@azure/msal-common 15.2.0 → 15.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/account/AccountInfo.mjs +1 -1
- package/dist/account/AuthToken.mjs +1 -1
- package/dist/account/CcsCredential.mjs +1 -1
- package/dist/account/ClientInfo.mjs +1 -1
- package/dist/account/TokenClaims.mjs +1 -1
- package/dist/authority/Authority.mjs +1 -1
- package/dist/authority/AuthorityFactory.mjs +1 -1
- package/dist/authority/AuthorityMetadata.mjs +1 -1
- package/dist/authority/AuthorityOptions.mjs +1 -1
- package/dist/authority/AuthorityType.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryErrorResponse.mjs +1 -1
- package/dist/authority/CloudInstanceDiscoveryResponse.mjs +1 -1
- package/dist/authority/OpenIdConfigResponse.mjs +1 -1
- package/dist/authority/ProtocolMode.mjs +1 -1
- package/dist/authority/RegionDiscovery.mjs +1 -1
- package/dist/cache/CacheManager.mjs +1 -1
- package/dist/cache/entities/AccountEntity.mjs +1 -1
- package/dist/cache/persistence/TokenCacheContext.mjs +1 -1
- package/dist/cache/utils/CacheHelpers.mjs +1 -1
- package/dist/client/AuthorizationCodeClient.d.ts +0 -31
- package/dist/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/dist/client/AuthorizationCodeClient.mjs +43 -258
- package/dist/client/AuthorizationCodeClient.mjs.map +1 -1
- package/dist/client/BaseClient.d.ts.map +1 -1
- package/dist/client/BaseClient.mjs +9 -10
- package/dist/client/BaseClient.mjs.map +1 -1
- package/dist/client/RefreshTokenClient.d.ts.map +1 -1
- package/dist/client/RefreshTokenClient.mjs +29 -41
- package/dist/client/RefreshTokenClient.mjs.map +1 -1
- package/dist/client/SilentFlowClient.mjs +1 -1
- package/dist/config/ClientConfiguration.mjs +1 -1
- package/dist/constants/AADServerParamKeys.d.ts +1 -0
- package/dist/constants/AADServerParamKeys.d.ts.map +1 -1
- package/dist/constants/AADServerParamKeys.mjs +4 -3
- package/dist/constants/AADServerParamKeys.mjs.map +1 -1
- package/dist/crypto/ICrypto.mjs +1 -1
- package/dist/crypto/JoseHeader.mjs +1 -1
- package/dist/crypto/PopTokenGenerator.mjs +1 -1
- package/dist/error/AuthError.mjs +1 -1
- package/dist/error/AuthErrorCodes.mjs +1 -1
- package/dist/error/CacheError.mjs +1 -1
- package/dist/error/CacheErrorCodes.mjs +1 -1
- package/dist/error/ClientAuthError.mjs +1 -1
- package/dist/error/ClientAuthErrorCodes.mjs +1 -1
- package/dist/error/ClientConfigurationError.mjs +1 -1
- package/dist/error/ClientConfigurationErrorCodes.mjs +1 -1
- package/dist/error/InteractionRequiredAuthError.mjs +1 -1
- package/dist/error/InteractionRequiredAuthErrorCodes.mjs +1 -1
- package/dist/error/JoseHeaderError.mjs +1 -1
- package/dist/error/JoseHeaderErrorCodes.mjs +1 -1
- package/dist/error/NetworkError.mjs +1 -1
- package/dist/error/ServerError.mjs +1 -1
- package/dist/exports-common.d.ts +4 -3
- package/dist/exports-common.d.ts.map +1 -1
- package/dist/index-browser.mjs +6 -2
- package/dist/index-browser.mjs.map +1 -1
- package/dist/index-node.mjs +6 -2
- package/dist/index-node.mjs.map +1 -1
- package/dist/index.mjs +6 -2
- package/dist/index.mjs.map +1 -1
- package/dist/logger/Logger.mjs +1 -1
- package/dist/network/INetworkModule.mjs +1 -1
- package/dist/network/RequestThumbprint.d.ts +3 -0
- package/dist/network/RequestThumbprint.d.ts.map +1 -1
- package/dist/network/RequestThumbprint.mjs +24 -0
- package/dist/network/RequestThumbprint.mjs.map +1 -0
- package/dist/network/ThrottlingUtils.d.ts.map +1 -1
- package/dist/network/ThrottlingUtils.mjs +3 -13
- package/dist/network/ThrottlingUtils.mjs.map +1 -1
- package/dist/packageMetadata.d.ts +1 -1
- package/dist/packageMetadata.mjs +2 -2
- package/dist/protocol/Authorize.d.ts +37 -0
- package/dist/protocol/Authorize.d.ts.map +1 -0
- package/dist/protocol/Authorize.mjs +237 -0
- package/dist/protocol/Authorize.mjs.map +1 -0
- package/dist/request/AuthenticationHeaderParser.mjs +1 -1
- package/dist/request/BaseAuthRequest.d.ts +2 -0
- package/dist/request/BaseAuthRequest.d.ts.map +1 -1
- package/dist/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/dist/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/dist/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/dist/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/dist/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/dist/request/CommonSilentFlowRequest.d.ts +0 -3
- package/dist/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.d.ts +206 -218
- package/dist/request/RequestParameterBuilder.d.ts.map +1 -1
- package/dist/request/RequestParameterBuilder.mjs +356 -369
- package/dist/request/RequestParameterBuilder.mjs.map +1 -1
- package/dist/request/RequestValidator.mjs +1 -1
- package/dist/request/ScopeSet.mjs +1 -1
- package/dist/response/AuthorizeResponse.d.ts +72 -0
- package/dist/response/AuthorizeResponse.d.ts.map +1 -0
- package/dist/response/ResponseHandler.d.ts +0 -8
- package/dist/response/ResponseHandler.d.ts.map +1 -1
- package/dist/response/ResponseHandler.mjs +7 -52
- package/dist/response/ResponseHandler.mjs.map +1 -1
- package/dist/telemetry/performance/PerformanceClient.mjs +1 -1
- package/dist/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/dist/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/dist/telemetry/performance/PerformanceEvent.mjs +2 -11
- package/dist/telemetry/performance/PerformanceEvent.mjs.map +1 -1
- package/dist/telemetry/performance/StubPerformanceClient.mjs +1 -1
- package/dist/telemetry/server/ServerTelemetryManager.mjs +1 -1
- package/dist/url/UrlString.mjs +1 -1
- package/dist/utils/ClientAssertionUtils.mjs +1 -1
- package/dist/utils/Constants.mjs +1 -1
- package/dist/utils/FunctionWrappers.mjs +1 -1
- package/dist/utils/ProtocolUtils.mjs +1 -1
- package/dist/utils/StringUtils.mjs +1 -1
- package/dist/utils/TimeUtils.d.ts +10 -0
- package/dist/utils/TimeUtils.d.ts.map +1 -1
- package/dist/utils/TimeUtils.mjs +20 -2
- package/dist/utils/TimeUtils.mjs.map +1 -1
- package/dist/utils/UrlUtils.d.ts +6 -2
- package/dist/utils/UrlUtils.d.ts.map +1 -1
- package/dist/utils/UrlUtils.mjs +12 -2
- package/dist/utils/UrlUtils.mjs.map +1 -1
- package/lib/index-browser.cjs +4 -2
- package/lib/index-browser.cjs.map +1 -1
- package/lib/{index-node-0IMDqzO0.js → index-node-BjtDFnOl.js} +828 -805
- package/lib/index-node-BjtDFnOl.js.map +1 -0
- package/lib/index-node.cjs +4 -2
- package/lib/index-node.cjs.map +1 -1
- package/lib/index.cjs +4 -2
- package/lib/index.cjs.map +1 -1
- package/lib/types/client/AuthorizationCodeClient.d.ts +0 -31
- package/lib/types/client/AuthorizationCodeClient.d.ts.map +1 -1
- package/lib/types/client/BaseClient.d.ts.map +1 -1
- package/lib/types/client/RefreshTokenClient.d.ts.map +1 -1
- package/lib/types/constants/AADServerParamKeys.d.ts +1 -0
- package/lib/types/constants/AADServerParamKeys.d.ts.map +1 -1
- package/lib/types/exports-common.d.ts +4 -3
- package/lib/types/exports-common.d.ts.map +1 -1
- package/lib/types/network/RequestThumbprint.d.ts +3 -0
- package/lib/types/network/RequestThumbprint.d.ts.map +1 -1
- package/lib/types/network/ThrottlingUtils.d.ts.map +1 -1
- package/lib/types/packageMetadata.d.ts +1 -1
- package/lib/types/protocol/Authorize.d.ts +37 -0
- package/lib/types/protocol/Authorize.d.ts.map +1 -0
- package/lib/types/request/BaseAuthRequest.d.ts +2 -0
- package/lib/types/request/BaseAuthRequest.d.ts.map +1 -1
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts +0 -2
- package/lib/types/request/CommonAuthorizationCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts +1 -1
- package/lib/types/request/CommonDeviceCodeRequest.d.ts.map +1 -1
- package/lib/types/request/CommonRefreshTokenRequest.d.ts +0 -2
- package/lib/types/request/CommonRefreshTokenRequest.d.ts.map +1 -1
- package/lib/types/request/CommonSilentFlowRequest.d.ts +0 -3
- package/lib/types/request/CommonSilentFlowRequest.d.ts.map +1 -1
- package/lib/types/request/RequestParameterBuilder.d.ts +206 -218
- package/lib/types/request/RequestParameterBuilder.d.ts.map +1 -1
- package/lib/types/response/AuthorizeResponse.d.ts +72 -0
- package/lib/types/response/AuthorizeResponse.d.ts.map +1 -0
- package/lib/types/response/ResponseHandler.d.ts +0 -8
- package/lib/types/response/ResponseHandler.d.ts.map +1 -1
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts +1 -2
- package/lib/types/telemetry/performance/PerformanceEvent.d.ts.map +1 -1
- package/lib/types/utils/TimeUtils.d.ts +10 -0
- package/lib/types/utils/TimeUtils.d.ts.map +1 -1
- package/lib/types/utils/UrlUtils.d.ts +6 -2
- package/lib/types/utils/UrlUtils.d.ts.map +1 -1
- package/package.json +1 -1
- package/src/client/AuthorizationCodeClient.ts +89 -409
- package/src/client/BaseClient.ts +20 -12
- package/src/client/RefreshTokenClient.ts +66 -44
- package/src/constants/AADServerParamKeys.ts +1 -0
- package/src/exports-common.ts +8 -3
- package/src/network/RequestThumbprint.ts +23 -0
- package/src/network/ThrottlingUtils.ts +9 -14
- package/src/packageMetadata.ts +1 -1
- package/src/protocol/Authorize.ts +409 -0
- package/src/request/BaseAuthRequest.ts +2 -0
- package/src/request/CommonAuthorizationCodeRequest.ts +0 -2
- package/src/request/CommonDeviceCodeRequest.ts +1 -1
- package/src/request/CommonRefreshTokenRequest.ts +0 -2
- package/src/request/CommonSilentFlowRequest.ts +0 -3
- package/src/request/RequestParameterBuilder.ts +508 -543
- package/src/response/AuthorizeResponse.ts +76 -0
- package/src/response/ResponseHandler.ts +8 -104
- package/src/telemetry/performance/PerformanceEvent.ts +1 -11
- package/src/utils/TimeUtils.ts +20 -0
- package/src/utils/UrlUtils.ts +18 -4
- package/dist/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/dist/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/lib/index-node-0IMDqzO0.js.map +0 -1
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts +0 -27
- package/lib/types/response/ServerAuthorizationCodeResponse.d.ts.map +0 -1
- package/src/response/ServerAuthorizationCodeResponse.ts +0 -34
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { createClientAuthError } from '../error/ClientAuthError.mjs';
|
|
4
4
|
import { tokenParsingError, nullOrEmptyToken, maxAgeTranspired } from '../error/ClientAuthErrorCodes.mjs';
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { Constants, ResponseCodes, RegionDiscoverySources } from '../utils/Constants.mjs';
|
|
4
4
|
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { Separators, CredentialType, AuthenticationScheme, THE_FAMILY_ID, APP_METADATA, AUTHORITY_METADATA_CONSTANTS } from '../utils/Constants.mjs';
|
|
4
4
|
import { generateCredentialKey } from './utils/CacheHelpers.mjs';
|
|
@@ -1,9 +1,7 @@
|
|
|
1
1
|
import { BaseClient } from "./BaseClient.js";
|
|
2
|
-
import { CommonAuthorizationUrlRequest } from "../request/CommonAuthorizationUrlRequest.js";
|
|
3
2
|
import { CommonAuthorizationCodeRequest } from "../request/CommonAuthorizationCodeRequest.js";
|
|
4
3
|
import { ClientConfiguration } from "../config/ClientConfiguration.js";
|
|
5
4
|
import { AuthenticationResult } from "../response/AuthenticationResult.js";
|
|
6
|
-
import { ServerAuthorizationCodeResponse } from "../response/ServerAuthorizationCodeResponse.js";
|
|
7
5
|
import { CommonEndSessionRequest } from "../request/CommonEndSessionRequest.js";
|
|
8
6
|
import { AuthorizationCodePayload } from "../response/AuthorizationCodePayload.js";
|
|
9
7
|
import { IPerformanceClient } from "../telemetry/performance/IPerformanceClient.js";
|
|
@@ -15,29 +13,12 @@ export declare class AuthorizationCodeClient extends BaseClient {
|
|
|
15
13
|
protected includeRedirectUri: boolean;
|
|
16
14
|
private oidcDefaultScopes;
|
|
17
15
|
constructor(configuration: ClientConfiguration, performanceClient?: IPerformanceClient);
|
|
18
|
-
/**
|
|
19
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
20
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
21
|
-
* application object.
|
|
22
|
-
*
|
|
23
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
24
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
25
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
26
|
-
* @param request
|
|
27
|
-
*/
|
|
28
|
-
getAuthCodeUrl(request: CommonAuthorizationUrlRequest): Promise<string>;
|
|
29
16
|
/**
|
|
30
17
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
31
18
|
* authorization_code_grant
|
|
32
19
|
* @param request
|
|
33
20
|
*/
|
|
34
21
|
acquireToken(request: CommonAuthorizationCodeRequest, authCodePayload?: AuthorizationCodePayload): Promise<AuthenticationResult>;
|
|
35
|
-
/**
|
|
36
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
37
|
-
* the client to exchange for a token in acquireToken.
|
|
38
|
-
* @param hashFragment
|
|
39
|
-
*/
|
|
40
|
-
handleFragmentResponse(serverParams: ServerAuthorizationCodeResponse, cachedState: string): AuthorizationCodePayload;
|
|
41
22
|
/**
|
|
42
23
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
43
24
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -55,22 +36,10 @@ export declare class AuthorizationCodeClient extends BaseClient {
|
|
|
55
36
|
* @param request
|
|
56
37
|
*/
|
|
57
38
|
private createTokenRequestBody;
|
|
58
|
-
/**
|
|
59
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
60
|
-
* @param request
|
|
61
|
-
*/
|
|
62
|
-
private createAuthCodeUrlQueryString;
|
|
63
39
|
/**
|
|
64
40
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
65
41
|
* @param request
|
|
66
42
|
*/
|
|
67
43
|
private createLogoutUrlQueryString;
|
|
68
|
-
private addExtraQueryParams;
|
|
69
|
-
/**
|
|
70
|
-
* Helper to get sid from account. Returns null if idTokenClaims are not present or sid is not present.
|
|
71
|
-
* @param account
|
|
72
|
-
*/
|
|
73
|
-
private extractAccountSid;
|
|
74
|
-
private extractLoginHint;
|
|
75
44
|
}
|
|
76
45
|
//# sourceMappingURL=AuthorizationCodeClient.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"AuthorizationCodeClient.d.ts","sourceRoot":"","sources":["../../src/client/AuthorizationCodeClient.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"AuthorizationCodeClient.d.ts","sourceRoot":"","sources":["../../src/client/AuthorizationCodeClient.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,8BAA8B,EAAE,MAAM,8CAA8C,CAAC;AAW9F,OAAO,EACH,mBAAmB,EAEtB,MAAM,kCAAkC,CAAC;AAI1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAO3E,OAAO,EAAE,uBAAuB,EAAE,MAAM,uCAAuC,CAAC;AAEhF,OAAO,EAAE,wBAAwB,EAAE,MAAM,yCAAyC,CAAC;AAYnF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gDAAgD,CAAC;AAOpF;;;GAGG;AACH,qBAAa,uBAAwB,SAAQ,UAAU;IAEnD,SAAS,CAAC,kBAAkB,EAAE,OAAO,CAAQ;IAC7C,OAAO,CAAC,iBAAiB,CAAC;gBAGtB,aAAa,EAAE,mBAAmB,EAClC,iBAAiB,CAAC,EAAE,kBAAkB;IAO1C;;;;OAIG;IACG,YAAY,CACd,OAAO,EAAE,8BAA8B,EACvC,eAAe,CAAC,EAAE,wBAAwB,GAC3C,OAAO,CAAC,oBAAoB,CAAC;IAwDhC;;;;OAIG;IACH,YAAY,CAAC,aAAa,EAAE,uBAAuB,GAAG,MAAM;IAgB5D;;;;OAIG;YACW,mBAAmB;IAiEjC;;;OAGG;YACW,sBAAsB;IAoOpC;;;OAGG;IACH,OAAO,CAAC,0BAA0B;CAkDrC"}
|
|
@@ -1,8 +1,9 @@
|
|
|
1
|
-
/*! @azure/msal-common v15.
|
|
1
|
+
/*! @azure/msal-common v15.3.0 2025-03-20 */
|
|
2
2
|
'use strict';
|
|
3
3
|
import { BaseClient } from './BaseClient.mjs';
|
|
4
|
-
import {
|
|
5
|
-
import {
|
|
4
|
+
import { addClientId, addRedirectUri, addScopes, addAuthorizationCode, addLibraryInfo, addApplicationTelemetry, addThrottling, addServerTelemetry, addCodeVerifier, addClientSecret, addClientAssertion, addClientAssertionType, addGrantType, addClientInfo, addPopToken, addSshJwk, addClaims, addCcsUpn, addCcsOid, addBrokerParameters, addExtraQueryParameters, instrumentBrokerParams, addPostLogoutRedirectUri, addCorrelationId, addIdTokenHint, addState, addLogoutHint, addInstanceAware } from '../request/RequestParameterBuilder.mjs';
|
|
5
|
+
import { mapToQueryString } from '../utils/UrlUtils.mjs';
|
|
6
|
+
import { Separators, GrantType, AuthenticationScheme, HeaderNames } from '../utils/Constants.mjs';
|
|
6
7
|
import { CLIENT_ID, RETURN_SPA_CODE } from '../constants/AADServerParamKeys.mjs';
|
|
7
8
|
import { isOidcProtocolMode } from '../config/ClientConfiguration.mjs';
|
|
8
9
|
import { ResponseHandler } from '../response/ResponseHandler.mjs';
|
|
@@ -18,7 +19,8 @@ import { RequestValidator } from '../request/RequestValidator.mjs';
|
|
|
18
19
|
import { PerformanceEvents } from '../telemetry/performance/PerformanceEvent.mjs';
|
|
19
20
|
import { invokeAsync } from '../utils/FunctionWrappers.mjs';
|
|
20
21
|
import { getClientAssertion } from '../utils/ClientAssertionUtils.mjs';
|
|
21
|
-
import {
|
|
22
|
+
import { getRequestThumbprint } from '../network/RequestThumbprint.mjs';
|
|
23
|
+
import { requestCannotBeMade } from '../error/ClientAuthErrorCodes.mjs';
|
|
22
24
|
import { logoutRequestEmpty, missingSshJwk } from '../error/ClientConfigurationErrorCodes.mjs';
|
|
23
25
|
|
|
24
26
|
/*
|
|
@@ -37,21 +39,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
37
39
|
this.oidcDefaultScopes =
|
|
38
40
|
this.config.authOptions.authority.options.OIDCOptions?.defaultScopes;
|
|
39
41
|
}
|
|
40
|
-
/**
|
|
41
|
-
* Creates the URL of the authorization request letting the user input credentials and consent to the
|
|
42
|
-
* application. The URL target the /authorize endpoint of the authority configured in the
|
|
43
|
-
* application object.
|
|
44
|
-
*
|
|
45
|
-
* Once the user inputs their credentials and consents, the authority will send a response to the redirect URI
|
|
46
|
-
* sent in the request and should contain an authorization code, which can then be used to acquire tokens via
|
|
47
|
-
* acquireToken(AuthorizationCodeRequest)
|
|
48
|
-
* @param request
|
|
49
|
-
*/
|
|
50
|
-
async getAuthCodeUrl(request) {
|
|
51
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.GetAuthCodeUrl, request.correlationId);
|
|
52
|
-
const queryString = await invokeAsync(this.createAuthCodeUrlQueryString.bind(this), PerformanceEvents.AuthClientCreateQueryString, this.logger, this.performanceClient, request.correlationId)(request);
|
|
53
|
-
return UrlString.appendQueryString(this.authority.authorizationEndpoint, queryString);
|
|
54
|
-
}
|
|
55
42
|
/**
|
|
56
43
|
* API to acquire a token in exchange of 'authorization_code` acquired by the user in the first leg of the
|
|
57
44
|
* authorization_code_grant
|
|
@@ -71,22 +58,6 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
71
58
|
responseHandler.validateTokenResponse(response.body);
|
|
72
59
|
return invokeAsync(responseHandler.handleServerTokenResponse.bind(responseHandler), PerformanceEvents.HandleServerTokenResponse, this.logger, this.performanceClient, request.correlationId)(response.body, this.authority, reqTimestamp, request, authCodePayload, undefined, undefined, undefined, requestId);
|
|
73
60
|
}
|
|
74
|
-
/**
|
|
75
|
-
* Handles the hash fragment response from public client code request. Returns a code response used by
|
|
76
|
-
* the client to exchange for a token in acquireToken.
|
|
77
|
-
* @param hashFragment
|
|
78
|
-
*/
|
|
79
|
-
handleFragmentResponse(serverParams, cachedState) {
|
|
80
|
-
// Handle responses.
|
|
81
|
-
const responseHandler = new ResponseHandler(this.config.authOptions.clientId, this.cacheManager, this.cryptoUtils, this.logger, null, null);
|
|
82
|
-
// Get code response
|
|
83
|
-
responseHandler.validateServerAuthorizationCodeResponse(serverParams, cachedState);
|
|
84
|
-
// throw when there is no auth code in the response
|
|
85
|
-
if (!serverParams.code) {
|
|
86
|
-
throw createClientAuthError(authorizationCodeMissingFromServerResponse);
|
|
87
|
-
}
|
|
88
|
-
return serverParams;
|
|
89
|
-
}
|
|
90
61
|
/**
|
|
91
62
|
* Used to log out the current user, and redirect the user to the postLogoutRedirectUri.
|
|
92
63
|
* Default behaviour is to redirect the user to `window.location.href`.
|
|
@@ -125,18 +96,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
125
96
|
}
|
|
126
97
|
}
|
|
127
98
|
const headers = this.createTokenRequestHeaders(ccsCredential || request.ccsCredential);
|
|
128
|
-
const thumbprint =
|
|
129
|
-
clientId: request.tokenBodyParameters?.clientId ||
|
|
130
|
-
this.config.authOptions.clientId,
|
|
131
|
-
authority: authority.canonicalAuthority,
|
|
132
|
-
scopes: request.scopes,
|
|
133
|
-
claims: request.claims,
|
|
134
|
-
authenticationScheme: request.authenticationScheme,
|
|
135
|
-
resourceRequestMethod: request.resourceRequestMethod,
|
|
136
|
-
resourceRequestUri: request.resourceRequestUri,
|
|
137
|
-
shrClaims: request.shrClaims,
|
|
138
|
-
sshKid: request.sshKid,
|
|
139
|
-
};
|
|
99
|
+
const thumbprint = getRequestThumbprint(this.config.authOptions.clientId, request);
|
|
140
100
|
return invokeAsync(this.executePostToTokenEndpoint.bind(this), PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint, this.logger, this.performanceClient, request.correlationId)(endpoint, requestBody, headers, thumbprint, request.correlationId, PerformanceEvents.AuthorizationCodeClientExecutePostToTokenEndpoint);
|
|
141
101
|
}
|
|
142
102
|
/**
|
|
@@ -145,8 +105,8 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
145
105
|
*/
|
|
146
106
|
async createTokenRequestBody(request) {
|
|
147
107
|
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateTokenRequestBody, request.correlationId);
|
|
148
|
-
const
|
|
149
|
-
|
|
108
|
+
const parameters = new Map();
|
|
109
|
+
addClientId(parameters, request.embeddedClientId ||
|
|
150
110
|
request.tokenBodyParameters?.[CLIENT_ID] ||
|
|
151
111
|
this.config.authOptions.clientId);
|
|
152
112
|
/*
|
|
@@ -159,33 +119,33 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
159
119
|
}
|
|
160
120
|
else {
|
|
161
121
|
// Validate and include redirect uri
|
|
162
|
-
|
|
122
|
+
addRedirectUri(parameters, request.redirectUri);
|
|
163
123
|
}
|
|
164
124
|
// Add scope array, parameter builder will add default scopes and dedupe
|
|
165
|
-
|
|
125
|
+
addScopes(parameters, request.scopes, true, this.oidcDefaultScopes);
|
|
166
126
|
// add code: user set, not validated
|
|
167
|
-
|
|
127
|
+
addAuthorizationCode(parameters, request.code);
|
|
168
128
|
// Add library metadata
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
129
|
+
addLibraryInfo(parameters, this.config.libraryInfo);
|
|
130
|
+
addApplicationTelemetry(parameters, this.config.telemetry.application);
|
|
131
|
+
addThrottling(parameters);
|
|
172
132
|
if (this.serverTelemetryManager && !isOidcProtocolMode(this.config)) {
|
|
173
|
-
|
|
133
|
+
addServerTelemetry(parameters, this.serverTelemetryManager);
|
|
174
134
|
}
|
|
175
135
|
// add code_verifier if passed
|
|
176
136
|
if (request.codeVerifier) {
|
|
177
|
-
|
|
137
|
+
addCodeVerifier(parameters, request.codeVerifier);
|
|
178
138
|
}
|
|
179
139
|
if (this.config.clientCredentials.clientSecret) {
|
|
180
|
-
|
|
140
|
+
addClientSecret(parameters, this.config.clientCredentials.clientSecret);
|
|
181
141
|
}
|
|
182
142
|
if (this.config.clientCredentials.clientAssertion) {
|
|
183
143
|
const clientAssertion = this.config.clientCredentials.clientAssertion;
|
|
184
|
-
|
|
185
|
-
|
|
144
|
+
addClientAssertion(parameters, await getClientAssertion(clientAssertion.assertion, this.config.authOptions.clientId, request.resourceRequestUri));
|
|
145
|
+
addClientAssertionType(parameters, clientAssertion.assertionType);
|
|
186
146
|
}
|
|
187
|
-
|
|
188
|
-
|
|
147
|
+
addGrantType(parameters, GrantType.AUTHORIZATION_CODE_GRANT);
|
|
148
|
+
addClientInfo(parameters);
|
|
189
149
|
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
190
150
|
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils, this.performanceClient);
|
|
191
151
|
let reqCnfData;
|
|
@@ -197,11 +157,11 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
197
157
|
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
198
158
|
}
|
|
199
159
|
// SPA PoP requires full Base64Url encoded req_cnf string (unhashed)
|
|
200
|
-
|
|
160
|
+
addPopToken(parameters, reqCnfData);
|
|
201
161
|
}
|
|
202
162
|
else if (request.authenticationScheme === AuthenticationScheme.SSH) {
|
|
203
163
|
if (request.sshJwk) {
|
|
204
|
-
|
|
164
|
+
addSshJwk(parameters, request.sshJwk);
|
|
205
165
|
}
|
|
206
166
|
else {
|
|
207
167
|
throw createClientConfigurationError(missingSshJwk);
|
|
@@ -210,7 +170,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
210
170
|
if (!StringUtils.isEmptyObj(request.claims) ||
|
|
211
171
|
(this.config.authOptions.clientCapabilities &&
|
|
212
172
|
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
213
|
-
|
|
173
|
+
addClaims(parameters, request.claims, this.config.authOptions.clientCapabilities);
|
|
214
174
|
}
|
|
215
175
|
let ccsCred = undefined;
|
|
216
176
|
if (request.clientInfo) {
|
|
@@ -234,7 +194,7 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
234
194
|
case CcsCredentialType.HOME_ACCOUNT_ID:
|
|
235
195
|
try {
|
|
236
196
|
const clientInfo = buildClientInfoFromHomeAccountId(ccsCred.credential);
|
|
237
|
-
|
|
197
|
+
addCcsOid(parameters, clientInfo);
|
|
238
198
|
}
|
|
239
199
|
catch (e) {
|
|
240
200
|
this.logger.verbose("Could not parse home account ID for CCS Header: " +
|
|
@@ -242,230 +202,55 @@ class AuthorizationCodeClient extends BaseClient {
|
|
|
242
202
|
}
|
|
243
203
|
break;
|
|
244
204
|
case CcsCredentialType.UPN:
|
|
245
|
-
|
|
205
|
+
addCcsUpn(parameters, ccsCred.credential);
|
|
246
206
|
break;
|
|
247
207
|
}
|
|
248
208
|
}
|
|
249
209
|
if (request.embeddedClientId) {
|
|
250
|
-
|
|
251
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
252
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
253
|
-
});
|
|
210
|
+
addBrokerParameters(parameters, this.config.authOptions.clientId, this.config.authOptions.redirectUri);
|
|
254
211
|
}
|
|
255
212
|
if (request.tokenBodyParameters) {
|
|
256
|
-
|
|
213
|
+
addExtraQueryParameters(parameters, request.tokenBodyParameters);
|
|
257
214
|
}
|
|
258
215
|
// Add hybrid spa parameters if not already provided
|
|
259
216
|
if (request.enableSpaAuthorizationCode &&
|
|
260
217
|
(!request.tokenBodyParameters ||
|
|
261
218
|
!request.tokenBodyParameters[RETURN_SPA_CODE])) {
|
|
262
|
-
|
|
219
|
+
addExtraQueryParameters(parameters, {
|
|
263
220
|
[RETURN_SPA_CODE]: "1",
|
|
264
221
|
});
|
|
265
222
|
}
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
/**
|
|
269
|
-
* This API validates the `AuthorizationCodeUrlRequest` and creates a URL
|
|
270
|
-
* @param request
|
|
271
|
-
*/
|
|
272
|
-
async createAuthCodeUrlQueryString(request) {
|
|
273
|
-
// generate the correlationId if not set by the user and add
|
|
274
|
-
const correlationId = request.correlationId ||
|
|
275
|
-
this.config.cryptoInterface.createNewGuid();
|
|
276
|
-
this.performanceClient?.addQueueMeasurement(PerformanceEvents.AuthClientCreateQueryString, correlationId);
|
|
277
|
-
const parameterBuilder = new RequestParameterBuilder(correlationId, this.performanceClient);
|
|
278
|
-
parameterBuilder.addClientId(request.embeddedClientId ||
|
|
279
|
-
request.extraQueryParameters?.[CLIENT_ID] ||
|
|
280
|
-
this.config.authOptions.clientId);
|
|
281
|
-
const requestScopes = [
|
|
282
|
-
...(request.scopes || []),
|
|
283
|
-
...(request.extraScopesToConsent || []),
|
|
284
|
-
];
|
|
285
|
-
parameterBuilder.addScopes(requestScopes, true, this.oidcDefaultScopes);
|
|
286
|
-
// validate the redirectUri (to be a non null value)
|
|
287
|
-
parameterBuilder.addRedirectUri(request.redirectUri);
|
|
288
|
-
parameterBuilder.addCorrelationId(correlationId);
|
|
289
|
-
// add response_mode. If not passed in it defaults to query.
|
|
290
|
-
parameterBuilder.addResponseMode(request.responseMode);
|
|
291
|
-
// add response_type = code
|
|
292
|
-
parameterBuilder.addResponseTypeCode();
|
|
293
|
-
// add library info parameters
|
|
294
|
-
parameterBuilder.addLibraryInfo(this.config.libraryInfo);
|
|
295
|
-
if (!isOidcProtocolMode(this.config)) {
|
|
296
|
-
parameterBuilder.addApplicationTelemetry(this.config.telemetry.application);
|
|
297
|
-
}
|
|
298
|
-
// add client_info=1
|
|
299
|
-
parameterBuilder.addClientInfo();
|
|
300
|
-
if (request.codeChallenge && request.codeChallengeMethod) {
|
|
301
|
-
parameterBuilder.addCodeChallengeParams(request.codeChallenge, request.codeChallengeMethod);
|
|
302
|
-
}
|
|
303
|
-
if (request.prompt) {
|
|
304
|
-
parameterBuilder.addPrompt(request.prompt);
|
|
305
|
-
}
|
|
306
|
-
if (request.domainHint) {
|
|
307
|
-
parameterBuilder.addDomainHint(request.domainHint);
|
|
308
|
-
this.performanceClient?.addFields({ domainHintFromRequest: true }, correlationId);
|
|
309
|
-
}
|
|
310
|
-
this.performanceClient?.addFields({ prompt: request.prompt }, correlationId);
|
|
311
|
-
// Add sid or loginHint with preference for login_hint claim (in request) -> sid -> loginHint (upn/email) -> username of AccountInfo object
|
|
312
|
-
if (request.prompt !== PromptValue.SELECT_ACCOUNT) {
|
|
313
|
-
// AAD will throw if prompt=select_account is passed with an account hint
|
|
314
|
-
if (request.sid && request.prompt === PromptValue.NONE) {
|
|
315
|
-
// SessionID is only used in silent calls
|
|
316
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from request");
|
|
317
|
-
parameterBuilder.addSid(request.sid);
|
|
318
|
-
this.performanceClient?.addFields({ sidFromRequest: true }, correlationId);
|
|
319
|
-
}
|
|
320
|
-
else if (request.account) {
|
|
321
|
-
const accountSid = this.extractAccountSid(request.account);
|
|
322
|
-
let accountLoginHintClaim = this.extractLoginHint(request.account);
|
|
323
|
-
if (accountLoginHintClaim && request.domainHint) {
|
|
324
|
-
this.logger.warning(`AuthorizationCodeClient.createAuthCodeUrlQueryString: "domainHint" param is set, skipping opaque "login_hint" claim. Please consider not passing domainHint`);
|
|
325
|
-
accountLoginHintClaim = null;
|
|
326
|
-
}
|
|
327
|
-
// If login_hint claim is present, use it over sid/username
|
|
328
|
-
if (accountLoginHintClaim) {
|
|
329
|
-
this.logger.verbose("createAuthCodeUrlQueryString: login_hint claim present on account");
|
|
330
|
-
parameterBuilder.addLoginHint(accountLoginHintClaim);
|
|
331
|
-
this.performanceClient?.addFields({ loginHintFromClaim: true }, correlationId);
|
|
332
|
-
try {
|
|
333
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
334
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
335
|
-
}
|
|
336
|
-
catch (e) {
|
|
337
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
338
|
-
}
|
|
339
|
-
}
|
|
340
|
-
else if (accountSid && request.prompt === PromptValue.NONE) {
|
|
341
|
-
/*
|
|
342
|
-
* If account and loginHint are provided, we will check account first for sid before adding loginHint
|
|
343
|
-
* SessionId is only used in silent calls
|
|
344
|
-
*/
|
|
345
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is none, adding sid from account");
|
|
346
|
-
parameterBuilder.addSid(accountSid);
|
|
347
|
-
this.performanceClient?.addFields({ sidFromClaim: true }, correlationId);
|
|
348
|
-
try {
|
|
349
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
350
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
351
|
-
}
|
|
352
|
-
catch (e) {
|
|
353
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
354
|
-
}
|
|
355
|
-
}
|
|
356
|
-
else if (request.loginHint) {
|
|
357
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from request");
|
|
358
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
359
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
360
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
361
|
-
}
|
|
362
|
-
else if (request.account.username) {
|
|
363
|
-
// Fallback to account username if provided
|
|
364
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Adding login_hint from account");
|
|
365
|
-
parameterBuilder.addLoginHint(request.account.username);
|
|
366
|
-
this.performanceClient?.addFields({ loginHintFromUpn: true }, correlationId);
|
|
367
|
-
try {
|
|
368
|
-
const clientInfo = buildClientInfoFromHomeAccountId(request.account.homeAccountId);
|
|
369
|
-
parameterBuilder.addCcsOid(clientInfo);
|
|
370
|
-
}
|
|
371
|
-
catch (e) {
|
|
372
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Could not parse home account ID for CCS Header");
|
|
373
|
-
}
|
|
374
|
-
}
|
|
375
|
-
}
|
|
376
|
-
else if (request.loginHint) {
|
|
377
|
-
this.logger.verbose("createAuthCodeUrlQueryString: No account, adding login_hint from request");
|
|
378
|
-
parameterBuilder.addLoginHint(request.loginHint);
|
|
379
|
-
parameterBuilder.addCcsUpn(request.loginHint);
|
|
380
|
-
this.performanceClient?.addFields({ loginHintFromRequest: true }, correlationId);
|
|
381
|
-
}
|
|
382
|
-
}
|
|
383
|
-
else {
|
|
384
|
-
this.logger.verbose("createAuthCodeUrlQueryString: Prompt is select_account, ignoring account hints");
|
|
385
|
-
}
|
|
386
|
-
if (request.nonce) {
|
|
387
|
-
parameterBuilder.addNonce(request.nonce);
|
|
388
|
-
}
|
|
389
|
-
if (request.state) {
|
|
390
|
-
parameterBuilder.addState(request.state);
|
|
391
|
-
}
|
|
392
|
-
if (request.claims ||
|
|
393
|
-
(this.config.authOptions.clientCapabilities &&
|
|
394
|
-
this.config.authOptions.clientCapabilities.length > 0)) {
|
|
395
|
-
parameterBuilder.addClaims(request.claims, this.config.authOptions.clientCapabilities);
|
|
396
|
-
}
|
|
397
|
-
if (request.embeddedClientId) {
|
|
398
|
-
parameterBuilder.addBrokerParameters({
|
|
399
|
-
brokerClientId: this.config.authOptions.clientId,
|
|
400
|
-
brokerRedirectUri: this.config.authOptions.redirectUri,
|
|
401
|
-
});
|
|
402
|
-
}
|
|
403
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
404
|
-
if (request.platformBroker) {
|
|
405
|
-
// signal ests that this is a WAM call
|
|
406
|
-
parameterBuilder.addNativeBroker();
|
|
407
|
-
// pass the req_cnf for POP
|
|
408
|
-
if (request.authenticationScheme === AuthenticationScheme.POP) {
|
|
409
|
-
const popTokenGenerator = new PopTokenGenerator(this.cryptoUtils);
|
|
410
|
-
// req_cnf is always sent as a string for SPAs
|
|
411
|
-
let reqCnfData;
|
|
412
|
-
if (!request.popKid) {
|
|
413
|
-
const generatedReqCnfData = await invokeAsync(popTokenGenerator.generateCnf.bind(popTokenGenerator), PerformanceEvents.PopTokenGenerateCnf, this.logger, this.performanceClient, request.correlationId)(request, this.logger);
|
|
414
|
-
reqCnfData = generatedReqCnfData.reqCnfString;
|
|
415
|
-
}
|
|
416
|
-
else {
|
|
417
|
-
reqCnfData = this.cryptoUtils.encodeKid(request.popKid);
|
|
418
|
-
}
|
|
419
|
-
parameterBuilder.addPopToken(reqCnfData);
|
|
420
|
-
}
|
|
421
|
-
}
|
|
422
|
-
return parameterBuilder.createQueryString();
|
|
223
|
+
instrumentBrokerParams(parameters, request.correlationId, this.performanceClient);
|
|
224
|
+
return mapToQueryString(parameters);
|
|
423
225
|
}
|
|
424
226
|
/**
|
|
425
227
|
* This API validates the `EndSessionRequest` and creates a URL
|
|
426
228
|
* @param request
|
|
427
229
|
*/
|
|
428
230
|
createLogoutUrlQueryString(request) {
|
|
429
|
-
const
|
|
231
|
+
const parameters = new Map();
|
|
430
232
|
if (request.postLogoutRedirectUri) {
|
|
431
|
-
|
|
233
|
+
addPostLogoutRedirectUri(parameters, request.postLogoutRedirectUri);
|
|
432
234
|
}
|
|
433
235
|
if (request.correlationId) {
|
|
434
|
-
|
|
236
|
+
addCorrelationId(parameters, request.correlationId);
|
|
435
237
|
}
|
|
436
238
|
if (request.idTokenHint) {
|
|
437
|
-
|
|
239
|
+
addIdTokenHint(parameters, request.idTokenHint);
|
|
438
240
|
}
|
|
439
241
|
if (request.state) {
|
|
440
|
-
|
|
242
|
+
addState(parameters, request.state);
|
|
441
243
|
}
|
|
442
244
|
if (request.logoutHint) {
|
|
443
|
-
|
|
444
|
-
}
|
|
445
|
-
this.addExtraQueryParams(request, parameterBuilder);
|
|
446
|
-
return parameterBuilder.createQueryString();
|
|
447
|
-
}
|
|
448
|
-
addExtraQueryParams(request, parameterBuilder) {
|
|
449
|
-
const hasRequestInstanceAware = request.extraQueryParameters &&
|
|
450
|
-
request.extraQueryParameters.hasOwnProperty("instance_aware");
|
|
451
|
-
// Set instance_aware flag if config auth param is set
|
|
452
|
-
if (!hasRequestInstanceAware && this.config.authOptions.instanceAware) {
|
|
453
|
-
request.extraQueryParameters = request.extraQueryParameters || {};
|
|
454
|
-
request.extraQueryParameters["instance_aware"] = "true";
|
|
245
|
+
addLogoutHint(parameters, request.logoutHint);
|
|
455
246
|
}
|
|
456
247
|
if (request.extraQueryParameters) {
|
|
457
|
-
|
|
248
|
+
addExtraQueryParameters(parameters, request.extraQueryParameters);
|
|
458
249
|
}
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
|
|
463
|
-
*/
|
|
464
|
-
extractAccountSid(account) {
|
|
465
|
-
return account.idTokenClaims?.sid || null;
|
|
466
|
-
}
|
|
467
|
-
extractLoginHint(account) {
|
|
468
|
-
return account.idTokenClaims?.login_hint || null;
|
|
250
|
+
if (this.config.authOptions.instanceAware) {
|
|
251
|
+
addInstanceAware(parameters);
|
|
252
|
+
}
|
|
253
|
+
return mapToQueryString(parameters);
|
|
469
254
|
}
|
|
470
255
|
}
|
|
471
256
|
|