@azure/msal-common 14.13.1 → 14.14.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.d.ts +66 -66
- package/dist/account/AccountInfo.mjs +77 -77
- package/dist/account/AuthToken.d.ts +17 -17
- package/dist/account/AuthToken.mjs +58 -58
- package/dist/account/CcsCredential.d.ts +9 -9
- package/dist/account/CcsCredential.mjs +8 -8
- package/dist/account/ClientCredentials.d.ts +19 -19
- package/dist/account/ClientInfo.d.ts +18 -18
- package/dist/account/ClientInfo.mjs +37 -37
- package/dist/account/TokenClaims.d.ts +83 -83
- package/dist/account/TokenClaims.mjs +20 -20
- package/dist/authority/Authority.d.ts +254 -254
- package/dist/authority/Authority.mjs +836 -836
- package/dist/authority/AuthorityFactory.d.ts +18 -18
- package/dist/authority/AuthorityFactory.mjs +28 -28
- package/dist/authority/AuthorityMetadata.d.ts +43 -43
- package/dist/authority/AuthorityMetadata.mjs +137 -137
- package/dist/authority/AuthorityOptions.d.ts +27 -27
- package/dist/authority/AuthorityOptions.mjs +18 -18
- package/dist/authority/AuthorityType.d.ts +10 -10
- package/dist/authority/AuthorityType.mjs +13 -13
- package/dist/authority/AzureRegion.d.ts +1 -1
- package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
- package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
- package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
- package/dist/authority/ImdsOptions.d.ts +5 -5
- package/dist/authority/OIDCOptions.d.ts +8 -8
- package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
- package/dist/authority/OpenIdConfigResponse.mjs +10 -10
- package/dist/authority/ProtocolMode.d.ts +8 -8
- package/dist/authority/ProtocolMode.mjs +11 -11
- package/dist/authority/RegionDiscovery.d.ts +32 -32
- package/dist/authority/RegionDiscovery.mjs +106 -106
- package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
- package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
- package/dist/cache/CacheManager.d.ts +497 -497
- package/dist/cache/CacheManager.mjs +1249 -1249
- package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
- package/dist/cache/entities/AccountEntity.d.ts +106 -106
- package/dist/cache/entities/AccountEntity.mjs +240 -240
- package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
- package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
- package/dist/cache/entities/CacheRecord.d.ts +13 -13
- package/dist/cache/entities/CredentialEntity.d.ts +30 -30
- package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
- package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
- package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -5
- package/dist/cache/entities/ServerTelemetryEntity.d.ts.map +1 -1
- package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
- package/dist/cache/interface/ICacheManager.d.ts +166 -166
- package/dist/cache/interface/ICachePlugin.d.ts +5 -5
- package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
- package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
- package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
- package/dist/cache/utils/CacheHelpers.d.ts +94 -94
- package/dist/cache/utils/CacheHelpers.mjs +324 -324
- package/dist/cache/utils/CacheTypes.d.ts +69 -69
- package/dist/client/AuthorizationCodeClient.d.ts +74 -74
- package/dist/client/AuthorizationCodeClient.mjs +420 -420
- package/dist/client/BaseClient.d.ts +51 -51
- package/dist/client/BaseClient.mjs +100 -100
- package/dist/client/RefreshTokenClient.d.ts +35 -35
- package/dist/client/RefreshTokenClient.mjs +211 -211
- package/dist/client/SilentFlowClient.d.ts +27 -27
- package/dist/client/SilentFlowClient.mjs +133 -133
- package/dist/config/AppTokenProvider.d.ts +38 -38
- package/dist/config/ClientConfiguration.d.ts +150 -150
- package/dist/config/ClientConfiguration.mjs +95 -95
- package/dist/constants/AADServerParamKeys.d.ts +53 -52
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +59 -58
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.d.ts +68 -68
- package/dist/crypto/ICrypto.mjs +36 -36
- package/dist/crypto/IGuidGenerator.d.ts +4 -4
- package/dist/crypto/JoseHeader.d.ts +22 -22
- package/dist/crypto/JoseHeader.mjs +37 -37
- package/dist/crypto/PopTokenGenerator.d.ts +59 -59
- package/dist/crypto/PopTokenGenerator.mjs +81 -81
- package/dist/crypto/SignedHttpRequest.d.ts +15 -15
- package/dist/error/AuthError.d.ts +44 -44
- package/dist/error/AuthError.mjs +46 -46
- package/dist/error/AuthErrorCodes.d.ts +5 -5
- package/dist/error/AuthErrorCodes.mjs +9 -9
- package/dist/error/CacheError.d.ts +20 -20
- package/dist/error/CacheError.mjs +24 -24
- package/dist/error/CacheErrorCodes.d.ts +2 -2
- package/dist/error/CacheErrorCodes.mjs +6 -6
- package/dist/error/ClientAuthError.d.ts +237 -237
- package/dist/error/ClientAuthError.mjs +249 -249
- package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
- package/dist/error/ClientAuthErrorCodes.mjs +48 -48
- package/dist/error/ClientConfigurationError.d.ts +128 -128
- package/dist/error/ClientConfigurationError.mjs +135 -135
- package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
- package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
- package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
- package/dist/error/InteractionRequiredAuthError.mjs +85 -85
- package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
- package/dist/error/JoseHeaderError.d.ts +15 -15
- package/dist/error/JoseHeaderError.mjs +22 -22
- package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
- package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
- package/dist/error/ServerError.d.ts +15 -15
- package/dist/error/ServerError.mjs +16 -16
- package/dist/index.cjs +8664 -8599
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +107 -107
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.d.ts +95 -95
- package/dist/logger/Logger.mjs +188 -188
- package/dist/network/INetworkModule.d.ts +29 -29
- package/dist/network/INetworkModule.mjs +12 -12
- package/dist/network/NetworkManager.d.ts +33 -33
- package/dist/network/NetworkManager.mjs +34 -34
- package/dist/network/RequestThumbprint.d.ts +18 -18
- package/dist/network/ThrottlingUtils.d.ts +42 -42
- package/dist/network/ThrottlingUtils.mjs +95 -95
- package/dist/packageMetadata.d.ts +2 -2
- package/dist/packageMetadata.mjs +4 -4
- package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
- package/dist/request/AuthenticationHeaderParser.mjs +55 -55
- package/dist/request/BaseAuthRequest.d.ts +47 -47
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
- package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
- package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
- package/dist/request/CommonEndSessionRequest.d.ts +21 -21
- package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
- package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
- package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
- package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
- package/dist/request/NativeRequest.d.ts +19 -19
- package/dist/request/NativeSignOutRequest.d.ts +5 -5
- package/dist/request/RequestParameterBuilder.d.ts +217 -217
- package/dist/request/RequestParameterBuilder.mjs +382 -382
- package/dist/request/RequestValidator.d.ts +27 -27
- package/dist/request/RequestValidator.mjs +64 -64
- package/dist/request/ScopeSet.d.ts +88 -88
- package/dist/request/ScopeSet.mjs +197 -197
- package/dist/request/StoreInCache.d.ts +8 -8
- package/dist/response/AuthenticationResult.d.ts +41 -41
- package/dist/response/AuthorizationCodePayload.d.ts +13 -13
- package/dist/response/DeviceCodeResponse.d.ts +25 -25
- package/dist/response/ExternalTokenResponse.d.ts +15 -15
- package/dist/response/IMDSBadResponse.d.ts +4 -4
- package/dist/response/ResponseHandler.d.ts +69 -69
- package/dist/response/ResponseHandler.mjs +374 -374
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
- package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
- package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
- package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
- package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
- package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
- package/dist/telemetry/performance/PerformanceEvent.d.ts +515 -505
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +484 -480
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
- package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
- package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -66
- package/dist/telemetry/server/ServerTelemetryManager.d.ts.map +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -201
- package/dist/telemetry/server/ServerTelemetryManager.mjs.map +1 -1
- package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
- package/dist/url/IUri.d.ts +12 -12
- package/dist/url/UrlString.d.ts +48 -48
- package/dist/url/UrlString.mjs +161 -161
- package/dist/utils/ClientAssertionUtils.d.ts +2 -2
- package/dist/utils/ClientAssertionUtils.mjs +16 -16
- package/dist/utils/Constants.d.ts +309 -309
- package/dist/utils/Constants.mjs +322 -322
- package/dist/utils/FunctionWrappers.d.ts +27 -27
- package/dist/utils/FunctionWrappers.mjs +94 -94
- package/dist/utils/MsalTypes.d.ts +6 -6
- package/dist/utils/ProtocolUtils.d.ts +42 -42
- package/dist/utils/ProtocolUtils.mjs +69 -69
- package/dist/utils/StringUtils.d.ts +40 -40
- package/dist/utils/StringUtils.mjs +95 -95
- package/dist/utils/TimeUtils.d.ts +25 -25
- package/dist/utils/TimeUtils.mjs +43 -43
- package/dist/utils/UrlUtils.d.ts +10 -10
- package/dist/utils/UrlUtils.mjs +44 -44
- package/package.json +1 -1
- package/src/cache/entities/ServerTelemetryEntity.ts +1 -0
- package/src/constants/AADServerParamKeys.ts +1 -0
- package/src/packageMetadata.ts +1 -1
- package/src/telemetry/performance/PerformanceEvent.ts +12 -0
- package/src/telemetry/server/ServerTelemetryManager.ts +95 -1
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v14.
|
|
1
|
+
/*! @azure/msal-common v14.14.1 2024-08-13 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { BaseClient } from './BaseClient.mjs';
|
|
4
4
|
import { wasClockTurnedBack, isTokenExpired } from '../utils/TimeUtils.mjs';
|
|
@@ -13,138 +13,138 @@ import { invokeAsync } from '../utils/FunctionWrappers.mjs';
|
|
|
13
13
|
import { getTenantFromAuthorityString } from '../authority/Authority.mjs';
|
|
14
14
|
import { tokenRefreshRequired, noAccountInSilentRequest, authTimeNotFound } from '../error/ClientAuthErrorCodes.mjs';
|
|
15
15
|
|
|
16
|
-
/*
|
|
17
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
18
|
-
* Licensed under the MIT License.
|
|
19
|
-
*/
|
|
20
|
-
/** @internal */
|
|
21
|
-
class SilentFlowClient extends BaseClient {
|
|
22
|
-
constructor(configuration, performanceClient) {
|
|
23
|
-
super(configuration, performanceClient);
|
|
24
|
-
}
|
|
25
|
-
/**
|
|
26
|
-
* Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
|
|
27
|
-
* the given token and returns the renewed token
|
|
28
|
-
* @param request
|
|
29
|
-
*/
|
|
30
|
-
async acquireToken(request) {
|
|
31
|
-
try {
|
|
32
|
-
const [authResponse, cacheOutcome] = await this.acquireCachedToken({
|
|
33
|
-
...request,
|
|
34
|
-
scopes: request.scopes?.length
|
|
35
|
-
? request.scopes
|
|
36
|
-
: [...OIDC_DEFAULT_SCOPES],
|
|
37
|
-
});
|
|
38
|
-
// if the token is not expired but must be refreshed; get a new one in the background
|
|
39
|
-
if (cacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {
|
|
40
|
-
this.logger.info("SilentFlowClient:acquireCachedToken - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed.");
|
|
41
|
-
// refresh the access token in the background
|
|
42
|
-
const refreshTokenClient = new RefreshTokenClient(this.config, this.performanceClient);
|
|
43
|
-
refreshTokenClient
|
|
44
|
-
.acquireTokenByRefreshToken(request)
|
|
45
|
-
.catch(() => {
|
|
46
|
-
// do nothing, this is running in the background and no action is to be taken upon success or failure
|
|
47
|
-
});
|
|
48
|
-
}
|
|
49
|
-
// return the cached token
|
|
50
|
-
return authResponse;
|
|
51
|
-
}
|
|
52
|
-
catch (e) {
|
|
53
|
-
if (e instanceof ClientAuthError &&
|
|
54
|
-
e.errorCode === tokenRefreshRequired) {
|
|
55
|
-
const refreshTokenClient = new RefreshTokenClient(this.config, this.performanceClient);
|
|
56
|
-
return refreshTokenClient.acquireTokenByRefreshToken(request);
|
|
57
|
-
}
|
|
58
|
-
else {
|
|
59
|
-
throw e;
|
|
60
|
-
}
|
|
61
|
-
}
|
|
62
|
-
}
|
|
63
|
-
/**
|
|
64
|
-
* Retrieves token from cache or throws an error if it must be refreshed.
|
|
65
|
-
* @param request
|
|
66
|
-
*/
|
|
67
|
-
async acquireCachedToken(request) {
|
|
68
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientAcquireCachedToken, request.correlationId);
|
|
69
|
-
let lastCacheOutcome = CacheOutcome.NOT_APPLICABLE;
|
|
70
|
-
if (request.forceRefresh ||
|
|
71
|
-
(!this.config.cacheOptions.claimsBasedCachingEnabled &&
|
|
72
|
-
!StringUtils.isEmptyObj(request.claims))) {
|
|
73
|
-
// Must refresh due to present force_refresh flag.
|
|
74
|
-
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
|
|
75
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
76
|
-
}
|
|
77
|
-
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
78
|
-
if (!request.account) {
|
|
79
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
80
|
-
}
|
|
81
|
-
const requestTenantId = request.account.tenantId ||
|
|
82
|
-
getTenantFromAuthorityString(request.authority);
|
|
83
|
-
const tokenKeys = this.cacheManager.getTokenKeys();
|
|
84
|
-
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId, this.performanceClient, request.correlationId);
|
|
85
|
-
if (!cachedAccessToken) {
|
|
86
|
-
// must refresh due to non-existent access_token
|
|
87
|
-
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
88
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
89
|
-
}
|
|
90
|
-
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
|
|
91
|
-
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
|
|
92
|
-
// must refresh due to the expires_in value
|
|
93
|
-
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
|
|
94
|
-
throw createClientAuthError(tokenRefreshRequired);
|
|
95
|
-
}
|
|
96
|
-
else if (cachedAccessToken.refreshOn &&
|
|
97
|
-
isTokenExpired(cachedAccessToken.refreshOn, 0)) {
|
|
98
|
-
// must refresh (in the background) due to the refresh_in value
|
|
99
|
-
lastCacheOutcome = CacheOutcome.PROACTIVELY_REFRESHED;
|
|
100
|
-
// don't throw ClientAuthError.createRefreshRequiredError(), return cached token instead
|
|
101
|
-
}
|
|
102
|
-
const environment = request.authority || this.authority.getPreferredCache();
|
|
103
|
-
const cacheRecord = {
|
|
104
|
-
account: this.cacheManager.readAccountFromCache(request.account),
|
|
105
|
-
accessToken: cachedAccessToken,
|
|
106
|
-
idToken: this.cacheManager.getIdToken(request.account, tokenKeys, requestTenantId, this.performanceClient, request.correlationId),
|
|
107
|
-
refreshToken: null,
|
|
108
|
-
appMetadata: this.cacheManager.readAppMetadataFromCache(environment),
|
|
109
|
-
};
|
|
110
|
-
this.setCacheOutcome(lastCacheOutcome, request.correlationId);
|
|
111
|
-
if (this.config.serverTelemetryManager) {
|
|
112
|
-
this.config.serverTelemetryManager.incrementCacheHits();
|
|
113
|
-
}
|
|
114
|
-
return [
|
|
115
|
-
await invokeAsync(this.generateResultFromCacheRecord.bind(this), PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, this.logger, this.performanceClient, request.correlationId)(cacheRecord, request),
|
|
116
|
-
lastCacheOutcome,
|
|
117
|
-
];
|
|
118
|
-
}
|
|
119
|
-
setCacheOutcome(cacheOutcome, correlationId) {
|
|
120
|
-
this.serverTelemetryManager?.setCacheOutcome(cacheOutcome);
|
|
121
|
-
this.performanceClient?.addFields({
|
|
122
|
-
cacheOutcome: cacheOutcome,
|
|
123
|
-
}, correlationId);
|
|
124
|
-
if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
|
|
125
|
-
this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
|
|
126
|
-
}
|
|
127
|
-
}
|
|
128
|
-
/**
|
|
129
|
-
* Helper function to build response object from the CacheRecord
|
|
130
|
-
* @param cacheRecord
|
|
131
|
-
*/
|
|
132
|
-
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
133
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
|
|
134
|
-
let idTokenClaims;
|
|
135
|
-
if (cacheRecord.idToken) {
|
|
136
|
-
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
137
|
-
}
|
|
138
|
-
// token max_age check
|
|
139
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
140
|
-
const authTime = idTokenClaims?.auth_time;
|
|
141
|
-
if (!authTime) {
|
|
142
|
-
throw createClientAuthError(authTimeNotFound);
|
|
143
|
-
}
|
|
144
|
-
checkMaxAge(authTime, request.maxAge);
|
|
145
|
-
}
|
|
146
|
-
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
147
|
-
}
|
|
16
|
+
/*
|
|
17
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
18
|
+
* Licensed under the MIT License.
|
|
19
|
+
*/
|
|
20
|
+
/** @internal */
|
|
21
|
+
class SilentFlowClient extends BaseClient {
|
|
22
|
+
constructor(configuration, performanceClient) {
|
|
23
|
+
super(configuration, performanceClient);
|
|
24
|
+
}
|
|
25
|
+
/**
|
|
26
|
+
* Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
|
|
27
|
+
* the given token and returns the renewed token
|
|
28
|
+
* @param request
|
|
29
|
+
*/
|
|
30
|
+
async acquireToken(request) {
|
|
31
|
+
try {
|
|
32
|
+
const [authResponse, cacheOutcome] = await this.acquireCachedToken({
|
|
33
|
+
...request,
|
|
34
|
+
scopes: request.scopes?.length
|
|
35
|
+
? request.scopes
|
|
36
|
+
: [...OIDC_DEFAULT_SCOPES],
|
|
37
|
+
});
|
|
38
|
+
// if the token is not expired but must be refreshed; get a new one in the background
|
|
39
|
+
if (cacheOutcome === CacheOutcome.PROACTIVELY_REFRESHED) {
|
|
40
|
+
this.logger.info("SilentFlowClient:acquireCachedToken - Cached access token's refreshOn property has been exceeded'. It's not expired, but must be refreshed.");
|
|
41
|
+
// refresh the access token in the background
|
|
42
|
+
const refreshTokenClient = new RefreshTokenClient(this.config, this.performanceClient);
|
|
43
|
+
refreshTokenClient
|
|
44
|
+
.acquireTokenByRefreshToken(request)
|
|
45
|
+
.catch(() => {
|
|
46
|
+
// do nothing, this is running in the background and no action is to be taken upon success or failure
|
|
47
|
+
});
|
|
48
|
+
}
|
|
49
|
+
// return the cached token
|
|
50
|
+
return authResponse;
|
|
51
|
+
}
|
|
52
|
+
catch (e) {
|
|
53
|
+
if (e instanceof ClientAuthError &&
|
|
54
|
+
e.errorCode === tokenRefreshRequired) {
|
|
55
|
+
const refreshTokenClient = new RefreshTokenClient(this.config, this.performanceClient);
|
|
56
|
+
return refreshTokenClient.acquireTokenByRefreshToken(request);
|
|
57
|
+
}
|
|
58
|
+
else {
|
|
59
|
+
throw e;
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Retrieves token from cache or throws an error if it must be refreshed.
|
|
65
|
+
* @param request
|
|
66
|
+
*/
|
|
67
|
+
async acquireCachedToken(request) {
|
|
68
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientAcquireCachedToken, request.correlationId);
|
|
69
|
+
let lastCacheOutcome = CacheOutcome.NOT_APPLICABLE;
|
|
70
|
+
if (request.forceRefresh ||
|
|
71
|
+
(!this.config.cacheOptions.claimsBasedCachingEnabled &&
|
|
72
|
+
!StringUtils.isEmptyObj(request.claims))) {
|
|
73
|
+
// Must refresh due to present force_refresh flag.
|
|
74
|
+
this.setCacheOutcome(CacheOutcome.FORCE_REFRESH_OR_CLAIMS, request.correlationId);
|
|
75
|
+
throw createClientAuthError(tokenRefreshRequired);
|
|
76
|
+
}
|
|
77
|
+
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
78
|
+
if (!request.account) {
|
|
79
|
+
throw createClientAuthError(noAccountInSilentRequest);
|
|
80
|
+
}
|
|
81
|
+
const requestTenantId = request.account.tenantId ||
|
|
82
|
+
getTenantFromAuthorityString(request.authority);
|
|
83
|
+
const tokenKeys = this.cacheManager.getTokenKeys();
|
|
84
|
+
const cachedAccessToken = this.cacheManager.getAccessToken(request.account, request, tokenKeys, requestTenantId, this.performanceClient, request.correlationId);
|
|
85
|
+
if (!cachedAccessToken) {
|
|
86
|
+
// must refresh due to non-existent access_token
|
|
87
|
+
this.setCacheOutcome(CacheOutcome.NO_CACHED_ACCESS_TOKEN, request.correlationId);
|
|
88
|
+
throw createClientAuthError(tokenRefreshRequired);
|
|
89
|
+
}
|
|
90
|
+
else if (wasClockTurnedBack(cachedAccessToken.cachedAt) ||
|
|
91
|
+
isTokenExpired(cachedAccessToken.expiresOn, this.config.systemOptions.tokenRenewalOffsetSeconds)) {
|
|
92
|
+
// must refresh due to the expires_in value
|
|
93
|
+
this.setCacheOutcome(CacheOutcome.CACHED_ACCESS_TOKEN_EXPIRED, request.correlationId);
|
|
94
|
+
throw createClientAuthError(tokenRefreshRequired);
|
|
95
|
+
}
|
|
96
|
+
else if (cachedAccessToken.refreshOn &&
|
|
97
|
+
isTokenExpired(cachedAccessToken.refreshOn, 0)) {
|
|
98
|
+
// must refresh (in the background) due to the refresh_in value
|
|
99
|
+
lastCacheOutcome = CacheOutcome.PROACTIVELY_REFRESHED;
|
|
100
|
+
// don't throw ClientAuthError.createRefreshRequiredError(), return cached token instead
|
|
101
|
+
}
|
|
102
|
+
const environment = request.authority || this.authority.getPreferredCache();
|
|
103
|
+
const cacheRecord = {
|
|
104
|
+
account: this.cacheManager.readAccountFromCache(request.account),
|
|
105
|
+
accessToken: cachedAccessToken,
|
|
106
|
+
idToken: this.cacheManager.getIdToken(request.account, tokenKeys, requestTenantId, this.performanceClient, request.correlationId),
|
|
107
|
+
refreshToken: null,
|
|
108
|
+
appMetadata: this.cacheManager.readAppMetadataFromCache(environment),
|
|
109
|
+
};
|
|
110
|
+
this.setCacheOutcome(lastCacheOutcome, request.correlationId);
|
|
111
|
+
if (this.config.serverTelemetryManager) {
|
|
112
|
+
this.config.serverTelemetryManager.incrementCacheHits();
|
|
113
|
+
}
|
|
114
|
+
return [
|
|
115
|
+
await invokeAsync(this.generateResultFromCacheRecord.bind(this), PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, this.logger, this.performanceClient, request.correlationId)(cacheRecord, request),
|
|
116
|
+
lastCacheOutcome,
|
|
117
|
+
];
|
|
118
|
+
}
|
|
119
|
+
setCacheOutcome(cacheOutcome, correlationId) {
|
|
120
|
+
this.serverTelemetryManager?.setCacheOutcome(cacheOutcome);
|
|
121
|
+
this.performanceClient?.addFields({
|
|
122
|
+
cacheOutcome: cacheOutcome,
|
|
123
|
+
}, correlationId);
|
|
124
|
+
if (cacheOutcome !== CacheOutcome.NOT_APPLICABLE) {
|
|
125
|
+
this.logger.info(`Token refresh is required due to cache outcome: ${cacheOutcome}`);
|
|
126
|
+
}
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Helper function to build response object from the CacheRecord
|
|
130
|
+
* @param cacheRecord
|
|
131
|
+
*/
|
|
132
|
+
async generateResultFromCacheRecord(cacheRecord, request) {
|
|
133
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.SilentFlowClientGenerateResultFromCacheRecord, request.correlationId);
|
|
134
|
+
let idTokenClaims;
|
|
135
|
+
if (cacheRecord.idToken) {
|
|
136
|
+
idTokenClaims = extractTokenClaims(cacheRecord.idToken.secret, this.config.cryptoInterface.base64Decode);
|
|
137
|
+
}
|
|
138
|
+
// token max_age check
|
|
139
|
+
if (request.maxAge || request.maxAge === 0) {
|
|
140
|
+
const authTime = idTokenClaims?.auth_time;
|
|
141
|
+
if (!authTime) {
|
|
142
|
+
throw createClientAuthError(authTimeNotFound);
|
|
143
|
+
}
|
|
144
|
+
checkMaxAge(authTime, request.maxAge);
|
|
145
|
+
}
|
|
146
|
+
return ResponseHandler.generateAuthenticationResult(this.cryptoUtils, this.authority, cacheRecord, true, request, idTokenClaims);
|
|
147
|
+
}
|
|
148
148
|
}
|
|
149
149
|
|
|
150
150
|
export { SilentFlowClient };
|
|
@@ -1,39 +1,39 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Extensibility interface, which allows the app developer to return a token, based on the passed-in parameters, instead of fetching tokens from
|
|
3
|
-
* the Identity Provider (AAD).
|
|
4
|
-
* Developers need to construct and return an AppTokenProviderResult object back to MSAL. MSAL will cache the token response
|
|
5
|
-
* in the same way it would do if the result were comming from AAD.
|
|
6
|
-
* This extensibility point is only defined for the client_credential flow, i.e. acquireTokenByClientCredential and
|
|
7
|
-
* meant for Azure SDK to enhance Managed Identity support.
|
|
8
|
-
*/
|
|
9
|
-
export interface IAppTokenProvider {
|
|
10
|
-
(appTokenProviderParameters: AppTokenProviderParameters): Promise<AppTokenProviderResult>;
|
|
11
|
-
}
|
|
12
|
-
/**
|
|
13
|
-
* Input object for the IAppTokenProvider extensiblity. MSAL will create this object, which can be used
|
|
14
|
-
* to help create an AppTokenProviderResult.
|
|
15
|
-
*
|
|
16
|
-
* - correlationId - the correlation Id associated with the request
|
|
17
|
-
* - tenantId - the tenant Id for which the token must be provided
|
|
18
|
-
* - scopes - the scopes for which the token must be provided
|
|
19
|
-
* - claims - any extra claims that the token must satisfy
|
|
20
|
-
*/
|
|
21
|
-
export type AppTokenProviderParameters = {
|
|
22
|
-
readonly correlationId?: string;
|
|
23
|
-
readonly tenantId: string;
|
|
24
|
-
readonly scopes: Array<string>;
|
|
25
|
-
readonly claims?: string;
|
|
26
|
-
};
|
|
27
|
-
/**
|
|
28
|
-
* Output object for IAppTokenProvider extensiblity.
|
|
29
|
-
*
|
|
30
|
-
* - accessToken - the actual access token, typically in JWT format, that satisfies the request data AppTokenProviderParameters
|
|
31
|
-
* - expiresInSeconds - how long the tokens has before expiry, in seconds. Similar to the "expires_in" field in an AAD token response.
|
|
32
|
-
* - refreshInSeconds - how long the token has before it should be proactively refreshed. Similar to the "refresh_in" field in an AAD token response.
|
|
33
|
-
*/
|
|
34
|
-
export type AppTokenProviderResult = {
|
|
35
|
-
accessToken: string;
|
|
36
|
-
expiresInSeconds: number;
|
|
37
|
-
refreshInSeconds?: number;
|
|
38
|
-
};
|
|
1
|
+
/**
|
|
2
|
+
* Extensibility interface, which allows the app developer to return a token, based on the passed-in parameters, instead of fetching tokens from
|
|
3
|
+
* the Identity Provider (AAD).
|
|
4
|
+
* Developers need to construct and return an AppTokenProviderResult object back to MSAL. MSAL will cache the token response
|
|
5
|
+
* in the same way it would do if the result were comming from AAD.
|
|
6
|
+
* This extensibility point is only defined for the client_credential flow, i.e. acquireTokenByClientCredential and
|
|
7
|
+
* meant for Azure SDK to enhance Managed Identity support.
|
|
8
|
+
*/
|
|
9
|
+
export interface IAppTokenProvider {
|
|
10
|
+
(appTokenProviderParameters: AppTokenProviderParameters): Promise<AppTokenProviderResult>;
|
|
11
|
+
}
|
|
12
|
+
/**
|
|
13
|
+
* Input object for the IAppTokenProvider extensiblity. MSAL will create this object, which can be used
|
|
14
|
+
* to help create an AppTokenProviderResult.
|
|
15
|
+
*
|
|
16
|
+
* - correlationId - the correlation Id associated with the request
|
|
17
|
+
* - tenantId - the tenant Id for which the token must be provided
|
|
18
|
+
* - scopes - the scopes for which the token must be provided
|
|
19
|
+
* - claims - any extra claims that the token must satisfy
|
|
20
|
+
*/
|
|
21
|
+
export type AppTokenProviderParameters = {
|
|
22
|
+
readonly correlationId?: string;
|
|
23
|
+
readonly tenantId: string;
|
|
24
|
+
readonly scopes: Array<string>;
|
|
25
|
+
readonly claims?: string;
|
|
26
|
+
};
|
|
27
|
+
/**
|
|
28
|
+
* Output object for IAppTokenProvider extensiblity.
|
|
29
|
+
*
|
|
30
|
+
* - accessToken - the actual access token, typically in JWT format, that satisfies the request data AppTokenProviderParameters
|
|
31
|
+
* - expiresInSeconds - how long the tokens has before expiry, in seconds. Similar to the "expires_in" field in an AAD token response.
|
|
32
|
+
* - refreshInSeconds - how long the token has before it should be proactively refreshed. Similar to the "refresh_in" field in an AAD token response.
|
|
33
|
+
*/
|
|
34
|
+
export type AppTokenProviderResult = {
|
|
35
|
+
accessToken: string;
|
|
36
|
+
expiresInSeconds: number;
|
|
37
|
+
refreshInSeconds?: number;
|
|
38
|
+
};
|
|
39
39
|
//# sourceMappingURL=AppTokenProvider.d.ts.map
|