiguredAzureRegion;
|
|
5657
|
-
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion);
|
|
5737
|
+
return Authority.replaceWithRegionalInformation(metadata, userConfiguredAzureRegion, this.correlationId);
|
|
5658
5738
|
}
|
|
5659
5739
|
const autodetectedRegionName = await invokeAsync(this.regionDiscovery.detectRegion.bind(this.regionDiscovery), RegionDiscoveryDetectRegion, this.logger, this.performanceClient, this.correlationId)(this.authorityOptions.azureRegionConfiguration
|
|
5660
5740
|
?.environmentRegion, this.regionDiscoveryMetadata);
|
|
@@ -5663,7 +5743,7 @@
|
|
|
5663
5743
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_SUCCESSFUL;
|
|
5664
5744
|
this.regionDiscoveryMetadata.region_used =
|
|
5665
5745
|
autodetectedRegionName;
|
|
5666
|
-
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName);
|
|
5746
|
+
return Authority.replaceWithRegionalInformation(metadata, autodetectedRegionName, this.correlationId);
|
|
5667
5747
|
}
|
|
5668
5748
|
this.regionDiscoveryMetadata.region_outcome =
|
|
5669
5749
|
RegionDiscoveryOutcomes.AUTO_DETECTION_REQUESTED_FAILED;
|
|
@@ -5688,13 +5768,15 @@
|
|
|
5688
5768
|
return AuthorityMetadataSource.NETWORK;
|
|
5689
5769
|
}
|
|
5690
5770
|
// Metadata could not be obtained from the config, cache, network or hardcoded values
|
|
5691
|
-
throw createClientConfigurationError(untrustedAuthority);
|
|
5771
|
+
throw createClientConfigurationError(untrustedAuthority, this.correlationId);
|
|
5692
5772
|
}
|
|
5693
5773
|
updateCloudDiscoveryMetadataFromLocalSources(metadataEntity) {
|
|
5694
5774
|
this.logger.verbose("1tpqlr", this.correlationId);
|
|
5695
|
-
this.logger.verbosePii(
|
|
5696
|
-
|
|
5697
|
-
this.logger.verbosePii(
|
|
5775
|
+
this.logger.verbosePii(`1fy7uz ${this.authorityOptions.knownAuthorities ||
|
|
5776
|
+
NOT_APPLICABLE}`, this.correlationId);
|
|
5777
|
+
this.logger.verbosePii(`08zabj ${this.authorityOptions.authorityMetadata ||
|
|
5778
|
+
NOT_APPLICABLE}`, this.correlationId);
|
|
5779
|
+
this.logger.verbosePii(`1o1kv3 ${metadataEntity.canonical_authority || NOT_APPLICABLE}`, this.correlationId);
|
|
5698
5780
|
const metadata = this.getCloudDiscoveryMetadataFromConfig();
|
|
5699
5781
|
if (metadata) {
|
|
5700
5782
|
this.logger.verbose("1nakio", this.correlationId);
|
|
@@ -5750,7 +5832,7 @@
|
|
|
5750
5832
|
}
|
|
5751
5833
|
catch (e) {
|
|
5752
5834
|
this.logger.verbose("1wq5tu", this.correlationId);
|
|
5753
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
5835
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, this.correlationId);
|
|
5754
5836
|
}
|
|
5755
5837
|
}
|
|
5756
5838
|
// If cloudDiscoveryMetadata is empty or does not contain the host, check knownAuthorities
|
|
@@ -5781,18 +5863,18 @@
|
|
|
5781
5863
|
typedResponseBody =
|
|
5782
5864
|
response.body;
|
|
5783
5865
|
metadata = typedResponseBody.metadata;
|
|
5784
|
-
this.logger.verbosePii(
|
|
5866
|
+
this.logger.verbosePii(`1vglyt ${typedResponseBody.tenant_discovery_endpoint}`, this.correlationId);
|
|
5785
5867
|
}
|
|
5786
5868
|
else if (isCloudInstanceDiscoveryErrorResponse(response.body)) {
|
|
5787
|
-
this.logger.warning(
|
|
5869
|
+
this.logger.warning(`062uto ${response.status}`, this.correlationId);
|
|
5788
5870
|
typedResponseBody =
|
|
5789
5871
|
response.body;
|
|
5790
5872
|
if (typedResponseBody.error === INVALID_INSTANCE) {
|
|
5791
5873
|
this.logger.error("1x90tm", this.correlationId);
|
|
5792
5874
|
return null;
|
|
5793
5875
|
}
|
|
5794
|
-
this.logger.warning(
|
|
5795
|
-
this.logger.warning(
|
|
5876
|
+
this.logger.warning(`0wchdm ${typedResponseBody.error}`, this.correlationId);
|
|
5877
|
+
this.logger.warning(`1s5mpv ${typedResponseBody.error_description}`, this.correlationId);
|
|
5796
5878
|
this.logger.warning("1yhqpw", this.correlationId);
|
|
5797
5879
|
metadata = [];
|
|
5798
5880
|
}
|
|
@@ -5805,10 +5887,11 @@
|
|
|
5805
5887
|
}
|
|
5806
5888
|
catch (error) {
|
|
5807
5889
|
if (error instanceof AuthError) {
|
|
5808
|
-
this.logger.error(
|
|
5890
|
+
this.logger.error(`0vwhc7 ${error.errorCode} ${error.errorMessage}`, this.correlationId);
|
|
5809
5891
|
}
|
|
5810
5892
|
else {
|
|
5811
|
-
|
|
5893
|
+
const typedError = error;
|
|
5894
|
+
this.logger.error(`0s2z41 ${typedError.name} ${typedError.message}`, this.correlationId);
|
|
5812
5895
|
}
|
|
5813
5896
|
return null;
|
|
5814
5897
|
}
|
|
@@ -5827,8 +5910,7 @@
|
|
|
5827
5910
|
const normalizedHost = host.toLowerCase();
|
|
5828
5911
|
const matches = this.authorityOptions.knownAuthorities.filter((authority) => {
|
|
5829
5912
|
return (authority &&
|
|
5830
|
-
UrlString.getDomainFromUrl(authority).toLowerCase() ===
|
|
5831
|
-
normalizedHost);
|
|
5913
|
+
UrlString.getDomainFromUrl(authority, this.correlationId).toLowerCase() === normalizedHost);
|
|
5832
5914
|
});
|
|
5833
5915
|
return matches.length > 0;
|
|
5834
5916
|
}
|
|
@@ -5872,7 +5954,7 @@
|
|
|
5872
5954
|
return this.metadata.preferred_cache;
|
|
5873
5955
|
}
|
|
5874
5956
|
else {
|
|
5875
|
-
throw createClientAuthError(endpointResolutionError);
|
|
5957
|
+
throw createClientAuthError(endpointResolutionError, this.correlationId);
|
|
5876
5958
|
}
|
|
5877
5959
|
}
|
|
5878
5960
|
/**
|
|
@@ -5915,7 +5997,7 @@
|
|
|
5915
5997
|
*/
|
|
5916
5998
|
validateIssuer(issuer) {
|
|
5917
5999
|
if (!issuer) {
|
|
5918
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
6000
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
5919
6001
|
}
|
|
5920
6002
|
// Parse with the WHATWG URL API. URL normalizes scheme + host to lowercase per RFC 3986.
|
|
5921
6003
|
let issuerUrl;
|
|
@@ -5923,7 +6005,7 @@
|
|
|
5923
6005
|
issuerUrl = new URL(issuer);
|
|
5924
6006
|
}
|
|
5925
6007
|
catch {
|
|
5926
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
6008
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
5927
6009
|
}
|
|
5928
6010
|
const issuerScheme = issuerUrl.protocol;
|
|
5929
6011
|
const issuerHost = issuerUrl.host;
|
|
@@ -5961,7 +6043,7 @@
|
|
|
5961
6043
|
return;
|
|
5962
6044
|
}
|
|
5963
6045
|
// issuer validation fails if none of the above rules are satisfied
|
|
5964
|
-
throw createClientConfigurationError(issuerValidationFailed);
|
|
6046
|
+
throw createClientConfigurationError(issuerValidationFailed, this.correlationId);
|
|
5965
6047
|
}
|
|
5966
6048
|
/**
|
|
5967
6049
|
* Rule 1: The issuer scheme + host (and port) match the authority's. Path
|
|
@@ -6049,9 +6131,9 @@
|
|
|
6049
6131
|
* @param host string
|
|
6050
6132
|
* @param region string
|
|
6051
6133
|
*/
|
|
6052
|
-
static buildRegionalAuthorityString(host, region, queryString) {
|
|
6134
|
+
static buildRegionalAuthorityString(host, region, correlationId, queryString) {
|
|
6053
6135
|
// Create and validate a Url string object with the initial authority string
|
|
6054
|
-
const authorityUrlInstance = new UrlString(host);
|
|
6136
|
+
const authorityUrlInstance = new UrlString(host, correlationId);
|
|
6055
6137
|
authorityUrlInstance.validateAsUri();
|
|
6056
6138
|
const authorityUrlParts = authorityUrlInstance.getUrlComponents();
|
|
6057
6139
|
let hostNameAndPort = `${region}.${authorityUrlParts.HostNameAndPort}`;
|
|
@@ -6062,7 +6144,7 @@
|
|
|
6062
6144
|
const url = UrlString.constructAuthorityUriFromObject({
|
|
6063
6145
|
...authorityUrlInstance.getUrlComponents(),
|
|
6064
6146
|
HostNameAndPort: hostNameAndPort,
|
|
6065
|
-
}).urlString;
|
|
6147
|
+
}, correlationId).urlString;
|
|
6066
6148
|
// Add the query string if a query string was provided
|
|
6067
6149
|
if (queryString)
|
|
6068
6150
|
return `${url}?${queryString}`;
|
|
@@ -6074,15 +6156,15 @@
|
|
|
6074
6156
|
* @param metadata OpenIdConfigResponse
|
|
6075
6157
|
* @param azureRegion string
|
|
6076
6158
|
*/
|
|
6077
|
-
static replaceWithRegionalInformation(metadata, azureRegion) {
|
|
6159
|
+
static replaceWithRegionalInformation(metadata, azureRegion, correlationId) {
|
|
6078
6160
|
const regionalMetadata = { ...metadata };
|
|
6079
6161
|
regionalMetadata.authorization_endpoint =
|
|
6080
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion);
|
|
6162
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.authorization_endpoint, azureRegion, correlationId);
|
|
6081
6163
|
regionalMetadata.token_endpoint =
|
|
6082
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion);
|
|
6164
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.token_endpoint, azureRegion, correlationId);
|
|
6083
6165
|
if (regionalMetadata.end_session_endpoint) {
|
|
6084
6166
|
regionalMetadata.end_session_endpoint =
|
|
6085
|
-
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion);
|
|
6167
|
+
Authority.buildRegionalAuthorityString(regionalMetadata.end_session_endpoint, azureRegion, correlationId);
|
|
6086
6168
|
}
|
|
6087
6169
|
return regionalMetadata;
|
|
6088
6170
|
}
|
|
@@ -6095,9 +6177,9 @@
|
|
|
6095
6177
|
*
|
|
6096
6178
|
* @param authority
|
|
6097
6179
|
*/
|
|
6098
|
-
static transformCIAMAuthority(authority) {
|
|
6180
|
+
static transformCIAMAuthority(authority, correlationId) {
|
|
6099
6181
|
let ciamAuthority = authority;
|
|
6100
|
-
const authorityUrl = new UrlString(authority);
|
|
6182
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
6101
6183
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
6102
6184
|
// check if transformation is needed
|
|
6103
6185
|
if (authorityUrlComponents.PathSegments.length === 0 &&
|
|
@@ -6119,8 +6201,8 @@
|
|
|
6119
6201
|
/**
|
|
6120
6202
|
* Extract tenantId from authority
|
|
6121
6203
|
*/
|
|
6122
|
-
function getTenantFromAuthorityString(authority) {
|
|
6123
|
-
const authorityUrl = new UrlString(authority);
|
|
6204
|
+
function getTenantFromAuthorityString(authority, correlationId) {
|
|
6205
|
+
const authorityUrl = new UrlString(authority, correlationId);
|
|
6124
6206
|
const authorityUrlComponents = authorityUrl.getUrlComponents();
|
|
6125
6207
|
/**
|
|
6126
6208
|
* For credential matching purposes, tenantId is the last path segment of the authority URL:
|
|
@@ -6153,7 +6235,7 @@
|
|
|
6153
6235
|
cloudDiscoveryMetadata = JSON.parse(rawCloudDiscoveryMetadata);
|
|
6154
6236
|
}
|
|
6155
6237
|
catch (e) {
|
|
6156
|
-
throw createClientConfigurationError(invalidCloudDiscoveryMetadata);
|
|
6238
|
+
throw createClientConfigurationError(invalidCloudDiscoveryMetadata, "");
|
|
6157
6239
|
}
|
|
6158
6240
|
}
|
|
6159
6241
|
return {
|
|
@@ -6165,7 +6247,7 @@
|
|
|
6165
6247
|
};
|
|
6166
6248
|
}
|
|
6167
6249
|
|
|
6168
|
-
/*! @azure/msal-common v16.
|
|
6250
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6169
6251
|
|
|
6170
6252
|
/*
|
|
6171
6253
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6187,7 +6269,7 @@
|
|
|
6187
6269
|
* @internal
|
|
6188
6270
|
*/
|
|
6189
6271
|
async function createDiscoveredInstance(authorityUri, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient) {
|
|
6190
|
-
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri));
|
|
6272
|
+
const authorityUriFinal = Authority.transformCIAMAuthority(formatAuthorityUri(authorityUri), correlationId);
|
|
6191
6273
|
// Initialize authority and perform discovery endpoint check.
|
|
6192
6274
|
const acquireTokenAuthority = new Authority(authorityUriFinal, networkClient, cacheManager, authorityOptions, logger, correlationId, performanceClient);
|
|
6193
6275
|
try {
|
|
@@ -6195,11 +6277,11 @@
|
|
|
6195
6277
|
return acquireTokenAuthority;
|
|
6196
6278
|
}
|
|
6197
6279
|
catch (e) {
|
|
6198
|
-
throw createClientAuthError(endpointResolutionError);
|
|
6280
|
+
throw createClientAuthError(endpointResolutionError, correlationId);
|
|
6199
6281
|
}
|
|
6200
6282
|
}
|
|
6201
6283
|
|
|
6202
|
-
/*! @azure/msal-common v16.
|
|
6284
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6203
6285
|
|
|
6204
6286
|
/*
|
|
6205
6287
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6239,7 +6321,7 @@
|
|
|
6239
6321
|
*/
|
|
6240
6322
|
async acquireToken(request, apiId, authCodePayload) {
|
|
6241
6323
|
if (!request.code) {
|
|
6242
|
-
throw createClientAuthError(requestCannotBeMade);
|
|
6324
|
+
throw createClientAuthError(requestCannotBeMade, request.correlationId);
|
|
6243
6325
|
}
|
|
6244
6326
|
// Check for new cloud instance
|
|
6245
6327
|
if (authCodePayload && authCodePayload.cloud_instance_host_name) {
|
|
@@ -6262,7 +6344,7 @@
|
|
|
6262
6344
|
getLogoutUri(logoutRequest) {
|
|
6263
6345
|
// Throw error if logoutRequest is null/undefined
|
|
6264
6346
|
if (!logoutRequest) {
|
|
6265
|
-
throw createClientConfigurationError(logoutRequestEmpty);
|
|
6347
|
+
throw createClientConfigurationError(logoutRequestEmpty, "");
|
|
6266
6348
|
}
|
|
6267
6349
|
const queryString = this.createLogoutUrlQueryString(logoutRequest);
|
|
6268
6350
|
// Construct logout URI
|
|
@@ -6287,7 +6369,7 @@
|
|
|
6287
6369
|
};
|
|
6288
6370
|
}
|
|
6289
6371
|
catch (e) {
|
|
6290
|
-
this.logger.verbose(
|
|
6372
|
+
this.logger.verbose(`0wznt3 ${e}`, request.correlationId);
|
|
6291
6373
|
}
|
|
6292
6374
|
}
|
|
6293
6375
|
const headers = createTokenRequestHeaders(this.logger, this.config.systemOptions.preventCorsPreflight, ccsCredential || request.ccsCredential);
|
|
@@ -6310,7 +6392,7 @@
|
|
|
6310
6392
|
if (!this.includeRedirectUri) {
|
|
6311
6393
|
// Just validate
|
|
6312
6394
|
if (!request.redirectUri) {
|
|
6313
|
-
throw createClientConfigurationError(redirectUriEmpty);
|
|
6395
|
+
throw createClientConfigurationError(redirectUriEmpty, request.correlationId);
|
|
6314
6396
|
}
|
|
6315
6397
|
}
|
|
6316
6398
|
else {
|
|
@@ -6318,7 +6400,7 @@
|
|
|
6318
6400
|
addRedirectUri(parameters, request.redirectUri);
|
|
6319
6401
|
}
|
|
6320
6402
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
6321
|
-
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
6403
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.oidcDefaultScopes);
|
|
6322
6404
|
addResource(parameters, request.resource);
|
|
6323
6405
|
// add code: user set, not validated
|
|
6324
6406
|
addAuthorizationCode(parameters, request.code);
|
|
@@ -6361,7 +6443,7 @@
|
|
|
6361
6443
|
addSshJwk(parameters, request.sshJwk);
|
|
6362
6444
|
}
|
|
6363
6445
|
else {
|
|
6364
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
6446
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
6365
6447
|
}
|
|
6366
6448
|
}
|
|
6367
6449
|
let ccsCred = undefined;
|
|
@@ -6374,7 +6456,7 @@
|
|
|
6374
6456
|
};
|
|
6375
6457
|
}
|
|
6376
6458
|
catch (e) {
|
|
6377
|
-
this.logger.verbose(
|
|
6459
|
+
this.logger.verbose(`0wznt3 ${e}`, request.correlationId);
|
|
6378
6460
|
}
|
|
6379
6461
|
}
|
|
6380
6462
|
else {
|
|
@@ -6389,7 +6471,7 @@
|
|
|
6389
6471
|
addCcsOid(parameters, clientInfo);
|
|
6390
6472
|
}
|
|
6391
6473
|
catch (e) {
|
|
6392
|
-
this.logger.verbose(
|
|
6474
|
+
this.logger.verbose(`1qhtee ${e}`, request.correlationId);
|
|
6393
6475
|
}
|
|
6394
6476
|
break;
|
|
6395
6477
|
case CcsCredentialType.UPN:
|
|
@@ -6412,7 +6494,7 @@
|
|
|
6412
6494
|
});
|
|
6413
6495
|
}
|
|
6414
6496
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6415
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
6497
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
6416
6498
|
return mapToQueryString(parameters);
|
|
6417
6499
|
}
|
|
6418
6500
|
/**
|
|
@@ -6456,7 +6538,7 @@
|
|
|
6456
6538
|
}
|
|
6457
6539
|
}
|
|
6458
6540
|
|
|
6459
|
-
/*! @azure/msal-common v16.
|
|
6541
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6460
6542
|
|
|
6461
6543
|
/*
|
|
6462
6544
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6502,11 +6584,11 @@
|
|
|
6502
6584
|
async acquireTokenByRefreshToken(request, apiId) {
|
|
6503
6585
|
// Cannot renew token if no request object is given.
|
|
6504
6586
|
if (!request) {
|
|
6505
|
-
throw createClientConfigurationError(tokenRequestEmpty);
|
|
6587
|
+
throw createClientConfigurationError(tokenRequestEmpty, "");
|
|
6506
6588
|
}
|
|
6507
6589
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
6508
6590
|
if (!request.account) {
|
|
6509
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
6591
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
6510
6592
|
}
|
|
6511
6593
|
// try checking if FOCI is enabled for the given application
|
|
6512
6594
|
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment, request.correlationId);
|
|
@@ -6543,7 +6625,7 @@
|
|
|
6543
6625
|
// fetches family RT or application RT based on FOCI value
|
|
6544
6626
|
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, request.correlationId, undefined);
|
|
6545
6627
|
if (!refreshToken) {
|
|
6546
|
-
throw createInteractionRequiredAuthError(noTokensFound);
|
|
6628
|
+
throw createInteractionRequiredAuthError(noTokensFound, request.correlationId);
|
|
6547
6629
|
}
|
|
6548
6630
|
if (refreshToken.expiresOn) {
|
|
6549
6631
|
const offset = request.refreshTokenExpirationOffsetSeconds ||
|
|
@@ -6553,7 +6635,7 @@
|
|
|
6553
6635
|
rtOffsetSeconds: offset,
|
|
6554
6636
|
}, request.correlationId);
|
|
6555
6637
|
if (isTokenExpired(refreshToken.expiresOn, offset)) {
|
|
6556
|
-
throw createInteractionRequiredAuthError(refreshTokenExpired);
|
|
6638
|
+
throw createInteractionRequiredAuthError(refreshTokenExpired, request.correlationId);
|
|
6557
6639
|
}
|
|
6558
6640
|
}
|
|
6559
6641
|
// attach cached RT size to the current measurement
|
|
@@ -6607,7 +6689,7 @@
|
|
|
6607
6689
|
if (request.redirectUri) {
|
|
6608
6690
|
addRedirectUri(parameters, request.redirectUri);
|
|
6609
6691
|
}
|
|
6610
|
-
addScopes(parameters, request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
6692
|
+
addScopes(parameters, request.scopes, request.correlationId, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
6611
6693
|
addGrantType(parameters, GrantType$1.REFRESH_TOKEN_GRANT);
|
|
6612
6694
|
addClientInfo(parameters);
|
|
6613
6695
|
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
@@ -6643,7 +6725,7 @@
|
|
|
6643
6725
|
addSshJwk(parameters, request.sshJwk);
|
|
6644
6726
|
}
|
|
6645
6727
|
else {
|
|
6646
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
6728
|
+
throw createClientConfigurationError(missingSshJwk, request.correlationId);
|
|
6647
6729
|
}
|
|
6648
6730
|
}
|
|
6649
6731
|
if (this.config.systemOptions.preventCorsPreflight &&
|
|
@@ -6655,7 +6737,7 @@
|
|
|
6655
6737
|
addCcsOid(parameters, clientInfo);
|
|
6656
6738
|
}
|
|
6657
6739
|
catch (e) {
|
|
6658
|
-
this.logger.verbose(
|
|
6740
|
+
this.logger.verbose(`1qhtee ${e}`, request.correlationId);
|
|
6659
6741
|
}
|
|
6660
6742
|
break;
|
|
6661
6743
|
case CcsCredentialType.UPN:
|
|
@@ -6672,12 +6754,12 @@
|
|
|
6672
6754
|
});
|
|
6673
6755
|
}
|
|
6674
6756
|
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
6675
|
-
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
6757
|
+
addClaims(parameters, request.correlationId, request.claims, this.config.authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
6676
6758
|
return mapToQueryString(parameters);
|
|
6677
6759
|
}
|
|
6678
6760
|
}
|
|
6679
6761
|
|
|
6680
|
-
/*! @azure/msal-common v16.
|
|
6762
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6681
6763
|
|
|
6682
6764
|
/*
|
|
6683
6765
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6712,32 +6794,32 @@
|
|
|
6712
6794
|
if (request.forceRefresh || !StringUtils.isEmptyObj(request.claims)) {
|
|
6713
6795
|
// Must refresh due to present force_refresh flag.
|
|
6714
6796
|
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
|
|
6715
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
6797
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
6716
6798
|
}
|
|
6717
6799
|
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
6718
6800
|
if (!request.account) {
|
|
6719
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
6801
|
+
throw createClientAuthError(noAccountInSilentRequest, request.correlationId);
|
|
6720
6802
|
}
|
|
6721
6803
|
const requestTenantId = request.account.tenantId ||
|
|
6722
|
-
getTenantFromAuthorityString(request.authority);
|
|
6804
|
+
getTenantFromAuthorityString(request.authority, request.correlationId);
|
|
6723
6805
|
const tokenKeys = this.cacheManager.getTokenKeys();
|
|
6724
6806
|
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId);
|
|
6725
6807
|
if (!cachedAccessToken) {
|
|
6726
6808
|
// must refresh due to non-existent access_token
|
|
6727
6809
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
6728
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
6810
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
6729
6811
|
}
|
|
6730
6812
|
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
|
|
6731
6813
|
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
|
|
6732
6814
|
// must refresh due to the expires_in value
|
|
6733
6815
|
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
|
|
6734
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
6816
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
6735
6817
|
}
|
|
6736
6818
|
else if (request.resource) {
|
|
6737
6819
|
// cached access token must have a resource that matches the request resource for MCP scenarios
|
|
6738
6820
|
if (cachedAccessToken.resource !== request.resource) {
|
|
6739
6821
|
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
6740
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
6822
|
+
throw createClientAuthError(tokenRefreshRequired, request.correlationId);
|
|
6741
6823
|
}
|
|
6742
6824
|
}
|
|
6743
6825
|
else if (cachedAccessToken.refreshOn &&
|
|
@@ -6769,7 +6851,7 @@
|
|
|
6769
6851
|
cacheOutcome: cacheOutcome,
|
|
6770
6852
|
}, correlationId);
|
|
6771
6853
|
if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
|
|
6772
|
-
this.logger.info(
|
|
6854
|
+
this.logger.info(`09ingz ${cacheOutcome}`, correlationId);
|
|
6773
6855
|
}
|
|
6774
6856
|
}
|
|
6775
6857
|
/**
|
|
@@ -6779,36 +6861,29 @@
|
|
|
6779
6861
|
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
6780
6862
|
let idTokenClaims;
|
|
6781
6863
|
if (cacheRecord.idToken) {
|
|
6782
|
-
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
6783
|
-
}
|
|
6784
|
-
// token max_age check
|
|
6785
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
6786
|
-
const authTime = idTokenClaims?.auth_time;
|
|
6787
|
-
if (!authTime) {
|
|
6788
|
-
throw createClientAuthError(authTimeNotFound);
|
|
6789
|
-
}
|
|
6790
|
-
checkMaxAge(authTime, request.maxAge);
|
|
6864
|
+
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode, request.correlationId);
|
|
6791
6865
|
}
|
|
6792
6866
|
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, this.performanceClient, idTokenClaims);
|
|
6793
6867
|
}
|
|
6794
6868
|
}
|
|
6795
6869
|
|
|
6796
|
-
/*! @azure/msal-common v16.
|
|
6870
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6797
6871
|
|
|
6798
6872
|
/*
|
|
6799
6873
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
6800
6874
|
* Licensed under the MIT License.
|
|
6801
6875
|
*/
|
|
6802
6876
|
const StubbedNetworkModule = {
|
|
6877
|
+
// Module-level singleton: no per-request correlationId available
|
|
6803
6878
|
sendGetRequestAsync: () => {
|
|
6804
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
6879
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
6805
6880
|
},
|
|
6806
6881
|
sendPostRequestAsync: () => {
|
|
6807
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
6882
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, ""));
|
|
6808
6883
|
},
|
|
6809
6884
|
};
|
|
6810
6885
|
|
|
6811
|
-
/*! @azure/msal-common v16.
|
|
6886
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
6812
6887
|
|
|
6813
6888
|
/*
|
|
6814
6889
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -6821,6 +6896,7 @@
|
|
|
6821
6896
|
* @param logger
|
|
6822
6897
|
* @param performanceClient
|
|
6823
6898
|
* @returns
|
|
6899
|
+
* @internal
|
|
6824
6900
|
*/
|
|
6825
6901
|
function getStandardAuthorizeRequestParameters(authOptions, request, logger, performanceClient) {
|
|
6826
6902
|
// generate the correlationId if not set by the user and add
|
|
@@ -6833,7 +6909,7 @@
|
|
|
6833
6909
|
...(request.scopes || []),
|
|
6834
6910
|
...(request.extraScopesToConsent || []),
|
|
6835
6911
|
];
|
|
6836
|
-
addScopes(parameters, requestScopes, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
6912
|
+
addScopes(parameters, requestScopes, request.correlationId, true, authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
6837
6913
|
addResource(parameters, request.resource);
|
|
6838
6914
|
addRedirectUri(parameters, request.redirectUri);
|
|
6839
6915
|
addCorrelationId(parameters, correlationId);
|
|
@@ -6935,7 +7011,7 @@
|
|
|
6935
7011
|
if (request.embeddedClientId) {
|
|
6936
7012
|
addBrokerParameters(parameters, authOptions.clientId, authOptions.redirectUri);
|
|
6937
7013
|
}
|
|
6938
|
-
addClaims(parameters, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
7014
|
+
addClaims(parameters, request.correlationId, request.claims, authOptions.clientCapabilities, request.skipBrokerClaims);
|
|
6939
7015
|
// If extraQueryParameters includes instance_aware its value will be added when extraQueryParameters are added
|
|
6940
7016
|
if (authOptions.instanceAware &&
|
|
6941
7017
|
(!request.extraQueryParameters ||
|
|
@@ -6949,6 +7025,7 @@
|
|
|
6949
7025
|
* @param authority
|
|
6950
7026
|
* @param requestParameters
|
|
6951
7027
|
* @returns
|
|
7028
|
+
* @internal
|
|
6952
7029
|
*/
|
|
6953
7030
|
function getAuthorizeUrl(authority, requestParameters) {
|
|
6954
7031
|
const queryString = mapToQueryString(requestParameters);
|
|
@@ -6959,13 +7036,14 @@
|
|
|
6959
7036
|
* the client to exchange for a token in acquireToken.
|
|
6960
7037
|
* @param serverParams
|
|
6961
7038
|
* @param cachedState
|
|
7039
|
+
* @param correlationId
|
|
6962
7040
|
*/
|
|
6963
|
-
function getAuthorizationCodePayload(serverParams, cachedState) {
|
|
7041
|
+
function getAuthorizationCodePayload(serverParams, cachedState, correlationId) {
|
|
6964
7042
|
// Get code response
|
|
6965
|
-
validateAuthorizationResponse(serverParams, cachedState);
|
|
7043
|
+
validateAuthorizationResponse(serverParams, cachedState, correlationId);
|
|
6966
7044
|
// throw when there is no auth code in the response
|
|
6967
7045
|
if (!serverParams.code) {
|
|
6968
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
7046
|
+
throw createClientAuthError(authorizationCodeMissingFromServerResponse, correlationId);
|
|
6969
7047
|
}
|
|
6970
7048
|
return serverParams;
|
|
6971
7049
|
}
|
|
@@ -6973,12 +7051,13 @@
|
|
|
6973
7051
|
* Function which validates server authorization code response.
|
|
6974
7052
|
* @param serverResponseHash
|
|
6975
7053
|
* @param requestState
|
|
7054
|
+
* @param correlationId
|
|
6976
7055
|
*/
|
|
6977
|
-
function validateAuthorizationResponse(serverResponse, requestState) {
|
|
7056
|
+
function validateAuthorizationResponse(serverResponse, requestState, correlationId) {
|
|
6978
7057
|
if (!serverResponse.state || !requestState) {
|
|
6979
7058
|
throw serverResponse.state
|
|
6980
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
6981
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
7059
|
+
? createClientAuthError(stateNotFound, correlationId, "Cached State")
|
|
7060
|
+
: createClientAuthError(stateNotFound, correlationId, "Server State");
|
|
6982
7061
|
}
|
|
6983
7062
|
let decodedServerResponseState;
|
|
6984
7063
|
let decodedRequestState;
|
|
@@ -6986,16 +7065,16 @@
|
|
|
6986
7065
|
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
6987
7066
|
}
|
|
6988
7067
|
catch (e) {
|
|
6989
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7068
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
6990
7069
|
}
|
|
6991
7070
|
try {
|
|
6992
7071
|
decodedRequestState = decodeURIComponent(requestState);
|
|
6993
7072
|
}
|
|
6994
7073
|
catch (e) {
|
|
6995
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
7074
|
+
throw createClientAuthError(invalidState, correlationId, serverResponse.state);
|
|
6996
7075
|
}
|
|
6997
7076
|
if (decodedServerResponseState !== decodedRequestState) {
|
|
6998
|
-
throw createClientAuthError(stateMismatch);
|
|
7077
|
+
throw createClientAuthError(stateMismatch, correlationId);
|
|
6999
7078
|
}
|
|
7000
7079
|
// Check for error
|
|
7001
7080
|
if (serverResponse.error ||
|
|
@@ -7003,9 +7082,9 @@
|
|
|
7003
7082
|
serverResponse.suberror) {
|
|
7004
7083
|
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
7005
7084
|
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
7006
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.
|
|
7085
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.claims || "", serverErrorNo);
|
|
7007
7086
|
}
|
|
7008
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7087
|
+
throw new ServerError(serverResponse.error || "", serverResponse.correlation_id || correlationId, serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
7009
7088
|
}
|
|
7010
7089
|
}
|
|
7011
7090
|
/**
|
|
@@ -7031,7 +7110,7 @@
|
|
|
7031
7110
|
return account.loginHint || account.idTokenClaims?.login_hint || null;
|
|
7032
7111
|
}
|
|
7033
7112
|
|
|
7034
|
-
/*! @azure/msal-common v16.
|
|
7113
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7035
7114
|
|
|
7036
7115
|
/*
|
|
7037
7116
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7051,10 +7130,10 @@
|
|
|
7051
7130
|
if (request.resource &&
|
|
7052
7131
|
(containsResourceParam(request.extraParameters) ||
|
|
7053
7132
|
containsResourceParam(request.extraQueryParameters))) {
|
|
7054
|
-
throw createClientAuthError(misplacedResourceParam);
|
|
7133
|
+
throw createClientAuthError(misplacedResourceParam, request.correlationId || "");
|
|
7055
7134
|
}
|
|
7056
7135
|
if (!request.resource) {
|
|
7057
|
-
throw createClientAuthError(resourceParameterRequired);
|
|
7136
|
+
throw createClientAuthError(resourceParameterRequired, request.correlationId || "");
|
|
7058
7137
|
}
|
|
7059
7138
|
}
|
|
7060
7139
|
function containsResourceParam(params) {
|
|
@@ -7064,7 +7143,7 @@
|
|
|
7064
7143
|
return Object.prototype.hasOwnProperty.call(params, "resource");
|
|
7065
7144
|
}
|
|
7066
7145
|
|
|
7067
|
-
/*! @azure/msal-common v16.
|
|
7146
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7068
7147
|
/*
|
|
7069
7148
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7070
7149
|
* Licensed under the MIT License.
|
|
@@ -7074,7 +7153,7 @@
|
|
|
7074
7153
|
*/
|
|
7075
7154
|
const unexpectedError = "unexpected_error";
|
|
7076
7155
|
|
|
7077
|
-
/*! @azure/msal-common v16.
|
|
7156
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7078
7157
|
|
|
7079
7158
|
/*
|
|
7080
7159
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7367,7 +7446,7 @@
|
|
|
7367
7446
|
clearNativeBrokerErrorCode() { }
|
|
7368
7447
|
}
|
|
7369
7448
|
|
|
7370
|
-
/*! @azure/msal-common v16.
|
|
7449
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7371
7450
|
|
|
7372
7451
|
/*
|
|
7373
7452
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7377,18 +7456,18 @@
|
|
|
7377
7456
|
* Error thrown when there is an error in the client code running on the browser.
|
|
7378
7457
|
*/
|
|
7379
7458
|
class JoseHeaderError extends AuthError {
|
|
7380
|
-
constructor(errorCode, errorMessage) {
|
|
7381
|
-
super(errorCode, errorMessage);
|
|
7459
|
+
constructor(errorCode, correlationId, errorMessage) {
|
|
7460
|
+
super(errorCode, correlationId, errorMessage);
|
|
7382
7461
|
this.name = "JoseHeaderError";
|
|
7383
7462
|
Object.setPrototypeOf(this, JoseHeaderError.prototype);
|
|
7384
7463
|
}
|
|
7385
7464
|
}
|
|
7386
7465
|
/** Returns JoseHeaderError object */
|
|
7387
|
-
function createJoseHeaderError(code) {
|
|
7388
|
-
return new JoseHeaderError(code);
|
|
7466
|
+
function createJoseHeaderError(code, correlationId) {
|
|
7467
|
+
return new JoseHeaderError(code, correlationId);
|
|
7389
7468
|
}
|
|
7390
7469
|
|
|
7391
|
-
/*! @azure/msal-common v16.
|
|
7470
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7392
7471
|
/*
|
|
7393
7472
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
7394
7473
|
* Licensed under the MIT License.
|
|
@@ -7396,7 +7475,7 @@
|
|
|
7396
7475
|
const missingKidError = "missing_kid_error";
|
|
7397
7476
|
const missingAlgError = "missing_alg_error";
|
|
7398
7477
|
|
|
7399
|
-
/*! @azure/msal-common v16.
|
|
7478
|
+
/*! @azure/msal-common v16.10.0 2026-06-23 */
|
|
7400
7479
|
|
|
7401
7480
|
/*
|
|
7402
7481
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -7420,11 +7499,11 @@
|
|
|
7420
7499
|
static getShrHeaderString(shrHeaderOptions) {
|
|
7421
7500
|
// KeyID is required on the SHR header
|
|
7422
7501
|
if (!shrHeaderOptions.kid) {
|
|
7423
|
-
throw createJoseHeaderError(missingKidError);
|
|
7502
|
+
throw createJoseHeaderError(missingKidError, "");
|
|
7424
7503
|
}
|
|
7425
7504
|
// Alg is required on the SHR header
|
|
7426
7505
|
if (!shrHeaderOptions.alg) {
|
|
7427
|
-
throw createJoseHeaderError(missingAlgError);
|
|
7506
|
+
throw createJoseHeaderError(missingAlgError, "");
|
|
7428
7507
|
}
|
|
7429
7508
|
const shrHeader = new JoseHeader({
|
|
7430
7509
|
// Access Token PoP headers must have type pop, but the type header can be overriden for special cases
|
|
@@ -7831,7 +7910,7 @@
|
|
|
7831
7910
|
|
|
7832
7911
|
/* eslint-disable header/header */
|
|
7833
7912
|
const name = "@azure/msal-browser";
|
|
7834
|
-
const version = "5.
|
|
7913
|
+
const version = "5.15.0";
|
|
7835
7914
|
|
|
7836
7915
|
/*
|
|
7837
7916
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
@@ -8467,6 +8546,116 @@
|
|
|
8467
8546
|
*/
|
|
8468
8547
|
const WaitForBridgeLateResponse = "waitForBridgeLateResponse";
|
|
8469
8548
|
|
|
8549
|
+
/*
|
|
8550
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8551
|
+
* Licensed under the MIT License.
|
|
8552
|
+
*/
|
|
8553
|
+
const pkceNotCreated = "pkce_not_created";
|
|
8554
|
+
const earJwkEmpty = "ear_jwk_empty";
|
|
8555
|
+
const earJweEmpty = "ear_jwe_empty";
|
|
8556
|
+
const cryptoNonExistent = "crypto_nonexistent";
|
|
8557
|
+
const emptyNavigateUri = "empty_navigate_uri";
|
|
8558
|
+
const hashEmptyError = "hash_empty_error";
|
|
8559
|
+
const noStateInHash = "no_state_in_hash";
|
|
8560
|
+
const hashDoesNotContainKnownProperties = "hash_does_not_contain_known_properties";
|
|
8561
|
+
const unableToParseState = "unable_to_parse_state";
|
|
8562
|
+
const stateInteractionTypeMismatch = "state_interaction_type_mismatch";
|
|
8563
|
+
const interactionInProgress = "interaction_in_progress";
|
|
8564
|
+
const interactionInProgressCancelled = "interaction_in_progress_cancelled";
|
|
8565
|
+
const popupWindowError = "popup_window_error";
|
|
8566
|
+
const emptyWindowError = "empty_window_error";
|
|
8567
|
+
const userCancelled = "user_cancelled";
|
|
8568
|
+
const redirectBridgeEmptyResponse = "redirect_bridge_empty_response";
|
|
8569
|
+
const redirectInIframe = "redirect_in_iframe";
|
|
8570
|
+
const blockIframeReload = "block_iframe_reload";
|
|
8571
|
+
const blockNestedPopups = "block_nested_popups";
|
|
8572
|
+
const silentLogoutUnsupported = "silent_logout_unsupported";
|
|
8573
|
+
const noAccountError = "no_account_error";
|
|
8574
|
+
const noTokenRequestCacheError = "no_token_request_cache_error";
|
|
8575
|
+
const unableToParseTokenRequestCacheError = "unable_to_parse_token_request_cache_error";
|
|
8576
|
+
const nonBrowserEnvironment = "non_browser_environment";
|
|
8577
|
+
const databaseNotOpen = "database_not_open";
|
|
8578
|
+
const noNetworkConnectivity = "no_network_connectivity";
|
|
8579
|
+
const postRequestFailed = "post_request_failed";
|
|
8580
|
+
const getRequestFailed = "get_request_failed";
|
|
8581
|
+
const failedToParseResponse = "failed_to_parse_response";
|
|
8582
|
+
const cryptoKeyNotFound = "crypto_key_not_found";
|
|
8583
|
+
const authCodeRequired = "auth_code_required";
|
|
8584
|
+
const authCodeOrNativeAccountIdRequired = "auth_code_or_nativeAccountId_required";
|
|
8585
|
+
const spaCodeAndNativeAccountIdPresent = "spa_code_and_nativeAccountId_present";
|
|
8586
|
+
const databaseUnavailable = "database_unavailable";
|
|
8587
|
+
const unableToAcquireTokenFromNativePlatform = "unable_to_acquire_token_from_native_platform";
|
|
8588
|
+
const nativeHandshakeTimeout = "native_handshake_timeout";
|
|
8589
|
+
const nativeExtensionNotInstalled = "native_extension_not_installed";
|
|
8590
|
+
const nativeConnectionNotEstablished = "native_connection_not_established";
|
|
8591
|
+
const uninitializedPublicClientApplication = "uninitialized_public_client_application";
|
|
8592
|
+
const nativePromptNotSupported = "native_prompt_not_supported";
|
|
8593
|
+
const invalidBase64String = "invalid_base64_string";
|
|
8594
|
+
const invalidPopTokenRequest = "invalid_pop_token_request";
|
|
8595
|
+
const failedToBuildHeaders = "failed_to_build_headers";
|
|
8596
|
+
const failedToParseHeaders = "failed_to_parse_headers";
|
|
8597
|
+
const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
|
|
8598
|
+
const timedOut = "timed_out";
|
|
8599
|
+
const emptyResponse = "empty_response";
|
|
8600
|
+
|
|
8601
|
+
/*
|
|
8602
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8603
|
+
* Licensed under the MIT License.
|
|
8604
|
+
*/
|
|
8605
|
+
function getDefaultErrorMessage(code) {
|
|
8606
|
+
return `See https://aka.ms/msal.js.errors#${code} for details`;
|
|
8607
|
+
}
|
|
8608
|
+
/**
|
|
8609
|
+
* Browser library error class thrown by the MSAL.js library for SPAs
|
|
8610
|
+
*/
|
|
8611
|
+
class BrowserAuthError extends AuthError {
|
|
8612
|
+
constructor(errorCode, correlationId, subError) {
|
|
8613
|
+
super(errorCode, correlationId, getDefaultErrorMessage(errorCode), subError);
|
|
8614
|
+
Object.setPrototypeOf(this, BrowserAuthError.prototype);
|
|
8615
|
+
this.name = "BrowserAuthError";
|
|
8616
|
+
}
|
|
8617
|
+
}
|
|
8618
|
+
function createBrowserAuthError(errorCode, correlationId, subError) {
|
|
8619
|
+
return new BrowserAuthError(errorCode, correlationId, subError);
|
|
8620
|
+
}
|
|
8621
|
+
|
|
8622
|
+
/*
|
|
8623
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8624
|
+
* Licensed under the MIT License.
|
|
8625
|
+
*/
|
|
8626
|
+
/**
|
|
8627
|
+
* Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
|
|
8628
|
+
* https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
|
|
8629
|
+
*/
|
|
8630
|
+
/**
|
|
8631
|
+
* Returns a URL-safe plaintext decoded string from b64 encoded input.
|
|
8632
|
+
* @param input
|
|
8633
|
+
*/
|
|
8634
|
+
function base64Decode(input) {
|
|
8635
|
+
return new TextDecoder().decode(base64DecToArr(input));
|
|
8636
|
+
}
|
|
8637
|
+
/**
|
|
8638
|
+
* Decodes base64 into Uint8Array
|
|
8639
|
+
* @param base64String
|
|
8640
|
+
*/
|
|
8641
|
+
function base64DecToArr(base64String) {
|
|
8642
|
+
let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
|
|
8643
|
+
switch (encodedString.length % 4) {
|
|
8644
|
+
case 0:
|
|
8645
|
+
break;
|
|
8646
|
+
case 2:
|
|
8647
|
+
encodedString += "==";
|
|
8648
|
+
break;
|
|
8649
|
+
case 3:
|
|
8650
|
+
encodedString += "=";
|
|
8651
|
+
break;
|
|
8652
|
+
default:
|
|
8653
|
+
throw createBrowserAuthError(invalidBase64String, "");
|
|
8654
|
+
}
|
|
8655
|
+
const binString = atob(encodedString);
|
|
8656
|
+
return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
|
|
8657
|
+
}
|
|
8658
|
+
|
|
8470
8659
|
/*
|
|
8471
8660
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8472
8661
|
* Licensed under the MIT License.
|
|
@@ -8651,116 +8840,6 @@
|
|
|
8651
8840
|
CacheLookupPolicy.RefreshTokenAndNetwork,
|
|
8652
8841
|
];
|
|
8653
8842
|
|
|
8654
|
-
/*
|
|
8655
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8656
|
-
* Licensed under the MIT License.
|
|
8657
|
-
*/
|
|
8658
|
-
const pkceNotCreated = "pkce_not_created";
|
|
8659
|
-
const earJwkEmpty = "ear_jwk_empty";
|
|
8660
|
-
const earJweEmpty = "ear_jwe_empty";
|
|
8661
|
-
const cryptoNonExistent = "crypto_nonexistent";
|
|
8662
|
-
const emptyNavigateUri = "empty_navigate_uri";
|
|
8663
|
-
const hashEmptyError = "hash_empty_error";
|
|
8664
|
-
const noStateInHash = "no_state_in_hash";
|
|
8665
|
-
const hashDoesNotContainKnownProperties = "hash_does_not_contain_known_properties";
|
|
8666
|
-
const unableToParseState = "unable_to_parse_state";
|
|
8667
|
-
const stateInteractionTypeMismatch = "state_interaction_type_mismatch";
|
|
8668
|
-
const interactionInProgress = "interaction_in_progress";
|
|
8669
|
-
const interactionInProgressCancelled = "interaction_in_progress_cancelled";
|
|
8670
|
-
const popupWindowError = "popup_window_error";
|
|
8671
|
-
const emptyWindowError = "empty_window_error";
|
|
8672
|
-
const userCancelled = "user_cancelled";
|
|
8673
|
-
const redirectBridgeEmptyResponse = "redirect_bridge_empty_response";
|
|
8674
|
-
const redirectInIframe = "redirect_in_iframe";
|
|
8675
|
-
const blockIframeReload = "block_iframe_reload";
|
|
8676
|
-
const blockNestedPopups = "block_nested_popups";
|
|
8677
|
-
const silentLogoutUnsupported = "silent_logout_unsupported";
|
|
8678
|
-
const noAccountError = "no_account_error";
|
|
8679
|
-
const noTokenRequestCacheError = "no_token_request_cache_error";
|
|
8680
|
-
const unableToParseTokenRequestCacheError = "unable_to_parse_token_request_cache_error";
|
|
8681
|
-
const nonBrowserEnvironment = "non_browser_environment";
|
|
8682
|
-
const databaseNotOpen = "database_not_open";
|
|
8683
|
-
const noNetworkConnectivity = "no_network_connectivity";
|
|
8684
|
-
const postRequestFailed = "post_request_failed";
|
|
8685
|
-
const getRequestFailed = "get_request_failed";
|
|
8686
|
-
const failedToParseResponse = "failed_to_parse_response";
|
|
8687
|
-
const cryptoKeyNotFound = "crypto_key_not_found";
|
|
8688
|
-
const authCodeRequired = "auth_code_required";
|
|
8689
|
-
const authCodeOrNativeAccountIdRequired = "auth_code_or_nativeAccountId_required";
|
|
8690
|
-
const spaCodeAndNativeAccountIdPresent = "spa_code_and_nativeAccountId_present";
|
|
8691
|
-
const databaseUnavailable = "database_unavailable";
|
|
8692
|
-
const unableToAcquireTokenFromNativePlatform = "unable_to_acquire_token_from_native_platform";
|
|
8693
|
-
const nativeHandshakeTimeout = "native_handshake_timeout";
|
|
8694
|
-
const nativeExtensionNotInstalled = "native_extension_not_installed";
|
|
8695
|
-
const nativeConnectionNotEstablished = "native_connection_not_established";
|
|
8696
|
-
const uninitializedPublicClientApplication = "uninitialized_public_client_application";
|
|
8697
|
-
const nativePromptNotSupported = "native_prompt_not_supported";
|
|
8698
|
-
const invalidBase64String = "invalid_base64_string";
|
|
8699
|
-
const invalidPopTokenRequest = "invalid_pop_token_request";
|
|
8700
|
-
const failedToBuildHeaders = "failed_to_build_headers";
|
|
8701
|
-
const failedToParseHeaders = "failed_to_parse_headers";
|
|
8702
|
-
const failedToDecryptEarResponse = "failed_to_decrypt_ear_response";
|
|
8703
|
-
const timedOut = "timed_out";
|
|
8704
|
-
const emptyResponse = "empty_response";
|
|
8705
|
-
|
|
8706
|
-
/*
|
|
8707
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8708
|
-
* Licensed under the MIT License.
|
|
8709
|
-
*/
|
|
8710
|
-
function getDefaultErrorMessage(code) {
|
|
8711
|
-
return `See https://aka.ms/msal.js.errors#${code} for details`;
|
|
8712
|
-
}
|
|
8713
|
-
/**
|
|
8714
|
-
* Browser library error class thrown by the MSAL.js library for SPAs
|
|
8715
|
-
*/
|
|
8716
|
-
class BrowserAuthError extends AuthError {
|
|
8717
|
-
constructor(errorCode, subError) {
|
|
8718
|
-
super(errorCode, getDefaultErrorMessage(errorCode), subError);
|
|
8719
|
-
Object.setPrototypeOf(this, BrowserAuthError.prototype);
|
|
8720
|
-
this.name = "BrowserAuthError";
|
|
8721
|
-
}
|
|
8722
|
-
}
|
|
8723
|
-
function createBrowserAuthError(errorCode, subError) {
|
|
8724
|
-
return new BrowserAuthError(errorCode, subError);
|
|
8725
|
-
}
|
|
8726
|
-
|
|
8727
|
-
/*
|
|
8728
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8729
|
-
* Licensed under the MIT License.
|
|
8730
|
-
*/
|
|
8731
|
-
/**
|
|
8732
|
-
* Class which exposes APIs to decode base64 strings to plaintext. See here for implementation details:
|
|
8733
|
-
* https://developer.mozilla.org/en-US/docs/Glossary/Base64#the_unicode_problem
|
|
8734
|
-
*/
|
|
8735
|
-
/**
|
|
8736
|
-
* Returns a URL-safe plaintext decoded string from b64 encoded input.
|
|
8737
|
-
* @param input
|
|
8738
|
-
*/
|
|
8739
|
-
function base64Decode(input) {
|
|
8740
|
-
return new TextDecoder().decode(base64DecToArr(input));
|
|
8741
|
-
}
|
|
8742
|
-
/**
|
|
8743
|
-
* Decodes base64 into Uint8Array
|
|
8744
|
-
* @param base64String
|
|
8745
|
-
*/
|
|
8746
|
-
function base64DecToArr(base64String) {
|
|
8747
|
-
let encodedString = base64String.replace(/-/g, "+").replace(/_/g, "/");
|
|
8748
|
-
switch (encodedString.length % 4) {
|
|
8749
|
-
case 0:
|
|
8750
|
-
break;
|
|
8751
|
-
case 2:
|
|
8752
|
-
encodedString += "==";
|
|
8753
|
-
break;
|
|
8754
|
-
case 3:
|
|
8755
|
-
encodedString += "=";
|
|
8756
|
-
break;
|
|
8757
|
-
default:
|
|
8758
|
-
throw createBrowserAuthError(invalidBase64String);
|
|
8759
|
-
}
|
|
8760
|
-
const binString = atob(encodedString);
|
|
8761
|
-
return Uint8Array.from(binString, (m) => m.codePointAt(0) || 0);
|
|
8762
|
-
}
|
|
8763
|
-
|
|
8764
8843
|
/*
|
|
8765
8844
|
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
8766
8845
|
* Licensed under the MIT License.
|
|
@@ -8849,13 +8928,13 @@
|
|
|
8849
8928
|
*/
|
|
8850
8929
|
function validateCryptoAvailable(skipValidateSubtleCrypto) {
|
|
8851
8930
|
if (!window) {
|
|
8852
|
-
throw createBrowserAuthError(nonBrowserEnvironment);
|
|
8931
|
+
throw createBrowserAuthError(nonBrowserEnvironment, "");
|
|
8853
8932
|
}
|
|
8854
8933
|
if (!window.crypto) {
|
|
8855
|
-
throw createBrowserAuthError(cryptoNonExistent);
|
|
8934
|
+
throw createBrowserAuthError(cryptoNonExistent, "");
|
|
8856
8935
|
}
|
|
8857
8936
|
if (!skipValidateSubtleCrypto && !window.crypto.subtle) {
|
|
8858
|
-
throw createBrowserAuthError(cryptoNonExistent, SUBTLE_SUBERROR);
|
|
8937
|
+
throw createBrowserAuthError(cryptoNonExistent, "", SUBTLE_SUBERROR);
|
|
8859
8938
|
}
|
|
8860
8939
|
}
|
|
8861
8940
|
/**
|
|
@@ -8994,10 +9073,10 @@
|
|
|
8994
9073
|
async function decryptEarResponse(earJwk, earJwe) {
|
|
8995
9074
|
const earJweParts = earJwe.split(".");
|
|
8996
9075
|
if (earJweParts.length !== 5) {
|
|
8997
|
-
throw createBrowserAuthError(failedToDecryptEarResponse, "jwe_length");
|
|
9076
|
+
throw createBrowserAuthError(failedToDecryptEarResponse, "", "jwe_length");
|
|
8998
9077
|
}
|
|
8999
9078
|
const key = await importEarKey(earJwk).catch(() => {
|
|
9000
|
-
throw createBrowserAuthError(failedToDecryptEarResponse, "import_key");
|
|
9079
|
+
throw createBrowserAuthError(failedToDecryptEarResponse, "", "import_key");
|
|
9001
9080
|
});
|
|
9002
9081
|
try {
|
|
9003
9082
|
const header = new TextEncoder().encode(earJweParts[0]);
|
|
@@ -9018,7 +9097,7 @@
|
|
|
9018
9097
|
return new TextDecoder().decode(decryptedData);
|
|
9019
9098
|
}
|
|
9020
9099
|
catch (e) {
|
|
9021
|
-
throw createBrowserAuthError(failedToDecryptEarResponse, "decrypt");
|
|
9100
|
+
throw createBrowserAuthError(failedToDecryptEarResponse, "", "decrypt");
|
|
9022
9101
|
}
|
|
9023
9102
|
}
|
|
9024
9103
|
/**
|
|
@@ -9116,14 +9195,14 @@
|
|
|
9116
9195
|
* Browser library error class thrown by the MSAL.js library for SPAs
|
|
9117
9196
|
*/
|
|
9118
9197
|
class BrowserConfigurationAuthError extends AuthError {
|
|
9119
|
-
constructor(errorCode, errorMessage) {
|
|
9120
|
-
super(errorCode, errorMessage);
|
|
9198
|
+
constructor(errorCode, correlationId, errorMessage) {
|
|
9199
|
+
super(errorCode, correlationId, errorMessage);
|
|
9121
9200
|
this.name = "BrowserConfigurationAuthError";
|
|
9122
9201
|
Object.setPrototypeOf(this, BrowserConfigurationAuthError.prototype);
|
|
9123
9202
|
}
|
|
9124
9203
|
}
|
|
9125
|
-
function createBrowserConfigurationAuthError(errorCode) {
|
|
9126
|
-
return new BrowserConfigurationAuthError(errorCode, getDefaultErrorMessage(errorCode));
|
|
9204
|
+
function createBrowserConfigurationAuthError(errorCode, correlationId) {
|
|
9205
|
+
return new BrowserConfigurationAuthError(errorCode, correlationId, getDefaultErrorMessage(errorCode));
|
|
9127
9206
|
}
|
|
9128
9207
|
|
|
9129
9208
|
/*
|
|
@@ -9179,17 +9258,21 @@
|
|
|
9179
9258
|
payload = `${queryContent}${hashContent}`;
|
|
9180
9259
|
params = new URLSearchParams(payload);
|
|
9181
9260
|
}
|
|
9261
|
+
/*
|
|
9262
|
+
* Called by the redirect-bridge entry point before any request context exists,
|
|
9263
|
+
* so correlationId is intentionally empty for the throws below.
|
|
9264
|
+
*/
|
|
9182
9265
|
if (!payload || !params) {
|
|
9183
|
-
throw createBrowserAuthError(emptyResponse);
|
|
9266
|
+
throw createBrowserAuthError(emptyResponse, "");
|
|
9184
9267
|
}
|
|
9185
9268
|
const state = params.get("state");
|
|
9186
9269
|
if (!state) {
|
|
9187
|
-
throw createBrowserAuthError(noStateInHash);
|
|
9270
|
+
throw createBrowserAuthError(noStateInHash, "");
|
|
9188
9271
|
}
|
|
9189
|
-
const { libraryState } = parseRequestState(base64Decode, state);
|
|
9272
|
+
const { libraryState } = parseRequestState(base64Decode, state, "");
|
|
9190
9273
|
const { id, meta } = libraryState;
|
|
9191
9274
|
if (!id || !meta) {
|
|
9192
|
-
throw createBrowserAuthError(unableToParseState, "missing_library_state");
|
|
9275
|
+
throw createBrowserAuthError(unableToParseState, "", "missing_library_state");
|
|
9193
9276
|
}
|
|
9194
9277
|
return {
|
|
9195
9278
|
params,
|
|
@@ -9269,10 +9352,11 @@
|
|
|
9269
9352
|
logger.verbose("BrowserUtils.cancelPendingBridgeResponse - Cancelling pending bridge monitor", correlationId);
|
|
9270
9353
|
clearTimeout(activeBridgeMonitor.timeoutId);
|
|
9271
9354
|
activeBridgeMonitor.channel.close();
|
|
9272
|
-
activeBridgeMonitor.reject(createBrowserAuthError(interactionInProgressCancelled));
|
|
9355
|
+
activeBridgeMonitor.reject(createBrowserAuthError(interactionInProgressCancelled, ""));
|
|
9273
9356
|
activeBridgeMonitor = null;
|
|
9274
9357
|
}
|
|
9275
9358
|
}
|
|
9359
|
+
/** @internal */
|
|
9276
9360
|
async function waitForBridgeResponse(timeoutMs, logger, request, performanceClient, experimentalConfig) {
|
|
9277
9361
|
return new Promise((resolve, reject) => {
|
|
9278
9362
|
logger.verbose("BrowserUtils.waitForBridgeResponse - started", request.correlationId);
|
|
@@ -9281,7 +9365,7 @@
|
|
|
9281
9365
|
redirectBridgeTimeoutMs: timeoutMs,
|
|
9282
9366
|
lateResponseExperimentEnabled: experimentalConfig?.iframeTimeoutTelemetry || false,
|
|
9283
9367
|
}, correlationId);
|
|
9284
|
-
const { libraryState } = parseRequestState(base64Decode, request.state || "");
|
|
9368
|
+
const { libraryState } = parseRequestState(base64Decode, request.state || "", request.correlationId);
|
|
9285
9369
|
const channel = new BroadcastChannel(libraryState.id);
|
|
9286
9370
|
let responseString = undefined;
|
|
9287
9371
|
let timedOut$1 = false;
|
|
@@ -9302,7 +9386,7 @@
|
|
|
9302
9386
|
else {
|
|
9303
9387
|
channel.close();
|
|
9304
9388
|
}
|
|
9305
|
-
reject(createBrowserAuthError(timedOut, "redirect_bridge_timeout"));
|
|
9389
|
+
reject(createBrowserAuthError(timedOut, "", "redirect_bridge_timeout"));
|
|
9306
9390
|
}, timeoutMs);
|
|
9307
9391
|
// Track this monitor so it can be cancelled if needed
|
|
9308
9392
|
activeBridgeMonitor = {
|
|
@@ -9334,7 +9418,7 @@
|
|
|
9334
9418
|
resolve(responseString);
|
|
9335
9419
|
}
|
|
9336
9420
|
else {
|
|
9337
|
-
reject(createBrowserAuthError(redirectBridgeEmptyResponse));
|
|
9421
|
+
reject(createBrowserAuthError(redirectBridgeEmptyResponse, correlationId));
|
|
9338
9422
|
}
|
|
9339
9423
|
};
|
|
9340
9424
|
});
|
|
@@ -9351,8 +9435,8 @@
|
|
|
9351
9435
|
/**
|
|
9352
9436
|
* Gets the homepage url for the current window location.
|
|
9353
9437
|
*/
|
|
9354
|
-
function getHomepage() {
|
|
9355
|
-
const currentUrl = new UrlString(window.location.href);
|
|
9438
|
+
function getHomepage(correlationId) {
|
|
9439
|
+
const currentUrl = new UrlString(window.location.href, correlationId || "");
|
|
9356
9440
|
const urlComponents = currentUrl.getUrlComponents();
|
|
9357
9441
|
return `${urlComponents.Protocol}//${urlComponents.HostNameAndPort}/`;
|
|
9358
9442
|
}
|
|
@@ -9364,7 +9448,7 @@
|
|
|
9364
9448
|
const isResponseHash = getDeserializedResponse(window.location.hash);
|
|
9365
9449
|
// return an error if called from the hidden iframe created by the msal js silent calls
|
|
9366
9450
|
if (isResponseHash && isInIframe()) {
|
|
9367
|
-
throw createBrowserAuthError(blockIframeReload);
|
|
9451
|
+
throw createBrowserAuthError(blockIframeReload, "");
|
|
9368
9452
|
}
|
|
9369
9453
|
}
|
|
9370
9454
|
/**
|
|
@@ -9375,7 +9459,7 @@
|
|
|
9375
9459
|
function blockRedirectInIframe(allowRedirectInIframe) {
|
|
9376
9460
|
if (isInIframe() && !allowRedirectInIframe) {
|
|
9377
9461
|
// If we are not in top frame, we shouldn't redirect. This is also handled by the service.
|
|
9378
|
-
throw createBrowserAuthError(redirectInIframe);
|
|
9462
|
+
throw createBrowserAuthError(redirectInIframe, "");
|
|
9379
9463
|
}
|
|
9380
9464
|
}
|
|
9381
9465
|
/**
|
|
@@ -9384,7 +9468,7 @@
|
|
|
9384
9468
|
function blockAcquireTokenInPopups() {
|
|
9385
9469
|
// Popups opened by msal popup APIs are given a name that starts with "msal."
|
|
9386
9470
|
if (isInPopup()) {
|
|
9387
|
-
throw createBrowserAuthError(blockNestedPopups);
|
|
9471
|
+
throw createBrowserAuthError(blockNestedPopups, "");
|
|
9388
9472
|
}
|
|
9389
9473
|
}
|
|
9390
9474
|
/**
|
|
@@ -9393,7 +9477,7 @@
|
|
|
9393
9477
|
*/
|
|
9394
9478
|
function blockNonBrowserEnvironment() {
|
|
9395
9479
|
if (typeof window === "undefined") {
|
|
9396
|
-
throw createBrowserAuthError(nonBrowserEnvironment);
|
|
9480
|
+
throw createBrowserAuthError(nonBrowserEnvironment, "");
|
|
9397
9481
|
}
|
|
9398
9482
|
}
|
|
9399
9483
|
/**
|
|
@@ -9402,7 +9486,7 @@
|
|
|
9402
9486
|
*/
|
|
9403
9487
|
function blockAPICallsBeforeInitialize(initialized) {
|
|
9404
9488
|
if (!initialized) {
|
|
9405
|
-
throw createBrowserAuthError(uninitializedPublicClientApplication);
|
|
9489
|
+
throw createBrowserAuthError(uninitializedPublicClientApplication, "");
|
|
9406
9490
|
}
|
|
9407
9491
|
}
|
|
9408
9492
|
/**
|
|
@@ -9420,16 +9504,17 @@
|
|
|
9420
9504
|
blockAPICallsBeforeInitialize(initialized);
|
|
9421
9505
|
}
|
|
9422
9506
|
/**
|
|
9423
|
-
* Helper to validate app
|
|
9507
|
+
* Helper to validate app environment before making redirect request
|
|
9424
9508
|
* @param initialized
|
|
9425
9509
|
* @param config
|
|
9510
|
+
* @internal
|
|
9426
9511
|
*/
|
|
9427
9512
|
function redirectPreflightCheck(initialized, config) {
|
|
9428
9513
|
preflightCheck$1(initialized);
|
|
9429
9514
|
blockRedirectInIframe(config.system.allowRedirectInIframe);
|
|
9430
9515
|
// Block redirects if memory storage is enabled
|
|
9431
9516
|
if (config.cache.cacheLocation === BrowserCacheLocation.MemoryStorage) {
|
|
9432
|
-
throw createBrowserConfigurationAuthError(inMemRedirectUnavailable);
|
|
9517
|
+
throw createBrowserConfigurationAuthError(inMemRedirectUnavailable, "");
|
|
9433
9518
|
}
|
|
9434
9519
|
}
|
|
9435
9520
|
/**
|
|
@@ -9473,7 +9558,7 @@
|
|
|
9473
9558
|
this.navigationClient = navigationClient;
|
|
9474
9559
|
this.platformAuthProvider = platformAuthProvider;
|
|
9475
9560
|
this.correlationId = correlationId;
|
|
9476
|
-
this.logger = logger.clone(
|
|
9561
|
+
this.logger = logger.clone(name, version);
|
|
9477
9562
|
this.performanceClient = performanceClient;
|
|
9478
9563
|
}
|
|
9479
9564
|
}
|
|
@@ -9488,7 +9573,7 @@
|
|
|
9488
9573
|
function getRedirectUri(requestRedirectUri, clientConfigRedirectUri, logger, correlationId) {
|
|
9489
9574
|
logger.verbose("getRedirectUri called", correlationId);
|
|
9490
9575
|
const redirectUri = requestRedirectUri || clientConfigRedirectUri || "";
|
|
9491
|
-
return UrlString.getAbsoluteUrl(redirectUri, getCurrentUri());
|
|
9576
|
+
return UrlString.getAbsoluteUrl(redirectUri, getCurrentUri(), correlationId);
|
|
9492
9577
|
}
|
|
9493
9578
|
/**
|
|
9494
9579
|
* Initializes and returns a ServerTelemetryManager with the provided telemetry configuration.
|
|
@@ -9549,13 +9634,13 @@
|
|
|
9549
9634
|
? instanceAwareEQ === "true"
|
|
9550
9635
|
: config.auth.instanceAware;
|
|
9551
9636
|
const userAuthority = account && resolvedInstanceAware
|
|
9552
|
-
? config.auth.authority.replace(UrlString.getDomainFromUrl(resolvedAuthority), account.environment)
|
|
9637
|
+
? config.auth.authority.replace(UrlString.getDomainFromUrl(resolvedAuthority, correlationId), account.environment)
|
|
9553
9638
|
: resolvedAuthority;
|
|
9554
9639
|
// fall back to the authority from config
|
|
9555
9640
|
const builtAuthority = Authority.generateAuthority(userAuthority, requestAzureCloudOptions || config.auth.azureCloudOptions);
|
|
9556
9641
|
const discoveredAuthority = await invokeAsync(createDiscoveredInstance, AuthorityFactoryCreateDiscoveredInstance, logger, performanceClient, correlationId)(builtAuthority, config.system.networkClient, browserStorage, authorityOptions, logger, correlationId, performanceClient);
|
|
9557
9642
|
if (account && !discoveredAuthority.isAlias(account.environment)) {
|
|
9558
|
-
throw createClientConfigurationError(authorityMismatch);
|
|
9643
|
+
throw createClientConfigurationError(authorityMismatch, correlationId);
|
|
9559
9644
|
}
|
|
9560
9645
|
return discoveredAuthority;
|
|
9561
9646
|
}
|
|
@@ -9628,10 +9713,10 @@
|
|
|
9628
9713
|
if (validatedRequest.authenticationScheme ===
|
|
9629
9714
|
AuthenticationScheme.SSH) {
|
|
9630
9715
|
if (!request.sshJwk) {
|
|
9631
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
9716
|
+
throw createClientConfigurationError(missingSshJwk, "");
|
|
9632
9717
|
}
|
|
9633
9718
|
if (!request.sshKid) {
|
|
9634
|
-
throw createClientConfigurationError(missingSshKid);
|
|
9719
|
+
throw createClientConfigurationError(missingSshKid, "");
|
|
9635
9720
|
}
|
|
9636
9721
|
}
|
|
9637
9722
|
logger.verbose(`Authentication Scheme set to "'${validatedRequest.authenticationScheme}'" as configured in Auth request`, correlationId);
|
|
@@ -9660,7 +9745,7 @@
|
|
|
9660
9745
|
if (protocolMode === ProtocolMode.EAR) {
|
|
9661
9746
|
// Validate that method can only be POST when protocol mode is EAR
|
|
9662
9747
|
if (requestMethod && requestMethod !== HttpMethod$1.POST) {
|
|
9663
|
-
throw createClientConfigurationError(invalidRequestMethodForEAR);
|
|
9748
|
+
throw createClientConfigurationError(invalidRequestMethodForEAR, "");
|
|
9664
9749
|
}
|
|
9665
9750
|
else {
|
|
9666
9751
|
httpMethod = HttpMethod$1.POST;
|
|
@@ -9725,7 +9810,7 @@
|
|
|
9725
9810
|
if (logoutRequest && logoutRequest.postLogoutRedirectUri) {
|
|
9726
9811
|
this.logger.verbose("Setting postLogoutRedirectUri to uri set on logout request", validLogoutRequest.correlationId);
|
|
9727
9812
|
validLogoutRequest.postLogoutRedirectUri =
|
|
9728
|
-
UrlString.getAbsoluteUrl(logoutRequest.postLogoutRedirectUri, getCurrentUri());
|
|
9813
|
+
UrlString.getAbsoluteUrl(logoutRequest.postLogoutRedirectUri, getCurrentUri(), validLogoutRequest.correlationId);
|
|
9729
9814
|
}
|
|
9730
9815
|
else if (this.config.auth.postLogoutRedirectUri === null) {
|
|
9731
9816
|
this.logger.verbose("postLogoutRedirectUri configured as null and no uri set on request, not passing post logout redirect", validLogoutRequest.correlationId);
|
|
@@ -9733,12 +9818,12 @@
|
|
|
9733
9818
|
else if (this.config.auth.postLogoutRedirectUri) {
|
|
9734
9819
|
this.logger.verbose("Setting postLogoutRedirectUri to configured uri", validLogoutRequest.correlationId);
|
|
9735
9820
|
validLogoutRequest.postLogoutRedirectUri =
|
|
9736
|
-
UrlString.getAbsoluteUrl(this.config.auth.postLogoutRedirectUri, getCurrentUri());
|
|
9821
|
+
UrlString.getAbsoluteUrl(this.config.auth.postLogoutRedirectUri, getCurrentUri(), validLogoutRequest.correlationId);
|
|
9737
9822
|
}
|
|
9738
9823
|
else {
|
|
9739
9824
|
this.logger.verbose("Setting postLogoutRedirectUri to current page", validLogoutRequest.correlationId);
|
|
9740
9825
|
validLogoutRequest.postLogoutRedirectUri =
|
|
9741
|
-
UrlString.getAbsoluteUrl(getCurrentUri(), getCurrentUri());
|
|
9826
|
+
UrlString.getAbsoluteUrl(getCurrentUri(), getCurrentUri(), validLogoutRequest.correlationId);
|
|
9742
9827
|
}
|
|
9743
9828
|
}
|
|
9744
9829
|
else {
|
|
@@ -9851,7 +9936,7 @@
|
|
|
9851
9936
|
const browserState = {
|
|
9852
9937
|
interactionType: interactionType,
|
|
9853
9938
|
};
|
|
9854
|
-
const state = setRequestState(browserCrypto, (request && request.state) || "", browserState);
|
|
9939
|
+
const state = setRequestState(browserCrypto, (request && request.state) || "", browserState, correlationId);
|
|
9855
9940
|
const baseRequest = await invokeAsync(initializeBaseRequest, InitializeBaseRequest, logger, performanceClient, correlationId)({ ...request, correlationId: correlationId }, config, performanceClient, logger, correlationId);
|
|
9856
9941
|
const interactionRequest = {
|
|
9857
9942
|
...baseRequest,
|
|
@@ -10703,7 +10788,7 @@
|
|
|
10703
10788
|
* @param customAuthProxyDomain - The custom auth proxy domain.
|
|
10704
10789
|
*/
|
|
10705
10790
|
constructor(authority, config, networkInterface, cacheManager, logger, performanceClient, customAuthProxyDomain) {
|
|
10706
|
-
const ciamAuthorityUrl = CustomAuthAuthority.transformCIAMAuthority(authority);
|
|
10791
|
+
const ciamAuthorityUrl = CustomAuthAuthority.transformCIAMAuthority(authority, "");
|
|
10707
10792
|
const authorityOptions = {
|
|
10708
10793
|
protocolMode: config.system.protocolMode,
|
|
10709
10794
|
OIDCOptions: config.auth.OIDCOptions,
|
|
@@ -12019,7 +12104,7 @@
|
|
|
12019
12104
|
this.logger.verbose("Cache cleared", correlationId);
|
|
12020
12105
|
const postLogoutRedirectUri = this.config.auth.postLogoutRedirectUri;
|
|
12021
12106
|
if (postLogoutRedirectUri) {
|
|
12022
|
-
const absoluteRedirectUri = UrlString.getAbsoluteUrl(postLogoutRedirectUri, getCurrentUri());
|
|
12107
|
+
const absoluteRedirectUri = UrlString.getAbsoluteUrl(postLogoutRedirectUri, getCurrentUri(), correlationId);
|
|
12023
12108
|
this.logger.verbose("Post logout redirect uri is set, redirecting to uri", correlationId);
|
|
12024
12109
|
// Redirect to post logout redirect uri
|
|
12025
12110
|
await this.navigationClient.navigateExternal(absoluteRedirectUri, {
|
|
@@ -13940,7 +14025,7 @@
|
|
|
13940
14025
|
this.dbOpen = true;
|
|
13941
14026
|
resolve();
|
|
13942
14027
|
});
|
|
13943
|
-
openDB.addEventListener("error", () => reject(createBrowserAuthError(databaseUnavailable)));
|
|
14028
|
+
openDB.addEventListener("error", () => reject(createBrowserAuthError(databaseUnavailable, "")));
|
|
13944
14029
|
});
|
|
13945
14030
|
}
|
|
13946
14031
|
/**
|
|
@@ -13971,7 +14056,7 @@
|
|
|
13971
14056
|
return new Promise((resolve, reject) => {
|
|
13972
14057
|
// TODO: Add timeouts?
|
|
13973
14058
|
if (!this.db) {
|
|
13974
|
-
return reject(createBrowserAuthError(databaseNotOpen));
|
|
14059
|
+
return reject(createBrowserAuthError(databaseNotOpen, ""));
|
|
13975
14060
|
}
|
|
13976
14061
|
const transaction = this.db.transaction([this.tableName], "readonly");
|
|
13977
14062
|
const objectStore = transaction.objectStore(this.tableName);
|
|
@@ -13997,7 +14082,7 @@
|
|
|
13997
14082
|
return new Promise((resolve, reject) => {
|
|
13998
14083
|
// TODO: Add timeouts?
|
|
13999
14084
|
if (!this.db) {
|
|
14000
|
-
return reject(createBrowserAuthError(databaseNotOpen));
|
|
14085
|
+
return reject(createBrowserAuthError(databaseNotOpen, ""));
|
|
14001
14086
|
}
|
|
14002
14087
|
const transaction = this.db.transaction([this.tableName], "readwrite");
|
|
14003
14088
|
const objectStore = transaction.objectStore(this.tableName);
|
|
@@ -14020,7 +14105,7 @@
|
|
|
14020
14105
|
await this.validateDbIsOpen();
|
|
14021
14106
|
return new Promise((resolve, reject) => {
|
|
14022
14107
|
if (!this.db) {
|
|
14023
|
-
return reject(createBrowserAuthError(databaseNotOpen));
|
|
14108
|
+
return reject(createBrowserAuthError(databaseNotOpen, ""));
|
|
14024
14109
|
}
|
|
14025
14110
|
const transaction = this.db.transaction([this.tableName], "readwrite");
|
|
14026
14111
|
const objectStore = transaction.objectStore(this.tableName);
|
|
@@ -14042,7 +14127,7 @@
|
|
|
14042
14127
|
await this.validateDbIsOpen();
|
|
14043
14128
|
return new Promise((resolve, reject) => {
|
|
14044
14129
|
if (!this.db) {
|
|
14045
|
-
return reject(createBrowserAuthError(databaseNotOpen));
|
|
14130
|
+
return reject(createBrowserAuthError(databaseNotOpen, ""));
|
|
14046
14131
|
}
|
|
14047
14132
|
const transaction = this.db.transaction([this.tableName], "readonly");
|
|
14048
14133
|
const objectStore = transaction.objectStore(this.tableName);
|
|
@@ -14066,7 +14151,7 @@
|
|
|
14066
14151
|
await this.validateDbIsOpen();
|
|
14067
14152
|
return new Promise((resolve, reject) => {
|
|
14068
14153
|
if (!this.db) {
|
|
14069
|
-
return reject(createBrowserAuthError(databaseNotOpen));
|
|
14154
|
+
return reject(createBrowserAuthError(databaseNotOpen, ""));
|
|
14070
14155
|
}
|
|
14071
14156
|
const transaction = this.db.transaction([this.tableName], "readonly");
|
|
14072
14157
|
const objectStore = transaction.objectStore(this.tableName);
|
|
@@ -14391,7 +14476,7 @@
|
|
|
14391
14476
|
await this.cache.removeItem(kid, correlationId);
|
|
14392
14477
|
const keyFound = await this.cache.containsKey(kid, correlationId);
|
|
14393
14478
|
if (keyFound) {
|
|
14394
|
-
throw createClientAuthError(bindingKeyNotRemoved);
|
|
14479
|
+
throw createClientAuthError(bindingKeyNotRemoved, correlationId);
|
|
14395
14480
|
}
|
|
14396
14481
|
}
|
|
14397
14482
|
/**
|
|
@@ -14428,7 +14513,7 @@
|
|
|
14428
14513
|
const signJwtMeasurement = this.performanceClient?.startMeasurement(CryptoOptsSignJwt, correlationId);
|
|
14429
14514
|
const cachedKeyPair = await this.cache.getItem(kid, correlationId || "");
|
|
14430
14515
|
if (!cachedKeyPair) {
|
|
14431
|
-
throw createBrowserAuthError(cryptoKeyNotFound);
|
|
14516
|
+
throw createBrowserAuthError(cryptoKeyNotFound, correlationId || "");
|
|
14432
14517
|
}
|
|
14433
14518
|
// Get public key as JWK
|
|
14434
14519
|
const publicKeyJwk = await exportJwk(cachedKeyPair.publicKey);
|
|
@@ -14584,7 +14669,7 @@
|
|
|
14584
14669
|
return "";
|
|
14585
14670
|
}
|
|
14586
14671
|
getUserData() {
|
|
14587
|
-
throw createClientAuthError(methodNotImplemented);
|
|
14672
|
+
throw createClientAuthError(methodNotImplemented, "");
|
|
14588
14673
|
}
|
|
14589
14674
|
setItem(key, value, cookieLifeDays, secure = true, sameSite = SameSiteOptions.Lax) {
|
|
14590
14675
|
let cookieStr = `${encodeURIComponent(key)}=${encodeURIComponent(value)};path=/;SameSite=${sameSite};`;
|
|
@@ -14598,8 +14683,8 @@
|
|
|
14598
14683
|
}
|
|
14599
14684
|
document.cookie = cookieStr;
|
|
14600
14685
|
}
|
|
14601
|
-
async setUserData() {
|
|
14602
|
-
return Promise.reject(createClientAuthError(methodNotImplemented));
|
|
14686
|
+
async setUserData(_key, _value, correlationId) {
|
|
14687
|
+
return Promise.reject(createClientAuthError(methodNotImplemented, correlationId));
|
|
14603
14688
|
}
|
|
14604
14689
|
removeItem(key) {
|
|
14605
14690
|
// Setting expiration to -1 removes it
|
|
@@ -14698,7 +14783,7 @@
|
|
|
14698
14783
|
class LocalStorage {
|
|
14699
14784
|
constructor(clientId, logger, performanceClient) {
|
|
14700
14785
|
if (!window.localStorage) {
|
|
14701
|
-
throw createBrowserConfigurationAuthError(storageNotSupported);
|
|
14786
|
+
throw createBrowserConfigurationAuthError(storageNotSupported, "");
|
|
14702
14787
|
}
|
|
14703
14788
|
this.memoryStorage = new MemoryStorage();
|
|
14704
14789
|
this.initialized = false;
|
|
@@ -14755,13 +14840,13 @@
|
|
|
14755
14840
|
}
|
|
14756
14841
|
getUserData(key) {
|
|
14757
14842
|
if (!this.initialized) {
|
|
14758
|
-
throw createBrowserAuthError(uninitializedPublicClientApplication);
|
|
14843
|
+
throw createBrowserAuthError(uninitializedPublicClientApplication, "");
|
|
14759
14844
|
}
|
|
14760
14845
|
return this.memoryStorage.getItem(key);
|
|
14761
14846
|
}
|
|
14762
14847
|
async decryptData(key, data, correlationId) {
|
|
14763
14848
|
if (!this.initialized || !this.encryptionCookie) {
|
|
14764
|
-
throw createBrowserAuthError(uninitializedPublicClientApplication);
|
|
14849
|
+
throw createBrowserAuthError(uninitializedPublicClientApplication, "");
|
|
14765
14850
|
}
|
|
14766
14851
|
if (data.id !== this.encryptionCookie.id) {
|
|
14767
14852
|
// Data was encrypted with a different key. It must be removed because it is from a previous session.
|
|
@@ -14788,7 +14873,7 @@
|
|
|
14788
14873
|
}
|
|
14789
14874
|
async setUserData(key, value, correlationId, timestamp, kmsi) {
|
|
14790
14875
|
if (!this.initialized || !this.encryptionCookie) {
|
|
14791
|
-
throw createBrowserAuthError(uninitializedPublicClientApplication);
|
|
14876
|
+
throw createBrowserAuthError(uninitializedPublicClientApplication, "");
|
|
14792
14877
|
}
|
|
14793
14878
|
if (kmsi) {
|
|
14794
14879
|
this.setItem(key, value);
|
|
@@ -14986,7 +15071,7 @@
|
|
|
14986
15071
|
class SessionStorage {
|
|
14987
15072
|
constructor() {
|
|
14988
15073
|
if (!window.sessionStorage) {
|
|
14989
|
-
throw createBrowserConfigurationAuthError(storageNotSupported);
|
|
15074
|
+
throw createBrowserConfigurationAuthError(storageNotSupported, "");
|
|
14990
15075
|
}
|
|
14991
15076
|
}
|
|
14992
15077
|
async initialize() {
|
|
@@ -15288,7 +15373,7 @@
|
|
|
15288
15373
|
const rawValue = this.browserStorage.getUserData(key);
|
|
15289
15374
|
if (rawValue) {
|
|
15290
15375
|
const idToken = JSON.parse(rawValue);
|
|
15291
|
-
const claims = extractTokenClaims(idToken.secret, base64Decode);
|
|
15376
|
+
const claims = extractTokenClaims(idToken.secret, base64Decode, "");
|
|
15292
15377
|
if (claims) {
|
|
15293
15378
|
kmsiMap[idToken.homeAccountId] = isKmsi(claims);
|
|
15294
15379
|
}
|
|
@@ -15349,12 +15434,12 @@
|
|
|
15349
15434
|
this.performanceClient.incrementFields({ skipITMigrateCount: 1 }, correlationId);
|
|
15350
15435
|
continue;
|
|
15351
15436
|
}
|
|
15352
|
-
const claims = extractTokenClaims(oldSchemaData.secret, base64Decode);
|
|
15437
|
+
const claims = extractTokenClaims(oldSchemaData.secret, base64Decode, correlationId);
|
|
15353
15438
|
const newIdTokenKey = this.generateCredentialKey(oldSchemaData);
|
|
15354
15439
|
const currentIdToken = this.getIdTokenCredential(newIdTokenKey, correlationId);
|
|
15355
15440
|
const oldTokenHasSignInState = Object.keys(claims).includes("signin_state");
|
|
15356
15441
|
const currentTokenHasSignInState = currentIdToken &&
|
|
15357
|
-
Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode) || {}).includes("signin_state");
|
|
15442
|
+
Object.keys(extractTokenClaims(currentIdToken.secret, base64Decode, correlationId) || {}).includes("signin_state");
|
|
15358
15443
|
/**
|
|
15359
15444
|
* Only migrate if:
|
|
15360
15445
|
* 1. Token doesn't yet exist in current schema
|
|
@@ -15369,7 +15454,7 @@
|
|
|
15369
15454
|
!tenantProfiles.find((tenantProfile) => {
|
|
15370
15455
|
return tenantProfile.tenantId === tenantId;
|
|
15371
15456
|
})) {
|
|
15372
|
-
const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, claims);
|
|
15457
|
+
const newTenantProfile = buildTenantProfile(account.homeAccountId, account.localAccountId, tenantId, account.nativeAccountId, claims);
|
|
15373
15458
|
tenantProfiles.push(newTenantProfile);
|
|
15374
15459
|
}
|
|
15375
15460
|
account.tenantProfiles = tenantProfiles;
|
|
@@ -16322,7 +16407,7 @@
|
|
|
16322
16407
|
// Get token request from cache and parse as TokenExchangeParameters.
|
|
16323
16408
|
const encodedTokenRequest = this.getTemporaryCache(TemporaryCacheKeys.REQUEST_PARAMS, correlationId, true);
|
|
16324
16409
|
if (!encodedTokenRequest) {
|
|
16325
|
-
throw createBrowserAuthError(noTokenRequestCacheError);
|
|
16410
|
+
throw createBrowserAuthError(noTokenRequestCacheError, "");
|
|
16326
16411
|
}
|
|
16327
16412
|
const encodedVerifier = this.getTemporaryCache(TemporaryCacheKeys.VERIFIER, correlationId, true);
|
|
16328
16413
|
let parsedRequest;
|
|
@@ -16336,7 +16421,7 @@
|
|
|
16336
16421
|
catch (e) {
|
|
16337
16422
|
this.logger.errorPii(`Attempted to parse: '${encodedTokenRequest}'`, correlationId);
|
|
16338
16423
|
this.logger.error(`Parsing cached token request threw with error: '${e}'`, correlationId);
|
|
16339
|
-
throw createBrowserAuthError(unableToParseTokenRequestCacheError);
|
|
16424
|
+
throw createBrowserAuthError(unableToParseTokenRequestCacheError, "");
|
|
16340
16425
|
}
|
|
16341
16426
|
return [parsedRequest, verifier];
|
|
16342
16427
|
}
|
|
@@ -16396,7 +16481,7 @@
|
|
|
16396
16481
|
this.removeTemporaryItem(key);
|
|
16397
16482
|
}
|
|
16398
16483
|
else {
|
|
16399
|
-
throw createBrowserAuthError(interactionInProgress);
|
|
16484
|
+
throw createBrowserAuthError(interactionInProgress, "");
|
|
16400
16485
|
}
|
|
16401
16486
|
}
|
|
16402
16487
|
// Set new interaction
|
|
@@ -16427,7 +16512,7 @@
|
|
|
16427
16512
|
? toSecondsFromDate(result.expiresOn)
|
|
16428
16513
|
: 0, result.extExpiresOn
|
|
16429
16514
|
? toSecondsFromDate(result.extExpiresOn)
|
|
16430
|
-
: 0, base64Decode, undefined, // refreshOn
|
|
16515
|
+
: 0, base64Decode, request.correlationId || "", undefined, // refreshOn
|
|
16431
16516
|
result.tokenType, undefined, // userAssertionHash
|
|
16432
16517
|
request.sshKid);
|
|
16433
16518
|
if (request.resource) {
|
|
@@ -16437,7 +16522,7 @@
|
|
|
16437
16522
|
idToken: idTokenEntity,
|
|
16438
16523
|
accessToken: accessTokenEntity,
|
|
16439
16524
|
};
|
|
16440
|
-
return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode)), ApiId.hydrateCache);
|
|
16525
|
+
return this.saveCacheRecord(cacheRecord, result.correlationId, isKmsi(extractTokenClaims(result.idToken, base64Decode, result.correlationId)), ApiId.hydrateCache);
|
|
16441
16526
|
}
|
|
16442
16527
|
/**
|
|
16443
16528
|
* saves a cache record
|
|
@@ -16550,7 +16635,7 @@
|
|
|
16550
16635
|
class EventHandler {
|
|
16551
16636
|
constructor(logger) {
|
|
16552
16637
|
this.eventCallbacks = new Map();
|
|
16553
|
-
this.logger = logger || new Logger({});
|
|
16638
|
+
this.logger = logger || new Logger({}, name, version);
|
|
16554
16639
|
if (typeof BroadcastChannel !== "undefined") {
|
|
16555
16640
|
this.broadcastChannel = new BroadcastChannel(BROADCAST_CHANNEL_NAME);
|
|
16556
16641
|
}
|
|
@@ -16653,16 +16738,16 @@
|
|
|
16653
16738
|
* @param browserCrypto
|
|
16654
16739
|
* @param state
|
|
16655
16740
|
*/
|
|
16656
|
-
function extractBrowserRequestState(browserCrypto, state) {
|
|
16741
|
+
function extractBrowserRequestState(browserCrypto, state, correlationId) {
|
|
16657
16742
|
if (!state) {
|
|
16658
16743
|
return null;
|
|
16659
16744
|
}
|
|
16660
16745
|
try {
|
|
16661
|
-
const requestStateObj = parseRequestState(browserCrypto.base64Decode, state);
|
|
16746
|
+
const requestStateObj = parseRequestState(browserCrypto.base64Decode, state, correlationId);
|
|
16662
16747
|
return requestStateObj.libraryState.meta;
|
|
16663
16748
|
}
|
|
16664
16749
|
catch (e) {
|
|
16665
|
-
throw createClientAuthError(invalidState);
|
|
16750
|
+
throw createClientAuthError(invalidState, correlationId);
|
|
16666
16751
|
}
|
|
16667
16752
|
}
|
|
16668
16753
|
|
|
@@ -16677,12 +16762,12 @@
|
|
|
16677
16762
|
if (!stripLeadingHashOrQuery(responseString)) {
|
|
16678
16763
|
// Hash or Query string is empty
|
|
16679
16764
|
logger.error(`The request has returned to the redirectUri but a '${responseLocation}' is not present. It's likely that the '${responseLocation}' has been removed or the page has been redirected by code running on the redirectUri page.`, correlationId);
|
|
16680
|
-
throw createBrowserAuthError(hashEmptyError);
|
|
16765
|
+
throw createBrowserAuthError(hashEmptyError, correlationId);
|
|
16681
16766
|
}
|
|
16682
16767
|
else {
|
|
16683
16768
|
logger.error(`A '${responseLocation}' is present in the iframe but it does not contain known properties. It's likely that the '${responseLocation}' has been replaced by code running on the redirectUri page.`, correlationId);
|
|
16684
16769
|
logger.errorPii(`The '${responseLocation}' detected is: '${responseString}'`, correlationId);
|
|
16685
|
-
throw createBrowserAuthError(hashDoesNotContainKnownProperties);
|
|
16770
|
+
throw createBrowserAuthError(hashDoesNotContainKnownProperties, correlationId);
|
|
16686
16771
|
}
|
|
16687
16772
|
}
|
|
16688
16773
|
return serverParams;
|
|
@@ -16690,16 +16775,16 @@
|
|
|
16690
16775
|
/**
|
|
16691
16776
|
* Returns the interaction type that the response object belongs to
|
|
16692
16777
|
*/
|
|
16693
|
-
function validateInteractionType(response, browserCrypto, interactionType) {
|
|
16778
|
+
function validateInteractionType(response, browserCrypto, interactionType, correlationId) {
|
|
16694
16779
|
if (!response.state) {
|
|
16695
|
-
throw createBrowserAuthError(noStateInHash);
|
|
16780
|
+
throw createBrowserAuthError(noStateInHash, correlationId);
|
|
16696
16781
|
}
|
|
16697
|
-
const platformStateObj = extractBrowserRequestState(browserCrypto, response.state);
|
|
16782
|
+
const platformStateObj = extractBrowserRequestState(browserCrypto, response.state, correlationId);
|
|
16698
16783
|
if (!platformStateObj) {
|
|
16699
|
-
throw createBrowserAuthError(unableToParseState);
|
|
16784
|
+
throw createBrowserAuthError(unableToParseState, correlationId);
|
|
16700
16785
|
}
|
|
16701
16786
|
if (platformStateObj.interactionType !== interactionType) {
|
|
16702
|
-
throw createBrowserAuthError(stateInteractionTypeMismatch);
|
|
16787
|
+
throw createBrowserAuthError(stateInteractionTypeMismatch, correlationId);
|
|
16703
16788
|
}
|
|
16704
16789
|
}
|
|
16705
16790
|
|
|
@@ -16725,13 +16810,13 @@
|
|
|
16725
16810
|
async handleCodeResponse(response, request, apiId) {
|
|
16726
16811
|
let authCodeResponse;
|
|
16727
16812
|
try {
|
|
16728
|
-
authCodeResponse = getAuthorizationCodePayload(response, request.state);
|
|
16813
|
+
authCodeResponse = getAuthorizationCodePayload(response, request.state, request.correlationId);
|
|
16729
16814
|
}
|
|
16730
16815
|
catch (e) {
|
|
16731
16816
|
if (e instanceof ServerError &&
|
|
16732
16817
|
e.subError === userCancelled) {
|
|
16733
16818
|
// Translate server error caused by user closing native prompt to corresponding first class MSAL error
|
|
16734
|
-
throw createBrowserAuthError(userCancelled);
|
|
16819
|
+
throw createBrowserAuthError(userCancelled, request.correlationId);
|
|
16735
16820
|
}
|
|
16736
16821
|
else {
|
|
16737
16822
|
throw e;
|
|
@@ -16816,8 +16901,8 @@
|
|
|
16816
16901
|
*/
|
|
16817
16902
|
const INVALID_METHOD_ERROR = -2147186943;
|
|
16818
16903
|
class NativeAuthError extends AuthError {
|
|
16819
|
-
constructor(errorCode, description, ext) {
|
|
16820
|
-
super(errorCode, description || getDefaultErrorMessage(errorCode));
|
|
16904
|
+
constructor(errorCode, correlationId, description, ext) {
|
|
16905
|
+
super(errorCode, correlationId, description || getDefaultErrorMessage(errorCode));
|
|
16821
16906
|
Object.setPrototypeOf(this, NativeAuthError.prototype);
|
|
16822
16907
|
this.name = "NativeAuthError";
|
|
16823
16908
|
this.ext = ext;
|
|
@@ -16852,22 +16937,32 @@
|
|
|
16852
16937
|
* @param ext
|
|
16853
16938
|
* @returns
|
|
16854
16939
|
*/
|
|
16855
|
-
function createNativeAuthError(code, description, ext) {
|
|
16940
|
+
function createNativeAuthError(code, correlationId, description, ext) {
|
|
16941
|
+
let error;
|
|
16856
16942
|
if (ext && ext.status) {
|
|
16857
16943
|
switch (ext.status) {
|
|
16858
16944
|
case ACCOUNT_UNAVAILABLE:
|
|
16859
|
-
|
|
16945
|
+
error = createInteractionRequiredAuthError(nativeAccountUnavailable, correlationId, getDefaultErrorMessage(code));
|
|
16946
|
+
break;
|
|
16860
16947
|
case USER_INTERACTION_REQUIRED:
|
|
16861
|
-
|
|
16948
|
+
error = new InteractionRequiredAuthError(code, correlationId, description);
|
|
16949
|
+
break;
|
|
16862
16950
|
case USER_CANCEL:
|
|
16863
|
-
|
|
16951
|
+
error = createBrowserAuthError(userCancelled, correlationId);
|
|
16952
|
+
break;
|
|
16864
16953
|
case NO_NETWORK:
|
|
16865
|
-
|
|
16954
|
+
error = createBrowserAuthError(noNetworkConnectivity, correlationId);
|
|
16955
|
+
break;
|
|
16866
16956
|
case UI_NOT_ALLOWED:
|
|
16867
|
-
|
|
16957
|
+
error = createInteractionRequiredAuthError(uiNotAllowed, correlationId);
|
|
16958
|
+
break;
|
|
16959
|
+
default:
|
|
16960
|
+
error = new NativeAuthError(code, correlationId, description, ext);
|
|
16868
16961
|
}
|
|
16962
|
+
return error;
|
|
16869
16963
|
}
|
|
16870
|
-
|
|
16964
|
+
error = new NativeAuthError(code, correlationId, description, ext);
|
|
16965
|
+
return error;
|
|
16871
16966
|
}
|
|
16872
16967
|
|
|
16873
16968
|
/*
|
|
@@ -17023,7 +17118,7 @@
|
|
|
17023
17118
|
return {
|
|
17024
17119
|
authority: request.authority,
|
|
17025
17120
|
correlationId: this.correlationId,
|
|
17026
|
-
scopes: ScopeSet.fromString(request.scope).asArray(),
|
|
17121
|
+
scopes: ScopeSet.fromString(request.scope, this.correlationId).asArray(),
|
|
17027
17122
|
account: cachedAccount,
|
|
17028
17123
|
forceRefresh: false,
|
|
17029
17124
|
};
|
|
@@ -17037,21 +17132,21 @@
|
|
|
17037
17132
|
async acquireTokensFromCache(nativeAccountId, request) {
|
|
17038
17133
|
if (!nativeAccountId) {
|
|
17039
17134
|
this.logger.warning("NativeInteractionClient:acquireTokensFromCache - No nativeAccountId provided", this.correlationId);
|
|
17040
|
-
throw createClientAuthError(noAccountFound);
|
|
17135
|
+
throw createClientAuthError(noAccountFound, this.correlationId);
|
|
17041
17136
|
}
|
|
17042
17137
|
// fetch the account from browser cache
|
|
17043
17138
|
const account = this.browserStorage.getBaseAccountInfo({
|
|
17044
17139
|
nativeAccountId,
|
|
17045
17140
|
}, this.correlationId);
|
|
17046
17141
|
if (!account) {
|
|
17047
|
-
throw createClientAuthError(noAccountFound);
|
|
17142
|
+
throw createClientAuthError(noAccountFound, this.correlationId);
|
|
17048
17143
|
}
|
|
17049
17144
|
// leverage silent flow for cached tokens retrieval
|
|
17050
17145
|
try {
|
|
17051
17146
|
const silentRequest = this.createSilentCacheRequest(request, account);
|
|
17052
17147
|
const result = await this.silentCacheClient.acquireToken(silentRequest);
|
|
17053
17148
|
const idToken = this.browserStorage.getIdToken(account, this.correlationId, this.browserStorage.getTokenKeys(), account.tenantId);
|
|
17054
|
-
const idTokenClaims = extractTokenClaims(idToken?.secret || "", base64Decode);
|
|
17149
|
+
const idTokenClaims = extractTokenClaims(idToken?.secret || "", base64Decode, this.correlationId);
|
|
17055
17150
|
const fullAccount = updateAccountTenantProfileData(account, undefined, // tenantProfile optional
|
|
17056
17151
|
idTokenClaims, idToken?.secret);
|
|
17057
17152
|
return {
|
|
@@ -17095,7 +17190,7 @@
|
|
|
17095
17190
|
noHistory: false,
|
|
17096
17191
|
};
|
|
17097
17192
|
const redirectUri = navigateToLoginRequestUrl
|
|
17098
|
-
? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri())
|
|
17193
|
+
? UrlString.getAbsoluteUrl(request.redirectStartPage || window.location.href, getCurrentUri(), this.correlationId)
|
|
17099
17194
|
: getRedirectUri(request.redirectUri, this.config.auth.redirectUri, this.logger, this.correlationId);
|
|
17100
17195
|
rootMeasurement.end({ success: true });
|
|
17101
17196
|
await this.navigationClient.navigateExternal(redirectUri, navigationOptions); // Need to treat this as external to ensure handleRedirectPromise is run again
|
|
@@ -17154,7 +17249,7 @@
|
|
|
17154
17249
|
async handleNativeResponse(response, request, reqTimestamp) {
|
|
17155
17250
|
this.logger.trace("NativeInteractionClient - handleNativeResponse called.", this.correlationId);
|
|
17156
17251
|
// generate identifiers
|
|
17157
|
-
const idTokenClaims = extractTokenClaims(response.id_token, base64Decode);
|
|
17252
|
+
const idTokenClaims = extractTokenClaims(response.id_token, base64Decode, this.correlationId);
|
|
17158
17253
|
const homeAccountIdentifier = this.createHomeAccountIdentifier(response, idTokenClaims);
|
|
17159
17254
|
const cachedhomeAccountId = this.browserStorage.getAccountInfoFilteredBy({
|
|
17160
17255
|
nativeAccountId: request.accountId,
|
|
@@ -17167,7 +17262,7 @@
|
|
|
17167
17262
|
else if (homeAccountIdentifier !== cachedhomeAccountId &&
|
|
17168
17263
|
response.account.id !== request.accountId) {
|
|
17169
17264
|
// User switch in native broker prompt is not supported. All users must first sign in through web flow to ensure server state is in sync
|
|
17170
|
-
throw createNativeAuthError(userSwitch);
|
|
17265
|
+
throw createNativeAuthError(userSwitch, this.correlationId);
|
|
17171
17266
|
}
|
|
17172
17267
|
// Get the preferred_cache domain for the given authority
|
|
17173
17268
|
const authority = await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, request.authority);
|
|
@@ -17203,8 +17298,8 @@
|
|
|
17203
17298
|
*/
|
|
17204
17299
|
generateScopes(requestScopes, responseScopes) {
|
|
17205
17300
|
return responseScopes
|
|
17206
|
-
? ScopeSet.fromString(responseScopes)
|
|
17207
|
-
: ScopeSet.fromString(requestScopes);
|
|
17301
|
+
? ScopeSet.fromString(responseScopes, this.correlationId)
|
|
17302
|
+
: ScopeSet.fromString(requestScopes, this.correlationId);
|
|
17208
17303
|
}
|
|
17209
17304
|
/**
|
|
17210
17305
|
* If PoP token is requesred, records the PoP token if returned from the WAM, else generates one in the browser
|
|
@@ -17237,7 +17332,7 @@
|
|
|
17237
17332
|
* PopTokenGenerator to query the full key for signing
|
|
17238
17333
|
*/
|
|
17239
17334
|
if (!request.keyId) {
|
|
17240
|
-
throw createClientAuthError(keyIdMissing);
|
|
17335
|
+
throw createClientAuthError(keyIdMissing, this.correlationId);
|
|
17241
17336
|
}
|
|
17242
17337
|
return popTokenGenerator.signPopToken(response.access_token, request.keyId, shrParameters);
|
|
17243
17338
|
}
|
|
@@ -17274,6 +17369,12 @@
|
|
|
17274
17369
|
*/
|
|
17275
17370
|
if (accountInfo.nativeAccountId !== response.account.id) {
|
|
17276
17371
|
accountInfo.nativeAccountId = response.account.id;
|
|
17372
|
+
// Also update the matching tenant profile (source of truth)
|
|
17373
|
+
const targetTenantId = tid || accountInfo.tenantId;
|
|
17374
|
+
const tenantProfile = accountInfo.tenantProfiles?.get(targetTenantId);
|
|
17375
|
+
if (tenantProfile) {
|
|
17376
|
+
tenantProfile.nativeAccountId = response.account.id;
|
|
17377
|
+
}
|
|
17277
17378
|
}
|
|
17278
17379
|
// generate PoP token as needed
|
|
17279
17380
|
const responseAccessToken = await this.generatePopAccessToken(response, request);
|
|
@@ -17330,7 +17431,7 @@
|
|
|
17330
17431
|
: response.expires_in) || 0;
|
|
17331
17432
|
const tokenExpirationSeconds = reqTimestamp + expiresIn;
|
|
17332
17433
|
const responseScopes = this.generateScopes(response.scope, request.scope);
|
|
17333
|
-
const cachedAccessToken = createAccessTokenEntity(homeAccountIdentifier, environment, response.access_token, request.clientId, idTokenClaims.tid || tenantId, responseScopes.printScopes(), tokenExpirationSeconds, 0, base64Decode, undefined, request.tokenType, undefined, request.keyId);
|
|
17434
|
+
const cachedAccessToken = createAccessTokenEntity(homeAccountIdentifier, environment, response.access_token, request.clientId, idTokenClaims.tid || tenantId, responseScopes.printScopes(), tokenExpirationSeconds, 0, base64Decode, request.correlationId, undefined, request.tokenType, undefined, request.keyId);
|
|
17334
17435
|
// save idtoken credential in configured browser storage
|
|
17335
17436
|
if (!!cachedIdToken && request.storeInCache?.idToken !== false) {
|
|
17336
17437
|
await this.browserStorage.setIdTokenCredential(cachedIdToken, this.correlationId, isKmsi(idTokenClaims));
|
|
@@ -17413,11 +17514,9 @@
|
|
|
17413
17514
|
: this.config.auth.clientCapabilities;
|
|
17414
17515
|
// scopes are expected to be received by the native broker as "scope" and will be added to the request below. Other properties that should be dropped from the request to the native broker can be included in the object destructuring here.
|
|
17415
17516
|
const { scopes, claims, ...remainingProperties } = request;
|
|
17416
|
-
const scopeSet = new ScopeSet(scopes || []);
|
|
17517
|
+
const scopeSet = new ScopeSet(scopes || [], this.correlationId);
|
|
17417
17518
|
scopeSet.appendScopes(OIDC_DEFAULT_SCOPES);
|
|
17418
|
-
const mergedClaims = configClaims
|
|
17419
|
-
? addClientCapabilitiesToClaims(claims, configClaims)
|
|
17420
|
-
: claims;
|
|
17519
|
+
const mergedClaims = buildMergedClaims(claims, configClaims?.length ? configClaims : undefined);
|
|
17421
17520
|
const validatedRequest = {
|
|
17422
17521
|
...remainingProperties,
|
|
17423
17522
|
claims: mergedClaims,
|
|
@@ -17438,7 +17537,7 @@
|
|
|
17438
17537
|
};
|
|
17439
17538
|
// Check for PoP token requests: signPopToken should only be set to true if popKid is not set
|
|
17440
17539
|
if (validatedRequest.signPopToken && !!request.popKid) {
|
|
17441
|
-
throw createBrowserAuthError(invalidPopTokenRequest);
|
|
17540
|
+
throw createBrowserAuthError(invalidPopTokenRequest, this.correlationId);
|
|
17442
17541
|
}
|
|
17443
17542
|
this.handleExtraBrokerParams(validatedRequest);
|
|
17444
17543
|
validatedRequest.extraParameters =
|
|
@@ -17481,7 +17580,7 @@
|
|
|
17481
17580
|
await getDiscoveredAuthority(this.config, this.correlationId, this.performanceClient, this.browserStorage, this.logger, requestAuthority, azureCloudOptions, undefined, // requestExtraQueryParameters
|
|
17482
17581
|
account);
|
|
17483
17582
|
}
|
|
17484
|
-
const canonicalAuthority = new UrlString(requestAuthority);
|
|
17583
|
+
const canonicalAuthority = new UrlString(requestAuthority, this.correlationId);
|
|
17485
17584
|
canonicalAuthority.validateAsUri();
|
|
17486
17585
|
return canonicalAuthority;
|
|
17487
17586
|
}
|
|
@@ -17507,7 +17606,7 @@
|
|
|
17507
17606
|
return prompt;
|
|
17508
17607
|
default:
|
|
17509
17608
|
this.logger.trace(`initializePlatformRequest: prompt = '${prompt}' is not compatible with native flow`, this.correlationId);
|
|
17510
|
-
throw createBrowserAuthError(nativePromptNotSupported);
|
|
17609
|
+
throw createBrowserAuthError(nativePromptNotSupported, this.correlationId);
|
|
17511
17610
|
}
|
|
17512
17611
|
}
|
|
17513
17612
|
/**
|
|
@@ -17663,7 +17762,7 @@
|
|
|
17663
17762
|
*/
|
|
17664
17763
|
async function getAuthCodeRequestUrl(config, authority, request, logger, performanceClient) {
|
|
17665
17764
|
if (!request.codeChallenge) {
|
|
17666
|
-
throw createClientConfigurationError(pkceParamsMissing);
|
|
17765
|
+
throw createClientConfigurationError(pkceParamsMissing, request.correlationId);
|
|
17667
17766
|
}
|
|
17668
17767
|
const parameters = await invokeAsync(getStandardParameters, GetStandardParams, logger, performanceClient, request.correlationId)(config, authority, request, logger, performanceClient);
|
|
17669
17768
|
addResponseType(parameters, OAuthResponseType.CODE);
|
|
@@ -17680,7 +17779,7 @@
|
|
|
17680
17779
|
*/
|
|
17681
17780
|
async function getEARForm(frame, config, authority, request, logger, performanceClient) {
|
|
17682
17781
|
if (!request.earJwk) {
|
|
17683
|
-
throw createBrowserAuthError(earJwkEmpty);
|
|
17782
|
+
throw createBrowserAuthError(earJwkEmpty, request.correlationId);
|
|
17684
17783
|
}
|
|
17685
17784
|
const parameters = await getStandardParameters(config, authority, request, logger, performanceClient);
|
|
17686
17785
|
addResponseType(parameters, OAuthResponseType.IDTOKEN_TOKEN_REFRESHTOKEN);
|
|
@@ -17754,11 +17853,11 @@
|
|
|
17754
17853
|
async function handleResponsePlatformBroker(request, accountId, apiId, config, browserStorage, nativeStorage, eventHandler, logger, performanceClient, platformAuthProvider) {
|
|
17755
17854
|
logger.verbose("Account id found, calling WAM for token", request.correlationId);
|
|
17756
17855
|
if (!platformAuthProvider) {
|
|
17757
|
-
throw createBrowserAuthError(nativeConnectionNotEstablished);
|
|
17856
|
+
throw createBrowserAuthError(nativeConnectionNotEstablished, request.correlationId);
|
|
17758
17857
|
}
|
|
17759
17858
|
const browserCrypto = new CryptoOps(logger, performanceClient);
|
|
17760
17859
|
const nativeInteractionClient = new PlatformAuthInteractionClient(config, browserStorage, browserCrypto, logger, eventHandler, config.system.navigationClient, apiId, performanceClient, platformAuthProvider, accountId, nativeStorage, request.correlationId);
|
|
17761
|
-
const { userRequestState } = parseRequestState(browserCrypto.base64Decode, request.state);
|
|
17860
|
+
const { userRequestState } = parseRequestState(browserCrypto.base64Decode, request.state, request.correlationId);
|
|
17762
17861
|
return invokeAsync(nativeInteractionClient.acquireToken.bind(nativeInteractionClient), NativeInteractionClientAcquireToken, logger, performanceClient, request.correlationId)({
|
|
17763
17862
|
...request,
|
|
17764
17863
|
state: userRequestState,
|
|
@@ -17816,12 +17915,12 @@
|
|
|
17816
17915
|
// Instrument clientdata telemetry fields from the authorize response
|
|
17817
17916
|
instrumentClientData(response, request.correlationId, performanceClient);
|
|
17818
17917
|
// Validate state & check response for errors
|
|
17819
|
-
validateAuthorizationResponse(response, request.state);
|
|
17918
|
+
validateAuthorizationResponse(response, request.state, request.correlationId);
|
|
17820
17919
|
if (!response.ear_jwe) {
|
|
17821
|
-
throw createBrowserAuthError(earJweEmpty);
|
|
17920
|
+
throw createBrowserAuthError(earJweEmpty, request.correlationId);
|
|
17822
17921
|
}
|
|
17823
17922
|
if (!request.earJwk) {
|
|
17824
|
-
throw createBrowserAuthError(earJwkEmpty);
|
|
17923
|
+
throw createBrowserAuthError(earJwkEmpty, request.correlationId);
|
|
17825
17924
|
}
|
|
17826
17925
|
const decryptedData = JSON.parse(await invokeAsync(decryptEarResponse, DecryptEarResponse, logger, performanceClient, request.correlationId)(request.earJwk, response.ear_jwe));
|
|
17827
17926
|
if (decryptedData.accountId) {
|
|
@@ -17878,7 +17977,7 @@
|
|
|
17878
17977
|
return pkceCodeVerifierB64;
|
|
17879
17978
|
}
|
|
17880
17979
|
catch (e) {
|
|
17881
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
17980
|
+
throw createBrowserAuthError(pkceNotCreated, correlationId);
|
|
17882
17981
|
}
|
|
17883
17982
|
}
|
|
17884
17983
|
/**
|
|
@@ -17893,7 +17992,7 @@
|
|
|
17893
17992
|
return urlEncodeArr(new Uint8Array(pkceHashedCodeVerifier));
|
|
17894
17993
|
}
|
|
17895
17994
|
catch (e) {
|
|
17896
|
-
throw createBrowserAuthError(pkceNotCreated);
|
|
17995
|
+
throw createBrowserAuthError(pkceNotCreated, correlationId);
|
|
17897
17996
|
}
|
|
17898
17997
|
}
|
|
17899
17998
|
|
|
@@ -17932,7 +18031,7 @@
|
|
|
17932
18031
|
}
|
|
17933
18032
|
return new Promise((resolve, reject) => {
|
|
17934
18033
|
setTimeout(() => {
|
|
17935
|
-
reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
|
|
18034
|
+
reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
|
|
17936
18035
|
}, options.timeout);
|
|
17937
18036
|
});
|
|
17938
18037
|
}
|
|
@@ -17966,7 +18065,7 @@
|
|
|
17966
18065
|
catch (e) {
|
|
17967
18066
|
throw createNetworkError(createBrowserAuthError(window.navigator.onLine
|
|
17968
18067
|
? getRequestFailed
|
|
17969
|
-
: noNetworkConnectivity), undefined, undefined, e);
|
|
18068
|
+
: noNetworkConnectivity, ""), undefined, undefined, e);
|
|
17970
18069
|
}
|
|
17971
18070
|
responseHeaders = getHeaderDict(response.headers);
|
|
17972
18071
|
try {
|
|
@@ -17978,7 +18077,7 @@
|
|
|
17978
18077
|
};
|
|
17979
18078
|
}
|
|
17980
18079
|
catch (e) {
|
|
17981
|
-
throw createNetworkError(createBrowserAuthError(failedToParseResponse), responseStatus, responseHeaders, e);
|
|
18080
|
+
throw createNetworkError(createBrowserAuthError(failedToParseResponse, ""), responseStatus, responseHeaders, e);
|
|
17982
18081
|
}
|
|
17983
18082
|
}
|
|
17984
18083
|
/**
|
|
@@ -18003,7 +18102,7 @@
|
|
|
18003
18102
|
catch (e) {
|
|
18004
18103
|
throw createNetworkError(createBrowserAuthError(window.navigator.onLine
|
|
18005
18104
|
? postRequestFailed
|
|
18006
|
-
: noNetworkConnectivity), undefined, undefined, e);
|
|
18105
|
+
: noNetworkConnectivity, ""), undefined, undefined, e);
|
|
18007
18106
|
}
|
|
18008
18107
|
responseHeaders = getHeaderDict(response.headers);
|
|
18009
18108
|
try {
|
|
@@ -18015,7 +18114,7 @@
|
|
|
18015
18114
|
};
|
|
18016
18115
|
}
|
|
18017
18116
|
catch (e) {
|
|
18018
|
-
throw createNetworkError(createBrowserAuthError(failedToParseResponse), responseStatus, responseHeaders, e);
|
|
18117
|
+
throw createNetworkError(createBrowserAuthError(failedToParseResponse, ""), responseStatus, responseHeaders, e);
|
|
18019
18118
|
}
|
|
18020
18119
|
}
|
|
18021
18120
|
}
|
|
@@ -18036,7 +18135,7 @@
|
|
|
18036
18135
|
return headers;
|
|
18037
18136
|
}
|
|
18038
18137
|
catch (e) {
|
|
18039
|
-
throw createNetworkError(createBrowserAuthError(failedToBuildHeaders), undefined, undefined, e);
|
|
18138
|
+
throw createNetworkError(createBrowserAuthError(failedToBuildHeaders, ""), undefined, undefined, e);
|
|
18040
18139
|
}
|
|
18041
18140
|
}
|
|
18042
18141
|
/**
|
|
@@ -18053,7 +18152,7 @@
|
|
|
18053
18152
|
return headerDict;
|
|
18054
18153
|
}
|
|
18055
18154
|
catch (e) {
|
|
18056
|
-
throw createBrowserAuthError(failedToParseHeaders);
|
|
18155
|
+
throw createBrowserAuthError(failedToParseHeaders, "");
|
|
18057
18156
|
}
|
|
18058
18157
|
}
|
|
18059
18158
|
|
|
@@ -18156,14 +18255,14 @@
|
|
|
18156
18255
|
// Throw an error if user has set OIDCOptions without being in OIDC protocol mode
|
|
18157
18256
|
if (userInputSystem?.protocolMode !== ProtocolMode.OIDC &&
|
|
18158
18257
|
userInputAuth?.OIDCOptions) {
|
|
18159
|
-
const logger = new Logger(providedSystemOptions.loggerOptions);
|
|
18160
|
-
logger.warning(JSON.stringify(createClientConfigurationError(cannotSetOIDCOptions)), "");
|
|
18258
|
+
const logger = new Logger(providedSystemOptions.loggerOptions, name, version);
|
|
18259
|
+
logger.warning(JSON.stringify(createClientConfigurationError(cannotSetOIDCOptions, "")), "");
|
|
18161
18260
|
}
|
|
18162
18261
|
// Throw an error if user has set allowPlatformBroker to true with OIDC protocol mode
|
|
18163
18262
|
if (userInputSystem?.protocolMode &&
|
|
18164
18263
|
userInputSystem.protocolMode === ProtocolMode.OIDC &&
|
|
18165
18264
|
providedSystemOptions?.allowPlatformBroker) {
|
|
18166
|
-
throw createClientConfigurationError(cannotAllowPlatformBroker);
|
|
18265
|
+
throw createClientConfigurationError(cannotAllowPlatformBroker, "");
|
|
18167
18266
|
}
|
|
18168
18267
|
const overlayedConfig = {
|
|
18169
18268
|
auth: {
|
|
@@ -18287,7 +18386,7 @@
|
|
|
18287
18386
|
extensionHandshakeTimedOut: true,
|
|
18288
18387
|
success: false,
|
|
18289
18388
|
});
|
|
18290
|
-
reject(createBrowserAuthError(nativeHandshakeTimeout));
|
|
18389
|
+
reject(createBrowserAuthError(nativeHandshakeTimeout, ""));
|
|
18291
18390
|
this.handshakeResolvers.delete(req.responseId);
|
|
18292
18391
|
}, this.handshakeTimeoutMs); // Use a reasonable timeout in milliseconds here
|
|
18293
18392
|
});
|
|
@@ -18333,7 +18432,7 @@
|
|
|
18333
18432
|
success: false,
|
|
18334
18433
|
extensionInstalled: false,
|
|
18335
18434
|
});
|
|
18336
|
-
handshakeResolver.reject(createBrowserAuthError(nativeExtensionNotInstalled));
|
|
18435
|
+
handshakeResolver.reject(createBrowserAuthError(nativeExtensionNotInstalled, ""));
|
|
18337
18436
|
}
|
|
18338
18437
|
}
|
|
18339
18438
|
/**
|
|
@@ -18356,19 +18455,19 @@
|
|
|
18356
18455
|
this.logger.trace(`'${this.platformAuthType}' - Received response from browser extension`, correlationId);
|
|
18357
18456
|
this.logger.tracePii(`'${this.platformAuthType}' - Received response from browser extension: '${JSON.stringify(response)}'`, correlationId);
|
|
18358
18457
|
if (response.status !== "Success") {
|
|
18359
|
-
resolver.reject(createNativeAuthError(response.code, response.description, response.ext));
|
|
18458
|
+
resolver.reject(createNativeAuthError(response.code, correlationId, response.description, response.ext));
|
|
18360
18459
|
}
|
|
18361
18460
|
else if (response.result) {
|
|
18362
18461
|
if (response.result["code"] &&
|
|
18363
18462
|
response.result["description"]) {
|
|
18364
|
-
resolver.reject(createNativeAuthError(response.result["code"], response.result["description"], response.result["ext"]));
|
|
18463
|
+
resolver.reject(createNativeAuthError(response.result["code"], correlationId, response.result["description"], response.result["ext"]));
|
|
18365
18464
|
}
|
|
18366
18465
|
else {
|
|
18367
18466
|
resolver.resolve(response.result);
|
|
18368
18467
|
}
|
|
18369
18468
|
}
|
|
18370
18469
|
else {
|
|
18371
|
-
throw createAuthError(unexpectedError, "Event does not contain result.");
|
|
18470
|
+
throw createAuthError(unexpectedError, correlationId, "Event does not contain result.");
|
|
18372
18471
|
}
|
|
18373
18472
|
this.resolvers.delete(request.responseId);
|
|
18374
18473
|
}
|
|
@@ -18417,7 +18516,7 @@
|
|
|
18417
18516
|
return response;
|
|
18418
18517
|
}
|
|
18419
18518
|
else {
|
|
18420
|
-
throw createAuthError(unexpectedError, "Response missing expected properties.");
|
|
18519
|
+
throw createAuthError(unexpectedError, "", "Response missing expected properties.");
|
|
18421
18520
|
}
|
|
18422
18521
|
}
|
|
18423
18522
|
/**
|
|
@@ -18541,7 +18640,7 @@
|
|
|
18541
18640
|
errorResponse.error &&
|
|
18542
18641
|
errorResponse.error.code) {
|
|
18543
18642
|
this.logger.trace(`'${this.platformAuthType}' - platform broker returned error response`, correlationId);
|
|
18544
|
-
throw createNativeAuthError(errorResponse.error.code, errorResponse.error.description, {
|
|
18643
|
+
throw createNativeAuthError(errorResponse.error.code, correlationId, errorResponse.error.description, {
|
|
18545
18644
|
error: parseInt(errorResponse.error.errorCode),
|
|
18546
18645
|
protocol_error: errorResponse.error.protocolError,
|
|
18547
18646
|
status: errorResponse.error.status,
|
|
@@ -18550,7 +18649,7 @@
|
|
|
18550
18649
|
}
|
|
18551
18650
|
}
|
|
18552
18651
|
}
|
|
18553
|
-
throw createAuthError(unexpectedError, "Response missing expected properties.");
|
|
18652
|
+
throw createAuthError(unexpectedError, correlationId, "Response missing expected properties.");
|
|
18554
18653
|
}
|
|
18555
18654
|
convertToPlatformBrokerResponse(response, correlationId) {
|
|
18556
18655
|
this.logger.trace(`'${this.platformAuthType}' - convertToNativeResponse called`, correlationId);
|
|
@@ -18634,7 +18733,7 @@
|
|
|
18634
18733
|
// throw an error if allowPlatformBroker is not enabled and allowPlatformBrokerWithDOM is enabled
|
|
18635
18734
|
if (!config.system.allowPlatformBroker &&
|
|
18636
18735
|
config.experimental.allowPlatformBrokerWithDOM) {
|
|
18637
|
-
throw createClientConfigurationError(invalidPlatformBrokerConfiguration);
|
|
18736
|
+
throw createClientConfigurationError(invalidPlatformBrokerConfiguration, "");
|
|
18638
18737
|
}
|
|
18639
18738
|
if (!config.system.allowPlatformBroker) {
|
|
18640
18739
|
logger.trace("isPlatformAuthAllowed: allowPlatformBroker is not enabled, returning false", correlationId);
|
|
@@ -18812,7 +18911,7 @@
|
|
|
18812
18911
|
// Close the synchronous popup if an error is thrown before the window unload event is registered
|
|
18813
18912
|
popupParams.popup?.close();
|
|
18814
18913
|
if (e instanceof AuthError) {
|
|
18815
|
-
e.
|
|
18914
|
+
e.correlationId = this.correlationId;
|
|
18816
18915
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
18817
18916
|
}
|
|
18818
18917
|
throw e;
|
|
@@ -18903,7 +19002,7 @@
|
|
|
18903
19002
|
timeout: this.config.system.redirectNavigationTimeout,
|
|
18904
19003
|
noHistory: false,
|
|
18905
19004
|
};
|
|
18906
|
-
const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri());
|
|
19005
|
+
const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri(), this.correlationId);
|
|
18907
19006
|
await this.navigationClient.navigateInternal(absoluteUrl, navigationOptions);
|
|
18908
19007
|
}
|
|
18909
19008
|
popupParams.popup?.close();
|
|
@@ -18913,7 +19012,7 @@
|
|
|
18913
19012
|
// Redirect bridge requires "state" param to work properly
|
|
18914
19013
|
validRequest.state = setRequestState(this.browserCrypto, validRequest.state || "", {
|
|
18915
19014
|
interactionType: InteractionType.Popup,
|
|
18916
|
-
});
|
|
19015
|
+
}, validRequest.correlationId);
|
|
18917
19016
|
// Create logout string and navigate user window to logout.
|
|
18918
19017
|
const logoutUri = authClient.getLogoutUri(validRequest);
|
|
18919
19018
|
this.eventHandler.emitEvent(EventType.LOGOUT_SUCCESS, validRequest.correlationId, InteractionType.Popup, validRequest);
|
|
@@ -18929,7 +19028,7 @@
|
|
|
18929
19028
|
timeout: this.config.system.redirectNavigationTimeout,
|
|
18930
19029
|
noHistory: false,
|
|
18931
19030
|
};
|
|
18932
|
-
const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri());
|
|
19031
|
+
const absoluteUrl = UrlString.getAbsoluteUrl(mainWindowRedirectUri, getCurrentUri(), this.correlationId);
|
|
18933
19032
|
this.logger.verbose("Redirecting main window to url specified in the request", this.correlationId);
|
|
18934
19033
|
this.logger.verbosePii(`Redirecting main window to: '${absoluteUrl}'`, this.correlationId);
|
|
18935
19034
|
await this.navigationClient.navigateInternal(absoluteUrl, navigationOptions);
|
|
@@ -18942,7 +19041,7 @@
|
|
|
18942
19041
|
// Close the synchronous popup if an error is thrown before the window unload event is registered
|
|
18943
19042
|
popupParams.popup?.close();
|
|
18944
19043
|
if (e instanceof AuthError) {
|
|
18945
|
-
e.
|
|
19044
|
+
e.correlationId = this.correlationId;
|
|
18946
19045
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
18947
19046
|
}
|
|
18948
19047
|
this.eventHandler.emitEvent(EventType.LOGOUT_FAILURE, this.correlationId, InteractionType.Popup, null, e);
|
|
@@ -18965,7 +19064,7 @@
|
|
|
18965
19064
|
else {
|
|
18966
19065
|
// Throw error if request URL is empty.
|
|
18967
19066
|
this.logger.error("Navigate url is empty", this.correlationId);
|
|
18968
|
-
throw createBrowserAuthError(emptyNavigateUri);
|
|
19067
|
+
throw createBrowserAuthError(emptyNavigateUri, this.correlationId);
|
|
18969
19068
|
}
|
|
18970
19069
|
}
|
|
18971
19070
|
/**
|
|
@@ -18997,7 +19096,7 @@
|
|
|
18997
19096
|
}
|
|
18998
19097
|
// Popup will be null if popups are blocked
|
|
18999
19098
|
if (!popupWindow) {
|
|
19000
|
-
throw createBrowserAuthError(emptyWindowError);
|
|
19099
|
+
throw createBrowserAuthError(emptyWindowError, this.correlationId);
|
|
19001
19100
|
}
|
|
19002
19101
|
try {
|
|
19003
19102
|
popupWindow.document.title = "Microsoft Authentication";
|
|
@@ -19020,7 +19119,7 @@
|
|
|
19020
19119
|
}
|
|
19021
19120
|
catch (e) {
|
|
19022
19121
|
this.logger.error(`error opening popup '${e.message}'`, this.correlationId);
|
|
19023
|
-
throw createBrowserAuthError(popupWindowError);
|
|
19122
|
+
throw createBrowserAuthError(popupWindowError, this.correlationId);
|
|
19024
19123
|
}
|
|
19025
19124
|
}
|
|
19026
19125
|
/**
|
|
@@ -19150,7 +19249,7 @@
|
|
|
19150
19249
|
}
|
|
19151
19250
|
catch (e) {
|
|
19152
19251
|
if (e instanceof AuthError) {
|
|
19153
|
-
e.
|
|
19252
|
+
e.correlationId = this.correlationId;
|
|
19154
19253
|
}
|
|
19155
19254
|
window.removeEventListener("pageshow", handleBackButton);
|
|
19156
19255
|
throw e;
|
|
@@ -19191,7 +19290,7 @@
|
|
|
19191
19290
|
}
|
|
19192
19291
|
catch (e) {
|
|
19193
19292
|
if (e instanceof AuthError) {
|
|
19194
|
-
e.
|
|
19293
|
+
e.correlationId = this.correlationId;
|
|
19195
19294
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19196
19295
|
}
|
|
19197
19296
|
throw e;
|
|
@@ -19217,7 +19316,7 @@
|
|
|
19217
19316
|
form.submit();
|
|
19218
19317
|
return new Promise((resolve, reject) => {
|
|
19219
19318
|
setTimeout(() => {
|
|
19220
|
-
reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
|
|
19319
|
+
reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
|
|
19221
19320
|
}, this.config.system.redirectNavigationTimeout);
|
|
19222
19321
|
});
|
|
19223
19322
|
}
|
|
@@ -19234,7 +19333,7 @@
|
|
|
19234
19333
|
form.submit();
|
|
19235
19334
|
return new Promise((resolve, reject) => {
|
|
19236
19335
|
setTimeout(() => {
|
|
19237
|
-
reject(createBrowserAuthError(timedOut, "failed_to_redirect"));
|
|
19336
|
+
reject(createBrowserAuthError(timedOut, "", "failed_to_redirect"));
|
|
19238
19337
|
}, this.config.system.redirectNavigationTimeout);
|
|
19239
19338
|
});
|
|
19240
19339
|
}
|
|
@@ -19306,7 +19405,7 @@
|
|
|
19306
19405
|
let processHashOnRedirect = true;
|
|
19307
19406
|
if (!loginRequestUrl) {
|
|
19308
19407
|
// Redirect to home page if login request url is empty
|
|
19309
|
-
const homepage = getHomepage();
|
|
19408
|
+
const homepage = getHomepage(this.correlationId);
|
|
19310
19409
|
// Cache the homepage under ORIGIN_URI to ensure cached hash is processed on homepage
|
|
19311
19410
|
this.browserStorage.setTemporaryCache(TemporaryCacheKeys.ORIGIN_URI, homepage, true);
|
|
19312
19411
|
this.logger.warning("Unable to get valid login request url from cache, redirecting to home page", this.correlationId);
|
|
@@ -19328,7 +19427,7 @@
|
|
|
19328
19427
|
}
|
|
19329
19428
|
catch (e) {
|
|
19330
19429
|
if (e instanceof AuthError) {
|
|
19331
|
-
e.
|
|
19430
|
+
e.correlationId = this.correlationId;
|
|
19332
19431
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19333
19432
|
}
|
|
19334
19433
|
throw e;
|
|
@@ -19358,7 +19457,7 @@
|
|
|
19358
19457
|
let response = getDeserializedResponse(responseString);
|
|
19359
19458
|
if (response) {
|
|
19360
19459
|
try {
|
|
19361
|
-
validateInteractionType(response, this.browserCrypto, InteractionType.Redirect);
|
|
19460
|
+
validateInteractionType(response, this.browserCrypto, InteractionType.Redirect, this.correlationId);
|
|
19362
19461
|
}
|
|
19363
19462
|
catch (e) {
|
|
19364
19463
|
if (e instanceof AuthError) {
|
|
@@ -19389,7 +19488,7 @@
|
|
|
19389
19488
|
async handleResponse(serverParams, request, codeVerifier, serverTelemetryManager) {
|
|
19390
19489
|
const state = serverParams.state;
|
|
19391
19490
|
if (!state) {
|
|
19392
|
-
throw createBrowserAuthError(noStateInHash);
|
|
19491
|
+
throw createBrowserAuthError(noStateInHash, request.correlationId);
|
|
19393
19492
|
}
|
|
19394
19493
|
const { authority, azureCloudOptions, extraQueryParameters, account } = request;
|
|
19395
19494
|
if (serverParams.ear_jwe) {
|
|
@@ -19440,7 +19539,7 @@
|
|
|
19440
19539
|
else {
|
|
19441
19540
|
// Throw error if request URL is empty.
|
|
19442
19541
|
this.logger.info("RedirectHandler.initiateAuthRequest: Navigate url is empty", this.correlationId);
|
|
19443
|
-
throw createBrowserAuthError(emptyNavigateUri);
|
|
19542
|
+
throw createBrowserAuthError(emptyNavigateUri, this.correlationId);
|
|
19444
19543
|
}
|
|
19445
19544
|
}
|
|
19446
19545
|
/**
|
|
@@ -19481,7 +19580,7 @@
|
|
|
19481
19580
|
// Redirect bridge requires "state" param to work properly
|
|
19482
19581
|
validLogoutRequest.state = setRequestState(this.browserCrypto, validLogoutRequest.state || "", {
|
|
19483
19582
|
interactionType: InteractionType.Redirect,
|
|
19484
|
-
});
|
|
19583
|
+
}, validLogoutRequest.correlationId);
|
|
19485
19584
|
// Create logout string and navigate user window to logout.
|
|
19486
19585
|
const logoutUri = authClient.getLogoutUri(validLogoutRequest);
|
|
19487
19586
|
if (validLogoutRequest.account?.homeAccountId) {
|
|
@@ -19517,7 +19616,7 @@
|
|
|
19517
19616
|
}
|
|
19518
19617
|
catch (e) {
|
|
19519
19618
|
if (e instanceof AuthError) {
|
|
19520
|
-
e.
|
|
19619
|
+
e.correlationId = this.correlationId;
|
|
19521
19620
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19522
19621
|
}
|
|
19523
19622
|
this.eventHandler.emitEvent(EventType.LOGOUT_FAILURE, this.correlationId, InteractionType.Redirect, null, e);
|
|
@@ -19532,7 +19631,7 @@
|
|
|
19532
19631
|
*/
|
|
19533
19632
|
getRedirectStartPage(requestStartPage) {
|
|
19534
19633
|
const redirectStartPage = requestStartPage || window.location.href;
|
|
19535
|
-
const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri());
|
|
19634
|
+
const absoluteRedirectStartPage = UrlString.getAbsoluteUrl(redirectStartPage, getCurrentUri(), this.correlationId);
|
|
19536
19635
|
// Sanity check the URL before it is cached so we never persist a malformed value (e.g. the literal string "null")
|
|
19537
19636
|
validateUrl(absoluteRedirectStartPage, this.logger, this.correlationId);
|
|
19538
19637
|
return absoluteRedirectStartPage;
|
|
@@ -19552,7 +19651,7 @@
|
|
|
19552
19651
|
if (!requestUrl) {
|
|
19553
19652
|
// Throw error if request URL is empty.
|
|
19554
19653
|
logger.info("Navigate url is empty", correlationId);
|
|
19555
|
-
throw createBrowserAuthError(emptyNavigateUri);
|
|
19654
|
+
throw createBrowserAuthError(emptyNavigateUri, correlationId);
|
|
19556
19655
|
}
|
|
19557
19656
|
frame.src = requestUrl;
|
|
19558
19657
|
return frame;
|
|
@@ -19669,7 +19768,7 @@
|
|
|
19669
19768
|
}
|
|
19670
19769
|
catch (e) {
|
|
19671
19770
|
if (e instanceof AuthError) {
|
|
19672
|
-
e.
|
|
19771
|
+
e.correlationId = this.correlationId;
|
|
19673
19772
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19674
19773
|
}
|
|
19675
19774
|
if (!authClient ||
|
|
@@ -19757,7 +19856,7 @@
|
|
|
19757
19856
|
const { serverParams } = await this.silentAuthorizeHelper(authClient, silentRequest);
|
|
19758
19857
|
const correlationId = silentRequest.correlationId;
|
|
19759
19858
|
// Validate the response - this checks for errors and validates state
|
|
19760
|
-
validateAuthorizationResponse(serverParams, silentRequest.state);
|
|
19859
|
+
validateAuthorizationResponse(serverParams, silentRequest.state, correlationId);
|
|
19761
19860
|
// Verify a valid authorization code is present
|
|
19762
19861
|
if (!serverParams.code) {
|
|
19763
19862
|
this.logger.warning("SSO verification response did not contain an authorization code", correlationId);
|
|
@@ -19771,7 +19870,7 @@
|
|
|
19771
19870
|
*/
|
|
19772
19871
|
logout() {
|
|
19773
19872
|
// Synchronous so we must reject
|
|
19774
|
-
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
|
|
19873
|
+
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
|
|
19775
19874
|
}
|
|
19776
19875
|
/**
|
|
19777
19876
|
* Helper which acquires an authorization code silently using a hidden iframe from given url
|
|
@@ -19865,7 +19964,7 @@
|
|
|
19865
19964
|
});
|
|
19866
19965
|
// Send request to renew token. Auth module will throw errors if token cannot be renewed.
|
|
19867
19966
|
return invokeAsync(refreshTokenClient.acquireTokenByRefreshToken.bind(refreshTokenClient), RefreshTokenClientAcquireTokenByRefreshToken, this.logger, this.performanceClient, request.correlationId)(silentRequest, ApiId.acquireTokenSilent_silentFlow).catch((e) => {
|
|
19868
|
-
e.
|
|
19967
|
+
e.correlationId = this.correlationId;
|
|
19869
19968
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19870
19969
|
throw e;
|
|
19871
19970
|
});
|
|
@@ -19875,7 +19974,7 @@
|
|
|
19875
19974
|
*/
|
|
19876
19975
|
logout() {
|
|
19877
19976
|
// Synchronous so we must reject
|
|
19878
|
-
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
|
|
19977
|
+
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
|
|
19879
19978
|
}
|
|
19880
19979
|
/**
|
|
19881
19980
|
* Creates a Refresh Client with the given authority, or the default authority.
|
|
@@ -19927,7 +20026,7 @@
|
|
|
19927
20026
|
async acquireToken(request) {
|
|
19928
20027
|
// Auth code payload is required
|
|
19929
20028
|
if (!request.code) {
|
|
19930
|
-
throw createBrowserAuthError(authCodeRequired);
|
|
20029
|
+
throw createBrowserAuthError(authCodeRequired, this.correlationId);
|
|
19931
20030
|
}
|
|
19932
20031
|
// Create silent request
|
|
19933
20032
|
const silentRequest = await invokeAsync(initializeAuthorizationRequest, StandardInteractionClientInitializeAuthorizationRequest, this.logger, this.performanceClient, this.correlationId)(request, InteractionType.Silent, this.config, this.browserCrypto, this.browserStorage, this.logger, this.performanceClient,
|
|
@@ -19965,7 +20064,7 @@
|
|
|
19965
20064
|
}
|
|
19966
20065
|
catch (e) {
|
|
19967
20066
|
if (e instanceof AuthError) {
|
|
19968
|
-
e.
|
|
20067
|
+
e.correlationId = this.correlationId;
|
|
19969
20068
|
serverTelemetryManager.cacheFailedRequest(e);
|
|
19970
20069
|
}
|
|
19971
20070
|
throw e;
|
|
@@ -19976,7 +20075,7 @@
|
|
|
19976
20075
|
*/
|
|
19977
20076
|
logout() {
|
|
19978
20077
|
// Synchronous so we must reject
|
|
19979
|
-
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported));
|
|
20078
|
+
return Promise.reject(createBrowserAuthError(silentLogoutUnsupported, ""));
|
|
19980
20079
|
}
|
|
19981
20080
|
}
|
|
19982
20081
|
|
|
@@ -20696,7 +20795,7 @@
|
|
|
20696
20795
|
try {
|
|
20697
20796
|
if (request.code && request.nativeAccountId) {
|
|
20698
20797
|
// Throw error in case server returns both spa_code and spa_accountid in exchange for auth code.
|
|
20699
|
-
throw createBrowserAuthError(spaCodeAndNativeAccountIdPresent);
|
|
20798
|
+
throw createBrowserAuthError(spaCodeAndNativeAccountIdPresent, correlationId);
|
|
20700
20799
|
}
|
|
20701
20800
|
else if (request.code) {
|
|
20702
20801
|
const hybridAuthCode = request.code;
|
|
@@ -20759,11 +20858,11 @@
|
|
|
20759
20858
|
return result;
|
|
20760
20859
|
}
|
|
20761
20860
|
else {
|
|
20762
|
-
throw createBrowserAuthError(unableToAcquireTokenFromNativePlatform);
|
|
20861
|
+
throw createBrowserAuthError(unableToAcquireTokenFromNativePlatform, correlationId);
|
|
20763
20862
|
}
|
|
20764
20863
|
}
|
|
20765
20864
|
else {
|
|
20766
|
-
throw createBrowserAuthError(authCodeOrNativeAccountIdRequired);
|
|
20865
|
+
throw createBrowserAuthError(authCodeOrNativeAccountIdRequired, correlationId);
|
|
20767
20866
|
}
|
|
20768
20867
|
}
|
|
20769
20868
|
catch (e) {
|
|
@@ -20825,7 +20924,7 @@
|
|
|
20825
20924
|
const silentCacheClient = this.createSilentCacheClient(commonRequest.correlationId);
|
|
20826
20925
|
return invokeAsync(silentCacheClient.acquireToken.bind(silentCacheClient), SilentCacheClientAcquireToken, this.logger, this.performanceClient, commonRequest.correlationId)(commonRequest);
|
|
20827
20926
|
default:
|
|
20828
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
20927
|
+
throw createClientAuthError(tokenRefreshRequired, commonRequest.correlationId);
|
|
20829
20928
|
}
|
|
20830
20929
|
}
|
|
20831
20930
|
/**
|
|
@@ -20843,7 +20942,7 @@
|
|
|
20843
20942
|
const silentRefreshClient = this.createSilentRefreshClient(commonRequest.correlationId);
|
|
20844
20943
|
return invokeAsync(silentRefreshClient.acquireToken.bind(silentRefreshClient), SilentRefreshClientAcquireToken, this.logger, this.performanceClient, commonRequest.correlationId)(commonRequest);
|
|
20845
20944
|
default:
|
|
20846
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
20945
|
+
throw createClientAuthError(tokenRefreshRequired, commonRequest.correlationId);
|
|
20847
20946
|
}
|
|
20848
20947
|
}
|
|
20849
20948
|
/**
|
|
@@ -20952,7 +21051,7 @@
|
|
|
20952
21051
|
? toSecondsFromDate(result.expiresOn)
|
|
20953
21052
|
: 0, result.extExpiresOn
|
|
20954
21053
|
? toSecondsFromDate(result.extExpiresOn)
|
|
20955
|
-
: 0, base64Decode, undefined, // refreshOn
|
|
21054
|
+
: 0, base64Decode, request.correlationId || "", undefined, // refreshOn
|
|
20956
21055
|
result.tokenType, undefined, // userAssertionHash
|
|
20957
21056
|
request.sshKid);
|
|
20958
21057
|
if (request.resource) {
|
|
@@ -20977,7 +21076,7 @@
|
|
|
20977
21076
|
const correlationId = this.getRequestCorrelationId(request);
|
|
20978
21077
|
this.logger.trace("acquireTokenNative called", correlationId);
|
|
20979
21078
|
if (!this.platformAuthProvider) {
|
|
20980
|
-
throw createBrowserAuthError(nativeConnectionNotEstablished);
|
|
21079
|
+
throw createBrowserAuthError(nativeConnectionNotEstablished, correlationId);
|
|
20981
21080
|
}
|
|
20982
21081
|
const nativeClient = new PlatformAuthInteractionClient(this.config, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, apiId, this.performanceClient, this.platformAuthProvider, accountId || this.getNativeAccountId(request), this.nativeInternalStorage, correlationId);
|
|
20983
21082
|
return invokeAsync(nativeClient.acquireToken.bind(nativeClient), NativeInteractionClientAcquireToken, this.logger, this.performanceClient, correlationId)(request, cacheLookupPolicy);
|
|
@@ -21221,7 +21320,7 @@
|
|
|
21221
21320
|
this.logger.verbose("acquireTokenSilent called", correlationId);
|
|
21222
21321
|
const account = request.account || this.getActiveAccount();
|
|
21223
21322
|
if (!account) {
|
|
21224
|
-
throw createBrowserAuthError(noAccountError);
|
|
21323
|
+
throw createBrowserAuthError(noAccountError, correlationId);
|
|
21225
21324
|
}
|
|
21226
21325
|
return this.acquireTokenSilentDeduped(request, account, correlationId)
|
|
21227
21326
|
.then((result) => {
|
|
@@ -21240,7 +21339,7 @@
|
|
|
21240
21339
|
.catch((error) => {
|
|
21241
21340
|
if (error instanceof AuthError) {
|
|
21242
21341
|
// Ensures PWB scenarios can correctly match request to response
|
|
21243
|
-
error.
|
|
21342
|
+
error.correlationId = correlationId;
|
|
21244
21343
|
}
|
|
21245
21344
|
atsMeasurement.end({
|
|
21246
21345
|
success: false,
|
|
@@ -21398,7 +21497,7 @@
|
|
|
21398
21497
|
this.logger.verbose("acquireTokenSilent - native platform unavailable, falling back to web flow", silentRequest.correlationId);
|
|
21399
21498
|
this.platformAuthProvider = undefined; // Prevent future requests from continuing to attempt
|
|
21400
21499
|
// Cache will not contain tokens, given that previous WAM requests succeeded. Skip cache and RT renewal and go straight to iframe renewal
|
|
21401
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
21500
|
+
throw createClientAuthError(tokenRefreshRequired, silentRequest.correlationId);
|
|
21402
21501
|
}
|
|
21403
21502
|
throw e;
|
|
21404
21503
|
});
|
|
@@ -21507,7 +21606,7 @@
|
|
|
21507
21606
|
this.logger.verbose("The SDK can only be used in a browser environment.", "");
|
|
21508
21607
|
throw new UnsupportedEnvironmentError();
|
|
21509
21608
|
}
|
|
21510
|
-
this.logger = this.logger.clone(
|
|
21609
|
+
this.logger = this.logger.clone(name, DefaultPackageInfo.VERSION);
|
|
21511
21610
|
this.customAuthConfig = operatingContext.getCustomAuthConfig();
|
|
21512
21611
|
this.authority = new CustomAuthAuthority(this.customAuthConfig.auth.authority, this.customAuthConfig, this.networkClient, this.browserStorage, this.logger, this.performanceClient, this.customAuthConfig.customAuth?.authApiProxyUrl);
|
|
21513
21612
|
const interactionClientFactory = new CustomAuthInterationClientFactory(this.customAuthConfig, this.browserStorage, this.browserCrypto, this.logger, this.eventHandler, this.navigationClient, this.performanceClient, customAuthApiClient ??
|