@azure/msal-common 14.14.0 → 14.14.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.d.ts +66 -66
- package/dist/account/AccountInfo.mjs +77 -77
- package/dist/account/AuthToken.d.ts +17 -17
- package/dist/account/AuthToken.mjs +58 -58
- package/dist/account/CcsCredential.d.ts +9 -9
- package/dist/account/CcsCredential.mjs +8 -8
- package/dist/account/ClientCredentials.d.ts +19 -19
- package/dist/account/ClientInfo.d.ts +18 -18
- package/dist/account/ClientInfo.mjs +37 -37
- package/dist/account/TokenClaims.d.ts +83 -83
- package/dist/account/TokenClaims.mjs +20 -20
- package/dist/authority/Authority.d.ts +254 -254
- package/dist/authority/Authority.mjs +836 -836
- package/dist/authority/AuthorityFactory.d.ts +18 -18
- package/dist/authority/AuthorityFactory.mjs +28 -28
- package/dist/authority/AuthorityMetadata.d.ts +43 -43
- package/dist/authority/AuthorityMetadata.mjs +137 -137
- package/dist/authority/AuthorityOptions.d.ts +27 -27
- package/dist/authority/AuthorityOptions.mjs +18 -18
- package/dist/authority/AuthorityType.d.ts +10 -10
- package/dist/authority/AuthorityType.mjs +13 -13
- package/dist/authority/AzureRegion.d.ts +1 -1
- package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
- package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
- package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
- package/dist/authority/ImdsOptions.d.ts +5 -5
- package/dist/authority/OIDCOptions.d.ts +8 -8
- package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
- package/dist/authority/OpenIdConfigResponse.mjs +10 -10
- package/dist/authority/ProtocolMode.d.ts +8 -8
- package/dist/authority/ProtocolMode.mjs +11 -11
- package/dist/authority/RegionDiscovery.d.ts +32 -32
- package/dist/authority/RegionDiscovery.mjs +106 -106
- package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
- package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
- package/dist/cache/CacheManager.d.ts +497 -497
- package/dist/cache/CacheManager.mjs +1249 -1249
- package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
- package/dist/cache/entities/AccountEntity.d.ts +106 -106
- package/dist/cache/entities/AccountEntity.mjs +240 -240
- package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
- package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
- package/dist/cache/entities/CacheRecord.d.ts +13 -13
- package/dist/cache/entities/CredentialEntity.d.ts +30 -30
- package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
- package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
- package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -6
- package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
- package/dist/cache/interface/ICacheManager.d.ts +166 -166
- package/dist/cache/interface/ICachePlugin.d.ts +5 -5
- package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
- package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
- package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
- package/dist/cache/utils/CacheHelpers.d.ts +94 -94
- package/dist/cache/utils/CacheHelpers.mjs +324 -324
- package/dist/cache/utils/CacheTypes.d.ts +69 -69
- package/dist/client/AuthorizationCodeClient.d.ts +74 -74
- package/dist/client/AuthorizationCodeClient.mjs +420 -420
- package/dist/client/BaseClient.d.ts +51 -51
- package/dist/client/BaseClient.mjs +100 -100
- package/dist/client/RefreshTokenClient.d.ts +35 -35
- package/dist/client/RefreshTokenClient.mjs +211 -211
- package/dist/client/SilentFlowClient.d.ts +27 -27
- package/dist/client/SilentFlowClient.mjs +133 -133
- package/dist/config/AppTokenProvider.d.ts +38 -38
- package/dist/config/ClientConfiguration.d.ts +150 -150
- package/dist/config/ClientConfiguration.mjs +95 -95
- package/dist/constants/AADServerParamKeys.d.ts +53 -53
- package/dist/constants/AADServerParamKeys.mjs +57 -57
- package/dist/crypto/ICrypto.d.ts +68 -68
- package/dist/crypto/ICrypto.mjs +36 -36
- package/dist/crypto/IGuidGenerator.d.ts +4 -4
- package/dist/crypto/JoseHeader.d.ts +22 -22
- package/dist/crypto/JoseHeader.mjs +37 -37
- package/dist/crypto/PopTokenGenerator.d.ts +59 -59
- package/dist/crypto/PopTokenGenerator.mjs +81 -81
- package/dist/crypto/SignedHttpRequest.d.ts +15 -15
- package/dist/error/AuthError.d.ts +44 -44
- package/dist/error/AuthError.mjs +46 -46
- package/dist/error/AuthErrorCodes.d.ts +5 -5
- package/dist/error/AuthErrorCodes.mjs +9 -9
- package/dist/error/CacheError.d.ts +20 -20
- package/dist/error/CacheError.mjs +24 -24
- package/dist/error/CacheErrorCodes.d.ts +2 -2
- package/dist/error/CacheErrorCodes.mjs +6 -6
- package/dist/error/ClientAuthError.d.ts +237 -237
- package/dist/error/ClientAuthError.mjs +249 -249
- package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
- package/dist/error/ClientAuthErrorCodes.mjs +48 -48
- package/dist/error/ClientConfigurationError.d.ts +128 -128
- package/dist/error/ClientConfigurationError.mjs +135 -135
- package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
- package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
- package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
- package/dist/error/InteractionRequiredAuthError.mjs +85 -85
- package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
- package/dist/error/JoseHeaderError.d.ts +15 -15
- package/dist/error/JoseHeaderError.mjs +22 -22
- package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
- package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
- package/dist/error/ServerError.d.ts +15 -15
- package/dist/error/ServerError.mjs +16 -16
- package/dist/index.cjs +8662 -8658
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +107 -107
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.d.ts +95 -95
- package/dist/logger/Logger.mjs +188 -188
- package/dist/network/INetworkModule.d.ts +29 -29
- package/dist/network/INetworkModule.mjs +12 -12
- package/dist/network/NetworkManager.d.ts +33 -33
- package/dist/network/NetworkManager.mjs +34 -34
- package/dist/network/RequestThumbprint.d.ts +18 -18
- package/dist/network/ThrottlingUtils.d.ts +42 -42
- package/dist/network/ThrottlingUtils.mjs +95 -95
- package/dist/packageMetadata.d.ts +2 -2
- package/dist/packageMetadata.mjs +4 -4
- package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
- package/dist/request/AuthenticationHeaderParser.mjs +55 -55
- package/dist/request/BaseAuthRequest.d.ts +47 -47
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
- package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
- package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
- package/dist/request/CommonEndSessionRequest.d.ts +21 -21
- package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
- package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
- package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
- package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
- package/dist/request/NativeRequest.d.ts +19 -19
- package/dist/request/NativeSignOutRequest.d.ts +5 -5
- package/dist/request/RequestParameterBuilder.d.ts +217 -217
- package/dist/request/RequestParameterBuilder.mjs +382 -382
- package/dist/request/RequestValidator.d.ts +27 -27
- package/dist/request/RequestValidator.mjs +64 -64
- package/dist/request/ScopeSet.d.ts +88 -88
- package/dist/request/ScopeSet.mjs +197 -197
- package/dist/request/StoreInCache.d.ts +8 -8
- package/dist/response/AuthenticationResult.d.ts +41 -41
- package/dist/response/AuthorizationCodePayload.d.ts +13 -13
- package/dist/response/DeviceCodeResponse.d.ts +25 -25
- package/dist/response/ExternalTokenResponse.d.ts +15 -15
- package/dist/response/IMDSBadResponse.d.ts +4 -4
- package/dist/response/ResponseHandler.d.ts +69 -69
- package/dist/response/ResponseHandler.mjs +374 -374
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
- package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
- package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
- package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
- package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
- package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
- package/dist/telemetry/performance/PerformanceEvent.d.ts +515 -505
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +484 -480
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
- package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
- package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -78
- package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -260
- package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
- package/dist/url/IUri.d.ts +12 -12
- package/dist/url/UrlString.d.ts +48 -48
- package/dist/url/UrlString.mjs +161 -161
- package/dist/utils/ClientAssertionUtils.d.ts +2 -2
- package/dist/utils/ClientAssertionUtils.mjs +16 -16
- package/dist/utils/Constants.d.ts +309 -309
- package/dist/utils/Constants.mjs +322 -322
- package/dist/utils/FunctionWrappers.d.ts +27 -27
- package/dist/utils/FunctionWrappers.mjs +94 -94
- package/dist/utils/MsalTypes.d.ts +6 -6
- package/dist/utils/ProtocolUtils.d.ts +42 -42
- package/dist/utils/ProtocolUtils.mjs +69 -69
- package/dist/utils/StringUtils.d.ts +40 -40
- package/dist/utils/StringUtils.mjs +95 -95
- package/dist/utils/TimeUtils.d.ts +25 -25
- package/dist/utils/TimeUtils.mjs +43 -43
- package/dist/utils/UrlUtils.d.ts +10 -10
- package/dist/utils/UrlUtils.mjs +44 -44
- package/package.json +1 -1
- package/src/packageMetadata.ts +1 -1
- package/src/telemetry/performance/PerformanceEvent.ts +12 -0
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v14.14.
|
|
1
|
+
/*! @azure/msal-common v14.14.1 2024-08-13 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
|
|
4
4
|
import { BaseClient } from './BaseClient.mjs';
|
|
@@ -24,216 +24,216 @@ import { tokenRequestEmpty, missingSshJwk } from '../error/ClientConfigurationEr
|
|
|
24
24
|
import { noAccountInSilentRequest } from '../error/ClientAuthErrorCodes.mjs';
|
|
25
25
|
import { noTokensFound, refreshTokenExpired, badToken } from '../error/InteractionRequiredAuthErrorCodes.mjs';
|
|
26
26
|
|
|
27
|
-
/*
|
|
28
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
29
|
-
* Licensed under the MIT License.
|
|
30
|
-
*/
|
|
31
|
-
const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
|
|
32
|
-
/**
|
|
33
|
-
* OAuth2.0 refresh token client
|
|
34
|
-
* @internal
|
|
35
|
-
*/
|
|
36
|
-
class RefreshTokenClient extends BaseClient {
|
|
37
|
-
constructor(configuration, performanceClient) {
|
|
38
|
-
super(configuration, performanceClient);
|
|
39
|
-
}
|
|
40
|
-
async acquireToken(request) {
|
|
41
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
|
|
42
|
-
const reqTimestamp = nowSeconds();
|
|
43
|
-
const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
|
|
44
|
-
// Retrieve requestId from response headers
|
|
45
|
-
const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
|
|
46
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
|
|
47
|
-
responseHandler.validateTokenResponse(response.body);
|
|
48
|
-
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
|
|
49
|
-
}
|
|
50
|
-
/**
|
|
51
|
-
* Gets cached refresh token and attaches to request, then calls acquireToken API
|
|
52
|
-
* @param request
|
|
53
|
-
*/
|
|
54
|
-
async acquireTokenByRefreshToken(request) {
|
|
55
|
-
// Cannot renew token if no request object is given.
|
|
56
|
-
if (!request) {
|
|
57
|
-
throw createClientConfigurationError(tokenRequestEmpty);
|
|
58
|
-
}
|
|
59
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
|
|
60
|
-
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
61
|
-
if (!request.account) {
|
|
62
|
-
throw createClientAuthError(noAccountInSilentRequest);
|
|
63
|
-
}
|
|
64
|
-
// try checking if FOCI is enabled for the given application
|
|
65
|
-
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
|
|
66
|
-
// if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
|
|
67
|
-
if (isFOCI) {
|
|
68
|
-
try {
|
|
69
|
-
return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
|
|
70
|
-
}
|
|
71
|
-
catch (e) {
|
|
72
|
-
const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
|
|
73
|
-
e.errorCode ===
|
|
74
|
-
noTokensFound;
|
|
75
|
-
const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
|
|
76
|
-
e.errorCode === Errors.INVALID_GRANT_ERROR &&
|
|
77
|
-
e.subError === Errors.CLIENT_MISMATCH_ERROR;
|
|
78
|
-
// if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
|
|
79
|
-
if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
|
|
80
|
-
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
|
|
81
|
-
// throw in all other cases
|
|
82
|
-
}
|
|
83
|
-
else {
|
|
84
|
-
throw e;
|
|
85
|
-
}
|
|
86
|
-
}
|
|
87
|
-
}
|
|
88
|
-
// fall back to application refresh token acquisition
|
|
89
|
-
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
|
|
90
|
-
}
|
|
91
|
-
/**
|
|
92
|
-
* makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
|
|
93
|
-
* @param request
|
|
94
|
-
*/
|
|
95
|
-
async acquireTokenWithCachedRefreshToken(request, foci) {
|
|
96
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
|
|
97
|
-
// fetches family RT or application RT based on FOCI value
|
|
98
|
-
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
|
|
99
|
-
if (!refreshToken) {
|
|
100
|
-
throw createInteractionRequiredAuthError(noTokensFound);
|
|
101
|
-
}
|
|
102
|
-
if (refreshToken.expiresOn &&
|
|
103
|
-
isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
|
|
104
|
-
DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
|
|
105
|
-
throw createInteractionRequiredAuthError(refreshTokenExpired);
|
|
106
|
-
}
|
|
107
|
-
// attach cached RT size to the current measurement
|
|
108
|
-
const refreshTokenRequest = {
|
|
109
|
-
...request,
|
|
110
|
-
refreshToken: refreshToken.secret,
|
|
111
|
-
authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
|
|
112
|
-
ccsCredential: {
|
|
113
|
-
credential: request.account.homeAccountId,
|
|
114
|
-
type: CcsCredentialType.HOME_ACCOUNT_ID,
|
|
115
|
-
},
|
|
116
|
-
};
|
|
117
|
-
try {
|
|
118
|
-
return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
|
|
119
|
-
}
|
|
120
|
-
catch (e) {
|
|
121
|
-
if (e instanceof InteractionRequiredAuthError &&
|
|
122
|
-
e.subError === badToken) {
|
|
123
|
-
// Remove bad refresh token from cache
|
|
124
|
-
this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
|
|
125
|
-
const badRefreshTokenKey = generateCredentialKey(refreshToken);
|
|
126
|
-
this.cacheManager.removeRefreshToken(badRefreshTokenKey);
|
|
127
|
-
}
|
|
128
|
-
throw e;
|
|
129
|
-
}
|
|
130
|
-
}
|
|
131
|
-
/**
|
|
132
|
-
* Constructs the network message and makes a NW call to the underlying secure token service
|
|
133
|
-
* @param request
|
|
134
|
-
* @param authority
|
|
135
|
-
*/
|
|
136
|
-
async executeTokenRequest(request, authority) {
|
|
137
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
|
|
138
|
-
const queryParametersString = this.createTokenQueryParameters(request);
|
|
139
|
-
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
|
|
140
|
-
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
|
|
141
|
-
const headers = this.createTokenRequestHeaders(request.ccsCredential);
|
|
142
|
-
const thumbprint = {
|
|
143
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
144
|
-
this.config.authOptions.clientId,
|
|
145
|
-
authority: authority.canonicalAuthority,
|
|
146
|
-
scopes: request.scopes,
|
|
147
|
-
claims: request.claims,
|
|
148
|
-
authenticationScheme: request.authenticationScheme,
|
|
149
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
150
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
151
|
-
shrClaims: request.shrClaims,
|
|
152
|
-
sshKid: request.sshKid,
|
|
153
|
-
};
|
|
154
|
-
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
|
|
155
|
-
}
|
|
156
|
-
/**
|
|
157
|
-
* Helper function to create the token request body
|
|
158
|
-
* @param request
|
|
159
|
-
*/
|
|
160
|
-
async createTokenRequestBody(request) {
|
|
161
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
162
|
-
const correlationId = request.correlationId;
|
|
163
|
-
const parameterBuilder = new RequestParameterBuilder();
|
|
164
|
-
parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
165
|
-
this.config.authOptions.clientId);
|
|
166
|
-
if (request.redirectUri) {
|
|
167
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
168
|
-
}
|
|
169
|
-
parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
170
|
-
parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
|
|
171
|
-
parameterBuilder.addClientInfo();
|
|
172
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
173
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
174
|
-
parameterBuilder.addThrottling();
|
|
175
|
-
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
176
|
-
parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
|
|
177
|
-
}
|
|
178
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
179
|
-
parameterBuilder.addRefreshToken(request.refreshToken);
|
|
180
|
-
if (this.config.clientCredentials.clientSecret) {
|
|
181
|
-
parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
|
|
182
|
-
}
|
|
183
|
-
if (this.config.clientCredentials.clientAssertion) {
|
|
184
|
-
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
185
|
-
parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
186
|
-
parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
|
|
187
|
-
}
|
|
188
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
189
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
190
|
-
let reqCnfData;
|
|
191
|
-
if (!request.popKid) {
|
|
192
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
193
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
194
|
-
}
|
|
195
|
-
else {
|
|
196
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
197
|
-
}
|
|
198
|
-
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
199
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
200
|
-
}
|
|
201
|
-
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
202
|
-
if (request.sshJwk) {
|
|
203
|
-
parameterBuilder.addSshJwk(request.sshJwk);
|
|
204
|
-
}
|
|
205
|
-
else {
|
|
206
|
-
throw createClientConfigurationError(missingSshJwk);
|
|
207
|
-
}
|
|
208
|
-
}
|
|
209
|
-
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
210
|
-
(this.config.authOptions.clientCapabilities &&
|
|
211
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
212
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
213
|
-
}
|
|
214
|
-
if (this.config.systemOptions.preventCorsPreflight &&
|
|
215
|
-
request.ccsCredential) {
|
|
216
|
-
switch (request.ccsCredential.type) {
|
|
217
|
-
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
218
|
-
try {
|
|
219
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
220
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
221
|
-
}
|
|
222
|
-
catch (e) {
|
|
223
|
-
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
224
|
-
e);
|
|
225
|
-
}
|
|
226
|
-
break;
|
|
227
|
-
case CcsCredentialType.UPN:
|
|
228
|
-
parameterBuilder.addCcsUpn(request.ccsCredential.credential);
|
|
229
|
-
break;
|
|
230
|
-
}
|
|
231
|
-
}
|
|
232
|
-
if (request.tokenBodyParameters) {
|
|
233
|
-
parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
|
|
234
|
-
}
|
|
235
|
-
return parameterBuilder.createQueryString();
|
|
236
|
-
}
|
|
27
|
+
/*
|
|
28
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
29
|
+
* Licensed under the MIT License.
|
|
30
|
+
*/
|
|
31
|
+
const DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS = 300; // 5 Minutes
|
|
32
|
+
/**
|
|
33
|
+
* OAuth2.0 refresh token client
|
|
34
|
+
* @internal
|
|
35
|
+
*/
|
|
36
|
+
class RefreshTokenClient extends BaseClient {
|
|
37
|
+
constructor(configuration, performanceClient) {
|
|
38
|
+
super(configuration, performanceClient);
|
|
39
|
+
}
|
|
40
|
+
async acquireToken(request) {
|
|
41
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireToken, request.correlationId);
|
|
42
|
+
const reqTimestamp = nowSeconds();
|
|
43
|
+
const response = await invokeAsync(this.executeTokenRequest.bind(this), PerformanceEvents.RefreshTokenClientExecuteTokenRequest, this.logger, this.performanceClient, request.correlationId)(request, this.authority);
|
|
44
|
+
// Retrieve requestId from response headers
|
|
45
|
+
const requestId = response.headers?.[HeaderNames.X_MS_REQUEST_ID];
|
|
46
|
+
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, this.config.serializableCache, this.config.persistencePlugin);
|
|
47
|
+
responseHandler.validateTokenResponse(response.body);
|
|
48
|
+
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, undefined, undefined, true, request.forceCache, requestId);
|
|
49
|
+
}
|
|
50
|
+
/**
|
|
51
|
+
* Gets cached refresh token and attaches to request, then calls acquireToken API
|
|
52
|
+
* @param request
|
|
53
|
+
*/
|
|
54
|
+
async acquireTokenByRefreshToken(request) {
|
|
55
|
+
// Cannot renew token if no request object is given.
|
|
56
|
+
if (!request) {
|
|
57
|
+
throw createClientConfigurationError(tokenRequestEmpty);
|
|
58
|
+
}
|
|
59
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenByRefreshToken, request.correlationId);
|
|
60
|
+
// We currently do not support silent flow for account === null use cases; This will be revisited for confidential flow usecases
|
|
61
|
+
if (!request.account) {
|
|
62
|
+
throw createClientAuthError(noAccountInSilentRequest);
|
|
63
|
+
}
|
|
64
|
+
// try checking if FOCI is enabled for the given application
|
|
65
|
+
const isFOCI = this.cacheManager.isAppMetadataFOCI(request.account.environment);
|
|
66
|
+
// if the app is part of the family, retrive a Family refresh token if present and make a refreshTokenRequest
|
|
67
|
+
if (isFOCI) {
|
|
68
|
+
try {
|
|
69
|
+
return await invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, true);
|
|
70
|
+
}
|
|
71
|
+
catch (e) {
|
|
72
|
+
const noFamilyRTInCache = e instanceof InteractionRequiredAuthError &&
|
|
73
|
+
e.errorCode ===
|
|
74
|
+
noTokensFound;
|
|
75
|
+
const clientMismatchErrorWithFamilyRT = e instanceof ServerError &&
|
|
76
|
+
e.errorCode === Errors.INVALID_GRANT_ERROR &&
|
|
77
|
+
e.subError === Errors.CLIENT_MISMATCH_ERROR;
|
|
78
|
+
// if family Refresh Token (FRT) cache acquisition fails or if client_mismatch error is seen with FRT, reattempt with application Refresh Token (ART)
|
|
79
|
+
if (noFamilyRTInCache || clientMismatchErrorWithFamilyRT) {
|
|
80
|
+
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
|
|
81
|
+
// throw in all other cases
|
|
82
|
+
}
|
|
83
|
+
else {
|
|
84
|
+
throw e;
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
// fall back to application refresh token acquisition
|
|
89
|
+
return invokeAsync(this.acquireTokenWithCachedRefreshToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, this.logger, this.performanceClient, request.correlationId)(request, false);
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* makes a network call to acquire tokens by exchanging RefreshToken available in userCache; throws if refresh token is not cached
|
|
93
|
+
* @param request
|
|
94
|
+
*/
|
|
95
|
+
async acquireTokenWithCachedRefreshToken(request, foci) {
|
|
96
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientAcquireTokenWithCachedRefreshToken, request.correlationId);
|
|
97
|
+
// fetches family RT or application RT based on FOCI value
|
|
98
|
+
const refreshToken = invoke(this.cacheManager.getRefreshToken.bind(this.cacheManager), PerformanceEvents.CacheManagerGetRefreshToken, this.logger, this.performanceClient, request.correlationId)(request.account, foci, undefined, this.performanceClient, request.correlationId);
|
|
99
|
+
if (!refreshToken) {
|
|
100
|
+
throw createInteractionRequiredAuthError(noTokensFound);
|
|
101
|
+
}
|
|
102
|
+
if (refreshToken.expiresOn &&
|
|
103
|
+
isTokenExpired(refreshToken.expiresOn, request.refreshTokenExpirationOffsetSeconds ||
|
|
104
|
+
DEFAULT_REFRESH_TOKEN_EXPIRATION_OFFSET_SECONDS)) {
|
|
105
|
+
throw createInteractionRequiredAuthError(refreshTokenExpired);
|
|
106
|
+
}
|
|
107
|
+
// attach cached RT size to the current measurement
|
|
108
|
+
const refreshTokenRequest = {
|
|
109
|
+
...request,
|
|
110
|
+
refreshToken: refreshToken.secret,
|
|
111
|
+
authenticationScheme: request.authenticationScheme || AuthenticationScheme.BEARER,
|
|
112
|
+
ccsCredential: {
|
|
113
|
+
credential: request.account.homeAccountId,
|
|
114
|
+
type: CcsCredentialType.HOME_ACCOUNT_ID,
|
|
115
|
+
},
|
|
116
|
+
};
|
|
117
|
+
try {
|
|
118
|
+
return await invokeAsync(this.acquireToken.bind(this), PerformanceEvents.RefreshTokenClientAcquireToken, this.logger, this.performanceClient, request.correlationId)(refreshTokenRequest);
|
|
119
|
+
}
|
|
120
|
+
catch (e) {
|
|
121
|
+
if (e instanceof InteractionRequiredAuthError &&
|
|
122
|
+
e.subError === badToken) {
|
|
123
|
+
// Remove bad refresh token from cache
|
|
124
|
+
this.logger.verbose("acquireTokenWithRefreshToken: bad refresh token, removing from cache");
|
|
125
|
+
const badRefreshTokenKey = generateCredentialKey(refreshToken);
|
|
126
|
+
this.cacheManager.removeRefreshToken(badRefreshTokenKey);
|
|
127
|
+
}
|
|
128
|
+
throw e;
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
/**
|
|
132
|
+
* Constructs the network message and makes a NW call to the underlying secure token service
|
|
133
|
+
* @param request
|
|
134
|
+
* @param authority
|
|
135
|
+
*/
|
|
136
|
+
async executeTokenRequest(request, authority) {
|
|
137
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientExecuteTokenRequest, request.correlationId);
|
|
138
|
+
const queryParametersString = this.createTokenQueryParameters(request);
|
|
139
|
+
const endpoint = UrlString.appendQueryString(authority.tokenEndpoint, queryParametersString);
|
|
140
|
+
const requestBody = await invokeAsync(this.createTokenRequestBody.bind(this), PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, this.logger, this.performanceClient, request.correlationId)(request);
|
|
141
|
+
const headers = this.createTokenRequestHeaders(request.ccsCredential);
|
|
142
|
+
const thumbprint = {
|
|
143
|
+
clientId: request.tokenBodyParameters?.clientId ||
|
|
144
|
+
this.config.authOptions.clientId,
|
|
145
|
+
authority: authority.canonicalAuthority,
|
|
146
|
+
scopes: request.scopes,
|
|
147
|
+
claims: request.claims,
|
|
148
|
+
authenticationScheme: request.authenticationScheme,
|
|
149
|
+
resourceRequestMethod: request.resourceRequestMethod,
|
|
150
|
+
resourceRequestUri: request.resourceRequestUri,
|
|
151
|
+
shrClaims: request.shrClaims,
|
|
152
|
+
sshKid: request.sshKid,
|
|
153
|
+
};
|
|
154
|
+
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.RefreshTokenClientExecutePostToTokenEndpoint);
|
|
155
|
+
}
|
|
156
|
+
/**
|
|
157
|
+
* Helper function to create the token request body
|
|
158
|
+
* @param request
|
|
159
|
+
*/
|
|
160
|
+
async createTokenRequestBody(request) {
|
|
161
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.RefreshTokenClientCreateTokenRequestBody, request.correlationId);
|
|
162
|
+
const correlationId = request.correlationId;
|
|
163
|
+
const parameterBuilder = new RequestParameterBuilder();
|
|
164
|
+
parameterBuilder.addClientId(request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
165
|
+
this.config.authOptions.clientId);
|
|
166
|
+
if (request.redirectUri) {
|
|
167
|
+
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
168
|
+
}
|
|
169
|
+
parameterBuilder.addScopes(request.scopes, true, this.config.authOptions.authority.options.OIDCOptions?.defaultScopes);
|
|
170
|
+
parameterBuilder.addGrantType(GrantType.REFRESH_TOKEN_GRANT);
|
|
171
|
+
parameterBuilder.addClientInfo();
|
|
172
|
+
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
173
|
+
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
174
|
+
parameterBuilder.addThrottling();
|
|
175
|
+
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
176
|
+
parameterBuilder.addServerTelemetry(this.serverTelemetryManager);
|
|
177
|
+
}
|
|
178
|
+
parameterBuilder.addCorrelationId(correlationId);
|
|
179
|
+
parameterBuilder.addRefreshToken(request.refreshToken);
|
|
180
|
+
if (this.config.clientCredentials.clientSecret) {
|
|
181
|
+
parameterBuilder.addClientSecret(this.config.clientCredentials.clientSecret);
|
|
182
|
+
}
|
|
183
|
+
if (this.config.clientCredentials.clientAssertion) {
|
|
184
|
+
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
185
|
+
parameterBuilder.addClientAssertion(await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
186
|
+
parameterBuilder.addClientAssertionType(clientAssertion.assertionType);
|
|
187
|
+
}
|
|
188
|
+
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
189
|
+
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
190
|
+
let reqCnfData;
|
|
191
|
+
if (!request.popKid) {
|
|
192
|
+
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
193
|
+
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
194
|
+
}
|
|
195
|
+
else {
|
|
196
|
+
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
197
|
+
}
|
|
198
|
+
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
199
|
+
parameterBuilder.addPopToken(reqCnfData);
|
|
200
|
+
}
|
|
201
|
+
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
202
|
+
if (request.sshJwk) {
|
|
203
|
+
parameterBuilder.addSshJwk(request.sshJwk);
|
|
204
|
+
}
|
|
205
|
+
else {
|
|
206
|
+
throw createClientConfigurationError(missingSshJwk);
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
210
|
+
(this.config.authOptions.clientCapabilities &&
|
|
211
|
+
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
212
|
+
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
213
|
+
}
|
|
214
|
+
if (this.config.systemOptions.preventCorsPreflight &&
|
|
215
|
+
request.ccsCredential) {
|
|
216
|
+
switch (request.ccsCredential.type) {
|
|
217
|
+
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
218
|
+
try {
|
|
219
|
+
const clientInfo = buildClientInfoFromHomeAccountId(request.ccsCredential.credential);
|
|
220
|
+
parameterBuilder.addCcsOid(clientInfo);
|
|
221
|
+
}
|
|
222
|
+
catch (e) {
|
|
223
|
+
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
224
|
+
e);
|
|
225
|
+
}
|
|
226
|
+
break;
|
|
227
|
+
case CcsCredentialType.UPN:
|
|
228
|
+
parameterBuilder.addCcsUpn(request.ccsCredential.credential);
|
|
229
|
+
break;
|
|
230
|
+
}
|
|
231
|
+
}
|
|
232
|
+
if (request.tokenBodyParameters) {
|
|
233
|
+
parameterBuilder.addExtraQueryParameters(request.tokenBodyParameters);
|
|
234
|
+
}
|
|
235
|
+
return parameterBuilder.createQueryString();
|
|
236
|
+
}
|
|
237
237
|
}
|
|
238
238
|
|
|
239
239
|
export { RefreshTokenClient };
|
|
@@ -1,28 +1,28 @@
|
|
|
1
|
-
import { BaseClient } from "./BaseClient";
|
|
2
|
-
import { ClientConfiguration } from "../config/ClientConfiguration";
|
|
3
|
-
import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
|
|
4
|
-
import { AuthenticationResult } from "../response/AuthenticationResult";
|
|
5
|
-
import { CacheOutcome } from "../utils/Constants";
|
|
6
|
-
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
|
|
7
|
-
/** @internal */
|
|
8
|
-
export declare class SilentFlowClient extends BaseClient {
|
|
9
|
-
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
|
|
10
|
-
/**
|
|
11
|
-
* Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
|
|
12
|
-
* the given token and returns the renewed token
|
|
13
|
-
* @param request
|
|
14
|
-
*/
|
|
15
|
-
acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
|
|
16
|
-
/**
|
|
17
|
-
* Retrieves token from cache or throws an error if it must be refreshed.
|
|
18
|
-
* @param request
|
|
19
|
-
*/
|
|
20
|
-
acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
|
|
21
|
-
private setCacheOutcome;
|
|
22
|
-
/**
|
|
23
|
-
* Helper function to build response object from the CacheRecord
|
|
24
|
-
* @param cacheRecord
|
|
25
|
-
*/
|
|
26
|
-
private generateResultFromCacheRecord;
|
|
27
|
-
}
|
|
1
|
+
import { BaseClient } from "./BaseClient";
|
|
2
|
+
import { ClientConfiguration } from "../config/ClientConfiguration";
|
|
3
|
+
import { CommonSilentFlowRequest } from "../request/CommonSilentFlowRequest";
|
|
4
|
+
import { AuthenticationResult } from "../response/AuthenticationResult";
|
|
5
|
+
import { CacheOutcome } from "../utils/Constants";
|
|
6
|
+
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient";
|
|
7
|
+
/** @internal */
|
|
8
|
+
export declare class SilentFlowClient extends BaseClient {
|
|
9
|
+
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
|
|
10
|
+
/**
|
|
11
|
+
* Retrieves a token from cache if it is still valid, or uses the cached refresh token to renew
|
|
12
|
+
* the given token and returns the renewed token
|
|
13
|
+
* @param request
|
|
14
|
+
*/
|
|
15
|
+
acquireToken(request: CommonSilentFlowRequest): Promise<AuthenticationResult>;
|
|
16
|
+
/**
|
|
17
|
+
* Retrieves token from cache or throws an error if it must be refreshed.
|
|
18
|
+
* @param request
|
|
19
|
+
*/
|
|
20
|
+
acquireCachedToken(request: CommonSilentFlowRequest): Promise<[AuthenticationResult, CacheOutcome]>;
|
|
21
|
+
private setCacheOutcome;
|
|
22
|
+
/**
|
|
23
|
+
* Helper function to build response object from the CacheRecord
|
|
24
|
+
* @param cacheRecord
|
|
25
|
+
*/
|
|
26
|
+
private generateResultFromCacheRecord;
|
|
27
|
+
}
|
|
28
28
|
//# sourceMappingURL=SilentFlowClient.d.ts.map
|