@azure/msal-common 14.14.0 → 14.14.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (185) hide show
  1. package/dist/account/AccountInfo.d.ts +66 -66
  2. package/dist/account/AccountInfo.mjs +77 -77
  3. package/dist/account/AuthToken.d.ts +17 -17
  4. package/dist/account/AuthToken.mjs +58 -58
  5. package/dist/account/CcsCredential.d.ts +9 -9
  6. package/dist/account/CcsCredential.mjs +8 -8
  7. package/dist/account/ClientCredentials.d.ts +19 -19
  8. package/dist/account/ClientInfo.d.ts +18 -18
  9. package/dist/account/ClientInfo.mjs +37 -37
  10. package/dist/account/TokenClaims.d.ts +83 -83
  11. package/dist/account/TokenClaims.mjs +20 -20
  12. package/dist/authority/Authority.d.ts +254 -254
  13. package/dist/authority/Authority.mjs +836 -836
  14. package/dist/authority/AuthorityFactory.d.ts +18 -18
  15. package/dist/authority/AuthorityFactory.mjs +28 -28
  16. package/dist/authority/AuthorityMetadata.d.ts +43 -43
  17. package/dist/authority/AuthorityMetadata.mjs +137 -137
  18. package/dist/authority/AuthorityOptions.d.ts +27 -27
  19. package/dist/authority/AuthorityOptions.mjs +18 -18
  20. package/dist/authority/AuthorityType.d.ts +10 -10
  21. package/dist/authority/AuthorityType.mjs +13 -13
  22. package/dist/authority/AzureRegion.d.ts +1 -1
  23. package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
  24. package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
  25. package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
  26. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
  27. package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
  28. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
  29. package/dist/authority/ImdsOptions.d.ts +5 -5
  30. package/dist/authority/OIDCOptions.d.ts +8 -8
  31. package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
  32. package/dist/authority/OpenIdConfigResponse.mjs +10 -10
  33. package/dist/authority/ProtocolMode.d.ts +8 -8
  34. package/dist/authority/ProtocolMode.mjs +11 -11
  35. package/dist/authority/RegionDiscovery.d.ts +32 -32
  36. package/dist/authority/RegionDiscovery.mjs +106 -106
  37. package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
  38. package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
  39. package/dist/cache/CacheManager.d.ts +497 -497
  40. package/dist/cache/CacheManager.mjs +1249 -1249
  41. package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
  42. package/dist/cache/entities/AccountEntity.d.ts +106 -106
  43. package/dist/cache/entities/AccountEntity.mjs +240 -240
  44. package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
  45. package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
  46. package/dist/cache/entities/CacheRecord.d.ts +13 -13
  47. package/dist/cache/entities/CredentialEntity.d.ts +30 -30
  48. package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
  49. package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
  50. package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -6
  51. package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
  52. package/dist/cache/interface/ICacheManager.d.ts +166 -166
  53. package/dist/cache/interface/ICachePlugin.d.ts +5 -5
  54. package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
  55. package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
  56. package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
  57. package/dist/cache/utils/CacheHelpers.d.ts +94 -94
  58. package/dist/cache/utils/CacheHelpers.mjs +324 -324
  59. package/dist/cache/utils/CacheTypes.d.ts +69 -69
  60. package/dist/client/AuthorizationCodeClient.d.ts +74 -74
  61. package/dist/client/AuthorizationCodeClient.mjs +420 -420
  62. package/dist/client/BaseClient.d.ts +51 -51
  63. package/dist/client/BaseClient.mjs +100 -100
  64. package/dist/client/RefreshTokenClient.d.ts +35 -35
  65. package/dist/client/RefreshTokenClient.mjs +211 -211
  66. package/dist/client/SilentFlowClient.d.ts +27 -27
  67. package/dist/client/SilentFlowClient.mjs +133 -133
  68. package/dist/config/AppTokenProvider.d.ts +38 -38
  69. package/dist/config/ClientConfiguration.d.ts +150 -150
  70. package/dist/config/ClientConfiguration.mjs +95 -95
  71. package/dist/constants/AADServerParamKeys.d.ts +53 -53
  72. package/dist/constants/AADServerParamKeys.mjs +57 -57
  73. package/dist/crypto/ICrypto.d.ts +68 -68
  74. package/dist/crypto/ICrypto.mjs +36 -36
  75. package/dist/crypto/IGuidGenerator.d.ts +4 -4
  76. package/dist/crypto/JoseHeader.d.ts +22 -22
  77. package/dist/crypto/JoseHeader.mjs +37 -37
  78. package/dist/crypto/PopTokenGenerator.d.ts +59 -59
  79. package/dist/crypto/PopTokenGenerator.mjs +81 -81
  80. package/dist/crypto/SignedHttpRequest.d.ts +15 -15
  81. package/dist/error/AuthError.d.ts +44 -44
  82. package/dist/error/AuthError.mjs +46 -46
  83. package/dist/error/AuthErrorCodes.d.ts +5 -5
  84. package/dist/error/AuthErrorCodes.mjs +9 -9
  85. package/dist/error/CacheError.d.ts +20 -20
  86. package/dist/error/CacheError.mjs +24 -24
  87. package/dist/error/CacheErrorCodes.d.ts +2 -2
  88. package/dist/error/CacheErrorCodes.mjs +6 -6
  89. package/dist/error/ClientAuthError.d.ts +237 -237
  90. package/dist/error/ClientAuthError.mjs +249 -249
  91. package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
  92. package/dist/error/ClientAuthErrorCodes.mjs +48 -48
  93. package/dist/error/ClientConfigurationError.d.ts +128 -128
  94. package/dist/error/ClientConfigurationError.mjs +135 -135
  95. package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
  96. package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
  97. package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
  98. package/dist/error/InteractionRequiredAuthError.mjs +85 -85
  99. package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
  100. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
  101. package/dist/error/JoseHeaderError.d.ts +15 -15
  102. package/dist/error/JoseHeaderError.mjs +22 -22
  103. package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
  104. package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
  105. package/dist/error/ServerError.d.ts +15 -15
  106. package/dist/error/ServerError.mjs +16 -16
  107. package/dist/index.cjs +8662 -8658
  108. package/dist/index.cjs.map +1 -1
  109. package/dist/index.d.ts +107 -107
  110. package/dist/index.mjs +1 -1
  111. package/dist/logger/Logger.d.ts +95 -95
  112. package/dist/logger/Logger.mjs +188 -188
  113. package/dist/network/INetworkModule.d.ts +29 -29
  114. package/dist/network/INetworkModule.mjs +12 -12
  115. package/dist/network/NetworkManager.d.ts +33 -33
  116. package/dist/network/NetworkManager.mjs +34 -34
  117. package/dist/network/RequestThumbprint.d.ts +18 -18
  118. package/dist/network/ThrottlingUtils.d.ts +42 -42
  119. package/dist/network/ThrottlingUtils.mjs +95 -95
  120. package/dist/packageMetadata.d.ts +2 -2
  121. package/dist/packageMetadata.mjs +4 -4
  122. package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
  123. package/dist/request/AuthenticationHeaderParser.mjs +55 -55
  124. package/dist/request/BaseAuthRequest.d.ts +47 -47
  125. package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
  126. package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
  127. package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
  128. package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
  129. package/dist/request/CommonEndSessionRequest.d.ts +21 -21
  130. package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
  131. package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
  132. package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
  133. package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
  134. package/dist/request/NativeRequest.d.ts +19 -19
  135. package/dist/request/NativeSignOutRequest.d.ts +5 -5
  136. package/dist/request/RequestParameterBuilder.d.ts +217 -217
  137. package/dist/request/RequestParameterBuilder.mjs +382 -382
  138. package/dist/request/RequestValidator.d.ts +27 -27
  139. package/dist/request/RequestValidator.mjs +64 -64
  140. package/dist/request/ScopeSet.d.ts +88 -88
  141. package/dist/request/ScopeSet.mjs +197 -197
  142. package/dist/request/StoreInCache.d.ts +8 -8
  143. package/dist/response/AuthenticationResult.d.ts +41 -41
  144. package/dist/response/AuthorizationCodePayload.d.ts +13 -13
  145. package/dist/response/DeviceCodeResponse.d.ts +25 -25
  146. package/dist/response/ExternalTokenResponse.d.ts +15 -15
  147. package/dist/response/IMDSBadResponse.d.ts +4 -4
  148. package/dist/response/ResponseHandler.d.ts +69 -69
  149. package/dist/response/ResponseHandler.mjs +374 -374
  150. package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
  151. package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
  152. package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
  153. package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
  154. package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
  155. package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
  156. package/dist/telemetry/performance/PerformanceEvent.d.ts +515 -505
  157. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  158. package/dist/telemetry/performance/PerformanceEvent.mjs +484 -480
  159. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  160. package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
  161. package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
  162. package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -78
  163. package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -260
  164. package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
  165. package/dist/url/IUri.d.ts +12 -12
  166. package/dist/url/UrlString.d.ts +48 -48
  167. package/dist/url/UrlString.mjs +161 -161
  168. package/dist/utils/ClientAssertionUtils.d.ts +2 -2
  169. package/dist/utils/ClientAssertionUtils.mjs +16 -16
  170. package/dist/utils/Constants.d.ts +309 -309
  171. package/dist/utils/Constants.mjs +322 -322
  172. package/dist/utils/FunctionWrappers.d.ts +27 -27
  173. package/dist/utils/FunctionWrappers.mjs +94 -94
  174. package/dist/utils/MsalTypes.d.ts +6 -6
  175. package/dist/utils/ProtocolUtils.d.ts +42 -42
  176. package/dist/utils/ProtocolUtils.mjs +69 -69
  177. package/dist/utils/StringUtils.d.ts +40 -40
  178. package/dist/utils/StringUtils.mjs +95 -95
  179. package/dist/utils/TimeUtils.d.ts +25 -25
  180. package/dist/utils/TimeUtils.mjs +43 -43
  181. package/dist/utils/UrlUtils.d.ts +10 -10
  182. package/dist/utils/UrlUtils.mjs +44 -44
  183. package/package.json +1 -1
  184. package/src/packageMetadata.ts +1 -1
  185. package/src/telemetry/performance/PerformanceEvent.ts +12 -0
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v14.14.0 2024-07-23 */
1
+ /*! @azure/msal-common v14.14.1 2024-08-13 */
2
2
  'use strict';
3
3
  import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
4
4
  import { BaseClient } from './BaseClient.mjs';
@@ -24,216 +24,216 @@ import { tokenRequestEmpty, missingSshJwk } from '../error/ClientConfigurationEr
24
24
  import { noAccountInSilentRequest } from '../error/ClientAuthErrorCodes.mjs';
25
25
  import { noTokensFound, refreshTokenExpired, badToken } from '../error/InteractionRequiredAuthErrorCodes.mjs';
26
26
 
27
- /*
28
- * Copyright (c) Microsoft Corporation. All rights reserved.
29
- * Licensed under the MIT License.
30
- */
31
- const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
32
- /**
33
- * OAuth2.0 refresh token client
34
- * @internal
35
- */
36
- class RefreshTokenClient extends BaseClient {
37
- constructor(configuration, performanceClient) {
38
- super(configuration, performanceClient);
39
- }
40
- async acquireToken(request) {
41
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
42
- const reqTimestamp = nowSeconds();
43
- const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
44
- // Retrieve requestId from response headers
45
- const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
46
- const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
47
- responseHandler.validateTokenResponse(response.body);
48
- return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
49
- }
50
- /**
51
- * Gets cached refresh token and attaches to request, then calls acquireToken API
52
- * @param request
53
- */
54
- async acquireTokenByRefreshToken(request) {
55
- // Cannot renew token if no request object is given.
56
- if (!request) {
57
- throw createClientConfigurationError(tokenRequestEmpty);
58
- }
59
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
60
- // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
61
- if (!request.account) {
62
- throw createClientAuthError(noAccountInSilentRequest);
63
- }
64
- // try checking if FOCI is enabled for the given application
65
- const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
66
- // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
67
- if (isFOCI) {
68
- try {
69
- return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
70
- }
71
- catch (e) {
72
- const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
73
- e.errorCode ===
74
- noTokensFound;
75
- const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
76
- e.errorCode === Errors.INVALID_GRANT_ERROR &&
77
- e.subError === Errors.CLIENT_MISMATCH_ERROR;
78
- // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
79
- if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
80
- return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
81
- // throw in all other cases
82
- }
83
- else {
84
- throw e;
85
- }
86
- }
87
- }
88
- // fall back to application refresh token acquisition
89
- return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
90
- }
91
- /**
92
- * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
93
- * @param request
94
- */
95
- async acquireTokenWithCachedRefreshToken(request, foci) {
96
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
97
- // fetches family RT or application RT based on FOCI value
98
- const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
99
- if (!refreshToken) {
100
- throw createInteractionRequiredAuthError(noTokensFound);
101
- }
102
- if (refreshToken.expiresOn &&
103
- isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
104
- DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
105
- throw createInteractionRequiredAuthError(refreshTokenExpired);
106
- }
107
- // attach cached RT size to the current measurement
108
- const refreshTokenRequest = {
109
- ...request,
110
- refreshToken: refreshToken.secret,
111
- authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
112
- ccsCredential: {
113
- credential: request.account.homeAccountId,
114
- type: CcsCredentialType.HOME_ACCOUNT_ID,
115
- },
116
- };
117
- try {
118
- return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
119
- }
120
- catch (e) {
121
- if (e instanceof InteractionRequiredAuthError &&
122
- e.subError === badToken) {
123
- // Remove bad refresh token from cache
124
- this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
125
- const badRefreshTokenKey = generateCredentialKey(refreshToken);
126
- this.cacheManager.removeRefreshToken(badRefreshTokenKey);
127
- }
128
- throw e;
129
- }
130
- }
131
- /**
132
- * Constructs the network message and makes a NW call to the underlying secure token service
133
- * @param request
134
- * @param authority
135
- */
136
- async executeTokenRequest(request, authority) {
137
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
138
- const queryParametersString = this.createTokenQueryParameters(request);
139
- const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
140
- const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
141
- const headers = this.createTokenRequestHeaders(request.ccsCredential);
142
- const thumbprint = {
143
- clientId: request.tokenBodyParameters?.clientId ||
144
- this.config.authOptions.clientId,
145
- authority: authority.canonicalAuthority,
146
- scopes: request.scopes,
147
- claims: request.claims,
148
- authenticationScheme: request.authenticationScheme,
149
- resourceRequestMethod: request.resourceRequestMethod,
150
- resourceRequestUri: request.resourceRequestUri,
151
- shrClaims: request.shrClaims,
152
- sshKid: request.sshKid,
153
- };
154
- return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
155
- }
156
- /**
157
- * Helper function to create the token request body
158
- * @param request
159
- */
160
- async createTokenRequestBody(request) {
161
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
162
- const correlationId = request.correlationId;
163
- const parameterBuilder = new RequestParameterBuilder();
164
- parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
165
- this.config.authOptions.clientId);
166
- if (request.redirectUri) {
167
- parameterBuilder.addRedirectUri(request.redirectUri);
168
- }
169
- parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
170
- parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
171
- parameterBuilder.addClientInfo();
172
- parameterBuilder.addLibraryInfo(this.config.libraryInfo);
173
- parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
174
- parameterBuilder.addThrottling();
175
- if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
176
- parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
177
- }
178
- parameterBuilder.addCorrelationId(correlationId);
179
- parameterBuilder.addRefreshToken(request.refreshToken);
180
- if (this.config.clientCredentials.clientSecret) {
181
- parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
182
- }
183
- if (this.config.clientCredentials.clientAssertion) {
184
- const clientAssertion = this.config.clientCredentials.clientAssertion;
185
- parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
186
- parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
187
- }
188
- if (request.authenticationScheme === AuthenticationScheme.POP) {
189
- const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
190
- let reqCnfData;
191
- if (!request.popKid) {
192
- const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
193
- reqCnfData = generatedReqCnfData.reqCnfString;
194
- }
195
- else {
196
- reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
197
- }
198
- // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
199
- parameterBuilder.addPopToken(reqCnfData);
200
- }
201
- else if (request.authenticationScheme === AuthenticationScheme.SSH) {
202
- if (request.sshJwk) {
203
- parameterBuilder.addSshJwk(request.sshJwk);
204
- }
205
- else {
206
- throw createClientConfigurationError(missingSshJwk);
207
- }
208
- }
209
- if (!StringUtils.isEmptyObj(request.claims) ||
210
- (this.config.authOptions.clientCapabilities &&
211
- this.config.authOptions.clientCapabilities.length > 0)) {
212
- parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
213
- }
214
- if (this.config.systemOptions.preventCorsPreflight &&
215
- request.ccsCredential) {
216
- switch (request.ccsCredential.type) {
217
- case CcsCredentialType.HOME_ACCOUNT_ID:
218
- try {
219
- const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
220
- parameterBuilder.addCcsOid(clientInfo);
221
- }
222
- catch (e) {
223
- this.logger.verbose("Could not parse home account ID for CCS Header: " +
224
- e);
225
- }
226
- break;
227
- case CcsCredentialType.UPN:
228
- parameterBuilder.addCcsUpn(request.ccsCredential.credential);
229
- break;
230
- }
231
- }
232
- if (request.tokenBodyParameters) {
233
- parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
234
- }
235
- return parameterBuilder.createQueryString();
236
- }
27
+ /*
28
+ * Copyright (c) Microsoft Corporation. All rights reserved.
29
+ * Licensed under the MIT License.
30
+ */
31
+ const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
32
+ /**
33
+ * OAuth2.0 refresh token client
34
+ * @internal
35
+ */
36
+ class RefreshTokenClient extends BaseClient {
37
+ constructor(configuration, performanceClient) {
38
+ super(configuration, performanceClient);
39
+ }
40
+ async acquireToken(request) {
41
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
42
+ const reqTimestamp = nowSeconds();
43
+ const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
44
+ // Retrieve requestId from response headers
45
+ const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
46
+ const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
47
+ responseHandler.validateTokenResponse(response.body);
48
+ return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
49
+ }
50
+ /**
51
+ * Gets cached refresh token and attaches to request, then calls acquireToken API
52
+ * @param request
53
+ */
54
+ async acquireTokenByRefreshToken(request) {
55
+ // Cannot renew token if no request object is given.
56
+ if (!request) {
57
+ throw createClientConfigurationError(tokenRequestEmpty);
58
+ }
59
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
60
+ // We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
61
+ if (!request.account) {
62
+ throw createClientAuthError(noAccountInSilentRequest);
63
+ }
64
+ // try checking if FOCI is enabled for the given application
65
+ const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
66
+ // if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
67
+ if (isFOCI) {
68
+ try {
69
+ return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
70
+ }
71
+ catch (e) {
72
+ const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
73
+ e.errorCode ===
74
+ noTokensFound;
75
+ const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
76
+ e.errorCode === Errors.INVALID_GRANT_ERROR &&
77
+ e.subError === Errors.CLIENT_MISMATCH_ERROR;
78
+ // if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
79
+ if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
80
+ return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
81
+ // throw in all other cases
82
+ }
83
+ else {
84
+ throw e;
85
+ }
86
+ }
87
+ }
88
+ // fall back to application refresh token acquisition
89
+ return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
90
+ }
91
+ /**
92
+ * makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
93
+ * @param request
94
+ */
95
+ async acquireTokenWithCachedRefreshToken(request, foci) {
96
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
97
+ // fetches family RT or application RT based on FOCI value
98
+ const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
99
+ if (!refreshToken) {
100
+ throw createInteractionRequiredAuthError(noTokensFound);
101
+ }
102
+ if (refreshToken.expiresOn &&
103
+ isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
104
+ DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
105
+ throw createInteractionRequiredAuthError(refreshTokenExpired);
106
+ }
107
+ // attach cached RT size to the current measurement
108
+ const refreshTokenRequest = {
109
+ ...request,
110
+ refreshToken: refreshToken.secret,
111
+ authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
112
+ ccsCredential: {
113
+ credential: request.account.homeAccountId,
114
+ type: CcsCredentialType.HOME_ACCOUNT_ID,
115
+ },
116
+ };
117
+ try {
118
+ return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
119
+ }
120
+ catch (e) {
121
+ if (e instanceof InteractionRequiredAuthError &&
122
+ e.subError === badToken) {
123
+ // Remove bad refresh token from cache
124
+ this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
125
+ const badRefreshTokenKey = generateCredentialKey(refreshToken);
126
+ this.cacheManager.removeRefreshToken(badRefreshTokenKey);
127
+ }
128
+ throw e;
129
+ }
130
+ }
131
+ /**
132
+ * Constructs the network message and makes a NW call to the underlying secure token service
133
+ * @param request
134
+ * @param authority
135
+ */
136
+ async executeTokenRequest(request, authority) {
137
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
138
+ const queryParametersString = this.createTokenQueryParameters(request);
139
+ const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
140
+ const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
141
+ const headers = this.createTokenRequestHeaders(request.ccsCredential);
142
+ const thumbprint = {
143
+ clientId: request.tokenBodyParameters?.clientId ||
144
+ this.config.authOptions.clientId,
145
+ authority: authority.canonicalAuthority,
146
+ scopes: request.scopes,
147
+ claims: request.claims,
148
+ authenticationScheme: request.authenticationScheme,
149
+ resourceRequestMethod: request.resourceRequestMethod,
150
+ resourceRequestUri: request.resourceRequestUri,
151
+ shrClaims: request.shrClaims,
152
+ sshKid: request.sshKid,
153
+ };
154
+ return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
155
+ }
156
+ /**
157
+ * Helper function to create the token request body
158
+ * @param request
159
+ */
160
+ async createTokenRequestBody(request) {
161
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
162
+ const correlationId = request.correlationId;
163
+ const parameterBuilder = new RequestParameterBuilder();
164
+ parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
165
+ this.config.authOptions.clientId);
166
+ if (request.redirectUri) {
167
+ parameterBuilder.addRedirectUri(request.redirectUri);
168
+ }
169
+ parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
170
+ parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
171
+ parameterBuilder.addClientInfo();
172
+ parameterBuilder.addLibraryInfo(this.config.libraryInfo);
173
+ parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
174
+ parameterBuilder.addThrottling();
175
+ if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
176
+ parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
177
+ }
178
+ parameterBuilder.addCorrelationId(correlationId);
179
+ parameterBuilder.addRefreshToken(request.refreshToken);
180
+ if (this.config.clientCredentials.clientSecret) {
181
+ parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
182
+ }
183
+ if (this.config.clientCredentials.clientAssertion) {
184
+ const clientAssertion = this.config.clientCredentials.clientAssertion;
185
+ parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
186
+ parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
187
+ }
188
+ if (request.authenticationScheme === AuthenticationScheme.POP) {
189
+ const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
190
+ let reqCnfData;
191
+ if (!request.popKid) {
192
+ const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
193
+ reqCnfData = generatedReqCnfData.reqCnfString;
194
+ }
195
+ else {
196
+ reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
197
+ }
198
+ // SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
199
+ parameterBuilder.addPopToken(reqCnfData);
200
+ }
201
+ else if (request.authenticationScheme === AuthenticationScheme.SSH) {
202
+ if (request.sshJwk) {
203
+ parameterBuilder.addSshJwk(request.sshJwk);
204
+ }
205
+ else {
206
+ throw createClientConfigurationError(missingSshJwk);
207
+ }
208
+ }
209
+ if (!StringUtils.isEmptyObj(request.claims) ||
210
+ (this.config.authOptions.clientCapabilities &&
211
+ this.config.authOptions.clientCapabilities.length > 0)) {
212
+ parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
213
+ }
214
+ if (this.config.systemOptions.preventCorsPreflight &&
215
+ request.ccsCredential) {
216
+ switch (request.ccsCredential.type) {
217
+ case CcsCredentialType.HOME_ACCOUNT_ID:
218
+ try {
219
+ const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
220
+ parameterBuilder.addCcsOid(clientInfo);
221
+ }
222
+ catch (e) {
223
+ this.logger.verbose("Could not parse home account ID for CCS Header: " +
224
+ e);
225
+ }
226
+ break;
227
+ case CcsCredentialType.UPN:
228
+ parameterBuilder.addCcsUpn(request.ccsCredential.credential);
229
+ break;
230
+ }
231
+ }
232
+ if (request.tokenBodyParameters) {
233
+ parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
234
+ }
235
+ return parameterBuilder.createQueryString();
236
+ }
237
237
  }
238
238
 
239
239
  export { RefreshTokenClient };
@@ -1,28 +1,28 @@
1
- import { BaseClient } from "./BaseClient";
2
- import { ClientConfiguration } from "../config/ClientConfiguration";
3
- import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
4
- import { AuthenticationResult } from "../response/AuthenticationResult";
5
- import { CacheOutcome } from "../utils/Constants";
6
- import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
7
- /** @internal */
8
- export declare class SilentFlowClient extends BaseClient {
9
- constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
10
- /**
11
- * Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
12
- * the given token and returns the renewed token
13
- * @param request
14
- */
15
- acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
16
- /**
17
- * Retrieves token from cache or throws an error if it must be refreshed.
18
- * @param request
19
- */
20
- acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
21
- private setCacheOutcome;
22
- /**
23
- * Helper function to build response object from the CacheRecord
24
- * @param cacheRecord
25
- */
26
- private generateResultFromCacheRecord;
27
- }
1
+ import { BaseClient } from "./BaseClient";
2
+ import { ClientConfiguration } from "../config/ClientConfiguration";
3
+ import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
4
+ import { AuthenticationResult } from "../response/AuthenticationResult";
5
+ import { CacheOutcome } from "../utils/Constants";
6
+ import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
7
+ /** @internal */
8
+ export declare class SilentFlowClient extends BaseClient {
9
+ constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
10
+ /**
11
+ * Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
12
+ * the given token and returns the renewed token
13
+ * @param request
14
+ */
15
+ acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
16
+ /**
17
+ * Retrieves token from cache or throws an error if it must be refreshed.
18
+ * @param request
19
+ */
20
+ acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
21
+ private setCacheOutcome;
22
+ /**
23
+ * Helper function to build response object from the CacheRecord
24
+ * @param cacheRecord
25
+ */
26
+ private generateResultFromCacheRecord;
27
+ }
28
28
  //# sourceMappingURL=SilentFlowClient.d.ts.map