@azure/msal-common 14.14.0 → 14.14.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.d.ts +66 -66
- package/dist/account/AccountInfo.mjs +77 -77
- package/dist/account/AuthToken.d.ts +17 -17
- package/dist/account/AuthToken.mjs +58 -58
- package/dist/account/CcsCredential.d.ts +9 -9
- package/dist/account/CcsCredential.mjs +8 -8
- package/dist/account/ClientCredentials.d.ts +19 -19
- package/dist/account/ClientInfo.d.ts +18 -18
- package/dist/account/ClientInfo.mjs +37 -37
- package/dist/account/TokenClaims.d.ts +83 -83
- package/dist/account/TokenClaims.mjs +20 -20
- package/dist/authority/Authority.d.ts +254 -254
- package/dist/authority/Authority.mjs +836 -836
- package/dist/authority/AuthorityFactory.d.ts +18 -18
- package/dist/authority/AuthorityFactory.mjs +28 -28
- package/dist/authority/AuthorityMetadata.d.ts +43 -43
- package/dist/authority/AuthorityMetadata.mjs +137 -137
- package/dist/authority/AuthorityOptions.d.ts +27 -27
- package/dist/authority/AuthorityOptions.mjs +18 -18
- package/dist/authority/AuthorityType.d.ts +10 -10
- package/dist/authority/AuthorityType.mjs +13 -13
- package/dist/authority/AzureRegion.d.ts +1 -1
- package/dist/authority/AzureRegionConfiguration.d.ts +5 -5
- package/dist/authority/CloudDiscoveryMetadata.d.ts +5 -5
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.d.ts +13 -13
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +8 -8
- package/dist/authority/CloudInstanceDiscoveryResponse.d.ts +9 -9
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +8 -8
- package/dist/authority/ImdsOptions.d.ts +5 -5
- package/dist/authority/OIDCOptions.d.ts +8 -8
- package/dist/authority/OpenIdConfigResponse.d.ts +11 -11
- package/dist/authority/OpenIdConfigResponse.mjs +10 -10
- package/dist/authority/ProtocolMode.d.ts +8 -8
- package/dist/authority/ProtocolMode.mjs +11 -11
- package/dist/authority/RegionDiscovery.d.ts +32 -32
- package/dist/authority/RegionDiscovery.mjs +106 -106
- package/dist/authority/RegionDiscoveryMetadata.d.ts +6 -6
- package/dist/broker/nativeBroker/INativeBrokerPlugin.d.ts +15 -15
- package/dist/cache/CacheManager.d.ts +497 -497
- package/dist/cache/CacheManager.mjs +1249 -1249
- package/dist/cache/entities/AccessTokenEntity.d.ts +25 -25
- package/dist/cache/entities/AccountEntity.d.ts +106 -106
- package/dist/cache/entities/AccountEntity.mjs +240 -240
- package/dist/cache/entities/AppMetadataEntity.d.ts +11 -11
- package/dist/cache/entities/AuthorityMetadataEntity.d.ts +15 -15
- package/dist/cache/entities/CacheRecord.d.ts +13 -13
- package/dist/cache/entities/CredentialEntity.d.ts +30 -30
- package/dist/cache/entities/IdTokenEntity.d.ts +8 -8
- package/dist/cache/entities/RefreshTokenEntity.d.ts +7 -7
- package/dist/cache/entities/ServerTelemetryEntity.d.ts +6 -6
- package/dist/cache/entities/ThrottlingEntity.d.ts +7 -7
- package/dist/cache/interface/ICacheManager.d.ts +166 -166
- package/dist/cache/interface/ICachePlugin.d.ts +5 -5
- package/dist/cache/interface/ISerializableTokenCache.d.ts +4 -4
- package/dist/cache/persistence/TokenCacheContext.d.ts +23 -23
- package/dist/cache/persistence/TokenCacheContext.mjs +25 -25
- package/dist/cache/utils/CacheHelpers.d.ts +94 -94
- package/dist/cache/utils/CacheHelpers.mjs +324 -324
- package/dist/cache/utils/CacheTypes.d.ts +69 -69
- package/dist/client/AuthorizationCodeClient.d.ts +74 -74
- package/dist/client/AuthorizationCodeClient.mjs +420 -420
- package/dist/client/BaseClient.d.ts +51 -51
- package/dist/client/BaseClient.mjs +100 -100
- package/dist/client/RefreshTokenClient.d.ts +35 -35
- package/dist/client/RefreshTokenClient.mjs +211 -211
- package/dist/client/SilentFlowClient.d.ts +27 -27
- package/dist/client/SilentFlowClient.mjs +133 -133
- package/dist/config/AppTokenProvider.d.ts +38 -38
- package/dist/config/ClientConfiguration.d.ts +150 -150
- package/dist/config/ClientConfiguration.mjs +95 -95
- package/dist/constants/AADServerParamKeys.d.ts +53 -53
- package/dist/constants/AADServerParamKeys.mjs +57 -57
- package/dist/crypto/ICrypto.d.ts +68 -68
- package/dist/crypto/ICrypto.mjs +36 -36
- package/dist/crypto/IGuidGenerator.d.ts +4 -4
- package/dist/crypto/JoseHeader.d.ts +22 -22
- package/dist/crypto/JoseHeader.mjs +37 -37
- package/dist/crypto/PopTokenGenerator.d.ts +59 -59
- package/dist/crypto/PopTokenGenerator.mjs +81 -81
- package/dist/crypto/SignedHttpRequest.d.ts +15 -15
- package/dist/error/AuthError.d.ts +44 -44
- package/dist/error/AuthError.mjs +46 -46
- package/dist/error/AuthErrorCodes.d.ts +5 -5
- package/dist/error/AuthErrorCodes.mjs +9 -9
- package/dist/error/CacheError.d.ts +20 -20
- package/dist/error/CacheError.mjs +24 -24
- package/dist/error/CacheErrorCodes.d.ts +2 -2
- package/dist/error/CacheErrorCodes.mjs +6 -6
- package/dist/error/ClientAuthError.d.ts +237 -237
- package/dist/error/ClientAuthError.mjs +249 -249
- package/dist/error/ClientAuthErrorCodes.d.ts +44 -44
- package/dist/error/ClientAuthErrorCodes.mjs +48 -48
- package/dist/error/ClientConfigurationError.d.ts +128 -128
- package/dist/error/ClientConfigurationError.mjs +135 -135
- package/dist/error/ClientConfigurationErrorCodes.d.ts +22 -22
- package/dist/error/ClientConfigurationErrorCodes.mjs +26 -26
- package/dist/error/InteractionRequiredAuthError.d.ts +65 -65
- package/dist/error/InteractionRequiredAuthError.mjs +85 -85
- package/dist/error/InteractionRequiredAuthErrorCodes.d.ts +7 -7
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +13 -13
- package/dist/error/JoseHeaderError.d.ts +15 -15
- package/dist/error/JoseHeaderError.mjs +22 -22
- package/dist/error/JoseHeaderErrorCodes.d.ts +2 -2
- package/dist/error/JoseHeaderErrorCodes.mjs +6 -6
- package/dist/error/ServerError.d.ts +15 -15
- package/dist/error/ServerError.mjs +16 -16
- package/dist/index.cjs +8658 -8658
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +107 -107
- package/dist/index.mjs +1 -1
- package/dist/logger/Logger.d.ts +95 -95
- package/dist/logger/Logger.mjs +188 -188
- package/dist/network/INetworkModule.d.ts +29 -29
- package/dist/network/INetworkModule.mjs +12 -12
- package/dist/network/NetworkManager.d.ts +33 -33
- package/dist/network/NetworkManager.mjs +34 -34
- package/dist/network/RequestThumbprint.d.ts +18 -18
- package/dist/network/ThrottlingUtils.d.ts +42 -42
- package/dist/network/ThrottlingUtils.mjs +95 -95
- package/dist/packageMetadata.d.ts +2 -2
- package/dist/packageMetadata.mjs +4 -4
- package/dist/request/AuthenticationHeaderParser.d.ts +19 -19
- package/dist/request/AuthenticationHeaderParser.mjs +55 -55
- package/dist/request/BaseAuthRequest.d.ts +47 -47
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +27 -27
- package/dist/request/CommonAuthorizationUrlRequest.d.ts +50 -50
- package/dist/request/CommonClientCredentialRequest.d.ts +17 -17
- package/dist/request/CommonDeviceCodeRequest.d.ts +21 -21
- package/dist/request/CommonEndSessionRequest.d.ts +21 -21
- package/dist/request/CommonOnBehalfOfRequest.d.ts +13 -13
- package/dist/request/CommonRefreshTokenRequest.d.ts +22 -22
- package/dist/request/CommonSilentFlowRequest.d.ts +27 -27
- package/dist/request/CommonUsernamePasswordRequest.d.ts +17 -17
- package/dist/request/NativeRequest.d.ts +19 -19
- package/dist/request/NativeSignOutRequest.d.ts +5 -5
- package/dist/request/RequestParameterBuilder.d.ts +217 -217
- package/dist/request/RequestParameterBuilder.mjs +382 -382
- package/dist/request/RequestValidator.d.ts +27 -27
- package/dist/request/RequestValidator.mjs +64 -64
- package/dist/request/ScopeSet.d.ts +88 -88
- package/dist/request/ScopeSet.mjs +197 -197
- package/dist/request/StoreInCache.d.ts +8 -8
- package/dist/response/AuthenticationResult.d.ts +41 -41
- package/dist/response/AuthorizationCodePayload.d.ts +13 -13
- package/dist/response/DeviceCodeResponse.d.ts +25 -25
- package/dist/response/ExternalTokenResponse.d.ts +15 -15
- package/dist/response/IMDSBadResponse.d.ts +4 -4
- package/dist/response/ResponseHandler.d.ts +69 -69
- package/dist/response/ResponseHandler.mjs +374 -374
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +26 -26
- package/dist/response/ServerAuthorizationTokenResponse.d.ts +47 -47
- package/dist/telemetry/performance/IPerformanceClient.d.ts +57 -57
- package/dist/telemetry/performance/IPerformanceMeasurement.d.ts +5 -5
- package/dist/telemetry/performance/PerformanceClient.d.ts +242 -242
- package/dist/telemetry/performance/PerformanceClient.mjs +587 -587
- package/dist/telemetry/performance/PerformanceEvent.d.ts +511 -505
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +480 -480
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.d.ts +24 -24
- package/dist/telemetry/performance/StubPerformanceClient.mjs +76 -76
- package/dist/telemetry/server/ServerTelemetryManager.d.ts +78 -78
- package/dist/telemetry/server/ServerTelemetryManager.mjs +260 -260
- package/dist/telemetry/server/ServerTelemetryRequest.d.ts +8 -8
- package/dist/url/IUri.d.ts +12 -12
- package/dist/url/UrlString.d.ts +48 -48
- package/dist/url/UrlString.mjs +161 -161
- package/dist/utils/ClientAssertionUtils.d.ts +2 -2
- package/dist/utils/ClientAssertionUtils.mjs +16 -16
- package/dist/utils/Constants.d.ts +309 -309
- package/dist/utils/Constants.mjs +322 -322
- package/dist/utils/FunctionWrappers.d.ts +27 -27
- package/dist/utils/FunctionWrappers.mjs +94 -94
- package/dist/utils/MsalTypes.d.ts +6 -6
- package/dist/utils/ProtocolUtils.d.ts +42 -42
- package/dist/utils/ProtocolUtils.mjs +69 -69
- package/dist/utils/StringUtils.d.ts +40 -40
- package/dist/utils/StringUtils.mjs +95 -95
- package/dist/utils/TimeUtils.d.ts +25 -25
- package/dist/utils/TimeUtils.mjs +43 -43
- package/dist/utils/UrlUtils.d.ts +10 -10
- package/dist/utils/UrlUtils.mjs +44 -44
- package/package.json +1 -1
- package/src/packageMetadata.ts +1 -1
- package/src/telemetry/performance/PerformanceEvent.ts +7 -0
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v14.14.
|
|
1
|
+
/*! @azure/msal-common v14.14.2 2024-08-28 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { createClientAuthError } from '../error/ClientAuthError.mjs';
|
|
4
4
|
import { ServerError } from '../error/ServerError.mjs';
|
|
@@ -16,379 +16,379 @@ import { updateAccountTenantProfileData, buildTenantProfile } from '../account/A
|
|
|
16
16
|
import { createAccessTokenEntity, createRefreshTokenEntity, createIdTokenEntity } from '../cache/utils/CacheHelpers.mjs';
|
|
17
17
|
import { stateNotFound, invalidState, stateMismatch, nonceMismatch, authTimeNotFound, invalidCacheEnvironment, keyIdMissing } from '../error/ClientAuthErrorCodes.mjs';
|
|
18
18
|
|
|
19
|
-
/*
|
|
20
|
-
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
21
|
-
* Licensed under the MIT License.
|
|
22
|
-
*/
|
|
23
|
-
function parseServerErrorNo(serverResponse) {
|
|
24
|
-
const errorCodePrefix = "code=";
|
|
25
|
-
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
26
|
-
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
27
|
-
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
28
|
-
: undefined;
|
|
29
|
-
}
|
|
30
|
-
/**
|
|
31
|
-
* Class that handles response parsing.
|
|
32
|
-
* @internal
|
|
33
|
-
*/
|
|
34
|
-
class ResponseHandler {
|
|
35
|
-
constructor(clientId, cacheStorage, cryptoObj, logger, serializableCache, persistencePlugin, performanceClient) {
|
|
36
|
-
this.clientId = clientId;
|
|
37
|
-
this.cacheStorage = cacheStorage;
|
|
38
|
-
this.cryptoObj = cryptoObj;
|
|
39
|
-
this.logger = logger;
|
|
40
|
-
this.serializableCache = serializableCache;
|
|
41
|
-
this.persistencePlugin = persistencePlugin;
|
|
42
|
-
this.performanceClient = performanceClient;
|
|
43
|
-
}
|
|
44
|
-
/**
|
|
45
|
-
* Function which validates server authorization code response.
|
|
46
|
-
* @param serverResponseHash
|
|
47
|
-
* @param requestState
|
|
48
|
-
* @param cryptoObj
|
|
49
|
-
*/
|
|
50
|
-
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
51
|
-
if (!serverResponse.state || !requestState) {
|
|
52
|
-
throw serverResponse.state
|
|
53
|
-
? createClientAuthError(stateNotFound, "Cached State")
|
|
54
|
-
: createClientAuthError(stateNotFound, "Server State");
|
|
55
|
-
}
|
|
56
|
-
let decodedServerResponseState;
|
|
57
|
-
let decodedRequestState;
|
|
58
|
-
try {
|
|
59
|
-
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
60
|
-
}
|
|
61
|
-
catch (e) {
|
|
62
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
63
|
-
}
|
|
64
|
-
try {
|
|
65
|
-
decodedRequestState = decodeURIComponent(requestState);
|
|
66
|
-
}
|
|
67
|
-
catch (e) {
|
|
68
|
-
throw createClientAuthError(invalidState, serverResponse.state);
|
|
69
|
-
}
|
|
70
|
-
if (decodedServerResponseState !== decodedRequestState) {
|
|
71
|
-
throw createClientAuthError(stateMismatch);
|
|
72
|
-
}
|
|
73
|
-
// Check for error
|
|
74
|
-
if (serverResponse.error ||
|
|
75
|
-
serverResponse.error_description ||
|
|
76
|
-
serverResponse.suberror) {
|
|
77
|
-
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
78
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
79
|
-
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
80
|
-
}
|
|
81
|
-
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
82
|
-
}
|
|
83
|
-
}
|
|
84
|
-
/**
|
|
85
|
-
* Function which validates server authorization token response.
|
|
86
|
-
* @param serverResponse
|
|
87
|
-
* @param refreshAccessToken
|
|
88
|
-
*/
|
|
89
|
-
validateTokenResponse(serverResponse, refreshAccessToken) {
|
|
90
|
-
// Check for error
|
|
91
|
-
if (serverResponse.error ||
|
|
92
|
-
serverResponse.error_description ||
|
|
93
|
-
serverResponse.suberror) {
|
|
94
|
-
const errString = `Error(s): ${serverResponse.error_codes || Constants.NOT_AVAILABLE} - Timestamp: ${serverResponse.timestamp || Constants.NOT_AVAILABLE} - Description: ${serverResponse.error_description || Constants.NOT_AVAILABLE} - Correlation ID: ${serverResponse.correlation_id || Constants.NOT_AVAILABLE} - Trace ID: ${serverResponse.trace_id || Constants.NOT_AVAILABLE}`;
|
|
95
|
-
const serverErrorNo = serverResponse.error_codes?.length
|
|
96
|
-
? serverResponse.error_codes[0]
|
|
97
|
-
: undefined;
|
|
98
|
-
const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
99
|
-
// check if 500 error
|
|
100
|
-
if (refreshAccessToken &&
|
|
101
|
-
serverResponse.status &&
|
|
102
|
-
serverResponse.status >= HttpStatus.SERVER_ERROR_RANGE_START &&
|
|
103
|
-
serverResponse.status <= HttpStatus.SERVER_ERROR_RANGE_END) {
|
|
104
|
-
this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently unavailable and the access token is unable to be refreshed.\n${serverError}`);
|
|
105
|
-
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
106
|
-
return;
|
|
107
|
-
// check if 400 error
|
|
108
|
-
}
|
|
109
|
-
else if (refreshAccessToken &&
|
|
110
|
-
serverResponse.status &&
|
|
111
|
-
serverResponse.status >= HttpStatus.CLIENT_ERROR_RANGE_START &&
|
|
112
|
-
serverResponse.status <= HttpStatus.CLIENT_ERROR_RANGE_END) {
|
|
113
|
-
this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently available but is unable to refresh the access token.\n${serverError}`);
|
|
114
|
-
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
115
|
-
return;
|
|
116
|
-
}
|
|
117
|
-
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
118
|
-
throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || Constants.EMPTY_STRING, serverResponse.trace_id || Constants.EMPTY_STRING, serverResponse.correlation_id || Constants.EMPTY_STRING, serverResponse.claims || Constants.EMPTY_STRING, serverErrorNo);
|
|
119
|
-
}
|
|
120
|
-
throw serverError;
|
|
121
|
-
}
|
|
122
|
-
}
|
|
123
|
-
/**
|
|
124
|
-
* Returns a constructed token response based on given string. Also manages the cache updates and cleanups.
|
|
125
|
-
* @param serverTokenResponse
|
|
126
|
-
* @param authority
|
|
127
|
-
*/
|
|
128
|
-
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
|
|
129
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
|
|
130
|
-
// create an idToken object (not entity)
|
|
131
|
-
let idTokenClaims;
|
|
132
|
-
if (serverTokenResponse.id_token) {
|
|
133
|
-
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || Constants.EMPTY_STRING, this.cryptoObj.base64Decode);
|
|
134
|
-
// token nonce check (TODO: Add a warning if no nonce is given?)
|
|
135
|
-
if (authCodePayload && authCodePayload.nonce) {
|
|
136
|
-
if (idTokenClaims.nonce !== authCodePayload.nonce) {
|
|
137
|
-
throw createClientAuthError(nonceMismatch);
|
|
138
|
-
}
|
|
139
|
-
}
|
|
140
|
-
// token max_age check
|
|
141
|
-
if (request.maxAge || request.maxAge === 0) {
|
|
142
|
-
const authTime = idTokenClaims.auth_time;
|
|
143
|
-
if (!authTime) {
|
|
144
|
-
throw createClientAuthError(authTimeNotFound);
|
|
145
|
-
}
|
|
146
|
-
checkMaxAge(authTime, request.maxAge);
|
|
147
|
-
}
|
|
148
|
-
}
|
|
149
|
-
// generate homeAccountId
|
|
150
|
-
this.homeAccountIdentifier = AccountEntity.generateHomeAccountId(serverTokenResponse.client_info || Constants.EMPTY_STRING, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
|
|
151
|
-
// save the response tokens
|
|
152
|
-
let requestStateObj;
|
|
153
|
-
if (!!authCodePayload && !!authCodePayload.state) {
|
|
154
|
-
requestStateObj = ProtocolUtils.parseRequestState(this.cryptoObj, authCodePayload.state);
|
|
155
|
-
}
|
|
156
|
-
// Add keyId from request to serverTokenResponse if defined
|
|
157
|
-
serverTokenResponse.key_id =
|
|
158
|
-
serverTokenResponse.key_id || request.sshKid || undefined;
|
|
159
|
-
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
|
|
160
|
-
let cacheContext;
|
|
161
|
-
try {
|
|
162
|
-
if (this.persistencePlugin && this.serializableCache) {
|
|
163
|
-
this.logger.verbose("Persistence enabled, calling beforeCacheAccess");
|
|
164
|
-
cacheContext = new TokenCacheContext(this.serializableCache, true);
|
|
165
|
-
await this.persistencePlugin.beforeCacheAccess(cacheContext);
|
|
166
|
-
}
|
|
167
|
-
/*
|
|
168
|
-
* When saving a refreshed tokens to the cache, it is expected that the account that was used is present in the cache.
|
|
169
|
-
* If not present, we should return null, as it's the case that another application called removeAccount in between
|
|
170
|
-
* the calls to getAllAccounts and acquireTokenSilent. We should not overwrite that removal, unless explicitly flagged by
|
|
171
|
-
* the developer, as in the case of refresh token flow used in ADAL Node to MSAL Node migration.
|
|
172
|
-
*/
|
|
173
|
-
if (handlingRefreshTokenResponse &&
|
|
174
|
-
!forceCacheRefreshTokenResponse &&
|
|
175
|
-
cacheRecord.account) {
|
|
176
|
-
const key = cacheRecord.account.generateAccountKey();
|
|
177
|
-
const account = this.cacheStorage.getAccount(key, this.logger);
|
|
178
|
-
if (!account) {
|
|
179
|
-
this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
|
|
180
|
-
return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
|
|
181
|
-
}
|
|
182
|
-
}
|
|
183
|
-
await this.cacheStorage.saveCacheRecord(cacheRecord, request.storeInCache, request.correlationId);
|
|
184
|
-
}
|
|
185
|
-
finally {
|
|
186
|
-
if (this.persistencePlugin &&
|
|
187
|
-
this.serializableCache &&
|
|
188
|
-
cacheContext) {
|
|
189
|
-
this.logger.verbose("Persistence enabled, calling afterCacheAccess");
|
|
190
|
-
await this.persistencePlugin.afterCacheAccess(cacheContext);
|
|
191
|
-
}
|
|
192
|
-
}
|
|
193
|
-
return ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, serverTokenResponse, serverRequestId);
|
|
194
|
-
}
|
|
195
|
-
/**
|
|
196
|
-
* Generates CacheRecord
|
|
197
|
-
* @param serverTokenResponse
|
|
198
|
-
* @param idTokenObj
|
|
199
|
-
* @param authority
|
|
200
|
-
*/
|
|
201
|
-
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
|
|
202
|
-
const env = authority.getPreferredCache();
|
|
203
|
-
if (!env) {
|
|
204
|
-
throw createClientAuthError(invalidCacheEnvironment);
|
|
205
|
-
}
|
|
206
|
-
const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
|
|
207
|
-
// IdToken: non AAD scenarios can have empty realm
|
|
208
|
-
let cachedIdToken;
|
|
209
|
-
let cachedAccount;
|
|
210
|
-
if (serverTokenResponse.id_token && !!idTokenClaims) {
|
|
211
|
-
cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
|
|
212
|
-
cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
|
|
213
|
-
this.logger);
|
|
214
|
-
}
|
|
215
|
-
// AccessToken
|
|
216
|
-
let cachedAccessToken = null;
|
|
217
|
-
if (serverTokenResponse.access_token) {
|
|
218
|
-
// If scopes not returned in server response, use request scopes
|
|
219
|
-
const responseScopes = serverTokenResponse.scope
|
|
220
|
-
? ScopeSet.fromString(serverTokenResponse.scope)
|
|
221
|
-
: new ScopeSet(request.scopes || []);
|
|
222
|
-
/*
|
|
223
|
-
* Use timestamp calculated before request
|
|
224
|
-
* Server may return timestamps as strings, parse to numbers if so.
|
|
225
|
-
*/
|
|
226
|
-
const expiresIn = (typeof serverTokenResponse.expires_in === "string"
|
|
227
|
-
? parseInt(serverTokenResponse.expires_in, 10)
|
|
228
|
-
: serverTokenResponse.expires_in) || 0;
|
|
229
|
-
const extExpiresIn = (typeof serverTokenResponse.ext_expires_in === "string"
|
|
230
|
-
? parseInt(serverTokenResponse.ext_expires_in, 10)
|
|
231
|
-
: serverTokenResponse.ext_expires_in) || 0;
|
|
232
|
-
const refreshIn = (typeof serverTokenResponse.refresh_in === "string"
|
|
233
|
-
? parseInt(serverTokenResponse.refresh_in, 10)
|
|
234
|
-
: serverTokenResponse.refresh_in) || undefined;
|
|
235
|
-
const tokenExpirationSeconds = reqTimestamp + expiresIn;
|
|
236
|
-
const extendedTokenExpirationSeconds = tokenExpirationSeconds + extExpiresIn;
|
|
237
|
-
const refreshOnSeconds = refreshIn && refreshIn > 0
|
|
238
|
-
? reqTimestamp + refreshIn
|
|
239
|
-
: undefined;
|
|
240
|
-
// non AAD scenarios can have empty realm
|
|
241
|
-
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, request.claims, request.requestedClaimsHash);
|
|
242
|
-
}
|
|
243
|
-
// refreshToken
|
|
244
|
-
let cachedRefreshToken = null;
|
|
245
|
-
if (serverTokenResponse.refresh_token) {
|
|
246
|
-
let rtExpiresOn;
|
|
247
|
-
if (serverTokenResponse.refresh_token_expires_in) {
|
|
248
|
-
const rtExpiresIn = typeof serverTokenResponse.refresh_token_expires_in ===
|
|
249
|
-
"string"
|
|
250
|
-
? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
|
|
251
|
-
: serverTokenResponse.refresh_token_expires_in;
|
|
252
|
-
rtExpiresOn = reqTimestamp + rtExpiresIn;
|
|
253
|
-
}
|
|
254
|
-
cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
|
|
255
|
-
}
|
|
256
|
-
// appMetadata
|
|
257
|
-
let cachedAppMetadata = null;
|
|
258
|
-
if (serverTokenResponse.foci) {
|
|
259
|
-
cachedAppMetadata = {
|
|
260
|
-
clientId: this.clientId,
|
|
261
|
-
environment: env,
|
|
262
|
-
familyId: serverTokenResponse.foci,
|
|
263
|
-
};
|
|
264
|
-
}
|
|
265
|
-
return {
|
|
266
|
-
account: cachedAccount,
|
|
267
|
-
idToken: cachedIdToken,
|
|
268
|
-
accessToken: cachedAccessToken,
|
|
269
|
-
refreshToken: cachedRefreshToken,
|
|
270
|
-
appMetadata: cachedAppMetadata,
|
|
271
|
-
};
|
|
272
|
-
}
|
|
273
|
-
/**
|
|
274
|
-
* Creates an @AuthenticationResult from @CacheRecord , @IdToken , and a boolean that states whether or not the result is from cache.
|
|
275
|
-
*
|
|
276
|
-
* Optionally takes a state string that is set as-is in the response.
|
|
277
|
-
*
|
|
278
|
-
* @param cacheRecord
|
|
279
|
-
* @param idTokenObj
|
|
280
|
-
* @param fromTokenCache
|
|
281
|
-
* @param stateString
|
|
282
|
-
*/
|
|
283
|
-
static async generateAuthenticationResult(cryptoObj, authority, cacheRecord, fromTokenCache, request, idTokenClaims, requestState, serverTokenResponse, requestId) {
|
|
284
|
-
let accessToken = Constants.EMPTY_STRING;
|
|
285
|
-
let responseScopes = [];
|
|
286
|
-
let expiresOn = null;
|
|
287
|
-
let extExpiresOn;
|
|
288
|
-
let refreshOn;
|
|
289
|
-
let familyId = Constants.EMPTY_STRING;
|
|
290
|
-
if (cacheRecord.accessToken) {
|
|
291
|
-
/*
|
|
292
|
-
* if the request object has `popKid` property, `signPopToken` will be set to false and
|
|
293
|
-
* the token will be returned unsigned
|
|
294
|
-
*/
|
|
295
|
-
if (cacheRecord.accessToken.tokenType ===
|
|
296
|
-
AuthenticationScheme.POP &&
|
|
297
|
-
!request.popKid) {
|
|
298
|
-
const popTokenGenerator = new PopTokenGenerator(cryptoObj);
|
|
299
|
-
const { secret, keyId } = cacheRecord.accessToken;
|
|
300
|
-
if (!keyId) {
|
|
301
|
-
throw createClientAuthError(keyIdMissing);
|
|
302
|
-
}
|
|
303
|
-
accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
|
|
304
|
-
}
|
|
305
|
-
else {
|
|
306
|
-
accessToken = cacheRecord.accessToken.secret;
|
|
307
|
-
}
|
|
308
|
-
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
309
|
-
expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
|
|
310
|
-
extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
|
|
311
|
-
if (cacheRecord.accessToken.refreshOn) {
|
|
312
|
-
refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
|
|
313
|
-
}
|
|
314
|
-
}
|
|
315
|
-
if (cacheRecord.appMetadata) {
|
|
316
|
-
familyId =
|
|
317
|
-
cacheRecord.appMetadata.familyId === THE_FAMILY_ID
|
|
318
|
-
? THE_FAMILY_ID
|
|
319
|
-
: "";
|
|
320
|
-
}
|
|
321
|
-
const uid = idTokenClaims?.oid || idTokenClaims?.sub || "";
|
|
322
|
-
const tid = idTokenClaims?.tid || "";
|
|
323
|
-
// for hybrid + native bridge enablement, send back the native account Id
|
|
324
|
-
if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
|
|
325
|
-
cacheRecord.account.nativeAccountId =
|
|
326
|
-
serverTokenResponse?.spa_accountid;
|
|
327
|
-
}
|
|
328
|
-
const accountInfo = cacheRecord.account
|
|
329
|
-
? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
|
|
330
|
-
idTokenClaims, cacheRecord.idToken?.secret)
|
|
331
|
-
: null;
|
|
332
|
-
return {
|
|
333
|
-
authority: authority.canonicalAuthority,
|
|
334
|
-
uniqueId: uid,
|
|
335
|
-
tenantId: tid,
|
|
336
|
-
scopes: responseScopes,
|
|
337
|
-
account: accountInfo,
|
|
338
|
-
idToken: cacheRecord?.idToken?.secret || "",
|
|
339
|
-
idTokenClaims: idTokenClaims || {},
|
|
340
|
-
accessToken: accessToken,
|
|
341
|
-
fromCache: fromTokenCache,
|
|
342
|
-
expiresOn: expiresOn,
|
|
343
|
-
extExpiresOn: extExpiresOn,
|
|
344
|
-
refreshOn: refreshOn,
|
|
345
|
-
correlationId: request.correlationId,
|
|
346
|
-
requestId: requestId || Constants.EMPTY_STRING,
|
|
347
|
-
familyId: familyId,
|
|
348
|
-
tokenType: cacheRecord.accessToken?.tokenType || Constants.EMPTY_STRING,
|
|
349
|
-
state: requestState
|
|
350
|
-
? requestState.userRequestState
|
|
351
|
-
: Constants.EMPTY_STRING,
|
|
352
|
-
cloudGraphHostName: cacheRecord.account?.cloudGraphHostName ||
|
|
353
|
-
Constants.EMPTY_STRING,
|
|
354
|
-
msGraphHost: cacheRecord.account?.msGraphHost || Constants.EMPTY_STRING,
|
|
355
|
-
code: serverTokenResponse?.spa_code,
|
|
356
|
-
fromNativeBroker: false,
|
|
357
|
-
};
|
|
358
|
-
}
|
|
359
|
-
}
|
|
360
|
-
function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
|
|
361
|
-
logger?.verbose("setCachedAccount called");
|
|
362
|
-
// Check if base account is already cached
|
|
363
|
-
const accountKeys = cacheStorage.getAccountKeys();
|
|
364
|
-
const baseAccountKey = accountKeys.find((accountKey) => {
|
|
365
|
-
return accountKey.startsWith(homeAccountId);
|
|
366
|
-
});
|
|
367
|
-
let cachedAccount = null;
|
|
368
|
-
if (baseAccountKey) {
|
|
369
|
-
cachedAccount = cacheStorage.getAccount(baseAccountKey, logger);
|
|
370
|
-
}
|
|
371
|
-
const baseAccount = cachedAccount ||
|
|
372
|
-
AccountEntity.createAccount({
|
|
373
|
-
homeAccountId,
|
|
374
|
-
idTokenClaims,
|
|
375
|
-
clientInfo,
|
|
376
|
-
environment,
|
|
377
|
-
cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
|
|
378
|
-
msGraphHost: authCodePayload?.msgraph_host,
|
|
379
|
-
nativeAccountId: nativeAccountId,
|
|
380
|
-
}, authority, base64Decode);
|
|
381
|
-
const tenantProfiles = baseAccount.tenantProfiles || [];
|
|
382
|
-
const tenantId = claimsTenantId || baseAccount.realm;
|
|
383
|
-
if (tenantId &&
|
|
384
|
-
!tenantProfiles.find((tenantProfile) => {
|
|
385
|
-
return tenantProfile.tenantId === tenantId;
|
|
386
|
-
})) {
|
|
387
|
-
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
|
|
388
|
-
tenantProfiles.push(newTenantProfile);
|
|
389
|
-
}
|
|
390
|
-
baseAccount.tenantProfiles = tenantProfiles;
|
|
391
|
-
return baseAccount;
|
|
19
|
+
/*
|
|
20
|
+
* Copyright (c) Microsoft Corporation. All rights reserved.
|
|
21
|
+
* Licensed under the MIT License.
|
|
22
|
+
*/
|
|
23
|
+
function parseServerErrorNo(serverResponse) {
|
|
24
|
+
const errorCodePrefix = "code=";
|
|
25
|
+
const errorCodePrefixIndex = serverResponse.error_uri?.lastIndexOf(errorCodePrefix);
|
|
26
|
+
return errorCodePrefixIndex && errorCodePrefixIndex >= 0
|
|
27
|
+
? serverResponse.error_uri?.substring(errorCodePrefixIndex + errorCodePrefix.length)
|
|
28
|
+
: undefined;
|
|
29
|
+
}
|
|
30
|
+
/**
|
|
31
|
+
* Class that handles response parsing.
|
|
32
|
+
* @internal
|
|
33
|
+
*/
|
|
34
|
+
class ResponseHandler {
|
|
35
|
+
constructor(clientId, cacheStorage, cryptoObj, logger, serializableCache, persistencePlugin, performanceClient) {
|
|
36
|
+
this.clientId = clientId;
|
|
37
|
+
this.cacheStorage = cacheStorage;
|
|
38
|
+
this.cryptoObj = cryptoObj;
|
|
39
|
+
this.logger = logger;
|
|
40
|
+
this.serializableCache = serializableCache;
|
|
41
|
+
this.persistencePlugin = persistencePlugin;
|
|
42
|
+
this.performanceClient = performanceClient;
|
|
43
|
+
}
|
|
44
|
+
/**
|
|
45
|
+
* Function which validates server authorization code response.
|
|
46
|
+
* @param serverResponseHash
|
|
47
|
+
* @param requestState
|
|
48
|
+
* @param cryptoObj
|
|
49
|
+
*/
|
|
50
|
+
validateServerAuthorizationCodeResponse(serverResponse, requestState) {
|
|
51
|
+
if (!serverResponse.state || !requestState) {
|
|
52
|
+
throw serverResponse.state
|
|
53
|
+
? createClientAuthError(stateNotFound, "Cached State")
|
|
54
|
+
: createClientAuthError(stateNotFound, "Server State");
|
|
55
|
+
}
|
|
56
|
+
let decodedServerResponseState;
|
|
57
|
+
let decodedRequestState;
|
|
58
|
+
try {
|
|
59
|
+
decodedServerResponseState = decodeURIComponent(serverResponse.state);
|
|
60
|
+
}
|
|
61
|
+
catch (e) {
|
|
62
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
63
|
+
}
|
|
64
|
+
try {
|
|
65
|
+
decodedRequestState = decodeURIComponent(requestState);
|
|
66
|
+
}
|
|
67
|
+
catch (e) {
|
|
68
|
+
throw createClientAuthError(invalidState, serverResponse.state);
|
|
69
|
+
}
|
|
70
|
+
if (decodedServerResponseState !== decodedRequestState) {
|
|
71
|
+
throw createClientAuthError(stateMismatch);
|
|
72
|
+
}
|
|
73
|
+
// Check for error
|
|
74
|
+
if (serverResponse.error ||
|
|
75
|
+
serverResponse.error_description ||
|
|
76
|
+
serverResponse.suberror) {
|
|
77
|
+
const serverErrorNo = parseServerErrorNo(serverResponse);
|
|
78
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
79
|
+
throw new InteractionRequiredAuthError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || "", serverResponse.trace_id || "", serverResponse.correlation_id || "", serverResponse.claims || "", serverErrorNo);
|
|
80
|
+
}
|
|
81
|
+
throw new ServerError(serverResponse.error || "", serverResponse.error_description, serverResponse.suberror, serverErrorNo);
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
/**
|
|
85
|
+
* Function which validates server authorization token response.
|
|
86
|
+
* @param serverResponse
|
|
87
|
+
* @param refreshAccessToken
|
|
88
|
+
*/
|
|
89
|
+
validateTokenResponse(serverResponse, refreshAccessToken) {
|
|
90
|
+
// Check for error
|
|
91
|
+
if (serverResponse.error ||
|
|
92
|
+
serverResponse.error_description ||
|
|
93
|
+
serverResponse.suberror) {
|
|
94
|
+
const errString = `Error(s): ${serverResponse.error_codes || Constants.NOT_AVAILABLE} - Timestamp: ${serverResponse.timestamp || Constants.NOT_AVAILABLE} - Description: ${serverResponse.error_description || Constants.NOT_AVAILABLE} - Correlation ID: ${serverResponse.correlation_id || Constants.NOT_AVAILABLE} - Trace ID: ${serverResponse.trace_id || Constants.NOT_AVAILABLE}`;
|
|
95
|
+
const serverErrorNo = serverResponse.error_codes?.length
|
|
96
|
+
? serverResponse.error_codes[0]
|
|
97
|
+
: undefined;
|
|
98
|
+
const serverError = new ServerError(serverResponse.error, errString, serverResponse.suberror, serverErrorNo, serverResponse.status);
|
|
99
|
+
// check if 500 error
|
|
100
|
+
if (refreshAccessToken &&
|
|
101
|
+
serverResponse.status &&
|
|
102
|
+
serverResponse.status >= HttpStatus.SERVER_ERROR_RANGE_START &&
|
|
103
|
+
serverResponse.status <= HttpStatus.SERVER_ERROR_RANGE_END) {
|
|
104
|
+
this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently unavailable and the access token is unable to be refreshed.\n${serverError}`);
|
|
105
|
+
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
106
|
+
return;
|
|
107
|
+
// check if 400 error
|
|
108
|
+
}
|
|
109
|
+
else if (refreshAccessToken &&
|
|
110
|
+
serverResponse.status &&
|
|
111
|
+
serverResponse.status >= HttpStatus.CLIENT_ERROR_RANGE_START &&
|
|
112
|
+
serverResponse.status <= HttpStatus.CLIENT_ERROR_RANGE_END) {
|
|
113
|
+
this.logger.warning(`executeTokenRequest:validateTokenResponse - AAD is currently available but is unable to refresh the access token.\n${serverError}`);
|
|
114
|
+
// don't throw an exception, but alert the user via a log that the token was unable to be refreshed
|
|
115
|
+
return;
|
|
116
|
+
}
|
|
117
|
+
if (isInteractionRequiredError(serverResponse.error, serverResponse.error_description, serverResponse.suberror)) {
|
|
118
|
+
throw new InteractionRequiredAuthError(serverResponse.error, serverResponse.error_description, serverResponse.suberror, serverResponse.timestamp || Constants.EMPTY_STRING, serverResponse.trace_id || Constants.EMPTY_STRING, serverResponse.correlation_id || Constants.EMPTY_STRING, serverResponse.claims || Constants.EMPTY_STRING, serverErrorNo);
|
|
119
|
+
}
|
|
120
|
+
throw serverError;
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
/**
|
|
124
|
+
* Returns a constructed token response based on given string. Also manages the cache updates and cleanups.
|
|
125
|
+
* @param serverTokenResponse
|
|
126
|
+
* @param authority
|
|
127
|
+
*/
|
|
128
|
+
async handleServerTokenResponse(serverTokenResponse, authority, reqTimestamp, request, authCodePayload, userAssertionHash, handlingRefreshTokenResponse, forceCacheRefreshTokenResponse, serverRequestId) {
|
|
129
|
+
this.performanceClient?.addQueueMeasurement(PerformanceEvents.HandleServerTokenResponse, serverTokenResponse.correlation_id);
|
|
130
|
+
// create an idToken object (not entity)
|
|
131
|
+
let idTokenClaims;
|
|
132
|
+
if (serverTokenResponse.id_token) {
|
|
133
|
+
idTokenClaims = extractTokenClaims(serverTokenResponse.id_token || Constants.EMPTY_STRING, this.cryptoObj.base64Decode);
|
|
134
|
+
// token nonce check (TODO: Add a warning if no nonce is given?)
|
|
135
|
+
if (authCodePayload && authCodePayload.nonce) {
|
|
136
|
+
if (idTokenClaims.nonce !== authCodePayload.nonce) {
|
|
137
|
+
throw createClientAuthError(nonceMismatch);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
// token max_age check
|
|
141
|
+
if (request.maxAge || request.maxAge === 0) {
|
|
142
|
+
const authTime = idTokenClaims.auth_time;
|
|
143
|
+
if (!authTime) {
|
|
144
|
+
throw createClientAuthError(authTimeNotFound);
|
|
145
|
+
}
|
|
146
|
+
checkMaxAge(authTime, request.maxAge);
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
// generate homeAccountId
|
|
150
|
+
this.homeAccountIdentifier = AccountEntity.generateHomeAccountId(serverTokenResponse.client_info || Constants.EMPTY_STRING, authority.authorityType, this.logger, this.cryptoObj, idTokenClaims);
|
|
151
|
+
// save the response tokens
|
|
152
|
+
let requestStateObj;
|
|
153
|
+
if (!!authCodePayload && !!authCodePayload.state) {
|
|
154
|
+
requestStateObj = ProtocolUtils.parseRequestState(this.cryptoObj, authCodePayload.state);
|
|
155
|
+
}
|
|
156
|
+
// Add keyId from request to serverTokenResponse if defined
|
|
157
|
+
serverTokenResponse.key_id =
|
|
158
|
+
serverTokenResponse.key_id || request.sshKid || undefined;
|
|
159
|
+
const cacheRecord = this.generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload);
|
|
160
|
+
let cacheContext;
|
|
161
|
+
try {
|
|
162
|
+
if (this.persistencePlugin && this.serializableCache) {
|
|
163
|
+
this.logger.verbose("Persistence enabled, calling beforeCacheAccess");
|
|
164
|
+
cacheContext = new TokenCacheContext(this.serializableCache, true);
|
|
165
|
+
await this.persistencePlugin.beforeCacheAccess(cacheContext);
|
|
166
|
+
}
|
|
167
|
+
/*
|
|
168
|
+
* When saving a refreshed tokens to the cache, it is expected that the account that was used is present in the cache.
|
|
169
|
+
* If not present, we should return null, as it's the case that another application called removeAccount in between
|
|
170
|
+
* the calls to getAllAccounts and acquireTokenSilent. We should not overwrite that removal, unless explicitly flagged by
|
|
171
|
+
* the developer, as in the case of refresh token flow used in ADAL Node to MSAL Node migration.
|
|
172
|
+
*/
|
|
173
|
+
if (handlingRefreshTokenResponse &&
|
|
174
|
+
!forceCacheRefreshTokenResponse &&
|
|
175
|
+
cacheRecord.account) {
|
|
176
|
+
const key = cacheRecord.account.generateAccountKey();
|
|
177
|
+
const account = this.cacheStorage.getAccount(key, this.logger);
|
|
178
|
+
if (!account) {
|
|
179
|
+
this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
|
|
180
|
+
return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
|
|
181
|
+
}
|
|
182
|
+
}
|
|
183
|
+
await this.cacheStorage.saveCacheRecord(cacheRecord, request.storeInCache, request.correlationId);
|
|
184
|
+
}
|
|
185
|
+
finally {
|
|
186
|
+
if (this.persistencePlugin &&
|
|
187
|
+
this.serializableCache &&
|
|
188
|
+
cacheContext) {
|
|
189
|
+
this.logger.verbose("Persistence enabled, calling afterCacheAccess");
|
|
190
|
+
await this.persistencePlugin.afterCacheAccess(cacheContext);
|
|
191
|
+
}
|
|
192
|
+
}
|
|
193
|
+
return ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, serverTokenResponse, serverRequestId);
|
|
194
|
+
}
|
|
195
|
+
/**
|
|
196
|
+
* Generates CacheRecord
|
|
197
|
+
* @param serverTokenResponse
|
|
198
|
+
* @param idTokenObj
|
|
199
|
+
* @param authority
|
|
200
|
+
*/
|
|
201
|
+
generateCacheRecord(serverTokenResponse, authority, reqTimestamp, request, idTokenClaims, userAssertionHash, authCodePayload) {
|
|
202
|
+
const env = authority.getPreferredCache();
|
|
203
|
+
if (!env) {
|
|
204
|
+
throw createClientAuthError(invalidCacheEnvironment);
|
|
205
|
+
}
|
|
206
|
+
const claimsTenantId = getTenantIdFromIdTokenClaims(idTokenClaims);
|
|
207
|
+
// IdToken: non AAD scenarios can have empty realm
|
|
208
|
+
let cachedIdToken;
|
|
209
|
+
let cachedAccount;
|
|
210
|
+
if (serverTokenResponse.id_token && !!idTokenClaims) {
|
|
211
|
+
cachedIdToken = createIdTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.id_token, this.clientId, claimsTenantId || "");
|
|
212
|
+
cachedAccount = buildAccountToCache(this.cacheStorage, authority, this.homeAccountIdentifier, this.cryptoObj.base64Decode, idTokenClaims, serverTokenResponse.client_info, env, claimsTenantId, authCodePayload, undefined, // nativeAccountId
|
|
213
|
+
this.logger);
|
|
214
|
+
}
|
|
215
|
+
// AccessToken
|
|
216
|
+
let cachedAccessToken = null;
|
|
217
|
+
if (serverTokenResponse.access_token) {
|
|
218
|
+
// If scopes not returned in server response, use request scopes
|
|
219
|
+
const responseScopes = serverTokenResponse.scope
|
|
220
|
+
? ScopeSet.fromString(serverTokenResponse.scope)
|
|
221
|
+
: new ScopeSet(request.scopes || []);
|
|
222
|
+
/*
|
|
223
|
+
* Use timestamp calculated before request
|
|
224
|
+
* Server may return timestamps as strings, parse to numbers if so.
|
|
225
|
+
*/
|
|
226
|
+
const expiresIn = (typeof serverTokenResponse.expires_in === "string"
|
|
227
|
+
? parseInt(serverTokenResponse.expires_in, 10)
|
|
228
|
+
: serverTokenResponse.expires_in) || 0;
|
|
229
|
+
const extExpiresIn = (typeof serverTokenResponse.ext_expires_in === "string"
|
|
230
|
+
? parseInt(serverTokenResponse.ext_expires_in, 10)
|
|
231
|
+
: serverTokenResponse.ext_expires_in) || 0;
|
|
232
|
+
const refreshIn = (typeof serverTokenResponse.refresh_in === "string"
|
|
233
|
+
? parseInt(serverTokenResponse.refresh_in, 10)
|
|
234
|
+
: serverTokenResponse.refresh_in) || undefined;
|
|
235
|
+
const tokenExpirationSeconds = reqTimestamp + expiresIn;
|
|
236
|
+
const extendedTokenExpirationSeconds = tokenExpirationSeconds + extExpiresIn;
|
|
237
|
+
const refreshOnSeconds = refreshIn && refreshIn > 0
|
|
238
|
+
? reqTimestamp + refreshIn
|
|
239
|
+
: undefined;
|
|
240
|
+
// non AAD scenarios can have empty realm
|
|
241
|
+
cachedAccessToken = createAccessTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.access_token, this.clientId, claimsTenantId || authority.tenant || "", responseScopes.printScopes(), tokenExpirationSeconds, extendedTokenExpirationSeconds, this.cryptoObj.base64Decode, refreshOnSeconds, serverTokenResponse.token_type, userAssertionHash, serverTokenResponse.key_id, request.claims, request.requestedClaimsHash);
|
|
242
|
+
}
|
|
243
|
+
// refreshToken
|
|
244
|
+
let cachedRefreshToken = null;
|
|
245
|
+
if (serverTokenResponse.refresh_token) {
|
|
246
|
+
let rtExpiresOn;
|
|
247
|
+
if (serverTokenResponse.refresh_token_expires_in) {
|
|
248
|
+
const rtExpiresIn = typeof serverTokenResponse.refresh_token_expires_in ===
|
|
249
|
+
"string"
|
|
250
|
+
? parseInt(serverTokenResponse.refresh_token_expires_in, 10)
|
|
251
|
+
: serverTokenResponse.refresh_token_expires_in;
|
|
252
|
+
rtExpiresOn = reqTimestamp + rtExpiresIn;
|
|
253
|
+
}
|
|
254
|
+
cachedRefreshToken = createRefreshTokenEntity(this.homeAccountIdentifier, env, serverTokenResponse.refresh_token, this.clientId, serverTokenResponse.foci, userAssertionHash, rtExpiresOn);
|
|
255
|
+
}
|
|
256
|
+
// appMetadata
|
|
257
|
+
let cachedAppMetadata = null;
|
|
258
|
+
if (serverTokenResponse.foci) {
|
|
259
|
+
cachedAppMetadata = {
|
|
260
|
+
clientId: this.clientId,
|
|
261
|
+
environment: env,
|
|
262
|
+
familyId: serverTokenResponse.foci,
|
|
263
|
+
};
|
|
264
|
+
}
|
|
265
|
+
return {
|
|
266
|
+
account: cachedAccount,
|
|
267
|
+
idToken: cachedIdToken,
|
|
268
|
+
accessToken: cachedAccessToken,
|
|
269
|
+
refreshToken: cachedRefreshToken,
|
|
270
|
+
appMetadata: cachedAppMetadata,
|
|
271
|
+
};
|
|
272
|
+
}
|
|
273
|
+
/**
|
|
274
|
+
* Creates an @AuthenticationResult from @CacheRecord , @IdToken , and a boolean that states whether or not the result is from cache.
|
|
275
|
+
*
|
|
276
|
+
* Optionally takes a state string that is set as-is in the response.
|
|
277
|
+
*
|
|
278
|
+
* @param cacheRecord
|
|
279
|
+
* @param idTokenObj
|
|
280
|
+
* @param fromTokenCache
|
|
281
|
+
* @param stateString
|
|
282
|
+
*/
|
|
283
|
+
static async generateAuthenticationResult(cryptoObj, authority, cacheRecord, fromTokenCache, request, idTokenClaims, requestState, serverTokenResponse, requestId) {
|
|
284
|
+
let accessToken = Constants.EMPTY_STRING;
|
|
285
|
+
let responseScopes = [];
|
|
286
|
+
let expiresOn = null;
|
|
287
|
+
let extExpiresOn;
|
|
288
|
+
let refreshOn;
|
|
289
|
+
let familyId = Constants.EMPTY_STRING;
|
|
290
|
+
if (cacheRecord.accessToken) {
|
|
291
|
+
/*
|
|
292
|
+
* if the request object has `popKid` property, `signPopToken` will be set to false and
|
|
293
|
+
* the token will be returned unsigned
|
|
294
|
+
*/
|
|
295
|
+
if (cacheRecord.accessToken.tokenType ===
|
|
296
|
+
AuthenticationScheme.POP &&
|
|
297
|
+
!request.popKid) {
|
|
298
|
+
const popTokenGenerator = new PopTokenGenerator(cryptoObj);
|
|
299
|
+
const { secret, keyId } = cacheRecord.accessToken;
|
|
300
|
+
if (!keyId) {
|
|
301
|
+
throw createClientAuthError(keyIdMissing);
|
|
302
|
+
}
|
|
303
|
+
accessToken = await popTokenGenerator.signPopToken(secret, keyId, request);
|
|
304
|
+
}
|
|
305
|
+
else {
|
|
306
|
+
accessToken = cacheRecord.accessToken.secret;
|
|
307
|
+
}
|
|
308
|
+
responseScopes = ScopeSet.fromString(cacheRecord.accessToken.target).asArray();
|
|
309
|
+
expiresOn = new Date(Number(cacheRecord.accessToken.expiresOn) * 1000);
|
|
310
|
+
extExpiresOn = new Date(Number(cacheRecord.accessToken.extendedExpiresOn) * 1000);
|
|
311
|
+
if (cacheRecord.accessToken.refreshOn) {
|
|
312
|
+
refreshOn = new Date(Number(cacheRecord.accessToken.refreshOn) * 1000);
|
|
313
|
+
}
|
|
314
|
+
}
|
|
315
|
+
if (cacheRecord.appMetadata) {
|
|
316
|
+
familyId =
|
|
317
|
+
cacheRecord.appMetadata.familyId === THE_FAMILY_ID
|
|
318
|
+
? THE_FAMILY_ID
|
|
319
|
+
: "";
|
|
320
|
+
}
|
|
321
|
+
const uid = idTokenClaims?.oid || idTokenClaims?.sub || "";
|
|
322
|
+
const tid = idTokenClaims?.tid || "";
|
|
323
|
+
// for hybrid + native bridge enablement, send back the native account Id
|
|
324
|
+
if (serverTokenResponse?.spa_accountid && !!cacheRecord.account) {
|
|
325
|
+
cacheRecord.account.nativeAccountId =
|
|
326
|
+
serverTokenResponse?.spa_accountid;
|
|
327
|
+
}
|
|
328
|
+
const accountInfo = cacheRecord.account
|
|
329
|
+
? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
|
|
330
|
+
idTokenClaims, cacheRecord.idToken?.secret)
|
|
331
|
+
: null;
|
|
332
|
+
return {
|
|
333
|
+
authority: authority.canonicalAuthority,
|
|
334
|
+
uniqueId: uid,
|
|
335
|
+
tenantId: tid,
|
|
336
|
+
scopes: responseScopes,
|
|
337
|
+
account: accountInfo,
|
|
338
|
+
idToken: cacheRecord?.idToken?.secret || "",
|
|
339
|
+
idTokenClaims: idTokenClaims || {},
|
|
340
|
+
accessToken: accessToken,
|
|
341
|
+
fromCache: fromTokenCache,
|
|
342
|
+
expiresOn: expiresOn,
|
|
343
|
+
extExpiresOn: extExpiresOn,
|
|
344
|
+
refreshOn: refreshOn,
|
|
345
|
+
correlationId: request.correlationId,
|
|
346
|
+
requestId: requestId || Constants.EMPTY_STRING,
|
|
347
|
+
familyId: familyId,
|
|
348
|
+
tokenType: cacheRecord.accessToken?.tokenType || Constants.EMPTY_STRING,
|
|
349
|
+
state: requestState
|
|
350
|
+
? requestState.userRequestState
|
|
351
|
+
: Constants.EMPTY_STRING,
|
|
352
|
+
cloudGraphHostName: cacheRecord.account?.cloudGraphHostName ||
|
|
353
|
+
Constants.EMPTY_STRING,
|
|
354
|
+
msGraphHost: cacheRecord.account?.msGraphHost || Constants.EMPTY_STRING,
|
|
355
|
+
code: serverTokenResponse?.spa_code,
|
|
356
|
+
fromNativeBroker: false,
|
|
357
|
+
};
|
|
358
|
+
}
|
|
359
|
+
}
|
|
360
|
+
function buildAccountToCache(cacheStorage, authority, homeAccountId, base64Decode, idTokenClaims, clientInfo, environment, claimsTenantId, authCodePayload, nativeAccountId, logger) {
|
|
361
|
+
logger?.verbose("setCachedAccount called");
|
|
362
|
+
// Check if base account is already cached
|
|
363
|
+
const accountKeys = cacheStorage.getAccountKeys();
|
|
364
|
+
const baseAccountKey = accountKeys.find((accountKey) => {
|
|
365
|
+
return accountKey.startsWith(homeAccountId);
|
|
366
|
+
});
|
|
367
|
+
let cachedAccount = null;
|
|
368
|
+
if (baseAccountKey) {
|
|
369
|
+
cachedAccount = cacheStorage.getAccount(baseAccountKey, logger);
|
|
370
|
+
}
|
|
371
|
+
const baseAccount = cachedAccount ||
|
|
372
|
+
AccountEntity.createAccount({
|
|
373
|
+
homeAccountId,
|
|
374
|
+
idTokenClaims,
|
|
375
|
+
clientInfo,
|
|
376
|
+
environment,
|
|
377
|
+
cloudGraphHostName: authCodePayload?.cloud_graph_host_name,
|
|
378
|
+
msGraphHost: authCodePayload?.msgraph_host,
|
|
379
|
+
nativeAccountId: nativeAccountId,
|
|
380
|
+
}, authority, base64Decode);
|
|
381
|
+
const tenantProfiles = baseAccount.tenantProfiles || [];
|
|
382
|
+
const tenantId = claimsTenantId || baseAccount.realm;
|
|
383
|
+
if (tenantId &&
|
|
384
|
+
!tenantProfiles.find((tenantProfile) => {
|
|
385
|
+
return tenantProfile.tenantId === tenantId;
|
|
386
|
+
})) {
|
|
387
|
+
const newTenantProfile = buildTenantProfile(homeAccountId, baseAccount.localAccountId, tenantId, idTokenClaims);
|
|
388
|
+
tenantProfiles.push(newTenantProfile);
|
|
389
|
+
}
|
|
390
|
+
baseAccount.tenantProfiles = tenantProfiles;
|
|
391
|
+
return baseAccount;
|
|
392
392
|
}
|
|
393
393
|
|
|
394
394
|
export { ResponseHandler, buildAccountToCache };
|