@azure/msal-common 14.14.0 → 14.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (185) hide show
  1. package/dist/account/AccountInfo.d.ts +66 -66
  2. package/dist/account/AccountInfo.mjs +77 -77
  3. package/dist/account/AuthToken.d.ts +17 -17
  4. package/dist/account/AuthToken.mjs +58 -58
  5. package/dist/account/CcsCredential.d.ts +9 -9
  6. package/dist/account/CcsCredential.mjs +8 -8
  7. package/dist/account/ClientCredentials.d.ts +19 -19
  8. package/dist/account/ClientInfo.d.ts +18 -18
  9. package/dist/account/ClientInfo.mjs +37 -37
  10. package/dist/account/TokenClaims.d.ts +83 -83
  11. package/dist/account/TokenClaims.mjs +20 -20
  12. package/dist/authority/Authority.d.ts +254 -254
  13. package/dist/authority/Authority.mjs +836 -836
  14. package/dist/authority/AuthorityFactory.d.ts +18 -18
  15. package/dist/authority/AuthorityFactory.mjs +28 -28
  16. package/dist/authority/AuthorityMetadata.d.ts +43 -43
  17. package/dist/authority/AuthorityMetadata.mjs +137 -137
  18. package/dist/authority/AuthorityOptions.d.ts +27 -27
  19. package/dist/authority/AuthorityOptions.mjs +18 -18
  20. package/dist/authority/AuthorityType.d.ts +10 -10
  21. package/dist/authority/AuthorityType.mjs +13 -13
  22. package/dist/authority/AzureRegion.d.ts +1 -1
  23. package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
  24. package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
  25. package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
  26. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
  27. package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
  28. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
  29. package/dist/authority/ImdsOptions.d.ts +5 -5
  30. package/dist/authority/OIDCOptions.d.ts +8 -8
  31. package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
  32. package/dist/authority/OpenIdConfigResponse.mjs +10 -10
  33. package/dist/authority/ProtocolMode.d.ts +8 -8
  34. package/dist/authority/ProtocolMode.mjs +11 -11
  35. package/dist/authority/RegionDiscovery.d.ts +32 -32
  36. package/dist/authority/RegionDiscovery.mjs +106 -106
  37. package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
  38. package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
  39. package/dist/cache/CacheManager.d.ts +497 -497
  40. package/dist/cache/CacheManager.mjs +1249 -1249
  41. package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
  42. package/dist/cache/entities/AccountEntity.d.ts +106 -106
  43. package/dist/cache/entities/AccountEntity.mjs +240 -240
  44. package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
  45. package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
  46. package/dist/cache/entities/CacheRecord.d.ts +13 -13
  47. package/dist/cache/entities/CredentialEntity.d.ts +30 -30
  48. package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
  49. package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
  50. package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -6
  51. package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
  52. package/dist/cache/interface/ICacheManager.d.ts +166 -166
  53. package/dist/cache/interface/ICachePlugin.d.ts +5 -5
  54. package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
  55. package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
  56. package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
  57. package/dist/cache/utils/CacheHelpers.d.ts +94 -94
  58. package/dist/cache/utils/CacheHelpers.mjs +324 -324
  59. package/dist/cache/utils/CacheTypes.d.ts +69 -69
  60. package/dist/client/AuthorizationCodeClient.d.ts +74 -74
  61. package/dist/client/AuthorizationCodeClient.mjs +420 -420
  62. package/dist/client/BaseClient.d.ts +51 -51
  63. package/dist/client/BaseClient.mjs +100 -100
  64. package/dist/client/RefreshTokenClient.d.ts +35 -35
  65. package/dist/client/RefreshTokenClient.mjs +211 -211
  66. package/dist/client/SilentFlowClient.d.ts +27 -27
  67. package/dist/client/SilentFlowClient.mjs +133 -133
  68. package/dist/config/AppTokenProvider.d.ts +38 -38
  69. package/dist/config/ClientConfiguration.d.ts +150 -150
  70. package/dist/config/ClientConfiguration.mjs +95 -95
  71. package/dist/constants/AADServerParamKeys.d.ts +53 -53
  72. package/dist/constants/AADServerParamKeys.mjs +57 -57
  73. package/dist/crypto/ICrypto.d.ts +68 -68
  74. package/dist/crypto/ICrypto.mjs +36 -36
  75. package/dist/crypto/IGuidGenerator.d.ts +4 -4
  76. package/dist/crypto/JoseHeader.d.ts +22 -22
  77. package/dist/crypto/JoseHeader.mjs +37 -37
  78. package/dist/crypto/PopTokenGenerator.d.ts +59 -59
  79. package/dist/crypto/PopTokenGenerator.mjs +81 -81
  80. package/dist/crypto/SignedHttpRequest.d.ts +15 -15
  81. package/dist/error/AuthError.d.ts +44 -44
  82. package/dist/error/AuthError.mjs +46 -46
  83. package/dist/error/AuthErrorCodes.d.ts +5 -5
  84. package/dist/error/AuthErrorCodes.mjs +9 -9
  85. package/dist/error/CacheError.d.ts +20 -20
  86. package/dist/error/CacheError.mjs +24 -24
  87. package/dist/error/CacheErrorCodes.d.ts +2 -2
  88. package/dist/error/CacheErrorCodes.mjs +6 -6
  89. package/dist/error/ClientAuthError.d.ts +237 -237
  90. package/dist/error/ClientAuthError.mjs +249 -249
  91. package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
  92. package/dist/error/ClientAuthErrorCodes.mjs +48 -48
  93. package/dist/error/ClientConfigurationError.d.ts +128 -128
  94. package/dist/error/ClientConfigurationError.mjs +135 -135
  95. package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
  96. package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
  97. package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
  98. package/dist/error/InteractionRequiredAuthError.mjs +85 -85
  99. package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
  100. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
  101. package/dist/error/JoseHeaderError.d.ts +15 -15
  102. package/dist/error/JoseHeaderError.mjs +22 -22
  103. package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
  104. package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
  105. package/dist/error/ServerError.d.ts +15 -15
  106. package/dist/error/ServerError.mjs +16 -16
  107. package/dist/index.cjs +8658 -8658
  108. package/dist/index.cjs.map +1 -1
  109. package/dist/index.d.ts +107 -107
  110. package/dist/index.mjs +1 -1
  111. package/dist/logger/Logger.d.ts +95 -95
  112. package/dist/logger/Logger.mjs +188 -188
  113. package/dist/network/INetworkModule.d.ts +29 -29
  114. package/dist/network/INetworkModule.mjs +12 -12
  115. package/dist/network/NetworkManager.d.ts +33 -33
  116. package/dist/network/NetworkManager.mjs +34 -34
  117. package/dist/network/RequestThumbprint.d.ts +18 -18
  118. package/dist/network/ThrottlingUtils.d.ts +42 -42
  119. package/dist/network/ThrottlingUtils.mjs +95 -95
  120. package/dist/packageMetadata.d.ts +2 -2
  121. package/dist/packageMetadata.mjs +4 -4
  122. package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
  123. package/dist/request/AuthenticationHeaderParser.mjs +55 -55
  124. package/dist/request/BaseAuthRequest.d.ts +47 -47
  125. package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
  126. package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
  127. package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
  128. package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
  129. package/dist/request/CommonEndSessionRequest.d.ts +21 -21
  130. package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
  131. package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
  132. package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
  133. package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
  134. package/dist/request/NativeRequest.d.ts +19 -19
  135. package/dist/request/NativeSignOutRequest.d.ts +5 -5
  136. package/dist/request/RequestParameterBuilder.d.ts +217 -217
  137. package/dist/request/RequestParameterBuilder.mjs +382 -382
  138. package/dist/request/RequestValidator.d.ts +27 -27
  139. package/dist/request/RequestValidator.mjs +64 -64
  140. package/dist/request/ScopeSet.d.ts +88 -88
  141. package/dist/request/ScopeSet.mjs +197 -197
  142. package/dist/request/StoreInCache.d.ts +8 -8
  143. package/dist/response/AuthenticationResult.d.ts +41 -41
  144. package/dist/response/AuthorizationCodePayload.d.ts +13 -13
  145. package/dist/response/DeviceCodeResponse.d.ts +25 -25
  146. package/dist/response/ExternalTokenResponse.d.ts +15 -15
  147. package/dist/response/IMDSBadResponse.d.ts +4 -4
  148. package/dist/response/ResponseHandler.d.ts +69 -69
  149. package/dist/response/ResponseHandler.mjs +374 -374
  150. package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
  151. package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
  152. package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
  153. package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
  154. package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
  155. package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
  156. package/dist/telemetry/performance/PerformanceEvent.d.ts +511 -505
  157. package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
  158. package/dist/telemetry/performance/PerformanceEvent.mjs +480 -480
  159. package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
  160. package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
  161. package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
  162. package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -78
  163. package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -260
  164. package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
  165. package/dist/url/IUri.d.ts +12 -12
  166. package/dist/url/UrlString.d.ts +48 -48
  167. package/dist/url/UrlString.mjs +161 -161
  168. package/dist/utils/ClientAssertionUtils.d.ts +2 -2
  169. package/dist/utils/ClientAssertionUtils.mjs +16 -16
  170. package/dist/utils/Constants.d.ts +309 -309
  171. package/dist/utils/Constants.mjs +322 -322
  172. package/dist/utils/FunctionWrappers.d.ts +27 -27
  173. package/dist/utils/FunctionWrappers.mjs +94 -94
  174. package/dist/utils/MsalTypes.d.ts +6 -6
  175. package/dist/utils/ProtocolUtils.d.ts +42 -42
  176. package/dist/utils/ProtocolUtils.mjs +69 -69
  177. package/dist/utils/StringUtils.d.ts +40 -40
  178. package/dist/utils/StringUtils.mjs +95 -95
  179. package/dist/utils/TimeUtils.d.ts +25 -25
  180. package/dist/utils/TimeUtils.mjs +43 -43
  181. package/dist/utils/UrlUtils.d.ts +10 -10
  182. package/dist/utils/UrlUtils.mjs +44 -44
  183. package/package.json +1 -1
  184. package/src/packageMetadata.ts +1 -1
  185. package/src/telemetry/performance/PerformanceEvent.ts +7 -0
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v14.14.0 2024-07-23 */
1
+ /*! @azure/msal-common v14.14.2 2024-08-28 */
2
2
  'use strict';
3
3
  import { createClientAuthError } from '../error/ClientAuthError.mjs';
4
4
  import { ServerError } from '../error/ServerError.mjs';
@@ -16,379 +16,379 @@ import { updateAccountTenantProfileData, buildTenantProfile } from '../account/A
16
16
  import { createAccessTokenEntity, createRefreshTokenEntity, createIdTokenEntity } from '../cache/utils/CacheHelpers.mjs';
17
17
  import { stateNotFound, invalidState, stateMismatch, nonceMismatch, authTimeNotFound, invalidCacheEnvironment, keyIdMissing } from '../error/ClientAuthErrorCodes.mjs';
18
18
 
19
- /*
20
- * Copyright (c) Microsoft Corporation. All rights reserved.
21
- * Licensed under the MIT License.
22
- */
23
- function parseServerErrorNo(serverResponse) {
24
- const errorCodePrefix = "code=";
25
- const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
26
- return errorCodePrefixIndex && errorCodePrefixIndex >= 0
27
- ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
28
- : undefined;
29
- }
30
- /**
31
- * Class that handles response parsing.
32
- * @internal
33
- */
34
- class ResponseHandler {
35
- constructor(clientId, cacheStorage, cryptoObj, logger, serializableCache, persistencePlugin, performanceClient) {
36
- this.clientId = clientId;
37
- this.cacheStorage = cacheStorage;
38
- this.cryptoObj = cryptoObj;
39
- this.logger = logger;
40
- this.serializableCache = serializableCache;
41
- this.persistencePlugin = persistencePlugin;
42
- this.performanceClient = performanceClient;
43
- }
44
- /**
45
- * Function which validates server authorization code response.
46
- * @param serverResponseHash
47
- * @param requestState
48
- * @param cryptoObj
49
- */
50
- validateServerAuthorizationCodeResponse(serverResponse, requestState) {
51
- if (!serverResponse.state || !requestState) {
52
- throw serverResponse.state
53
- ? createClientAuthError(stateNotFound, "Cached State")
54
- : createClientAuthError(stateNotFound, "Server State");
55
- }
56
- let decodedServerResponseState;
57
- let decodedRequestState;
58
- try {
59
- decodedServerResponseState = decodeURIComponent(serverResponse.state);
60
- }
61
- catch (e) {
62
- throw createClientAuthError(invalidState, serverResponse.state);
63
- }
64
- try {
65
- decodedRequestState = decodeURIComponent(requestState);
66
- }
67
- catch (e) {
68
- throw createClientAuthError(invalidState, serverResponse.state);
69
- }
70
- if (decodedServerResponseState !== decodedRequestState) {
71
- throw createClientAuthError(stateMismatch);
72
- }
73
- // Check for error
74
- if (serverResponse.error ||
75
- serverResponse.error_description ||
76
- serverResponse.suberror) {
77
- const serverErrorNo = parseServerErrorNo(serverResponse);
78
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
79
- throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
80
- }
81
- throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
82
- }
83
- }
84
- /**
85
- * Function which validates server authorization token response.
86
- * @param serverResponse
87
- * @param refreshAccessToken
88
- */
89
- validateTokenResponse(serverResponse, refreshAccessToken) {
90
- // Check for error
91
- if (serverResponse.error ||
92
- serverResponse.error_description ||
93
- serverResponse.suberror) {
94
- const errString = `Error(s): ${serverResponse.error_codes || Constants.NOT_AVAILABLE} - Timestamp: ${serverResponse.timestamp || Constants.NOT_AVAILABLE} - Description: ${serverResponse.error_description || Constants.NOT_AVAILABLE} - Correlation ID: ${serverResponse.correlation_id || Constants.NOT_AVAILABLE} - Trace ID: ${serverResponse.trace_id || Constants.NOT_AVAILABLE}`;
95
- const serverErrorNo = serverResponse.error_codes?.length
96
- ? serverResponse.error_codes[0]
97
- : undefined;
98
- const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
99
- // check if 500 error
100
- if (refreshAccessToken &&
101
- serverResponse.status &&
102
- serverResponse.status >= HttpStatus.SERVER_ERROR_RANGE_START &&
103
- serverResponse.status <= HttpStatus.SERVER_ERROR_RANGE_END) {
104
- this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently unavailable and the access token is unable to be refreshed.\n${serverError}`);
105
- // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
106
- return;
107
- // check if 400 error
108
- }
109
- else if (refreshAccessToken &&
110
- serverResponse.status &&
111
- serverResponse.status >= HttpStatus.CLIENT_ERROR_RANGE_START &&
112
- serverResponse.status <= HttpStatus.CLIENT_ERROR_RANGE_END) {
113
- this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently available but is unable to refresh the access token.\n${serverError}`);
114
- // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
115
- return;
116
- }
117
- if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
118
- throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || Constants.EMPTY_STRING, serverResponse.trace_id || Constants.EMPTY_STRING, serverResponse.correlation_id || Constants.EMPTY_STRING, serverResponse.claims || Constants.EMPTY_STRING, serverErrorNo);
119
- }
120
- throw serverError;
121
- }
122
- }
123
- /**
124
- * Returns a constructed token response based on given string. Also manages the cache updates and cleanups.
125
- * @param serverTokenResponse
126
- * @param authority
127
- */
128
- async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
129
- this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
130
- // create an idToken object (not entity)
131
- let idTokenClaims;
132
- if (serverTokenResponse.id_token) {
133
- idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || Constants.EMPTY_STRING, this.cryptoObj.base64Decode);
134
- // token nonce check (TODO: Add a warning if no nonce is given?)
135
- if (authCodePayload && authCodePayload.nonce) {
136
- if (idTokenClaims.nonce !== authCodePayload.nonce) {
137
- throw createClientAuthError(nonceMismatch);
138
- }
139
- }
140
- // token max_age check
141
- if (request.maxAge || request.maxAge === 0) {
142
- const authTime = idTokenClaims.auth_time;
143
- if (!authTime) {
144
- throw createClientAuthError(authTimeNotFound);
145
- }
146
- checkMaxAge(authTime, request.maxAge);
147
- }
148
- }
149
- // generate homeAccountId
150
- this.homeAccountIdentifier = AccountEntity.generateHomeAccountId(serverTokenResponse.client_info || Constants.EMPTY_STRING, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
151
- // save the response tokens
152
- let requestStateObj;
153
- if (!!authCodePayload && !!authCodePayload.state) {
154
- requestStateObj = ProtocolUtils.parseRequestState(this.cryptoObj, authCodePayload.state);
155
- }
156
- // Add keyId from request to serverTokenResponse if defined
157
- serverTokenResponse.key_id =
158
- serverTokenResponse.key_id || request.sshKid || undefined;
159
- const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
160
- let cacheContext;
161
- try {
162
- if (this.persistencePlugin && this.serializableCache) {
163
- this.logger.verbose("Persistence enabled, calling beforeCacheAccess");
164
- cacheContext = new TokenCacheContext(this.serializableCache, true);
165
- await this.persistencePlugin.beforeCacheAccess(cacheContext);
166
- }
167
- /*
168
- * When saving a refreshed tokens to the cache, it is expected that the account that was used is present in the cache.
169
- * If not present, we should return null, as it's the case that another application called removeAccount in between
170
- * the calls to getAllAccounts and acquireTokenSilent. We should not overwrite that removal, unless explicitly flagged by
171
- * the developer, as in the case of refresh token flow used in ADAL Node to MSAL Node migration.
172
- */
173
- if (handlingRefreshTokenResponse &&
174
- !forceCacheRefreshTokenResponse &&
175
- cacheRecord.account) {
176
- const key = cacheRecord.account.generateAccountKey();
177
- const account = this.cacheStorage.getAccount(key, this.logger);
178
- if (!account) {
179
- this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
180
- return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
181
- }
182
- }
183
- await this.cacheStorage.saveCacheRecord(cacheRecord, request.storeInCache, request.correlationId);
184
- }
185
- finally {
186
- if (this.persistencePlugin &&
187
- this.serializableCache &&
188
- cacheContext) {
189
- this.logger.verbose("Persistence enabled, calling afterCacheAccess");
190
- await this.persistencePlugin.afterCacheAccess(cacheContext);
191
- }
192
- }
193
- return ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, serverTokenResponse, serverRequestId);
194
- }
195
- /**
196
- * Generates CacheRecord
197
- * @param serverTokenResponse
198
- * @param idTokenObj
199
- * @param authority
200
- */
201
- generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
202
- const env = authority.getPreferredCache();
203
- if (!env) {
204
- throw createClientAuthError(invalidCacheEnvironment);
205
- }
206
- const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
207
- // IdToken: non AAD scenarios can have empty realm
208
- let cachedIdToken;
209
- let cachedAccount;
210
- if (serverTokenResponse.id_token && !!idTokenClaims) {
211
- cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
212
- cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
213
- this.logger);
214
- }
215
- // AccessToken
216
- let cachedAccessToken = null;
217
- if (serverTokenResponse.access_token) {
218
- // If scopes not returned in server response, use request scopes
219
- const responseScopes = serverTokenResponse.scope
220
- ? ScopeSet.fromString(serverTokenResponse.scope)
221
- : new ScopeSet(request.scopes || []);
222
- /*
223
- * Use timestamp calculated before request
224
- * Server may return timestamps as strings, parse to numbers if so.
225
- */
226
- const expiresIn = (typeof serverTokenResponse.expires_in === "string"
227
- ? parseInt(serverTokenResponse.expires_in, 10)
228
- : serverTokenResponse.expires_in) || 0;
229
- const extExpiresIn = (typeof serverTokenResponse.ext_expires_in === "string"
230
- ? parseInt(serverTokenResponse.ext_expires_in, 10)
231
- : serverTokenResponse.ext_expires_in) || 0;
232
- const refreshIn = (typeof serverTokenResponse.refresh_in === "string"
233
- ? parseInt(serverTokenResponse.refresh_in, 10)
234
- : serverTokenResponse.refresh_in) || undefined;
235
- const tokenExpirationSeconds = reqTimestamp + expiresIn;
236
- const extendedTokenExpirationSeconds = tokenExpirationSeconds + extExpiresIn;
237
- const refreshOnSeconds = refreshIn && refreshIn > 0
238
- ? reqTimestamp + refreshIn
239
- : undefined;
240
- // non AAD scenarios can have empty realm
241
- cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, request.claims, request.requestedClaimsHash);
242
- }
243
- // refreshToken
244
- let cachedRefreshToken = null;
245
- if (serverTokenResponse.refresh_token) {
246
- let rtExpiresOn;
247
- if (serverTokenResponse.refresh_token_expires_in) {
248
- const rtExpiresIn = typeof serverTokenResponse.refresh_token_expires_in ===
249
- "string"
250
- ? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
251
- : serverTokenResponse.refresh_token_expires_in;
252
- rtExpiresOn = reqTimestamp + rtExpiresIn;
253
- }
254
- cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
255
- }
256
- // appMetadata
257
- let cachedAppMetadata = null;
258
- if (serverTokenResponse.foci) {
259
- cachedAppMetadata = {
260
- clientId: this.clientId,
261
- environment: env,
262
- familyId: serverTokenResponse.foci,
263
- };
264
- }
265
- return {
266
- account: cachedAccount,
267
- idToken: cachedIdToken,
268
- accessToken: cachedAccessToken,
269
- refreshToken: cachedRefreshToken,
270
- appMetadata: cachedAppMetadata,
271
- };
272
- }
273
- /**
274
- * Creates an @AuthenticationResult from @CacheRecord , @IdToken , and a boolean that states whether or not the result is from cache.
275
- *
276
- * Optionally takes a state string that is set as-is in the response.
277
- *
278
- * @param cacheRecord
279
- * @param idTokenObj
280
- * @param fromTokenCache
281
- * @param stateString
282
- */
283
- static async generateAuthenticationResult(cryptoObj, authority, cacheRecord, fromTokenCache, request, idTokenClaims, requestState, serverTokenResponse, requestId) {
284
- let accessToken = Constants.EMPTY_STRING;
285
- let responseScopes = [];
286
- let expiresOn = null;
287
- let extExpiresOn;
288
- let refreshOn;
289
- let familyId = Constants.EMPTY_STRING;
290
- if (cacheRecord.accessToken) {
291
- /*
292
- * if the request object has `popKid` property, `signPopToken` will be set to false and
293
- * the token will be returned unsigned
294
- */
295
- if (cacheRecord.accessToken.tokenType ===
296
- AuthenticationScheme.POP &&
297
- !request.popKid) {
298
- const popTokenGenerator = new PopTokenGenerator(cryptoObj);
299
- const { secret, keyId } = cacheRecord.accessToken;
300
- if (!keyId) {
301
- throw createClientAuthError(keyIdMissing);
302
- }
303
- accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
304
- }
305
- else {
306
- accessToken = cacheRecord.accessToken.secret;
307
- }
308
- responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
309
- expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
310
- extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
311
- if (cacheRecord.accessToken.refreshOn) {
312
- refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
313
- }
314
- }
315
- if (cacheRecord.appMetadata) {
316
- familyId =
317
- cacheRecord.appMetadata.familyId === THE_FAMILY_ID
318
- ? THE_FAMILY_ID
319
- : "";
320
- }
321
- const uid = idTokenClaims?.oid || idTokenClaims?.sub || "";
322
- const tid = idTokenClaims?.tid || "";
323
- // for hybrid + native bridge enablement, send back the native account Id
324
- if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
325
- cacheRecord.account.nativeAccountId =
326
- serverTokenResponse?.spa_accountid;
327
- }
328
- const accountInfo = cacheRecord.account
329
- ? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
330
- idTokenClaims, cacheRecord.idToken?.secret)
331
- : null;
332
- return {
333
- authority: authority.canonicalAuthority,
334
- uniqueId: uid,
335
- tenantId: tid,
336
- scopes: responseScopes,
337
- account: accountInfo,
338
- idToken: cacheRecord?.idToken?.secret || "",
339
- idTokenClaims: idTokenClaims || {},
340
- accessToken: accessToken,
341
- fromCache: fromTokenCache,
342
- expiresOn: expiresOn,
343
- extExpiresOn: extExpiresOn,
344
- refreshOn: refreshOn,
345
- correlationId: request.correlationId,
346
- requestId: requestId || Constants.EMPTY_STRING,
347
- familyId: familyId,
348
- tokenType: cacheRecord.accessToken?.tokenType || Constants.EMPTY_STRING,
349
- state: requestState
350
- ? requestState.userRequestState
351
- : Constants.EMPTY_STRING,
352
- cloudGraphHostName: cacheRecord.account?.cloudGraphHostName ||
353
- Constants.EMPTY_STRING,
354
- msGraphHost: cacheRecord.account?.msGraphHost || Constants.EMPTY_STRING,
355
- code: serverTokenResponse?.spa_code,
356
- fromNativeBroker: false,
357
- };
358
- }
359
- }
360
- function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
361
- logger?.verbose("setCachedAccount called");
362
- // Check if base account is already cached
363
- const accountKeys = cacheStorage.getAccountKeys();
364
- const baseAccountKey = accountKeys.find((accountKey) => {
365
- return accountKey.startsWith(homeAccountId);
366
- });
367
- let cachedAccount = null;
368
- if (baseAccountKey) {
369
- cachedAccount = cacheStorage.getAccount(baseAccountKey, logger);
370
- }
371
- const baseAccount = cachedAccount ||
372
- AccountEntity.createAccount({
373
- homeAccountId,
374
- idTokenClaims,
375
- clientInfo,
376
- environment,
377
- cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
378
- msGraphHost: authCodePayload?.msgraph_host,
379
- nativeAccountId: nativeAccountId,
380
- }, authority, base64Decode);
381
- const tenantProfiles = baseAccount.tenantProfiles || [];
382
- const tenantId = claimsTenantId || baseAccount.realm;
383
- if (tenantId &&
384
- !tenantProfiles.find((tenantProfile) => {
385
- return tenantProfile.tenantId === tenantId;
386
- })) {
387
- const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
388
- tenantProfiles.push(newTenantProfile);
389
- }
390
- baseAccount.tenantProfiles = tenantProfiles;
391
- return baseAccount;
19
+ /*
20
+ * Copyright (c) Microsoft Corporation. All rights reserved.
21
+ * Licensed under the MIT License.
22
+ */
23
+ function parseServerErrorNo(serverResponse) {
24
+ const errorCodePrefix = "code=";
25
+ const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
26
+ return errorCodePrefixIndex && errorCodePrefixIndex >= 0
27
+ ? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
28
+ : undefined;
29
+ }
30
+ /**
31
+ * Class that handles response parsing.
32
+ * @internal
33
+ */
34
+ class ResponseHandler {
35
+ constructor(clientId, cacheStorage, cryptoObj, logger, serializableCache, persistencePlugin, performanceClient) {
36
+ this.clientId = clientId;
37
+ this.cacheStorage = cacheStorage;
38
+ this.cryptoObj = cryptoObj;
39
+ this.logger = logger;
40
+ this.serializableCache = serializableCache;
41
+ this.persistencePlugin = persistencePlugin;
42
+ this.performanceClient = performanceClient;
43
+ }
44
+ /**
45
+ * Function which validates server authorization code response.
46
+ * @param serverResponseHash
47
+ * @param requestState
48
+ * @param cryptoObj
49
+ */
50
+ validateServerAuthorizationCodeResponse(serverResponse, requestState) {
51
+ if (!serverResponse.state || !requestState) {
52
+ throw serverResponse.state
53
+ ? createClientAuthError(stateNotFound, "Cached State")
54
+ : createClientAuthError(stateNotFound, "Server State");
55
+ }
56
+ let decodedServerResponseState;
57
+ let decodedRequestState;
58
+ try {
59
+ decodedServerResponseState = decodeURIComponent(serverResponse.state);
60
+ }
61
+ catch (e) {
62
+ throw createClientAuthError(invalidState, serverResponse.state);
63
+ }
64
+ try {
65
+ decodedRequestState = decodeURIComponent(requestState);
66
+ }
67
+ catch (e) {
68
+ throw createClientAuthError(invalidState, serverResponse.state);
69
+ }
70
+ if (decodedServerResponseState !== decodedRequestState) {
71
+ throw createClientAuthError(stateMismatch);
72
+ }
73
+ // Check for error
74
+ if (serverResponse.error ||
75
+ serverResponse.error_description ||
76
+ serverResponse.suberror) {
77
+ const serverErrorNo = parseServerErrorNo(serverResponse);
78
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
79
+ throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
80
+ }
81
+ throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
82
+ }
83
+ }
84
+ /**
85
+ * Function which validates server authorization token response.
86
+ * @param serverResponse
87
+ * @param refreshAccessToken
88
+ */
89
+ validateTokenResponse(serverResponse, refreshAccessToken) {
90
+ // Check for error
91
+ if (serverResponse.error ||
92
+ serverResponse.error_description ||
93
+ serverResponse.suberror) {
94
+ const errString = `Error(s): ${serverResponse.error_codes || Constants.NOT_AVAILABLE} - Timestamp: ${serverResponse.timestamp || Constants.NOT_AVAILABLE} - Description: ${serverResponse.error_description || Constants.NOT_AVAILABLE} - Correlation ID: ${serverResponse.correlation_id || Constants.NOT_AVAILABLE} - Trace ID: ${serverResponse.trace_id || Constants.NOT_AVAILABLE}`;
95
+ const serverErrorNo = serverResponse.error_codes?.length
96
+ ? serverResponse.error_codes[0]
97
+ : undefined;
98
+ const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
99
+ // check if 500 error
100
+ if (refreshAccessToken &&
101
+ serverResponse.status &&
102
+ serverResponse.status >= HttpStatus.SERVER_ERROR_RANGE_START &&
103
+ serverResponse.status <= HttpStatus.SERVER_ERROR_RANGE_END) {
104
+ this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently unavailable and the access token is unable to be refreshed.\n${serverError}`);
105
+ // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
106
+ return;
107
+ // check if 400 error
108
+ }
109
+ else if (refreshAccessToken &&
110
+ serverResponse.status &&
111
+ serverResponse.status >= HttpStatus.CLIENT_ERROR_RANGE_START &&
112
+ serverResponse.status <= HttpStatus.CLIENT_ERROR_RANGE_END) {
113
+ this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently available but is unable to refresh the access token.\n${serverError}`);
114
+ // don't throw an exception, but alert the user via a log that the token was unable to be refreshed
115
+ return;
116
+ }
117
+ if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
118
+ throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || Constants.EMPTY_STRING, serverResponse.trace_id || Constants.EMPTY_STRING, serverResponse.correlation_id || Constants.EMPTY_STRING, serverResponse.claims || Constants.EMPTY_STRING, serverErrorNo);
119
+ }
120
+ throw serverError;
121
+ }
122
+ }
123
+ /**
124
+ * Returns a constructed token response based on given string. Also manages the cache updates and cleanups.
125
+ * @param serverTokenResponse
126
+ * @param authority
127
+ */
128
+ async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
129
+ this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
130
+ // create an idToken object (not entity)
131
+ let idTokenClaims;
132
+ if (serverTokenResponse.id_token) {
133
+ idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || Constants.EMPTY_STRING, this.cryptoObj.base64Decode);
134
+ // token nonce check (TODO: Add a warning if no nonce is given?)
135
+ if (authCodePayload && authCodePayload.nonce) {
136
+ if (idTokenClaims.nonce !== authCodePayload.nonce) {
137
+ throw createClientAuthError(nonceMismatch);
138
+ }
139
+ }
140
+ // token max_age check
141
+ if (request.maxAge || request.maxAge === 0) {
142
+ const authTime = idTokenClaims.auth_time;
143
+ if (!authTime) {
144
+ throw createClientAuthError(authTimeNotFound);
145
+ }
146
+ checkMaxAge(authTime, request.maxAge);
147
+ }
148
+ }
149
+ // generate homeAccountId
150
+ this.homeAccountIdentifier = AccountEntity.generateHomeAccountId(serverTokenResponse.client_info || Constants.EMPTY_STRING, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
151
+ // save the response tokens
152
+ let requestStateObj;
153
+ if (!!authCodePayload && !!authCodePayload.state) {
154
+ requestStateObj = ProtocolUtils.parseRequestState(this.cryptoObj, authCodePayload.state);
155
+ }
156
+ // Add keyId from request to serverTokenResponse if defined
157
+ serverTokenResponse.key_id =
158
+ serverTokenResponse.key_id || request.sshKid || undefined;
159
+ const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
160
+ let cacheContext;
161
+ try {
162
+ if (this.persistencePlugin && this.serializableCache) {
163
+ this.logger.verbose("Persistence enabled, calling beforeCacheAccess");
164
+ cacheContext = new TokenCacheContext(this.serializableCache, true);
165
+ await this.persistencePlugin.beforeCacheAccess(cacheContext);
166
+ }
167
+ /*
168
+ * When saving a refreshed tokens to the cache, it is expected that the account that was used is present in the cache.
169
+ * If not present, we should return null, as it's the case that another application called removeAccount in between
170
+ * the calls to getAllAccounts and acquireTokenSilent. We should not overwrite that removal, unless explicitly flagged by
171
+ * the developer, as in the case of refresh token flow used in ADAL Node to MSAL Node migration.
172
+ */
173
+ if (handlingRefreshTokenResponse &&
174
+ !forceCacheRefreshTokenResponse &&
175
+ cacheRecord.account) {
176
+ const key = cacheRecord.account.generateAccountKey();
177
+ const account = this.cacheStorage.getAccount(key, this.logger);
178
+ if (!account) {
179
+ this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
180
+ return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
181
+ }
182
+ }
183
+ await this.cacheStorage.saveCacheRecord(cacheRecord, request.storeInCache, request.correlationId);
184
+ }
185
+ finally {
186
+ if (this.persistencePlugin &&
187
+ this.serializableCache &&
188
+ cacheContext) {
189
+ this.logger.verbose("Persistence enabled, calling afterCacheAccess");
190
+ await this.persistencePlugin.afterCacheAccess(cacheContext);
191
+ }
192
+ }
193
+ return ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, serverTokenResponse, serverRequestId);
194
+ }
195
+ /**
196
+ * Generates CacheRecord
197
+ * @param serverTokenResponse
198
+ * @param idTokenObj
199
+ * @param authority
200
+ */
201
+ generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
202
+ const env = authority.getPreferredCache();
203
+ if (!env) {
204
+ throw createClientAuthError(invalidCacheEnvironment);
205
+ }
206
+ const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
207
+ // IdToken: non AAD scenarios can have empty realm
208
+ let cachedIdToken;
209
+ let cachedAccount;
210
+ if (serverTokenResponse.id_token && !!idTokenClaims) {
211
+ cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
212
+ cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
213
+ this.logger);
214
+ }
215
+ // AccessToken
216
+ let cachedAccessToken = null;
217
+ if (serverTokenResponse.access_token) {
218
+ // If scopes not returned in server response, use request scopes
219
+ const responseScopes = serverTokenResponse.scope
220
+ ? ScopeSet.fromString(serverTokenResponse.scope)
221
+ : new ScopeSet(request.scopes || []);
222
+ /*
223
+ * Use timestamp calculated before request
224
+ * Server may return timestamps as strings, parse to numbers if so.
225
+ */
226
+ const expiresIn = (typeof serverTokenResponse.expires_in === "string"
227
+ ? parseInt(serverTokenResponse.expires_in, 10)
228
+ : serverTokenResponse.expires_in) || 0;
229
+ const extExpiresIn = (typeof serverTokenResponse.ext_expires_in === "string"
230
+ ? parseInt(serverTokenResponse.ext_expires_in, 10)
231
+ : serverTokenResponse.ext_expires_in) || 0;
232
+ const refreshIn = (typeof serverTokenResponse.refresh_in === "string"
233
+ ? parseInt(serverTokenResponse.refresh_in, 10)
234
+ : serverTokenResponse.refresh_in) || undefined;
235
+ const tokenExpirationSeconds = reqTimestamp + expiresIn;
236
+ const extendedTokenExpirationSeconds = tokenExpirationSeconds + extExpiresIn;
237
+ const refreshOnSeconds = refreshIn && refreshIn > 0
238
+ ? reqTimestamp + refreshIn
239
+ : undefined;
240
+ // non AAD scenarios can have empty realm
241
+ cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, request.claims, request.requestedClaimsHash);
242
+ }
243
+ // refreshToken
244
+ let cachedRefreshToken = null;
245
+ if (serverTokenResponse.refresh_token) {
246
+ let rtExpiresOn;
247
+ if (serverTokenResponse.refresh_token_expires_in) {
248
+ const rtExpiresIn = typeof serverTokenResponse.refresh_token_expires_in ===
249
+ "string"
250
+ ? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
251
+ : serverTokenResponse.refresh_token_expires_in;
252
+ rtExpiresOn = reqTimestamp + rtExpiresIn;
253
+ }
254
+ cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
255
+ }
256
+ // appMetadata
257
+ let cachedAppMetadata = null;
258
+ if (serverTokenResponse.foci) {
259
+ cachedAppMetadata = {
260
+ clientId: this.clientId,
261
+ environment: env,
262
+ familyId: serverTokenResponse.foci,
263
+ };
264
+ }
265
+ return {
266
+ account: cachedAccount,
267
+ idToken: cachedIdToken,
268
+ accessToken: cachedAccessToken,
269
+ refreshToken: cachedRefreshToken,
270
+ appMetadata: cachedAppMetadata,
271
+ };
272
+ }
273
+ /**
274
+ * Creates an @AuthenticationResult from @CacheRecord , @IdToken , and a boolean that states whether or not the result is from cache.
275
+ *
276
+ * Optionally takes a state string that is set as-is in the response.
277
+ *
278
+ * @param cacheRecord
279
+ * @param idTokenObj
280
+ * @param fromTokenCache
281
+ * @param stateString
282
+ */
283
+ static async generateAuthenticationResult(cryptoObj, authority, cacheRecord, fromTokenCache, request, idTokenClaims, requestState, serverTokenResponse, requestId) {
284
+ let accessToken = Constants.EMPTY_STRING;
285
+ let responseScopes = [];
286
+ let expiresOn = null;
287
+ let extExpiresOn;
288
+ let refreshOn;
289
+ let familyId = Constants.EMPTY_STRING;
290
+ if (cacheRecord.accessToken) {
291
+ /*
292
+ * if the request object has `popKid` property, `signPopToken` will be set to false and
293
+ * the token will be returned unsigned
294
+ */
295
+ if (cacheRecord.accessToken.tokenType ===
296
+ AuthenticationScheme.POP &&
297
+ !request.popKid) {
298
+ const popTokenGenerator = new PopTokenGenerator(cryptoObj);
299
+ const { secret, keyId } = cacheRecord.accessToken;
300
+ if (!keyId) {
301
+ throw createClientAuthError(keyIdMissing);
302
+ }
303
+ accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
304
+ }
305
+ else {
306
+ accessToken = cacheRecord.accessToken.secret;
307
+ }
308
+ responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
309
+ expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
310
+ extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
311
+ if (cacheRecord.accessToken.refreshOn) {
312
+ refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
313
+ }
314
+ }
315
+ if (cacheRecord.appMetadata) {
316
+ familyId =
317
+ cacheRecord.appMetadata.familyId === THE_FAMILY_ID
318
+ ? THE_FAMILY_ID
319
+ : "";
320
+ }
321
+ const uid = idTokenClaims?.oid || idTokenClaims?.sub || "";
322
+ const tid = idTokenClaims?.tid || "";
323
+ // for hybrid + native bridge enablement, send back the native account Id
324
+ if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
325
+ cacheRecord.account.nativeAccountId =
326
+ serverTokenResponse?.spa_accountid;
327
+ }
328
+ const accountInfo = cacheRecord.account
329
+ ? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
330
+ idTokenClaims, cacheRecord.idToken?.secret)
331
+ : null;
332
+ return {
333
+ authority: authority.canonicalAuthority,
334
+ uniqueId: uid,
335
+ tenantId: tid,
336
+ scopes: responseScopes,
337
+ account: accountInfo,
338
+ idToken: cacheRecord?.idToken?.secret || "",
339
+ idTokenClaims: idTokenClaims || {},
340
+ accessToken: accessToken,
341
+ fromCache: fromTokenCache,
342
+ expiresOn: expiresOn,
343
+ extExpiresOn: extExpiresOn,
344
+ refreshOn: refreshOn,
345
+ correlationId: request.correlationId,
346
+ requestId: requestId || Constants.EMPTY_STRING,
347
+ familyId: familyId,
348
+ tokenType: cacheRecord.accessToken?.tokenType || Constants.EMPTY_STRING,
349
+ state: requestState
350
+ ? requestState.userRequestState
351
+ : Constants.EMPTY_STRING,
352
+ cloudGraphHostName: cacheRecord.account?.cloudGraphHostName ||
353
+ Constants.EMPTY_STRING,
354
+ msGraphHost: cacheRecord.account?.msGraphHost || Constants.EMPTY_STRING,
355
+ code: serverTokenResponse?.spa_code,
356
+ fromNativeBroker: false,
357
+ };
358
+ }
359
+ }
360
+ function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
361
+ logger?.verbose("setCachedAccount called");
362
+ // Check if base account is already cached
363
+ const accountKeys = cacheStorage.getAccountKeys();
364
+ const baseAccountKey = accountKeys.find((accountKey) => {
365
+ return accountKey.startsWith(homeAccountId);
366
+ });
367
+ let cachedAccount = null;
368
+ if (baseAccountKey) {
369
+ cachedAccount = cacheStorage.getAccount(baseAccountKey, logger);
370
+ }
371
+ const baseAccount = cachedAccount ||
372
+ AccountEntity.createAccount({
373
+ homeAccountId,
374
+ idTokenClaims,
375
+ clientInfo,
376
+ environment,
377
+ cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
378
+ msGraphHost: authCodePayload?.msgraph_host,
379
+ nativeAccountId: nativeAccountId,
380
+ }, authority, base64Decode);
381
+ const tenantProfiles = baseAccount.tenantProfiles || [];
382
+ const tenantId = claimsTenantId || baseAccount.realm;
383
+ if (tenantId &&
384
+ !tenantProfiles.find((tenantProfile) => {
385
+ return tenantProfile.tenantId === tenantId;
386
+ })) {
387
+ const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
388
+ tenantProfiles.push(newTenantProfile);
389
+ }
390
+ baseAccount.tenantProfiles = tenantProfiles;
391
+ return baseAccount;
392
392
  }
393
393
 
394
394
  export { ResponseHandler, buildAccountToCache };