@azure/msal-common 14.13.1 → 14.14.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (193) hide show
  1. package/dist/account/AccountInfo.d.ts +66 -66
  2. package/dist/account/AccountInfo.mjs +77 -77
  3. package/dist/account/AuthToken.d.ts +17 -17
  4. package/dist/account/AuthToken.mjs +58 -58
  5. package/dist/account/CcsCredential.d.ts +9 -9
  6. package/dist/account/CcsCredential.mjs +8 -8
  7. package/dist/account/ClientCredentials.d.ts +19 -19
  8. package/dist/account/ClientInfo.d.ts +18 -18
  9. package/dist/account/ClientInfo.mjs +37 -37
  10. package/dist/account/TokenClaims.d.ts +83 -83
  11. package/dist/account/TokenClaims.mjs +20 -20
  12. package/dist/authority/Authority.d.ts +254 -254
  13. package/dist/authority/Authority.mjs +836 -836
  14. package/dist/authority/AuthorityFactory.d.ts +18 -18
  15. package/dist/authority/AuthorityFactory.mjs +28 -28
  16. package/dist/authority/AuthorityMetadata.d.ts +43 -43
  17. package/dist/authority/AuthorityMetadata.mjs +137 -137
  18. package/dist/authority/AuthorityOptions.d.ts +27 -27
  19. package/dist/authority/AuthorityOptions.mjs +18 -18
  20. package/dist/authority/AuthorityType.d.ts +10 -10
  21. package/dist/authority/AuthorityType.mjs +13 -13
  22. package/dist/authority/AzureRegion.d.ts +1 -1
  23. package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
  24. package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
  25. package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
  26. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
  27. package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
  28. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
  29. package/dist/authority/ImdsOptions.d.ts +5 -5
  30. package/dist/authority/OIDCOptions.d.ts +8 -8
  31. package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
  32. package/dist/authority/OpenIdConfigResponse.mjs +10 -10
  33. package/dist/authority/ProtocolMode.d.ts +8 -8
  34. package/dist/authority/ProtocolMode.mjs +11 -11
  35. package/dist/authority/RegionDiscovery.d.ts +32 -32
  36. package/dist/authority/RegionDiscovery.mjs +106 -106
  37. package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
  38. package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
  39. package/dist/cache/CacheManager.d.ts +497 -497
  40. package/dist/cache/CacheManager.mjs +1249 -1249
  41. package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
  42. package/dist/cache/entities/AccountEntity.d.ts +106 -106
  43. package/dist/cache/entities/AccountEntity.mjs +240 -240
  44. package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
  45. package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
  46. package/dist/cache/entities/CacheRecord.d.ts +13 -13
  47. package/dist/cache/entities/CredentialEntity.d.ts +30 -30
  48. package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
  49. package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
  50. package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -5
  51. package/dist/cache/entities/ServerTelemetryEntity.d.ts.map +1 -1
  52. package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
  53. package/dist/cache/interface/ICacheManager.d.ts +166 -166
  54. package/dist/cache/interface/ICachePlugin.d.ts +5 -5
  55. package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
  56. package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
  57. package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
  58. package/dist/cache/utils/CacheHelpers.d.ts +94 -94
  59. package/dist/cache/utils/CacheHelpers.mjs +324 -324
  60. package/dist/cache/utils/CacheTypes.d.ts +69 -69
  61. package/dist/client/AuthorizationCodeClient.d.ts +74 -74
  62. package/dist/client/AuthorizationCodeClient.mjs +420 -420
  63. package/dist/client/BaseClient.d.ts +51 -51
  64. package/dist/client/BaseClient.mjs +100 -100
  65. package/dist/client/RefreshTokenClient.d.ts +35 -35
  66. package/dist/client/RefreshTokenClient.mjs +211 -211
  67. package/dist/client/SilentFlowClient.d.ts +27 -27
  68. package/dist/client/SilentFlowClient.mjs +133 -133
  69. package/dist/config/AppTokenProvider.d.ts +38 -38
  70. package/dist/config/ClientConfiguration.d.ts +150 -150
  71. package/dist/config/ClientConfiguration.mjs +95 -95
  72. package/dist/constants/AADServerParamKeys.d.ts +53 -52
  73. package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
  74. package/dist/constants/AADServerParamKeys.mjs +59 -58
  75. package/dist/constants/AADServerParamKeys.mjs.map +1 -1
  76. package/dist/crypto/ICrypto.d.ts +68 -68
  77. package/dist/crypto/ICrypto.mjs +36 -36
  78. package/dist/crypto/IGuidGenerator.d.ts +4 -4
  79. package/dist/crypto/JoseHeader.d.ts +22 -22
  80. package/dist/crypto/JoseHeader.mjs +37 -37
  81. package/dist/crypto/PopTokenGenerator.d.ts +59 -59
  82. package/dist/crypto/PopTokenGenerator.mjs +81 -81
  83. package/dist/crypto/SignedHttpRequest.d.ts +15 -15
  84. package/dist/error/AuthError.d.ts +44 -44
  85. package/dist/error/AuthError.mjs +46 -46
  86. package/dist/error/AuthErrorCodes.d.ts +5 -5
  87. package/dist/error/AuthErrorCodes.mjs +9 -9
  88. package/dist/error/CacheError.d.ts +20 -20
  89. package/dist/error/CacheError.mjs +24 -24
  90. package/dist/error/CacheErrorCodes.d.ts +2 -2
  91. package/dist/error/CacheErrorCodes.mjs +6 -6
  92. package/dist/error/ClientAuthError.d.ts +237 -237
  93. package/dist/error/ClientAuthError.mjs +249 -249
  94. package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
  95. package/dist/error/ClientAuthErrorCodes.mjs +48 -48
  96. package/dist/error/ClientConfigurationError.d.ts +128 -128
  97. package/dist/error/ClientConfigurationError.mjs +135 -135
  98. package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
  99. package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
  100. package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
  101. package/dist/error/InteractionRequiredAuthError.mjs +85 -85
  102. package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
  103. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
  104. package/dist/error/JoseHeaderError.d.ts +15 -15
  105. package/dist/error/JoseHeaderError.mjs +22 -22
  106. package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
  107. package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
  108. package/dist/error/ServerError.d.ts +15 -15
  109. package/dist/error/ServerError.mjs +16 -16
  110. package/dist/index.cjs +8664 -8599
  111. package/dist/index.cjs.map +1 -1
  112. package/dist/index.d.ts +107 -107
  113. package/dist/index.mjs +1 -1
  114. package/dist/logger/Logger.d.ts +95 -95
  115. package/dist/logger/Logger.mjs +188 -188
  116. package/dist/network/INetworkModule.d.ts +29 -29
  117. package/dist/network/INetworkModule.mjs +12 -12
  118. package/dist/network/NetworkManager.d.ts +33 -33
  119. package/dist/network/NetworkManager.mjs +34 -34
  120. package/dist/network/RequestThumbprint.d.ts +18 -18
  121. package/dist/network/ThrottlingUtils.d.ts +42 -42
  122. package/dist/network/ThrottlingUtils.mjs +95 -95
  123. package/dist/packageMetadata.d.ts +2 -2
  124. package/dist/packageMetadata.mjs +4 -4
  125. package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
  126. package/dist/request/AuthenticationHeaderParser.mjs +55 -55
  127. package/dist/request/BaseAuthRequest.d.ts +47 -47
  128. package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
  129. package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
  130. package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
  131. package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
  132. package/dist/request/CommonEndSessionRequest.d.ts +21 -21
  133. package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
  134. package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
  135. package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
  136. package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
  137. package/dist/request/NativeRequest.d.ts +19 -19
  138. package/dist/request/NativeSignOutRequest.d.ts +5 -5
  139. package/dist/request/RequestParameterBuilder.d.ts +217 -217
  140. package/dist/request/RequestParameterBuilder.mjs +382 -382
  141. package/dist/request/RequestValidator.d.ts +27 -27
  142. package/dist/request/RequestValidator.mjs +64 -64
  143. package/dist/request/ScopeSet.d.ts +88 -88
  144. package/dist/request/ScopeSet.mjs +197 -197
  145. package/dist/request/StoreInCache.d.ts +8 -8
  146. package/dist/response/AuthenticationResult.d.ts +41 -41
  147. package/dist/response/AuthorizationCodePayload.d.ts +13 -13
  148. package/dist/response/DeviceCodeResponse.d.ts +25 -25
  149. package/dist/response/ExternalTokenResponse.d.ts +15 -15
  150. package/dist/response/IMDSBadResponse.d.ts +4 -4
  151. package/dist/response/ResponseHandler.d.ts +69 -69
  152. package/dist/response/ResponseHandler.mjs +374 -374
  153. package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
  154. package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
  155. package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
  156. package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
  157. package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
  158. package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
  159. package/dist/telemetry/performance/PerformanceEvent.d.ts +515 -505
  160. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  161. package/dist/telemetry/performance/PerformanceEvent.mjs +484 -480
  162. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  163. package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
  164. package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
  165. package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -66
  166. package/dist/telemetry/server/ServerTelemetryManager.d.ts.map +1 -1
  167. package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -201
  168. package/dist/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
  169. package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
  170. package/dist/url/IUri.d.ts +12 -12
  171. package/dist/url/UrlString.d.ts +48 -48
  172. package/dist/url/UrlString.mjs +161 -161
  173. package/dist/utils/ClientAssertionUtils.d.ts +2 -2
  174. package/dist/utils/ClientAssertionUtils.mjs +16 -16
  175. package/dist/utils/Constants.d.ts +309 -309
  176. package/dist/utils/Constants.mjs +322 -322
  177. package/dist/utils/FunctionWrappers.d.ts +27 -27
  178. package/dist/utils/FunctionWrappers.mjs +94 -94
  179. package/dist/utils/MsalTypes.d.ts +6 -6
  180. package/dist/utils/ProtocolUtils.d.ts +42 -42
  181. package/dist/utils/ProtocolUtils.mjs +69 -69
  182. package/dist/utils/StringUtils.d.ts +40 -40
  183. package/dist/utils/StringUtils.mjs +95 -95
  184. package/dist/utils/TimeUtils.d.ts +25 -25
  185. package/dist/utils/TimeUtils.mjs +43 -43
  186. package/dist/utils/UrlUtils.d.ts +10 -10
  187. package/dist/utils/UrlUtils.mjs +44 -44
  188. package/package.json +1 -1
  189. package/src/cache/entities/ServerTelemetryEntity.ts +1 -0
  190. package/src/constants/AADServerParamKeys.ts +1 -0
  191. package/src/packageMetadata.ts +1 -1
  192. package/src/telemetry/performance/PerformanceEvent.ts +12 -0
  193. package/src/telemetry/server/ServerTelemetryManager.ts +95 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v14.13.1 2024-07-16 */
1
+ /*! @azure/msal-common v14.14.1 2024-08-13 */
2
2
  'use strict';
3
3
  import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
4
4
  import { BaseClient } from './BaseClient.mjs';
@@ -24,216 +24,216 @@ import { tokenRequestEmpty, missingSshJwk } from '../error/ClientConfigurationEr
24
24
  import { noAccountInSilentRequest } from '../error/ClientAuthErrorCodes.mjs';
25
25
  import { noTokensFound, refreshTokenExpired, badToken } from '../error/InteractionRequiredAuthErrorCodes.mjs';
26
26
 
27
- /*
28
- * Copyright (c) Microsoft Corporation. All rights reserved.
29
- * Licensed under the MIT License.
30
- */
31
- const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
32
- /**
33
- * OAuth2.0 refresh token client
34
- * @internal
35
- */
36
- class RefreshTokenClient extends BaseClient {
37
- constructor(configuration, performanceClient) {
38
- super(configuration, performanceClient);
39
- }
40
- async acquireToken(request) {
41
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
42
- const reqTimestamp = nowSeconds();
43
- const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
44
- // Retrieve requestId from response headers
45
- const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
46
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
47
- responseHandler.validateTokenResponse(response.body);
48
- return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
49
- }
50
- /**
51
- * Gets cached refresh token and attaches to request, then calls acquireToken API
52
- * @param request
53
- */
54
- async acquireTokenByRefreshToken(request) {
55
- // Cannot renew token if no request object is given.
56
- if (!request) {
57
- throw createClientConfigurationError(tokenRequestEmpty);
58
- }
59
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
60
- // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
61
- if (!request.account) {
62
- throw createClientAuthError(noAccountInSilentRequest);
63
- }
64
- // try checking if FOCI is enabled for the given application
65
- const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
66
- // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
67
- if (isFOCI) {
68
- try {
69
- return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
70
- }
71
- catch (e) {
72
- const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
73
- e.errorCode ===
74
- noTokensFound;
75
- const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
76
- e.errorCode === Errors.INVALID_GRANT_ERROR &&
77
- e.subError === Errors.CLIENT_MISMATCH_ERROR;
78
- // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
79
- if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
80
- return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
81
- // throw in all other cases
82
- }
83
- else {
84
- throw e;
85
- }
86
- }
87
- }
88
- // fall back to application refresh token acquisition
89
- return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
90
- }
91
- /**
92
- * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
93
- * @param request
94
- */
95
- async acquireTokenWithCachedRefreshToken(request, foci) {
96
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
97
- // fetches family RT or application RT based on FOCI value
98
- const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
99
- if (!refreshToken) {
100
- throw createInteractionRequiredAuthError(noTokensFound);
101
- }
102
- if (refreshToken.expiresOn &&
103
- isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
104
- DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
105
- throw createInteractionRequiredAuthError(refreshTokenExpired);
106
- }
107
- // attach cached RT size to the current measurement
108
- const refreshTokenRequest = {
109
- ...request,
110
- refreshToken: refreshToken.secret,
111
- authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
112
- ccsCredential: {
113
- credential: request.account.homeAccountId,
114
- type: CcsCredentialType.HOME_ACCOUNT_ID,
115
- },
116
- };
117
- try {
118
- return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
119
- }
120
- catch (e) {
121
- if (e instanceof InteractionRequiredAuthError &&
122
- e.subError === badToken) {
123
- // Remove bad refresh token from cache
124
- this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
125
- const badRefreshTokenKey = generateCredentialKey(refreshToken);
126
- this.cacheManager.removeRefreshToken(badRefreshTokenKey);
127
- }
128
- throw e;
129
- }
130
- }
131
- /**
132
- * Constructs the network message and makes a NW call to the underlying secure token service
133
- * @param request
134
- * @param authority
135
- */
136
- async executeTokenRequest(request, authority) {
137
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
138
- const queryParametersString = this.createTokenQueryParameters(request);
139
- const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
140
- const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
141
- const headers = this.createTokenRequestHeaders(request.ccsCredential);
142
- const thumbprint = {
143
- clientId: request.tokenBodyParameters?.clientId ||
144
- this.config.authOptions.clientId,
145
- authority: authority.canonicalAuthority,
146
- scopes: request.scopes,
147
- claims: request.claims,
148
- authenticationScheme: request.authenticationScheme,
149
- resourceRequestMethod: request.resourceRequestMethod,
150
- resourceRequestUri: request.resourceRequestUri,
151
- shrClaims: request.shrClaims,
152
- sshKid: request.sshKid,
153
- };
154
- return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
155
- }
156
- /**
157
- * Helper function to create the token request body
158
- * @param request
159
- */
160
- async createTokenRequestBody(request) {
161
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
162
- const correlationId = request.correlationId;
163
- const parameterBuilder = new RequestParameterBuilder();
164
- parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
165
- this.config.authOptions.clientId);
166
- if (request.redirectUri) {
167
- parameterBuilder.addRedirectUri(request.redirectUri);
168
- }
169
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
170
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
171
- parameterBuilder.addClientInfo();
172
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
173
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
174
- parameterBuilder.addThrottling();
175
- if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
176
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
177
- }
178
- parameterBuilder.addCorrelationId(correlationId);
179
- parameterBuilder.addRefreshToken(request.refreshToken);
180
- if (this.config.clientCredentials.clientSecret) {
181
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
182
- }
183
- if (this.config.clientCredentials.clientAssertion) {
184
- const clientAssertion = this.config.clientCredentials.clientAssertion;
185
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
186
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
187
- }
188
- if (request.authenticationScheme === AuthenticationScheme.POP) {
189
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
190
- let reqCnfData;
191
- if (!request.popKid) {
192
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
193
- reqCnfData = generatedReqCnfData.reqCnfString;
194
- }
195
- else {
196
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
197
- }
198
- // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
199
- parameterBuilder.addPopToken(reqCnfData);
200
- }
201
- else if (request.authenticationScheme === AuthenticationScheme.SSH) {
202
- if (request.sshJwk) {
203
- parameterBuilder.addSshJwk(request.sshJwk);
204
- }
205
- else {
206
- throw createClientConfigurationError(missingSshJwk);
207
- }
208
- }
209
- if (!StringUtils.isEmptyObj(request.claims) ||
210
- (this.config.authOptions.clientCapabilities &&
211
- this.config.authOptions.clientCapabilities.length > 0)) {
212
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
213
- }
214
- if (this.config.systemOptions.preventCorsPreflight &&
215
- request.ccsCredential) {
216
- switch (request.ccsCredential.type) {
217
- case CcsCredentialType.HOME_ACCOUNT_ID:
218
- try {
219
- const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
220
- parameterBuilder.addCcsOid(clientInfo);
221
- }
222
- catch (e) {
223
- this.logger.verbose("Could not parse home account ID for CCS Header: " +
224
- e);
225
- }
226
- break;
227
- case CcsCredentialType.UPN:
228
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
229
- break;
230
- }
231
- }
232
- if (request.tokenBodyParameters) {
233
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
234
- }
235
- return parameterBuilder.createQueryString();
236
- }
27
+ /*
28
+ * Copyright (c) Microsoft Corporation. All rights reserved.
29
+ * Licensed under the MIT License.
30
+ */
31
+ const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
32
+ /**
33
+ * OAuth2.0 refresh token client
34
+ * @internal
35
+ */
36
+ class RefreshTokenClient extends BaseClient {
37
+ constructor(configuration, performanceClient) {
38
+ super(configuration, performanceClient);
39
+ }
40
+ async acquireToken(request) {
41
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
42
+ const reqTimestamp = nowSeconds();
43
+ const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
44
+ // Retrieve requestId from response headers
45
+ const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
46
+ const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
47
+ responseHandler.validateTokenResponse(response.body);
48
+ return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
49
+ }
50
+ /**
51
+ * Gets cached refresh token and attaches to request, then calls acquireToken API
52
+ * @param request
53
+ */
54
+ async acquireTokenByRefreshToken(request) {
55
+ // Cannot renew token if no request object is given.
56
+ if (!request) {
57
+ throw createClientConfigurationError(tokenRequestEmpty);
58
+ }
59
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
60
+ // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
61
+ if (!request.account) {
62
+ throw createClientAuthError(noAccountInSilentRequest);
63
+ }
64
+ // try checking if FOCI is enabled for the given application
65
+ const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
66
+ // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
67
+ if (isFOCI) {
68
+ try {
69
+ return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
70
+ }
71
+ catch (e) {
72
+ const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
73
+ e.errorCode ===
74
+ noTokensFound;
75
+ const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
76
+ e.errorCode === Errors.INVALID_GRANT_ERROR &&
77
+ e.subError === Errors.CLIENT_MISMATCH_ERROR;
78
+ // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
79
+ if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
80
+ return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
81
+ // throw in all other cases
82
+ }
83
+ else {
84
+ throw e;
85
+ }
86
+ }
87
+ }
88
+ // fall back to application refresh token acquisition
89
+ return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
90
+ }
91
+ /**
92
+ * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
93
+ * @param request
94
+ */
95
+ async acquireTokenWithCachedRefreshToken(request, foci) {
96
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
97
+ // fetches family RT or application RT based on FOCI value
98
+ const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
99
+ if (!refreshToken) {
100
+ throw createInteractionRequiredAuthError(noTokensFound);
101
+ }
102
+ if (refreshToken.expiresOn &&
103
+ isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
104
+ DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
105
+ throw createInteractionRequiredAuthError(refreshTokenExpired);
106
+ }
107
+ // attach cached RT size to the current measurement
108
+ const refreshTokenRequest = {
109
+ ...request,
110
+ refreshToken: refreshToken.secret,
111
+ authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
112
+ ccsCredential: {
113
+ credential: request.account.homeAccountId,
114
+ type: CcsCredentialType.HOME_ACCOUNT_ID,
115
+ },
116
+ };
117
+ try {
118
+ return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
119
+ }
120
+ catch (e) {
121
+ if (e instanceof InteractionRequiredAuthError &&
122
+ e.subError === badToken) {
123
+ // Remove bad refresh token from cache
124
+ this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
125
+ const badRefreshTokenKey = generateCredentialKey(refreshToken);
126
+ this.cacheManager.removeRefreshToken(badRefreshTokenKey);
127
+ }
128
+ throw e;
129
+ }
130
+ }
131
+ /**
132
+ * Constructs the network message and makes a NW call to the underlying secure token service
133
+ * @param request
134
+ * @param authority
135
+ */
136
+ async executeTokenRequest(request, authority) {
137
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
138
+ const queryParametersString = this.createTokenQueryParameters(request);
139
+ const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
140
+ const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
141
+ const headers = this.createTokenRequestHeaders(request.ccsCredential);
142
+ const thumbprint = {
143
+ clientId: request.tokenBodyParameters?.clientId ||
144
+ this.config.authOptions.clientId,
145
+ authority: authority.canonicalAuthority,
146
+ scopes: request.scopes,
147
+ claims: request.claims,
148
+ authenticationScheme: request.authenticationScheme,
149
+ resourceRequestMethod: request.resourceRequestMethod,
150
+ resourceRequestUri: request.resourceRequestUri,
151
+ shrClaims: request.shrClaims,
152
+ sshKid: request.sshKid,
153
+ };
154
+ return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
155
+ }
156
+ /**
157
+ * Helper function to create the token request body
158
+ * @param request
159
+ */
160
+ async createTokenRequestBody(request) {
161
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
162
+ const correlationId = request.correlationId;
163
+ const parameterBuilder = new RequestParameterBuilder();
164
+ parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
165
+ this.config.authOptions.clientId);
166
+ if (request.redirectUri) {
167
+ parameterBuilder.addRedirectUri(request.redirectUri);
168
+ }
169
+ parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
170
+ parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
171
+ parameterBuilder.addClientInfo();
172
+ parameterBuilder.addLibraryInfo(this.config.libraryInfo);
173
+ parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
174
+ parameterBuilder.addThrottling();
175
+ if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
176
+ parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
177
+ }
178
+ parameterBuilder.addCorrelationId(correlationId);
179
+ parameterBuilder.addRefreshToken(request.refreshToken);
180
+ if (this.config.clientCredentials.clientSecret) {
181
+ parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
182
+ }
183
+ if (this.config.clientCredentials.clientAssertion) {
184
+ const clientAssertion = this.config.clientCredentials.clientAssertion;
185
+ parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
186
+ parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
187
+ }
188
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
189
+ const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
190
+ let reqCnfData;
191
+ if (!request.popKid) {
192
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
193
+ reqCnfData = generatedReqCnfData.reqCnfString;
194
+ }
195
+ else {
196
+ reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
197
+ }
198
+ // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
199
+ parameterBuilder.addPopToken(reqCnfData);
200
+ }
201
+ else if (request.authenticationScheme === AuthenticationScheme.SSH) {
202
+ if (request.sshJwk) {
203
+ parameterBuilder.addSshJwk(request.sshJwk);
204
+ }
205
+ else {
206
+ throw createClientConfigurationError(missingSshJwk);
207
+ }
208
+ }
209
+ if (!StringUtils.isEmptyObj(request.claims) ||
210
+ (this.config.authOptions.clientCapabilities &&
211
+ this.config.authOptions.clientCapabilities.length > 0)) {
212
+ parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
213
+ }
214
+ if (this.config.systemOptions.preventCorsPreflight &&
215
+ request.ccsCredential) {
216
+ switch (request.ccsCredential.type) {
217
+ case CcsCredentialType.HOME_ACCOUNT_ID:
218
+ try {
219
+ const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
220
+ parameterBuilder.addCcsOid(clientInfo);
221
+ }
222
+ catch (e) {
223
+ this.logger.verbose("Could not parse home account ID for CCS Header: " +
224
+ e);
225
+ }
226
+ break;
227
+ case CcsCredentialType.UPN:
228
+ parameterBuilder.addCcsUpn(request.ccsCredential.credential);
229
+ break;
230
+ }
231
+ }
232
+ if (request.tokenBodyParameters) {
233
+ parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
234
+ }
235
+ return parameterBuilder.createQueryString();
236
+ }
237
237
  }
238
238
 
239
239
  export { RefreshTokenClient };
@@ -1,28 +1,28 @@
1
- import { BaseClient } from "./BaseClient";
2
- import { ClientConfiguration } from "../config/ClientConfiguration";
3
- import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
4
- import { AuthenticationResult } from "../response/AuthenticationResult";
5
- import { CacheOutcome } from "../utils/Constants";
6
- import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
7
- /** @internal */
8
- export declare class SilentFlowClient extends BaseClient {
9
- constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
10
- /**
11
- * Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
12
- * the given token and returns the renewed token
13
- * @param request
14
- */
15
- acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
16
- /**
17
- * Retrieves token from cache or throws an error if it must be refreshed.
18
- * @param request
19
- */
20
- acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
21
- private setCacheOutcome;
22
- /**
23
- * Helper function to build response object from the CacheRecord
24
- * @param cacheRecord
25
- */
26
- private generateResultFromCacheRecord;
27
- }
1
+ import { BaseClient } from "./BaseClient";
2
+ import { ClientConfiguration } from "../config/ClientConfiguration";
3
+ import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
4
+ import { AuthenticationResult } from "../response/AuthenticationResult";
5
+ import { CacheOutcome } from "../utils/Constants";
6
+ import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
7
+ /** @internal */
8
+ export declare class SilentFlowClient extends BaseClient {
9
+ constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
10
+ /**
11
+ * Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
12
+ * the given token and returns the renewed token
13
+ * @param request
14
+ */
15
+ acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
16
+ /**
17
+ * Retrieves token from cache or throws an error if it must be refreshed.
18
+ * @param request
19
+ */
20
+ acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
21
+ private setCacheOutcome;
22
+ /**
23
+ * Helper function to build response object from the CacheRecord
24
+ * @param cacheRecord
25
+ */
26
+ private generateResultFromCacheRecord;
27
+ }
28
28
  //# sourceMappingURL=SilentFlowClient.d.ts.map