@azure/msal-common 15.13.0 → 15.13.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (110) hide show
  1. package/dist/account/AccountInfo.mjs +1 -1
  2. package/dist/account/AuthToken.d.ts +6 -0
  3. package/dist/account/AuthToken.d.ts.map +1 -1
  4. package/dist/account/AuthToken.mjs +22 -2
  5. package/dist/account/AuthToken.mjs.map +1 -1
  6. package/dist/account/CcsCredential.mjs +1 -1
  7. package/dist/account/ClientInfo.mjs +1 -1
  8. package/dist/account/TokenClaims.d.ts +4 -0
  9. package/dist/account/TokenClaims.d.ts.map +1 -1
  10. package/dist/account/TokenClaims.mjs +1 -1
  11. package/dist/account/TokenClaims.mjs.map +1 -1
  12. package/dist/authority/Authority.mjs +1 -1
  13. package/dist/authority/AuthorityFactory.mjs +1 -1
  14. package/dist/authority/AuthorityMetadata.mjs +1 -1
  15. package/dist/authority/AuthorityOptions.mjs +1 -1
  16. package/dist/authority/AuthorityType.mjs +1 -1
  17. package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
  18. package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
  19. package/dist/authority/OpenIdConfigResponse.mjs +1 -1
  20. package/dist/authority/ProtocolMode.mjs +1 -1
  21. package/dist/authority/RegionDiscovery.mjs +1 -1
  22. package/dist/cache/CacheManager.d.ts +7 -6
  23. package/dist/cache/CacheManager.d.ts.map +1 -1
  24. package/dist/cache/CacheManager.mjs +13 -11
  25. package/dist/cache/CacheManager.mjs.map +1 -1
  26. package/dist/cache/entities/AccountEntity.d.ts +2 -2
  27. package/dist/cache/entities/AccountEntity.d.ts.map +1 -1
  28. package/dist/cache/entities/AccountEntity.mjs +13 -13
  29. package/dist/cache/entities/AccountEntity.mjs.map +1 -1
  30. package/dist/cache/interface/ICacheManager.d.ts +16 -5
  31. package/dist/cache/interface/ICacheManager.d.ts.map +1 -1
  32. package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
  33. package/dist/cache/utils/CacheHelpers.mjs +1 -1
  34. package/dist/client/AuthorizationCodeClient.mjs +1 -1
  35. package/dist/client/BaseClient.mjs +1 -1
  36. package/dist/client/RefreshTokenClient.mjs +1 -1
  37. package/dist/client/SilentFlowClient.mjs +1 -1
  38. package/dist/config/ClientConfiguration.mjs +1 -1
  39. package/dist/constants/AADServerParamKeys.mjs +1 -1
  40. package/dist/crypto/ICrypto.mjs +1 -1
  41. package/dist/crypto/JoseHeader.mjs +1 -1
  42. package/dist/crypto/PopTokenGenerator.mjs +1 -1
  43. package/dist/error/AuthError.mjs +1 -1
  44. package/dist/error/AuthErrorCodes.mjs +1 -1
  45. package/dist/error/CacheError.mjs +1 -1
  46. package/dist/error/CacheErrorCodes.mjs +1 -1
  47. package/dist/error/ClientAuthError.mjs +1 -1
  48. package/dist/error/ClientAuthErrorCodes.mjs +1 -1
  49. package/dist/error/ClientConfigurationError.mjs +1 -1
  50. package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
  51. package/dist/error/InteractionRequiredAuthError.mjs +1 -1
  52. package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
  53. package/dist/error/JoseHeaderError.mjs +1 -1
  54. package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
  55. package/dist/error/NetworkError.mjs +1 -1
  56. package/dist/error/ServerError.mjs +1 -1
  57. package/dist/index-browser.mjs +1 -1
  58. package/dist/index-node.mjs +1 -1
  59. package/dist/index.mjs +1 -1
  60. package/dist/logger/Logger.mjs +1 -1
  61. package/dist/network/INetworkModule.mjs +1 -1
  62. package/dist/network/RequestThumbprint.mjs +1 -1
  63. package/dist/network/ThrottlingUtils.mjs +1 -1
  64. package/dist/packageMetadata.d.ts +1 -1
  65. package/dist/packageMetadata.mjs +2 -2
  66. package/dist/protocol/Authorize.mjs +1 -1
  67. package/dist/request/AuthenticationHeaderParser.mjs +1 -1
  68. package/dist/request/RequestParameterBuilder.mjs +1 -1
  69. package/dist/request/ScopeSet.mjs +1 -1
  70. package/dist/response/ResponseHandler.d.ts.map +1 -1
  71. package/dist/response/ResponseHandler.mjs +5 -5
  72. package/dist/response/ResponseHandler.mjs.map +1 -1
  73. package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
  74. package/dist/telemetry/performance/PerformanceEvent.mjs +1 -1
  75. package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
  76. package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
  77. package/dist/url/UrlString.mjs +1 -1
  78. package/dist/utils/ClientAssertionUtils.mjs +1 -1
  79. package/dist/utils/Constants.mjs +1 -1
  80. package/dist/utils/FunctionWrappers.mjs +1 -1
  81. package/dist/utils/ProtocolUtils.mjs +1 -1
  82. package/dist/utils/StringUtils.mjs +1 -1
  83. package/dist/utils/TimeUtils.mjs +1 -1
  84. package/dist/utils/UrlUtils.mjs +1 -1
  85. package/lib/index-browser.cjs +2 -2
  86. package/lib/{index-node-D8Iaiqq3.js → index-node-DhUjlPuB.js} +402 -380
  87. package/lib/index-node-DhUjlPuB.js.map +1 -0
  88. package/lib/index-node.cjs +2 -2
  89. package/lib/index.cjs +2 -2
  90. package/lib/types/account/AuthToken.d.ts +6 -0
  91. package/lib/types/account/AuthToken.d.ts.map +1 -1
  92. package/lib/types/account/TokenClaims.d.ts +4 -0
  93. package/lib/types/account/TokenClaims.d.ts.map +1 -1
  94. package/lib/types/cache/CacheManager.d.ts +7 -6
  95. package/lib/types/cache/CacheManager.d.ts.map +1 -1
  96. package/lib/types/cache/entities/AccountEntity.d.ts +2 -2
  97. package/lib/types/cache/entities/AccountEntity.d.ts.map +1 -1
  98. package/lib/types/cache/interface/ICacheManager.d.ts +16 -5
  99. package/lib/types/cache/interface/ICacheManager.d.ts.map +1 -1
  100. package/lib/types/packageMetadata.d.ts +1 -1
  101. package/lib/types/response/ResponseHandler.d.ts.map +1 -1
  102. package/package.json +1 -1
  103. package/src/account/AuthToken.ts +23 -0
  104. package/src/account/TokenClaims.ts +4 -0
  105. package/src/cache/CacheManager.ts +23 -13
  106. package/src/cache/entities/AccountEntity.ts +13 -13
  107. package/src/cache/interface/ICacheManager.ts +23 -4
  108. package/src/packageMetadata.ts +1 -1
  109. package/src/response/ResponseHandler.ts +8 -3
  110. package/lib/index-node-D8Iaiqq3.js.map +0 -1
@@ -1,4 +1,4 @@
1
- /*! @azure/msal-common v15.13.0 2025-09-24 */
1
+ /*! @azure/msal-common v15.13.1 2025-10-29 */
2
2
  'use strict';
3
3
  'use strict';
4
4
 
@@ -754,6 +754,26 @@ function extractTokenClaims(encodedToken, base64Decode) {
754
754
  throw createClientAuthError(tokenParsingError);
755
755
  }
756
756
  }
757
+ /**
758
+ * Check if the signin_state claim contains "kmsi"
759
+ * @param idTokenClaims
760
+ * @returns
761
+ */
762
+ function isKmsi(idTokenClaims) {
763
+ if (!idTokenClaims.signin_state) {
764
+ return false;
765
+ }
766
+ /**
767
+ * Signin_state claim known values:
768
+ * dvc_mngd - device is managed
769
+ * dvc_dmjd - device is domain joined
770
+ * kmsi - user opted to "keep me signed in"
771
+ * inknownntwk - Request made inside a known network. Don't use this, use CAE instead.
772
+ */
773
+ const kmsiClaims = ["kmsi", "dvc_dmjd"]; // There are some cases where kmsi may not be returned but persistent storage is still OK - allow dvc_dmjd as well
774
+ const kmsi = idTokenClaims.signin_state.some((value) => kmsiClaims.includes(value.trim().toLowerCase()));
775
+ return kmsi;
776
+ }
757
777
  /**
758
778
  * decode a JWT
759
779
  *
@@ -796,7 +816,8 @@ var AuthToken = /*#__PURE__*/Object.freeze({
796
816
  __proto__: null,
797
817
  checkMaxAge: checkMaxAge,
798
818
  extractTokenClaims: extractTokenClaims,
799
- getJWSPayload: getJWSPayload
819
+ getJWSPayload: getJWSPayload,
820
+ isKmsi: isKmsi
800
821
  });
801
822
 
802
823
  /*
@@ -3905,7 +3926,7 @@ class Logger {
3905
3926
 
3906
3927
  /* eslint-disable header/header */
3907
3928
  const name = "@azure/msal-common";
3908
- const version = "15.13.0";
3929
+ const version = "15.13.1";
3909
3930
 
3910
3931
  /*
3911
3932
  * Copyright (c) Microsoft Corporation. All rights reserved.
@@ -4100,6 +4121,44 @@ class ScopeSet {
4100
4121
  }
4101
4122
  }
4102
4123
 
4124
+ /*
4125
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4126
+ * Licensed under the MIT License.
4127
+ */
4128
+ /**
4129
+ * Function to build a client info object from server clientInfo string
4130
+ * @param rawClientInfo
4131
+ * @param crypto
4132
+ */
4133
+ function buildClientInfo(rawClientInfo, base64Decode) {
4134
+ if (!rawClientInfo) {
4135
+ throw createClientAuthError(clientInfoEmptyError);
4136
+ }
4137
+ try {
4138
+ const decodedClientInfo = base64Decode(rawClientInfo);
4139
+ return JSON.parse(decodedClientInfo);
4140
+ }
4141
+ catch (e) {
4142
+ throw createClientAuthError(clientInfoDecodingError);
4143
+ }
4144
+ }
4145
+ /**
4146
+ * Function to build a client info object from cached homeAccountId string
4147
+ * @param homeAccountId
4148
+ */
4149
+ function buildClientInfoFromHomeAccountId(homeAccountId) {
4150
+ if (!homeAccountId) {
4151
+ throw createClientAuthError(clientInfoDecodingError);
4152
+ }
4153
+ const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
4154
+ return {
4155
+ uid: clientInfoParts[0],
4156
+ utid: clientInfoParts.length < 2
4157
+ ? Constants.EMPTY_STRING
4158
+ : clientInfoParts[1],
4159
+ };
4160
+ }
4161
+
4103
4162
  /*
4104
4163
  * Copyright (c) Microsoft Corporation. All rights reserved.
4105
4164
  * Licensed under the MIT License.
@@ -4185,56 +4244,21 @@ function updateAccountTenantProfileData(baseAccountInfo, tenantProfile, idTokenC
4185
4244
  * Copyright (c) Microsoft Corporation. All rights reserved.
4186
4245
  * Licensed under the MIT License.
4187
4246
  */
4188
- const cacheQuotaExceeded = "cache_quota_exceeded";
4189
- const cacheErrorUnknown = "cache_error_unknown";
4190
-
4191
- var CacheErrorCodes = /*#__PURE__*/Object.freeze({
4192
- __proto__: null,
4193
- cacheErrorUnknown: cacheErrorUnknown,
4194
- cacheQuotaExceeded: cacheQuotaExceeded
4195
- });
4196
-
4197
- /*
4198
- * Copyright (c) Microsoft Corporation. All rights reserved.
4199
- * Licensed under the MIT License.
4200
- */
4201
- const CacheErrorMessages = {
4202
- [cacheQuotaExceeded]: "Exceeded cache storage capacity.",
4203
- [cacheErrorUnknown]: "Unexpected error occurred when using cache storage.",
4204
- };
4205
- /**
4206
- * Error thrown when there is an error with the cache
4207
- */
4208
- class CacheError extends AuthError {
4209
- constructor(errorCode, errorMessage) {
4210
- const message = errorMessage ||
4211
- (CacheErrorMessages[errorCode]
4212
- ? CacheErrorMessages[errorCode]
4213
- : CacheErrorMessages[cacheErrorUnknown]);
4214
- super(`${errorCode}: ${message}`);
4215
- Object.setPrototypeOf(this, CacheError.prototype);
4216
- this.name = "CacheError";
4217
- this.errorCode = errorCode;
4218
- this.errorMessage = message;
4219
- }
4220
- }
4221
4247
  /**
4222
- * Helper function to wrap browser errors in a CacheError object
4223
- * @param e
4248
+ * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
4249
+ * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
4250
+ * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
4251
+ * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
4252
+ * Downcased to match the realm case-insensitive comparison requirements
4253
+ * @param idTokenClaims
4224
4254
  * @returns
4225
4255
  */
4226
- function createCacheError(e) {
4227
- if (!(e instanceof Error)) {
4228
- return new CacheError(cacheErrorUnknown);
4229
- }
4230
- if (e.name === "QuotaExceededError" ||
4231
- e.name === "NS_ERROR_DOM_QUOTA_REACHED" ||
4232
- e.message.includes("exceeded the quota")) {
4233
- return new CacheError(cacheQuotaExceeded);
4234
- }
4235
- else {
4236
- return new CacheError(e.name, e.message);
4256
+ function getTenantIdFromIdTokenClaims(idTokenClaims) {
4257
+ if (idTokenClaims) {
4258
+ const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
4259
+ return tenantId || null;
4237
4260
  }
4261
+ return null;
4238
4262
  }
4239
4263
 
4240
4264
  /*
@@ -4242,63 +4266,338 @@ function createCacheError(e) {
4242
4266
  * Licensed under the MIT License.
4243
4267
  */
4244
4268
  /**
4245
- * Interface class which implement cache storage functions used by MSAL to perform validity checks, and store tokens.
4269
+ * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
4270
+ *
4271
+ * Key : Value Schema
4272
+ *
4273
+ * Key: <home_account_id>-<environment>-<realm*>
4274
+ *
4275
+ * Value Schema:
4276
+ * {
4277
+ * homeAccountId: home account identifier for the auth scheme,
4278
+ * environment: entity that issued the token, represented as a full host
4279
+ * realm: Full tenant or organizational identifier that the account belongs to
4280
+ * localAccountId: Original tenant-specific accountID, usually used for legacy cases
4281
+ * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
4282
+ * authorityType: Accounts authority type as a string
4283
+ * name: Full name for the account, including given name and family name,
4284
+ * lastModificationTime: last time this entity was modified in the cache
4285
+ * lastModificationApp:
4286
+ * nativeAccountId: Account identifier on the native device
4287
+ * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
4288
+ * }
4246
4289
  * @internal
4247
4290
  */
4248
- class CacheManager {
4249
- constructor(clientId, cryptoImpl, logger, performanceClient, staticAuthorityOptions) {
4250
- this.clientId = clientId;
4251
- this.cryptoImpl = cryptoImpl;
4252
- this.commonLogger = logger.clone(name, version);
4253
- this.staticAuthorityOptions = staticAuthorityOptions;
4254
- this.performanceClient = performanceClient;
4291
+ class AccountEntity {
4292
+ /**
4293
+ * Returns the AccountInfo interface for this account.
4294
+ */
4295
+ static getAccountInfo(accountEntity) {
4296
+ return {
4297
+ homeAccountId: accountEntity.homeAccountId,
4298
+ environment: accountEntity.environment,
4299
+ tenantId: accountEntity.realm,
4300
+ username: accountEntity.username,
4301
+ localAccountId: accountEntity.localAccountId,
4302
+ loginHint: accountEntity.loginHint,
4303
+ name: accountEntity.name,
4304
+ nativeAccountId: accountEntity.nativeAccountId,
4305
+ authorityType: accountEntity.authorityType,
4306
+ // Deserialize tenant profiles array into a Map
4307
+ tenantProfiles: new Map((accountEntity.tenantProfiles || []).map((tenantProfile) => {
4308
+ return [tenantProfile.tenantId, tenantProfile];
4309
+ })),
4310
+ dataBoundary: accountEntity.dataBoundary,
4311
+ };
4255
4312
  }
4256
4313
  /**
4257
- * Returns all the accounts in the cache that match the optional filter. If no filter is provided, all accounts are returned.
4258
- * @param accountFilter - (Optional) filter to narrow down the accounts returned
4259
- * @returns Array of AccountInfo objects in cache
4314
+ * Returns true if the account entity is in single tenant format (outdated), false otherwise
4260
4315
  */
4261
- getAllAccounts(accountFilter, correlationId) {
4262
- return this.buildTenantProfiles(this.getAccountsFilteredBy(accountFilter, correlationId), correlationId, accountFilter);
4316
+ isSingleTenant() {
4317
+ return !this.tenantProfiles;
4263
4318
  }
4264
4319
  /**
4265
- * Gets first tenanted AccountInfo object found based on provided filters
4320
+ * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
4321
+ * @param accountDetails
4266
4322
  */
4267
- getAccountInfoFilteredBy(accountFilter, correlationId) {
4268
- if (Object.keys(accountFilter).length === 0 ||
4269
- Object.values(accountFilter).every((value) => !value)) {
4270
- this.commonLogger.warning("getAccountInfoFilteredBy: Account filter is empty or invalid, returning null");
4271
- return null;
4323
+ static createAccount(accountDetails, authority, base64Decode) {
4324
+ const account = new AccountEntity();
4325
+ if (authority.authorityType === AuthorityType.Adfs) {
4326
+ account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
4272
4327
  }
4273
- const allAccounts = this.getAllAccounts(accountFilter, correlationId);
4274
- if (allAccounts.length > 1) {
4275
- // If one or more accounts are found, prioritize accounts that have an ID token
4276
- const sortedAccounts = allAccounts.sort((account) => {
4277
- return account.idTokenClaims ? -1 : 1;
4278
- });
4279
- return sortedAccounts[0];
4328
+ else if (authority.protocolMode === ProtocolMode.OIDC) {
4329
+ account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
4280
4330
  }
4281
- else if (allAccounts.length === 1) {
4282
- // If only one account is found, return it regardless of whether a matching ID token was found
4283
- return allAccounts[0];
4331
+ else {
4332
+ account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
4333
+ }
4334
+ let clientInfo;
4335
+ if (accountDetails.clientInfo && base64Decode) {
4336
+ clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
4337
+ if (clientInfo.xms_tdbr) {
4338
+ account.dataBoundary =
4339
+ clientInfo.xms_tdbr === "EU" ? "EU" : "None";
4340
+ }
4341
+ }
4342
+ account.clientInfo = accountDetails.clientInfo;
4343
+ account.homeAccountId = accountDetails.homeAccountId;
4344
+ account.nativeAccountId = accountDetails.nativeAccountId;
4345
+ const env = accountDetails.environment ||
4346
+ (authority && authority.getPreferredCache());
4347
+ if (!env) {
4348
+ throw createClientAuthError(invalidCacheEnvironment);
4349
+ }
4350
+ account.environment = env;
4351
+ // non AAD scenarios can have empty realm
4352
+ account.realm =
4353
+ clientInfo?.utid ||
4354
+ getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
4355
+ "";
4356
+ // How do you account for MSA CID here?
4357
+ account.localAccountId =
4358
+ clientInfo?.uid ||
4359
+ accountDetails.idTokenClaims?.oid ||
4360
+ accountDetails.idTokenClaims?.sub ||
4361
+ "";
4362
+ /*
4363
+ * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
4364
+ * In most cases it will contain a single email. This field should not be relied upon if a custom
4365
+ * policy is configured to return more than 1 email.
4366
+ */
4367
+ const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
4368
+ accountDetails.idTokenClaims?.upn;
4369
+ const email = accountDetails.idTokenClaims?.emails
4370
+ ? accountDetails.idTokenClaims.emails[0]
4371
+ : null;
4372
+ account.username = preferredUsername || email || "";
4373
+ account.loginHint = accountDetails.idTokenClaims?.login_hint;
4374
+ account.name = accountDetails.idTokenClaims?.name || "";
4375
+ account.cloudGraphHostName = accountDetails.cloudGraphHostName;
4376
+ account.msGraphHost = accountDetails.msGraphHost;
4377
+ if (accountDetails.tenantProfiles) {
4378
+ account.tenantProfiles = accountDetails.tenantProfiles;
4284
4379
  }
4285
4380
  else {
4286
- return null;
4381
+ const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
4382
+ account.tenantProfiles = [tenantProfile];
4287
4383
  }
4384
+ return account;
4288
4385
  }
4289
4386
  /**
4290
- * Returns a single matching
4291
- * @param accountFilter
4387
+ * Creates an AccountEntity object from AccountInfo
4388
+ * @param accountInfo
4389
+ * @param cloudGraphHostName
4390
+ * @param msGraphHost
4292
4391
  * @returns
4293
4392
  */
4294
- getBaseAccountInfo(accountFilter, correlationId) {
4295
- const accountEntities = this.getAccountsFilteredBy(accountFilter, correlationId);
4296
- if (accountEntities.length > 0) {
4297
- return accountEntities[0].getAccountInfo();
4298
- }
4299
- else {
4300
- return null;
4301
- }
4393
+ static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
4394
+ const account = new AccountEntity();
4395
+ account.authorityType =
4396
+ accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
4397
+ account.homeAccountId = accountInfo.homeAccountId;
4398
+ account.localAccountId = accountInfo.localAccountId;
4399
+ account.nativeAccountId = accountInfo.nativeAccountId;
4400
+ account.realm = accountInfo.tenantId;
4401
+ account.environment = accountInfo.environment;
4402
+ account.username = accountInfo.username;
4403
+ account.name = accountInfo.name;
4404
+ account.loginHint = accountInfo.loginHint;
4405
+ account.cloudGraphHostName = cloudGraphHostName;
4406
+ account.msGraphHost = msGraphHost;
4407
+ // Serialize tenant profiles map into an array
4408
+ account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
4409
+ account.dataBoundary = accountInfo.dataBoundary;
4410
+ return account;
4411
+ }
4412
+ /**
4413
+ * Generate HomeAccountId from server response
4414
+ * @param serverClientInfo
4415
+ * @param authType
4416
+ */
4417
+ static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
4418
+ // since ADFS/DSTS do not have tid and does not set client_info
4419
+ if (!(authType === AuthorityType.Adfs ||
4420
+ authType === AuthorityType.Dsts)) {
4421
+ // for cases where there is clientInfo
4422
+ if (serverClientInfo) {
4423
+ try {
4424
+ const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
4425
+ if (clientInfo.uid && clientInfo.utid) {
4426
+ return `${clientInfo.uid}.${clientInfo.utid}`;
4427
+ }
4428
+ }
4429
+ catch (e) { }
4430
+ }
4431
+ logger.warning("No client info in response");
4432
+ }
4433
+ // default to "sub" claim
4434
+ return idTokenClaims?.sub || "";
4435
+ }
4436
+ /**
4437
+ * Validates an entity: checks for all expected params
4438
+ * @param entity
4439
+ */
4440
+ static isAccountEntity(entity) {
4441
+ if (!entity) {
4442
+ return false;
4443
+ }
4444
+ return (entity.hasOwnProperty("homeAccountId") &&
4445
+ entity.hasOwnProperty("environment") &&
4446
+ entity.hasOwnProperty("realm") &&
4447
+ entity.hasOwnProperty("localAccountId") &&
4448
+ entity.hasOwnProperty("username") &&
4449
+ entity.hasOwnProperty("authorityType"));
4450
+ }
4451
+ /**
4452
+ * Helper function to determine whether 2 accountInfo objects represent the same account
4453
+ * @param accountA
4454
+ * @param accountB
4455
+ * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
4456
+ */
4457
+ static accountInfoIsEqual(accountA, accountB, compareClaims) {
4458
+ if (!accountA || !accountB) {
4459
+ return false;
4460
+ }
4461
+ let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
4462
+ if (compareClaims) {
4463
+ const accountAClaims = (accountA.idTokenClaims ||
4464
+ {});
4465
+ const accountBClaims = (accountB.idTokenClaims ||
4466
+ {});
4467
+ // issued at timestamp and nonce are expected to change each time a new id token is acquired
4468
+ claimsMatch =
4469
+ accountAClaims.iat === accountBClaims.iat &&
4470
+ accountAClaims.nonce === accountBClaims.nonce;
4471
+ }
4472
+ return (accountA.homeAccountId === accountB.homeAccountId &&
4473
+ accountA.localAccountId === accountB.localAccountId &&
4474
+ accountA.username === accountB.username &&
4475
+ accountA.tenantId === accountB.tenantId &&
4476
+ accountA.loginHint === accountB.loginHint &&
4477
+ accountA.environment === accountB.environment &&
4478
+ accountA.nativeAccountId === accountB.nativeAccountId &&
4479
+ claimsMatch);
4480
+ }
4481
+ }
4482
+
4483
+ /*
4484
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4485
+ * Licensed under the MIT License.
4486
+ */
4487
+ const cacheQuotaExceeded = "cache_quota_exceeded";
4488
+ const cacheErrorUnknown = "cache_error_unknown";
4489
+
4490
+ var CacheErrorCodes = /*#__PURE__*/Object.freeze({
4491
+ __proto__: null,
4492
+ cacheErrorUnknown: cacheErrorUnknown,
4493
+ cacheQuotaExceeded: cacheQuotaExceeded
4494
+ });
4495
+
4496
+ /*
4497
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4498
+ * Licensed under the MIT License.
4499
+ */
4500
+ const CacheErrorMessages = {
4501
+ [cacheQuotaExceeded]: "Exceeded cache storage capacity.",
4502
+ [cacheErrorUnknown]: "Unexpected error occurred when using cache storage.",
4503
+ };
4504
+ /**
4505
+ * Error thrown when there is an error with the cache
4506
+ */
4507
+ class CacheError extends AuthError {
4508
+ constructor(errorCode, errorMessage) {
4509
+ const message = errorMessage ||
4510
+ (CacheErrorMessages[errorCode]
4511
+ ? CacheErrorMessages[errorCode]
4512
+ : CacheErrorMessages[cacheErrorUnknown]);
4513
+ super(`${errorCode}: ${message}`);
4514
+ Object.setPrototypeOf(this, CacheError.prototype);
4515
+ this.name = "CacheError";
4516
+ this.errorCode = errorCode;
4517
+ this.errorMessage = message;
4518
+ }
4519
+ }
4520
+ /**
4521
+ * Helper function to wrap browser errors in a CacheError object
4522
+ * @param e
4523
+ * @returns
4524
+ */
4525
+ function createCacheError(e) {
4526
+ if (!(e instanceof Error)) {
4527
+ return new CacheError(cacheErrorUnknown);
4528
+ }
4529
+ if (e.name === "QuotaExceededError" ||
4530
+ e.name === "NS_ERROR_DOM_QUOTA_REACHED" ||
4531
+ e.message.includes("exceeded the quota")) {
4532
+ return new CacheError(cacheQuotaExceeded);
4533
+ }
4534
+ else {
4535
+ return new CacheError(e.name, e.message);
4536
+ }
4537
+ }
4538
+
4539
+ /*
4540
+ * Copyright (c) Microsoft Corporation. All rights reserved.
4541
+ * Licensed under the MIT License.
4542
+ */
4543
+ /**
4544
+ * Interface class which implement cache storage functions used by MSAL to perform validity checks, and store tokens.
4545
+ * @internal
4546
+ */
4547
+ class CacheManager {
4548
+ constructor(clientId, cryptoImpl, logger, performanceClient, staticAuthorityOptions) {
4549
+ this.clientId = clientId;
4550
+ this.cryptoImpl = cryptoImpl;
4551
+ this.commonLogger = logger.clone(name, version);
4552
+ this.staticAuthorityOptions = staticAuthorityOptions;
4553
+ this.performanceClient = performanceClient;
4554
+ }
4555
+ /**
4556
+ * Returns all the accounts in the cache that match the optional filter. If no filter is provided, all accounts are returned.
4557
+ * @param accountFilter - (Optional) filter to narrow down the accounts returned
4558
+ * @returns Array of AccountInfo objects in cache
4559
+ */
4560
+ getAllAccounts(accountFilter, correlationId) {
4561
+ return this.buildTenantProfiles(this.getAccountsFilteredBy(accountFilter, correlationId), correlationId, accountFilter);
4562
+ }
4563
+ /**
4564
+ * Gets first tenanted AccountInfo object found based on provided filters
4565
+ */
4566
+ getAccountInfoFilteredBy(accountFilter, correlationId) {
4567
+ if (Object.keys(accountFilter).length === 0 ||
4568
+ Object.values(accountFilter).every((value) => !value)) {
4569
+ this.commonLogger.warning("getAccountInfoFilteredBy: Account filter is empty or invalid, returning null");
4570
+ return null;
4571
+ }
4572
+ const allAccounts = this.getAllAccounts(accountFilter, correlationId);
4573
+ if (allAccounts.length > 1) {
4574
+ // If one or more accounts are found, prioritize accounts that have an ID token
4575
+ const sortedAccounts = allAccounts.sort((account) => {
4576
+ return account.idTokenClaims ? -1 : 1;
4577
+ });
4578
+ return sortedAccounts[0];
4579
+ }
4580
+ else if (allAccounts.length === 1) {
4581
+ // If only one account is found, return it regardless of whether a matching ID token was found
4582
+ return allAccounts[0];
4583
+ }
4584
+ else {
4585
+ return null;
4586
+ }
4587
+ }
4588
+ /**
4589
+ * Returns a single matching
4590
+ * @param accountFilter
4591
+ * @returns
4592
+ */
4593
+ getBaseAccountInfo(accountFilter, correlationId) {
4594
+ const accountEntities = this.getAccountsFilteredBy(accountFilter, correlationId);
4595
+ if (accountEntities.length > 0) {
4596
+ return AccountEntity.getAccountInfo(accountEntities[0]);
4597
+ }
4598
+ else {
4599
+ return null;
4600
+ }
4302
4601
  }
4303
4602
  /**
4304
4603
  * Matches filtered account entities with cached ID tokens that match the tenant profile-specific account filters
@@ -4333,7 +4632,7 @@ class CacheManager {
4333
4632
  return tenantedAccountInfo;
4334
4633
  }
4335
4634
  getTenantProfilesFromAccountEntity(accountEntity, correlationId, targetTenantId, tenantProfileFilter) {
4336
- const accountInfo = accountEntity.getAccountInfo();
4635
+ const accountInfo = AccountEntity.getAccountInfo(accountEntity);
4337
4636
  let searchTenantProfiles = accountInfo.tenantProfiles || new Map();
4338
4637
  const tokenKeys = this.getTokenKeys();
4339
4638
  // If a tenant ID was provided, only return the tenant profile for that tenant ID if it exists
@@ -4403,27 +4702,28 @@ class CacheManager {
4403
4702
  /**
4404
4703
  * saves a cache record
4405
4704
  * @param cacheRecord {CacheRecord}
4406
- * @param storeInCache {?StoreInCache}
4407
4705
  * @param correlationId {?string} correlation id
4706
+ * @param kmsi - Keep Me Signed In
4707
+ * @param storeInCache {?StoreInCache}
4408
4708
  */
4409
- async saveCacheRecord(cacheRecord, correlationId, storeInCache) {
4709
+ async saveCacheRecord(cacheRecord, correlationId, kmsi, storeInCache) {
4410
4710
  if (!cacheRecord) {
4411
4711
  throw createClientAuthError(invalidCacheRecord);
4412
4712
  }
4413
4713
  try {
4414
4714
  if (!!cacheRecord.account) {
4415
- await this.setAccount(cacheRecord.account, correlationId);
4715
+ await this.setAccount(cacheRecord.account, correlationId, kmsi);
4416
4716
  }
4417
4717
  if (!!cacheRecord.idToken && storeInCache?.idToken !== false) {
4418
- await this.setIdTokenCredential(cacheRecord.idToken, correlationId);
4718
+ await this.setIdTokenCredential(cacheRecord.idToken, correlationId, kmsi);
4419
4719
  }
4420
4720
  if (!!cacheRecord.accessToken &&
4421
4721
  storeInCache?.accessToken !== false) {
4422
- await this.saveAccessToken(cacheRecord.accessToken, correlationId);
4722
+ await this.saveAccessToken(cacheRecord.accessToken, correlationId, kmsi);
4423
4723
  }
4424
4724
  if (!!cacheRecord.refreshToken &&
4425
4725
  storeInCache?.refreshToken !== false) {
4426
- await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId);
4726
+ await this.setRefreshTokenCredential(cacheRecord.refreshToken, correlationId, kmsi);
4427
4727
  }
4428
4728
  if (!!cacheRecord.appMetadata) {
4429
4729
  this.setAppMetadata(cacheRecord.appMetadata, correlationId);
@@ -4443,7 +4743,7 @@ class CacheManager {
4443
4743
  * saves access token credential
4444
4744
  * @param credential
4445
4745
  */
4446
- async saveAccessToken(credential, correlationId) {
4746
+ async saveAccessToken(credential, correlationId, kmsi) {
4447
4747
  const accessTokenFilter = {
4448
4748
  clientId: credential.clientId,
4449
4749
  credentialType: credential.credentialType,
@@ -4468,7 +4768,7 @@ class CacheManager {
4468
4768
  }
4469
4769
  }
4470
4770
  });
4471
- await this.setAccessTokenCredential(credential, correlationId);
4771
+ await this.setAccessTokenCredential(credential, correlationId, kmsi);
4472
4772
  }
4473
4773
  /**
4474
4774
  * Retrieve account entities matching all provided tenant-agnostic filters; if no filter is set, get all account entities in the cache
@@ -5528,44 +5828,6 @@ const CcsCredentialType = {
5528
5828
  UPN: "UPN",
5529
5829
  };
5530
5830
 
5531
- /*
5532
- * Copyright (c) Microsoft Corporation. All rights reserved.
5533
- * Licensed under the MIT License.
5534
- */
5535
- /**
5536
- * Function to build a client info object from server clientInfo string
5537
- * @param rawClientInfo
5538
- * @param crypto
5539
- */
5540
- function buildClientInfo(rawClientInfo, base64Decode) {
5541
- if (!rawClientInfo) {
5542
- throw createClientAuthError(clientInfoEmptyError);
5543
- }
5544
- try {
5545
- const decodedClientInfo = base64Decode(rawClientInfo);
5546
- return JSON.parse(decodedClientInfo);
5547
- }
5548
- catch (e) {
5549
- throw createClientAuthError(clientInfoDecodingError);
5550
- }
5551
- }
5552
- /**
5553
- * Function to build a client info object from cached homeAccountId string
5554
- * @param homeAccountId
5555
- */
5556
- function buildClientInfoFromHomeAccountId(homeAccountId) {
5557
- if (!homeAccountId) {
5558
- throw createClientAuthError(clientInfoDecodingError);
5559
- }
5560
- const clientInfoParts = homeAccountId.split(Separators.CLIENT_INFO_SEPARATOR, 2);
5561
- return {
5562
- uid: clientInfoParts[0],
5563
- utid: clientInfoParts.length < 2
5564
- ? Constants.EMPTY_STRING
5565
- : clientInfoParts[1],
5566
- };
5567
- }
5568
-
5569
5831
  /*
5570
5832
  * Copyright (c) Microsoft Corporation. All rights reserved.
5571
5833
  * Licensed under the MIT License.
@@ -6326,246 +6588,6 @@ class BaseClient {
6326
6588
  }
6327
6589
  }
6328
6590
 
6329
- /*
6330
- * Copyright (c) Microsoft Corporation. All rights reserved.
6331
- * Licensed under the MIT License.
6332
- */
6333
- /**
6334
- * Gets tenantId from available ID token claims to set as credential realm with the following precedence:
6335
- * 1. tid - if the token is acquired from an Azure AD tenant tid will be present
6336
- * 2. tfp - if the token is acquired from a modern B2C tenant tfp should be present
6337
- * 3. acr - if the token is acquired from a legacy B2C tenant acr should be present
6338
- * Downcased to match the realm case-insensitive comparison requirements
6339
- * @param idTokenClaims
6340
- * @returns
6341
- */
6342
- function getTenantIdFromIdTokenClaims(idTokenClaims) {
6343
- if (idTokenClaims) {
6344
- const tenantId = idTokenClaims.tid || idTokenClaims.tfp || idTokenClaims.acr;
6345
- return tenantId || null;
6346
- }
6347
- return null;
6348
- }
6349
-
6350
- /*
6351
- * Copyright (c) Microsoft Corporation. All rights reserved.
6352
- * Licensed under the MIT License.
6353
- */
6354
- /**
6355
- * Type that defines required and optional parameters for an Account field (based on universal cache schema implemented by all MSALs).
6356
- *
6357
- * Key : Value Schema
6358
- *
6359
- * Key: <home_account_id>-<environment>-<realm*>
6360
- *
6361
- * Value Schema:
6362
- * {
6363
- * homeAccountId: home account identifier for the auth scheme,
6364
- * environment: entity that issued the token, represented as a full host
6365
- * realm: Full tenant or organizational identifier that the account belongs to
6366
- * localAccountId: Original tenant-specific accountID, usually used for legacy cases
6367
- * username: primary username that represents the user, usually corresponds to preferred_username in the v2 endpt
6368
- * authorityType: Accounts authority type as a string
6369
- * name: Full name for the account, including given name and family name,
6370
- * lastModificationTime: last time this entity was modified in the cache
6371
- * lastModificationApp:
6372
- * nativeAccountId: Account identifier on the native device
6373
- * tenantProfiles: Array of tenant profile objects for each tenant that the account has authenticated with in the browser
6374
- * }
6375
- * @internal
6376
- */
6377
- class AccountEntity {
6378
- /**
6379
- * Returns the AccountInfo interface for this account.
6380
- */
6381
- getAccountInfo() {
6382
- return {
6383
- homeAccountId: this.homeAccountId,
6384
- environment: this.environment,
6385
- tenantId: this.realm,
6386
- username: this.username,
6387
- localAccountId: this.localAccountId,
6388
- loginHint: this.loginHint,
6389
- name: this.name,
6390
- nativeAccountId: this.nativeAccountId,
6391
- authorityType: this.authorityType,
6392
- // Deserialize tenant profiles array into a Map
6393
- tenantProfiles: new Map((this.tenantProfiles || []).map((tenantProfile) => {
6394
- return [tenantProfile.tenantId, tenantProfile];
6395
- })),
6396
- dataBoundary: this.dataBoundary,
6397
- };
6398
- }
6399
- /**
6400
- * Returns true if the account entity is in single tenant format (outdated), false otherwise
6401
- */
6402
- isSingleTenant() {
6403
- return !this.tenantProfiles;
6404
- }
6405
- /**
6406
- * Build Account cache from IdToken, clientInfo and authority/policy. Associated with AAD.
6407
- * @param accountDetails
6408
- */
6409
- static createAccount(accountDetails, authority, base64Decode) {
6410
- const account = new AccountEntity();
6411
- if (authority.authorityType === AuthorityType.Adfs) {
6412
- account.authorityType = CacheAccountType.ADFS_ACCOUNT_TYPE;
6413
- }
6414
- else if (authority.protocolMode === ProtocolMode.OIDC) {
6415
- account.authorityType = CacheAccountType.GENERIC_ACCOUNT_TYPE;
6416
- }
6417
- else {
6418
- account.authorityType = CacheAccountType.MSSTS_ACCOUNT_TYPE;
6419
- }
6420
- let clientInfo;
6421
- if (accountDetails.clientInfo && base64Decode) {
6422
- clientInfo = buildClientInfo(accountDetails.clientInfo, base64Decode);
6423
- if (clientInfo.xms_tdbr) {
6424
- account.dataBoundary =
6425
- clientInfo.xms_tdbr === "EU" ? "EU" : "None";
6426
- }
6427
- }
6428
- account.clientInfo = accountDetails.clientInfo;
6429
- account.homeAccountId = accountDetails.homeAccountId;
6430
- account.nativeAccountId = accountDetails.nativeAccountId;
6431
- const env = accountDetails.environment ||
6432
- (authority && authority.getPreferredCache());
6433
- if (!env) {
6434
- throw createClientAuthError(invalidCacheEnvironment);
6435
- }
6436
- account.environment = env;
6437
- // non AAD scenarios can have empty realm
6438
- account.realm =
6439
- clientInfo?.utid ||
6440
- getTenantIdFromIdTokenClaims(accountDetails.idTokenClaims) ||
6441
- "";
6442
- // How do you account for MSA CID here?
6443
- account.localAccountId =
6444
- clientInfo?.uid ||
6445
- accountDetails.idTokenClaims?.oid ||
6446
- accountDetails.idTokenClaims?.sub ||
6447
- "";
6448
- /*
6449
- * In B2C scenarios the emails claim is used instead of preferred_username and it is an array.
6450
- * In most cases it will contain a single email. This field should not be relied upon if a custom
6451
- * policy is configured to return more than 1 email.
6452
- */
6453
- const preferredUsername = accountDetails.idTokenClaims?.preferred_username ||
6454
- accountDetails.idTokenClaims?.upn;
6455
- const email = accountDetails.idTokenClaims?.emails
6456
- ? accountDetails.idTokenClaims.emails[0]
6457
- : null;
6458
- account.username = preferredUsername || email || "";
6459
- account.loginHint = accountDetails.idTokenClaims?.login_hint;
6460
- account.name = accountDetails.idTokenClaims?.name || "";
6461
- account.cloudGraphHostName = accountDetails.cloudGraphHostName;
6462
- account.msGraphHost = accountDetails.msGraphHost;
6463
- if (accountDetails.tenantProfiles) {
6464
- account.tenantProfiles = accountDetails.tenantProfiles;
6465
- }
6466
- else {
6467
- const tenantProfile = buildTenantProfile(accountDetails.homeAccountId, account.localAccountId, account.realm, accountDetails.idTokenClaims);
6468
- account.tenantProfiles = [tenantProfile];
6469
- }
6470
- return account;
6471
- }
6472
- /**
6473
- * Creates an AccountEntity object from AccountInfo
6474
- * @param accountInfo
6475
- * @param cloudGraphHostName
6476
- * @param msGraphHost
6477
- * @returns
6478
- */
6479
- static createFromAccountInfo(accountInfo, cloudGraphHostName, msGraphHost) {
6480
- const account = new AccountEntity();
6481
- account.authorityType =
6482
- accountInfo.authorityType || CacheAccountType.GENERIC_ACCOUNT_TYPE;
6483
- account.homeAccountId = accountInfo.homeAccountId;
6484
- account.localAccountId = accountInfo.localAccountId;
6485
- account.nativeAccountId = accountInfo.nativeAccountId;
6486
- account.realm = accountInfo.tenantId;
6487
- account.environment = accountInfo.environment;
6488
- account.username = accountInfo.username;
6489
- account.name = accountInfo.name;
6490
- account.loginHint = accountInfo.loginHint;
6491
- account.cloudGraphHostName = cloudGraphHostName;
6492
- account.msGraphHost = msGraphHost;
6493
- // Serialize tenant profiles map into an array
6494
- account.tenantProfiles = Array.from(accountInfo.tenantProfiles?.values() || []);
6495
- account.dataBoundary = accountInfo.dataBoundary;
6496
- return account;
6497
- }
6498
- /**
6499
- * Generate HomeAccountId from server response
6500
- * @param serverClientInfo
6501
- * @param authType
6502
- */
6503
- static generateHomeAccountId(serverClientInfo, authType, logger, cryptoObj, idTokenClaims) {
6504
- // since ADFS/DSTS do not have tid and does not set client_info
6505
- if (!(authType === AuthorityType.Adfs ||
6506
- authType === AuthorityType.Dsts)) {
6507
- // for cases where there is clientInfo
6508
- if (serverClientInfo) {
6509
- try {
6510
- const clientInfo = buildClientInfo(serverClientInfo, cryptoObj.base64Decode);
6511
- if (clientInfo.uid && clientInfo.utid) {
6512
- return `${clientInfo.uid}.${clientInfo.utid}`;
6513
- }
6514
- }
6515
- catch (e) { }
6516
- }
6517
- logger.warning("No client info in response");
6518
- }
6519
- // default to "sub" claim
6520
- return idTokenClaims?.sub || "";
6521
- }
6522
- /**
6523
- * Validates an entity: checks for all expected params
6524
- * @param entity
6525
- */
6526
- static isAccountEntity(entity) {
6527
- if (!entity) {
6528
- return false;
6529
- }
6530
- return (entity.hasOwnProperty("homeAccountId") &&
6531
- entity.hasOwnProperty("environment") &&
6532
- entity.hasOwnProperty("realm") &&
6533
- entity.hasOwnProperty("localAccountId") &&
6534
- entity.hasOwnProperty("username") &&
6535
- entity.hasOwnProperty("authorityType"));
6536
- }
6537
- /**
6538
- * Helper function to determine whether 2 accountInfo objects represent the same account
6539
- * @param accountA
6540
- * @param accountB
6541
- * @param compareClaims - If set to true idTokenClaims will also be compared to determine account equality
6542
- */
6543
- static accountInfoIsEqual(accountA, accountB, compareClaims) {
6544
- if (!accountA || !accountB) {
6545
- return false;
6546
- }
6547
- let claimsMatch = true; // default to true so as to not fail comparison below if compareClaims: false
6548
- if (compareClaims) {
6549
- const accountAClaims = (accountA.idTokenClaims ||
6550
- {});
6551
- const accountBClaims = (accountB.idTokenClaims ||
6552
- {});
6553
- // issued at timestamp and nonce are expected to change each time a new id token is acquired
6554
- claimsMatch =
6555
- accountAClaims.iat === accountBClaims.iat &&
6556
- accountAClaims.nonce === accountBClaims.nonce;
6557
- }
6558
- return (accountA.homeAccountId === accountB.homeAccountId &&
6559
- accountA.localAccountId === accountB.localAccountId &&
6560
- accountA.username === accountB.username &&
6561
- accountA.tenantId === accountB.tenantId &&
6562
- accountA.loginHint === accountB.loginHint &&
6563
- accountA.environment === accountB.environment &&
6564
- accountA.nativeAccountId === accountB.nativeAccountId &&
6565
- claimsMatch);
6566
- }
6567
- }
6568
-
6569
6591
  /*
6570
6592
  * Copyright (c) Microsoft Corporation. All rights reserved.
6571
6593
  * Licensed under the MIT License.
@@ -6967,14 +6989,14 @@ class ResponseHandler {
6967
6989
  if (handlingRefreshTokenResponse &&
6968
6990
  !forceCacheRefreshTokenResponse &&
6969
6991
  cacheRecord.account) {
6970
- const key = this.cacheStorage.generateAccountKey(cacheRecord.account.getAccountInfo());
6992
+ const key = this.cacheStorage.generateAccountKey(AccountEntity.getAccountInfo(cacheRecord.account));
6971
6993
  const account = this.cacheStorage.getAccount(key, request.correlationId);
6972
6994
  if (!account) {
6973
6995
  this.logger.warning("Account used to refresh tokens not in persistence, refreshed tokens will not be stored in the cache");
6974
6996
  return await ResponseHandler.generateAuthenticationResult(this.cryptoObj, authority, cacheRecord, false, request, idTokenClaims, requestStateObj, undefined, serverRequestId);
6975
6997
  }
6976
6998
  }
6977
- await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, request.storeInCache);
6999
+ await this.cacheStorage.saveCacheRecord(cacheRecord, request.correlationId, isKmsi(idTokenClaims || {}), request.storeInCache);
6978
7000
  }
6979
7001
  finally {
6980
7002
  if (this.persistencePlugin &&
@@ -7121,7 +7143,7 @@ class ResponseHandler {
7121
7143
  serverTokenResponse?.spa_accountid;
7122
7144
  }
7123
7145
  const accountInfo = cacheRecord.account
7124
- ? updateAccountTenantProfileData(cacheRecord.account.getAccountInfo(), undefined, // tenantProfile optional
7146
+ ? updateAccountTenantProfileData(AccountEntity.getAccountInfo(cacheRecord.account), undefined, // tenantProfile optional
7125
7147
  idTokenClaims, cacheRecord.idToken?.secret)
7126
7148
  : null;
7127
7149
  return {
@@ -8408,4 +8430,4 @@ exports.invokeAsync = invokeAsync;
8408
8430
  exports.tenantIdMatchesHomeTenant = tenantIdMatchesHomeTenant;
8409
8431
  exports.updateAccountTenantProfileData = updateAccountTenantProfileData;
8410
8432
  exports.version = version;
8411
- //# sourceMappingURL=index-node-D8Iaiqq3.js.map
8433
+ //# sourceMappingURL=index-node-DhUjlPuB.js.map